2016

Toward a Concurrent Programming Model with Modular Reasoning

Mehdi Bagherzadeh
Iowa State University

Follow this and additional works at: https://lib.dr.iastate.edu/etd

Part of the Computer Sciences Commons

Recommended Citation
Bagherzadeh, Mehdi, "Toward a Concurrent Programming Model with Modular Reasoning" (2016). Graduate Theses and Dissertations. 15659.
https://lib.dr.iastate.edu/etd/15659

This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact digirep@iastate.edu.
DEDICATION

To my parents Akram and Javad.
# TABLE OF CONTENTS

<table>
<thead>
<tr>
<th>Section</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>LIST OF TABLES</td>
<td>vii</td>
</tr>
<tr>
<td>LIST OF FIGURES</td>
<td>viii</td>
</tr>
<tr>
<td>ACKNOWLEDGEMENTS</td>
<td>x</td>
</tr>
<tr>
<td>ABSTRACT</td>
<td>xi</td>
</tr>
<tr>
<td>CHAPTER 1. INTRODUCTION</td>
<td>1</td>
</tr>
<tr>
<td>1.1 Contributions</td>
<td>3</td>
</tr>
<tr>
<td>1.2 Outline</td>
<td>4</td>
</tr>
<tr>
<td>CHAPTER 2. OVERVIEW OF RELATED WORK</td>
<td>6</td>
</tr>
<tr>
<td>2.1 Programming Model</td>
<td>6</td>
</tr>
<tr>
<td>2.2 Modular Reasoning</td>
<td>8</td>
</tr>
<tr>
<td>2.3 Interference Control Framework</td>
<td>8</td>
</tr>
<tr>
<td>2.4 Concurrent Behavioral Subtyping</td>
<td>9</td>
</tr>
<tr>
<td>2.5 Order Types</td>
<td>10</td>
</tr>
<tr>
<td>CHAPTER 3. INTERFERENCE CONTROL FRAMEWORK</td>
<td>12</td>
</tr>
<tr>
<td>3.1 Problem</td>
<td>12</td>
</tr>
<tr>
<td>3.2 Solution: Panini</td>
<td>14</td>
</tr>
<tr>
<td>3.2.1 Sparse Interference to Solve Pervasive Interference</td>
<td>15</td>
</tr>
<tr>
<td>3.2.2 Cognizant Interference to Solve Oblivious Interference</td>
<td>18</td>
</tr>
<tr>
<td>3.2.3 Modular Reasoning Using Panini’s Interference Model</td>
<td>19</td>
</tr>
<tr>
<td>3.2.4 Contributions</td>
<td>19</td>
</tr>
</tbody>
</table>
### 3.3 Panini’s Syntax  ................................................................. 20
### 3.4 Operational Semantics ..................................................... 21
#### 3.4.1 Dynamic Objects ....................................................... 22
#### 3.4.2 Local and Global Semantics ........................................... 24
#### 3.4.3 Sequential Synchronous Local Semantics ......................... 24
#### 3.4.4 Concurrent Asynchronous Global Semantics ....................... 27
#### 3.4.5 Ownership Transfer Semantics ...................................... 29
#### 3.4.6 Exceptional Semantics ............................................... 30
#### 3.4.7 Initial Configuration .................................................. 31
#### 3.4.8 Actions: Conflict and Happens-Before Relations ............... 34
#### 3.4.9 Sharing of Capsule Instances and Futures ...................... 37
### 3.5 Sparse and Cognizant Interference .................................... 39
#### 3.5.1 Sparse Interference .................................................. 40
#### 3.5.2 Cognizant Interference .............................................. 41
### 3.6 Hoare-style Modular Reasoning ........................................ 44
### 3.7 Static Semantics .......................................................... 47
#### 3.7.1 Type Attributes ...................................................... 47
#### 3.7.2 Typing Rules .......................................................... 48
### 3.8 Discussion ................................................................. 50
### 3.9 Related Work ............................................................. 51

**CHAPTER 4. CONCURRENT BEHAVIORAL SUBTYING** .......................... 54

### 4.1 Background ............................................................... 55
#### 4.1.1 Panini ............................................................... 56
#### 4.1.2 Program Syntax ..................................................... 56
#### 4.1.3 Semantics in a Nutshell ............................................ 58
### 4.2 Key Challenges .......................................................... 60
#### 4.2.1 Problem Q: Interference Behavior Incompatibility .............. 61
#### 4.2.2 Modular Reasoning and Interference ................................ 61
#### 4.2.3 Interference Behavior Incompatibility ............................. 64
4.2.4 Problem 4: Incompatible Interface Behavior ........................................... 65
4.3 Concurrent Subtyping ........................................................................... 67
  4.3.1 Formalization of Concurrent Subtyping .............................................. 67
  4.3.2 Sound Modular Reasoning ................................................................. 71
4.4 Proving Concurrent Subtyping ............................................................... 74
  4.4.1 Encapsulated Inheritance ................................................................. 75
  4.4.2 Proving Interference Subtyping ......................................................... 75
  4.4.3 Proving Concurrent Subtyping ......................................................... 77
4.5 Semantics ............................................................................................... 77
  4.5.1 Static Semantics ................................................................................. 77
  4.5.2 Operational Semantics ........................................................................ 77
4.6 Evaluation ............................................................................................... 80
  4.6.1 Akka ................................................................................................. 82
  4.6.2 Java .................................................................................................. 83
  4.6.3 Type Encapsulation ............................................................................ 83
  4.6.4 Findings ............................................................................................ 83
4.7 Related Work .......................................................................................... 85

CHAPTER 5. ORDER TYPES ............................................................................ 86

4.1 Motivation ............................................................................................... 88
  4.1.1 Modular Message Race Detection ..................................................... 88
  4.1.2 Abstraction and Abstraction-eligibility ............................................. 92
  4.1.3 Proper Blame Assignment ................................................................ 95
4.2 Process Model and Program Syntax ....................................................... 97
  4.2.1 Program Syntax ................................................................................ 97
4.3 Order Type Syntax .................................................................................. 99
  4.3.1 Type Attributes ................................................................................. 100
4.4 Type System ............................................................................................ 100
  4.4.1 Declarations ...................................................................................... 102
  4.4.2 Invocations ....................................................................................... 102
LIST OF TABLES

Table 3.1 Previous work addressing (√) pervasive and oblivious interference. . . . . . 13

Table 4.1 Number of supertypes accessing their supertypes’ states. . . . . . . . . . . 80
## LIST OF FIGURES

<table>
<thead>
<tr>
<th>Figure</th>
<th>Description</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>Figure 3.1</td>
<td>Capsule Counter with state x and procedure add.</td>
<td>15</td>
</tr>
<tr>
<td>Figure 3.2</td>
<td>Capsule Counter with a reference type state.</td>
<td>16</td>
</tr>
<tr>
<td>Figure 3.3</td>
<td>Capsule Client with JML-like assertion $\Phi$ on line 7.</td>
<td>17</td>
</tr>
<tr>
<td>Figure 3.4</td>
<td>Panini’s core syntax, based on [138].</td>
<td>20</td>
</tr>
<tr>
<td>Figure 3.5</td>
<td>Design and wiring declarations in capsule Main.</td>
<td>22</td>
</tr>
<tr>
<td>Figure 3.6</td>
<td>Added syntax, evaluation contexts, configurations and actions in semantics.</td>
<td>23</td>
</tr>
<tr>
<td>Figure 3.7</td>
<td>Local and global operational semantics of Panini.</td>
<td>25</td>
</tr>
<tr>
<td>Figure 3.8</td>
<td>Panini’s auxiliary functions.</td>
<td>31</td>
</tr>
<tr>
<td>Figure 3.9</td>
<td>Exceptional semantics of Panini, select rules.</td>
<td>32</td>
</tr>
<tr>
<td>Figure 3.10</td>
<td>Rules to create initial configuration of Panini programs.</td>
<td>33</td>
</tr>
<tr>
<td>Figure 3.11</td>
<td>Conflicting actions and their happens-before $\triangleright$ relations.</td>
<td>35</td>
</tr>
<tr>
<td>Figure 3.12</td>
<td>Sharing counter among client1 and client2.</td>
<td>37</td>
</tr>
<tr>
<td>Figure 3.13</td>
<td>Static verification of the behavioral contract of test.</td>
<td>45</td>
</tr>
<tr>
<td>Figure 3.14</td>
<td>Type attributes.</td>
<td>48</td>
</tr>
<tr>
<td>Figure 3.15</td>
<td>Panini’s select typing rules.</td>
<td>49</td>
</tr>
<tr>
<td>Figure 4.1</td>
<td>Panini’s core syntax with capsule inheritance and procedure specifications.</td>
<td>57</td>
</tr>
<tr>
<td>Figure 4.2</td>
<td>Interference points $\alpha$ and interference closure $\kappa(c,\text{Counter})$.</td>
<td>60</td>
</tr>
<tr>
<td>Figure 4.3</td>
<td>Interference behavior incompatibility breaks modular reasoning.</td>
<td>64</td>
</tr>
<tr>
<td>Figure 4.4</td>
<td>Interface behavior incompatibility breaks modular reasoning.</td>
<td>65</td>
</tr>
<tr>
<td>Figure 4.5</td>
<td>Incompatible interface behavior breaks sequential modular reasoning.</td>
<td>66</td>
</tr>
<tr>
<td>Figure 4.6</td>
<td>$\text{CxCounter}$ is an interference subtype of $\text{Counter}$.</td>
<td>70</td>
</tr>
<tr>
<td>Figure 4.7</td>
<td>Select rules for Panini’s Hoare logic.</td>
<td>72</td>
</tr>
</tbody>
</table>
ACKNOWLEDGEMENTS

First and foremost, I would like to thank my advisor Hridesh Rajan for his extraordinary advice, support and encouragement throughout my entire graduate studies. I aspire to one day be as excellent an advisor as him. I would like to thank Gary T. Leavens for great research collaborations and advice, just like a second advisor. My special thanks goes to my other committee members Samik Basu, Vasant G. Honavar and Robyn R. Lutz.

In addition to the work presented in this thesis, I have been involved in the work on translucid contracts [17, 20, 21] to enable modular reasoning about functional and flow behaviors of event-based systems for both normal and exceptional executions [19] in the presence of event subtyping [15, 16, 50, 53, 54]. Translucid contracts build on the Ptolemy language [140–142] which supports explicit announcement and handling of typed events and allows for event type polymorphism [60]. I have also been involved in the work on semantic characterization of message order problems in concurrent message passing software [105] and the work on contract modularization using AspectJML [145, 146]. My thank goes to Ali Darvish, Robert Dyer, Rex D. Fernando, Eric Lin, Yuheng Long, Sean L. Mooney, Henrique Rebêlo, Josè Sánchez, Ganesha Upadhyaya and all my other collaborators for their great collaborations on these works during Panini, Ptolemy and AspectJML projects.

My research during my graduate studies including the research in this thesis was supported in part by grants from the US National Science Foundation (NSF) under grants CCF-08-46059, CCF-10-17334, CCF-11-17937, CCF-14-23370 and CCF-15-18897.

I also like to thank Gogul Balakrishnan, Franjo Ivanović and Aarti Gupta for the research internship opportunity at NEC Laboratories of America.

There are many other people and organizations who have helped me over the years, and while your names may not be on this list I extend my gratitude to you as well.

Parts of Chapter 1 and Chapter 2 and most of Chapter 3 is based on our previous work published in MODULARITY 2015 [18].
ABSTRACT

Modular reasoning and concurrent programming are both necessary for scalable development of performant software. Modular reasoning improves scalability by allowing a program to be understood one module at a time. Concurrent programming improves the performance by allowing simultaneous executions of multiple computations in a single program. However, modular reasoning about a concurrent program is difficult because of its thread interference, module inheritance and nondeterministic message orders. The statement of this thesis is that there exists a concurrent programming model that enables modular reasoning about behaviors of its programs in the presence of interference, inheritance and nondeterministic message orders using the following three ideas.

The first idea is an interference control framework that enables modular reasoning in the presence of interference. The technical innovations of the interference control framework are its sparse interference and cognizant interference properties that allow for standard Hoare-style modular reasoning about a concurrent program. Sparse and cognizant interference guarantee that interference happens only at explicitly specified program points and the interference behavior is statically known, respectively.

The second idea is concurrent behavioral subtyping that enables modular reasoning in the presence of inheritance. The technical innovations of concurrent behavioral subtyping are a new definition of behavioral subtyping for a concurrent program in terms of standard interface subtyping and a novel interference subtyping and show that in the presence of encapsulated inheritance the interface subtyping is sufficient to guarantee concurrent behavioral subtyping.

The third and last idea is order types that enables modular reasoning in the presence of nondeterministic message orders. The technical innovations of order types are to disallow message races using existential types that capture unknown module dependencies, abstraction that hides local messaging behavior of the module in its order type and a blame assignment that properly blames the module with bad expression composition or bad module composition and not the module in which the race happens.
These three ideas have the potential to ease software engineering of concurrent systems by improving a developer’s ability to design, implement, test and evolve their software one module at a time.
CHAPTER 1. INTRODUCTION

The concurrency revolution [158] and the need for performant software requires sequentially-trained programmers [108] to write concurrent programs. Modular reasoning [132] allows programmers to understand their programs one module at a time and in a scalable manner. This is because in modular reasoning a module is understood using its implementation and static types of other modules it refers to, independent of their dynamic types [97] and implementations. Modular reasoning is also scalable because any changes in the dynamic type or implementation of a referred module cannot invalidate an already verified property of a module that refers to it. However, modular reasoning about a concurrent program can become difficult and sometimes intractable because of the interference among its threads [67], inheritance among its modules [97] and nondeterminism in orders of its messages [162].

Interference Two modules interfere if during their concurrent execution, interleaving instructions of one module changes the program state and consequently the behavior of the other module [177]. Interference makes modular reasoning difficult because the interference can happen between any two instructions of a module and at each interference point the interference behavior is unknown. To understand a module $M$ the programmer should consider the possibility of interference between any two instructions of the module and for each interference point carry out a global reasoning to know its interference behavior, which is a lot of non-modular reasoning work. Any changes in any module in the program can invalidate a previously verified property of the module $M$.

To illustrate, consider the single line of code below that sums up the values of variables $x$ and $y$.

There could be three interference points that occur between instructions that read the value of $x$, read the value of $y$, add the values of $x$ and $y$ and write the result to $x$.

$$x = x + y;$$

That is, this code actually looks like $\alpha x = \alpha x + \alpha y$ where $\alpha$ denotes an interference point. And there is no information about how interfering tasks at interference points $\alpha$ may or may not modify the
values of $x$ and $y$. To understand this single line of code with only four instructions the programmer should consider three interference points and for each interference point carry out a global reasoning to know how interference task may modify the values of $x$ and $y$, which is a lot of work. Any changes in any part of the program may invalidate this understanding and require the reasoning to be redone.

**Inheritance** Inheritance and dynamic dispatch make modular reasoning difficult because behaviors of modules in an inheritance hierarchy can be different. To understand an invocation in a module $M$, the programmer should consider the receiver module and carry out a global reasoning over its inheritance hierarchy to understand modules that inherit from it, which is a lot of non-modular reasoning work. Any changes in any module in the inheritance hierarchy of the receiver can invalidate a previously verified property of the module $M$.

To illustrate, consider the single line of code below that invokes a procedure `save` of a proxy module $r$ with a static type `Proxy`.

```java
r.save();
```

To understand this invocation, a programmer should understand the behavior of the procedure `save` in `Proxy` and any other module in its inheritance hierarchy that may override `save`, which is a lot of work. Any changes in the inheritance hierarchy of `Proxy` can invalidate this understanding and require the reasoning to be done.

**Nondeterministic message orders** Nondeterministic message orders make modular reasoning intractable because nondeterminism can lead to racy messages that can arrive at any arbitrary order. To understand a module $M$, the programmer should consider all messages that the module sends and understand their orderings. This problem becomes exponential with message races. Any changes in the message ordering of any other module can invalidate a previously verified property of $M$.

To illustrate, consider the single line of code below in which the programmer intends to save the client’s work in a server module before shutting down the server. This code is a simplified version of a real world bug found in previous work [93,161].

```java
client : r.save(); s.kill();
```

The client first sends a `save` message to a proxy module $r$. The proxy saves the client’s work in a server $s$ by sending a `save` message to the server, after performing some bookkeeping. The proxy implements
the Proxy design pattern [71] and relays the client’s messages to the server. Then the client sends a
kill message to the server which shuts down the server. A procedure invocation emulates a message
send [14,86]. Due to asynchrony of message sends and concurrent execution of client, proxy and server,
messages save and kill sent from client can arrive at the server at any order and with no happens-before
order [91] between them. That is, save and kill messages are racy and save can arrive at the server
before kill or vice versa. To understand this single line of code, a programmer should consider both
(i.e. 2!) message orders. In general, for a message race involving n messages there are n! message
orderings that should be understood, which is intractable [161, 162].

1.1 Contributions

The idea in this thesis is that there exists a concurrent programming model that enables modular rea-
soning about behaviors of its programs in the presence of interference, inheritance and nondeterminism.
The thesis proposes a concurrent programming model with interference control, concurrent behavioral
subtyping and order types to enable modular reasoning.

**Interference control framework** Interference control framework enables Hoare-style modular rea-
soning [77] in the presence of interference by guaranteeing that interference happens only at explicitly
specified program points in a module and the interference behaviors are statically and modularly known.
A programmer can understand a module M using only its implementation and the static types of other
modules it refers to, independent of their implementations.

**Concurrent behavioral subtyping** Concurrent behavioral subtyping enables supertype abstraction
modular reasoning [97] in the presence of inheritance by guaranteeing that the behavior of a module
does not violate the behavior of a module that it inherits from. The programmer can understand the
module M using only its implementation and the static types of other modules it refers to, independent
of their dynamic types and inheritance hierarchies.

**Order types** Order types enables tractable modular reasoning in the presence of nondeterministic
message orders by disallowing message races. The programmer can understand the messaging behavior
of the module M using only its implementation and the abstracted order types of modules it refers to,
independent of their implementations or non-abstracted types.
1.2 Outline

Chapter 2 presents an overview of the related work on the proposed message passing programming model in Section 2.1, modular reasoning in Section 2.2, interference control framework in Section 2.3, concurrent behavioral subtyping in Section 2.4 and order types in Section 2.5.

Chapter 3 discusses and formalizes the interference control framework. Section 3.1 illustrates two problems of pervasive interference and oblivious interference that make modular reasoning difficult in the presence of interference. Section 3.2 informally presents the interference control framework and its two properties sparse and cognizant interference. Section 3.3 defines the core syntax of the proposed message passing calculus and model without inheritance and its operational semantics discussed in Section 3.4. Section 3.5 defines formalizes and proves sparse and cognizant interference properties. Section 3.6 shows how these two properties allow for the use of sequential Hoare-style modular reasoning [77]. Section 3.7 discusses the static semantics and typing rules of the model. Section 3.8 discusses expressiveness of the proposed model and granularity of interference behaviors. Section 3.9 presents a detailed discussion of related work to interference control.

Chapter 4 discusses and formalizes concurrent behavioral subtyping. Section 4.1 presents the core syntax and semantics of of the proposed message passing model with inheritance added. Section 4.2 illustrates two problems of incompatible interface behavior and incompatible interference behavior that make modular reasoning difficult in the presence of inheritance. Section 4.3 proposes and formalizes concurrent behavioral subtyping as a combination of standard interface subtyping and new interference subtyping and presents Hoare-style supertype abstraction reasoning [97] using concurrent subtyping. Section 4.4 shows reduction of concurrent behavioral subtyping to standard interface subtyping in the presence of encapsulated inheritance [155]. Section 4.5 discusses the static and operational semantics of our calculus with inheritance added. Section 4.6 empirically evaluates the usefulness of concurrent subtyping and encapsulated inheritance on a large set of Java and Akka [8] projects. Section 4.7 presents a detailed discussion of related work of concurrent behavioral subtyping.

Chapter 5 discusses and formalizes order types. Section 5.1 motivates the use of existential order types, order type abstraction and proper blame assignment. Section 5.2 briefly presents the core calculus and its semantics. Section 5.3 presents the core syntax of order types. Section 5.4 formalizes the
type checking and well-formedness rules for order types, order type abstraction and abstraction-eligible modules and blame assignment. It also discusses the over-approximation in the order type of a conditional expression to avoid state-space explosion, use of memory effects for a more precise race detection and avoiding of benign races. Section 5.5 presents a detailed discussion of related work to order types.

Chapter 6 discusses avenues of future work and concludes.
CHAPTER 2. OVERVIEW OF RELATED WORK

2.1 Programming Model

This thesis uses and builds on capsule-oriented programming model, an implicit concurrent message passing programming model with capsules [135–138] as concurrent abstractions. In a message passing model, a program is a set of concurrent abstractions that run concurrently and communicate by sending and receiving messages. A concurrent programming model can be explicit, implicit or automatic. In an explicit model, a programmer manually creates concurrent tasks and manages their synchronizations. In an implicit model, the programmer uses annotations or programming constructs that provide hints to the compiler for creation and synchronization of concurrent task. In an automatic model, the compiler itself is responsible for finding and exposing concurrency.

A capsule [18, 136–138] is a concurrent abstraction with mutable state [172], ownership [38], encapsulation [117], inheritance with behavioral subtyping [104], typed messages [86] and sequential execution [35]. A capsule unites its declaration and the composition of the capsules it owns [113]. Capsule-oriented programming is implemented [100] in the language Panini with a large set of multithreaded and actor programs translated into Panini [100, 105] that show comparable performances [138]. Various compilation strategies along with optimal mappings of capsules to JVM threads using their communication and computation behaviors are also studied [167, 168]. Capsules are closely related to and build on previous programming models and abstractions including processes in process calculi such as communicating sequential processes (CSP) [78] and calculus of communicating systems (CCS) [111], actors [6], active objects [94, 102, 125] and ambients [42].

A CSP [78] process is a sequential entity composed from atomic actions that synchronously communicates with another concurrently running process by sending and receiving messages over a communication channel. CCS [111] is similar but adds first class channels that can be passed between two
process over a shared channel and allow for dynamic changes in the topology of the system. An actor [6, 76] encapsulates its mutable state and a thread of execution and asynchronously communicates with another concurrently running actor by sending and receiving messages but without channels. When receiving a message an actor may update its state, change its behavior, send messages or create more actors. Variations of the actor model allow for sharing among actors [8], arbitrary actor inheritance [8, 14], concurrent execution inside the actor [152], typed messages [14] or ownership of the actor state [118]. Using typed messages, an actor defines a set of procedures [8, 14] invoked by other actors. A procedure invocation emulates a type-safe message send [86]. Using ownership an actor owns its state and control access to it. Ownership can be guaranteed using ownership types [37] or analysis [118]. An ambient [42] is an actor specialized for mobile computing with support for handling of consistency issues in a distributed network with failures and connectivity losses. An active object [94] is an object that encapsulates a thread of execution and communicates with another concurrently running active object by invoking their methods. A method invocation emulates a message send [86]. Variations of active objects allow for immutable states [151], ownership of states [37], cooperative concurrent execution inside the object [151] or grouping of active object in a cobox and restricting mutable access to them [151]. Mutable state allows for readonly sharing among objects. Cooperative concurrent execution guarantees that the state of the object is not simultaneously accessed by more than one thread. The execution of a thread must explicitly yield before the execution of another thread can start.

Ownership [38], encapsulation [117], behavioral subtyping [104], typed messages [86] and sequential execution [35] of a capsule enable modular reasoning in a concurrent program in the presence of interference, inheritance and nondeterministic message orders. Different concurrent abstractions in previous work propose various combinations of these properties but not a combination of all of them in a single abstraction. Arbitrary sharing in the absence of ownership or encapsulation, arbitrary inheritance without behavioral subtyping, untyped messages, and unsynchronized concurrent execution inside capsules can break modular reasoning guarantees of the capsule-oriented programming model and make modular reasoning about a concurrent program difficult or intractable again.
2.2 Modular Reasoning

In modular reasoning, a program is understood one module at a time using only its implementation and static types of other modules it refers to, independent of their dynamic types or implementations [95,132]. To the best of our knowledge this thesis proposes the first concurrent programming model that enables modular reasoning in the combined presence of interference, inheritance and nondeterministic message orders. Modular reasoning is enabled using an interference control framework, concurrent behavioral subtyping and order types each of which build on a rich body of previous work discussed in the remaining of this chapter.

2.3 Interference Control Framework

Two modules interfere if during their concurrent execution, interleaving instructions of one module changes the program state and consequently the behavior of the other module [177]. Interference makes modular reasoning difficult because interference can happen between any two instructions of a module and at each interference point the interference behavior is unknown. Interference control framework enables modular reasoning by making interference points and interference behaviors known syntactically, statically and modularly. Previous work either controls interference points [2, 6, 7, 84, 90, 94, 151, 154, 157, 172, 176, 177, 177] or interference behaviors [56, 68, 126, 129] but not both. Actors [6, 7, 172], active objects [94, 151], atomicity [58, 66, 171], cooperability [157, 176, 177] and automatic mutual exclusion [2, 84, 154] control interference points but not interference behaviors. Rely-guarantee reasoning [87], the work of Owicki-Gries [129] and its variations [126], concurrent separation logic [59,127] and concurrent abstract predicates [47,159] control the interference behavior but not the interference points.

An actor [6,76] or an active object [94] with encapsulation and ownership guarantees a macro-step semantics [4] in which interference can only happen after message sends or receives and the rest of the implementation is atomic and free from interference. An atomic block is a block of code with the guarantee that interference cannot happen inside the block. That is, interference can happen anywhere except inside atomic blocks. Automatic mutual exclusion [84] is the inverse of atomic blocks. That is, interference can happen only at explicitly specified program points and anywhere else is atomic. Co-
operability [177] is similar with the guarantee that interference happens only at program points marked with a special expression \texttt{yield}. These technique control interference points by limiting them to explicitly specified program points but not the interference behaviors. That is, interference behavior at an interference point is not known and requires a global reasoning to know about the interference behavior.

In rely-guarantee reasoning [87] and the work of Owicki-Gries [129] a module provides a guarantee and relies on guarantees provided by other modules in its environment. Environment specification of a module is an upper bound on the interfering behavior of other modules in its environment. Concurrent separation logic [127], concurrent abstract predicates (CAP) [47] and impredicative concurrent abstract predicates (iCAP) [159] limit sharing to modules called resources. A resource can have an invariant which should hold at any program state. Interfering behavior of other modules on the resource must not invalidate its invariant. These techniques control the interference behavior but not the interference points. That is, interference can happen between any two instructions of a module.

2.4 Concurrent Behavioral Subtyping

In modular supertype abstraction reasoning [97], an invocation is understood using the static type of its receiver module. Inheritance can break modular reasoning because an invocation can be dynamically dispatched to a module or any modules inheriting from it in its inheritance hierarchy where behaviors of these modules are incompatible. Concurrent behavioral subtyping allows for modular reasoning about an invocation by guaranteeing that the behavior of a module or any of the modules that inherit from it are compatible [130]. Concurrent behavioral subtyping defines interference subtyping for a concurrent programs and combines it with standard interface subtyping for a sequential program [36,49,96,130] to provide a new definition for behavioral compatibility in a concurrent program. Concurrent behavioral subtyping is complementary to previous work that extend sequential interface subtyping for concurrent programs [9,45,47,48,67,87,88,95,104,117,127,148,165]. Use of encapsulated inheritance [155] to reduce concurrent behavioral subtyping to interface subtyping is new.

The functional behavior of a procedure of module can be described using its precondition and post-condition which are predicates on the program state that must hold before and after invocations of the procedure. Sequential behavioral subtyping guarantees [10] that the behavior of a module does not
violate the behavior of the module it inherits from by relating their preconditions and postconditions by requiring a contravariance and covariance relations between preconditions and postconditions respectively. Weak behavioral subtyping [44,96] for sequential programs weaken the covariance requirement for postconditions. However, sequential behavioral subtyping cannot accommodate interference among concurrently running modules and therefore is not directly applicable to a concurrent program [67,148].

Strong behavioral subtyping [104] uses explicit history constraints to accommodate interference. A history constraint is a predicate on two transitively consecutive program states [95]. To guarantee behavioral subtyping between two modules of a concurrent program, not only their preconditions and postcondition but also their history constraints should be related. A variation of strong behavioral subtyping without history constraints [104] requires that every procedure that is added to an inheriting module and modifies its state should be expressible using the procedures of the inherited module. Weak behavioral subtyping [44] for concurrent programs weakens this requirement by controlling cross-type aliasing between two modules in an inheritance hierarchy and allows for mutable subtypes. Concurrent JML [148] and Contracts for concurrency [124] exploit the semantic equivalence for executions of sequential and atomic code to allow for the use of sequential behavioral subtyping for atomic modules. Previous work integrates behavioral subtyping into concurrent programming languages and tools such as Eiffel [110,124], Java [63,96], JML [95], ESC/Java [69] and Spec# [22]. However, previous work cannot separate the interference and interface behavior of a module and cannot compute its interference behavior using its preconditions and postconditions.

2.5 Order Types

Nondeterministic message orders can cause message races [161] and make modular reasoning about a concurrent message passing program intractable. Order types disallow message races and make modular reasoning about message orders tractable by avoiding state-space explosion [93,161,162]. Order type abstraction that hides the local messaging behavior of an abstraction-eligible module is new. Similar to previous work [62,173], the blame assignment lays the blame with the module that is the supplier of bad values and not the module that uses the bad value. Local descriptive order types complement previous work on global prescriptive behavioral types and specially session types.
Message orders determine the behavior of a message passing program [93, 161] and should be understood to understand a program. A state-space exploration that searches through all possible message orders of a program could become intractable because of the state-space explosion problem. Nondeterministic message orders can cause message races and make modular reasoning intractable through an exponential explosion of state-space. Two messages are racy if they are sent transitively from the same source module and arrive at a sink module with no happens-before order [91] between them. The happens-before relation is a partial order that orders messages. Partial order reduction techniques address this problem by pruning the state-space into a representative subset of all possible message orders. However, the pruning is a global analysis that is dependent on the property of interest and cannot be easily modularized.

A session type [79, 80] is a global type that prescribes a communication protocol among its participant modules over a session. A communication protocol includes messages sent by each participant and their happens-before order. A session is an abstraction that structures the communication over a private channel [111] and isolates it from other communication. A global session type can be projected into its participant to compute their local session types. Global progress of a session type guarantees the absence of deadlocks. Session fidelity ensures that communication over a channel goes as prescribed by its session type. Session linearity guarantees the absence of message races on its enclosed channel. Variations of session types support two [79] or more session participants [80] or infer a global principal type from local types of its participants [116]. Addition of channels and sessions to structure communication over channels allows the application of session types to a variety of multithreaded [43], message passing [115, 120] and sequential [81, 119] programming models. Session types and their underlying session-based programming are also added to languages like Erlang [115], Java [81] and Python [119] and frameworks like CORBA [169]. However, session types are designed for a session-based programming model that uses channel communications and are not directly applicable to message passing concurrency models without these constructs [120]. Also session types do not support abstraction and cannot hide local messaging behavior of a module.
CHAPTER 3. INTERFERENCE CONTROL FRAMEWORK

Modular reasoning is important for scalable software development because it allows programmers and tools [68, 148] to discharge verification obligations about a module by just considering the implementation of the module and the interfaces (not implementations) of static types named in that module. Concurrent programming, i.e. the ability to perform two or more simultaneous computations in a single program, is also vital for creating modern software systems. We believe that concurrent programming stubbornly remains difficult and error-prone because we cannot, yet, do modular reasoning about concurrent programs.

3.1 Problem

Two fundamental obstacles make modular reasoning about a concurrent program difficult [87, 177]:

1. the pervasive interference problem, and
2. the oblivious interference problem.

By the pervasive interference we mean that in a concurrent program, between any two consecutive instructions of a concurrent task, interleaving instructions of another task could change the state of the program such that it influences the subsequent behavior of the first task [177]. This in turn means, there are too many points in a program that a programmer must analyze before they can understand the behavior of their program. For example, in the single straight line code below there could be three interference points that occur between instructions that read the value of \( x \), read the value of \( y \), add the two values, and write the value of \( x \).

\[
x = x + y;
\]

That is, this code actually looks like \( \alpha x = \alpha x + \alpha y \) where \( \alpha \) denotes an interference point.
By the *oblivious interference* we mean that interference points do not give out any information, either concrete or abstract, about what other concurrent tasks may interfere or what are their behaviors. This in turn means, a programmer must consider all potentially concurrent tasks to determine whether their interleavings would be harmful and cause interferences (global reasoning). For example, in the straight line code above, there is no information about how interfering tasks at interference points α may or may not modify the values of x and y.

The key difference between pervasive and oblivious interference is that the former is about locations of interferences (where) whereas the latter is concerned about behaviors of interferences (what). Though, these two are well-known concurrency problems we coin the terms “pervasive interference” and “oblivious interference” to refer to them.

Pervasive and oblivious interference together, make modular reasoning about concurrent programs difficult [68, 87, 148, 176, 177]. Several prior techniques have been proposed for controlling interference and interfering behaviors of concurrent programs. Figure 3.1 summarizes closely related works and compares them regarding pervasiveness and obliviousness of interferences. Section 3.9 details the comparison of previous work regarding pervasive and oblivious interference for all related works.

<table>
<thead>
<tr>
<th>Interference</th>
<th>Pervasive</th>
<th>Oblivious</th>
</tr>
</thead>
<tbody>
<tr>
<td>atomicity, transactional memory, cooperability, AME</td>
<td>✓</td>
<td></td>
</tr>
<tr>
<td>actors, active objects</td>
<td>✓</td>
<td></td>
</tr>
<tr>
<td>rely-guarantee, Owicki-Gries</td>
<td></td>
<td>✓</td>
</tr>
</tbody>
</table>

**Atomicity, transactional memory, cooperability and automatic mutual exclusion (AME)** An atomic block [58, 66, 171] is a code block which is free of interference, i.e. the code in the block behaves as if it executes sequentially. Atomicity limits the interference points to the code outside atomic blocks, however, for the code outside an atomic block interference could still happen between any two instructions. Atomic blocks do not say anything about behaviors of interfering tasks.
Cooperability [157, 176, 177] and automatic mutual exclusion [2, 84, 154] are the inverse of atomic blocks, i.e. the code is atomic and interference-free unless explicitly specified. These techniques limit interferences to explicitly specified interference points but similarly do not say anything about behaviors of interfering tasks.

**Actors and active objects** Actors [6, 7, 172] encapsulate data and control and communicate by passing messages. A class of actor models (similarly active objects [38, 151]) in which actors provide confinement and do not permit unfettered internal concurrency limits interference points to message sends or receives, i.e. a block of code between two message receives are atomic (macro-step semantics [7]). However, actor models that allow uncontrolled internal concurrency or arbitrary data sharing among actors still could have interference between any two instructions. Actor models do not solve the oblivious interference problem because their dynamic name bindings could make the exact static type of a receiver or sender of a message unknown. Thus, a programmer cannot tell which concurrent tasks are interfering at interference points.

**Rely-guarantee and Owicki-Gries** Rely-guarantee based reasoning approaches [68, 87] and Owicki-Gries’s work [129] specify the behavior of the environment (other concurrently running tasks) of a task and thus limit the interference behavior. However, interferences can still happen between any two instructions of a program.

### 3.2 Solution: Panini

A concurrent programming model can enable more modular reasoning if it provides the following properties to a programmer:

1. **Sparse interference**: interference points are not pervasive in a program, instead they can be explicitly identified by certain program constructs; and

2. **Cognizant interference**: interference points are not oblivious in the program, instead each explicitly identified interference point provides an abstraction of behaviors of all potentially interfering concurrent tasks.

The language Panini presents such a programming model called *capsule-oriented programming* [136, 138]. Before discussing Panini’s interference model and semantics, we provide a gentle introduc-
tion using the example in Figure 3.1. The example declares a capsule type Counter with a state x, on line 2, and a procedure add, on lines 3–5. The body of add contains the straight line code shown in the previous section, which adds y to x. A capsule instance of Counter, say c, can be declared and it behaves like a process.

In Panini, a program is a set of concurrently running capsule instances which own their states and communicate with each other through asynchronous procedure invocations. Invocation of a capsule instance procedure appends the invoked procedure to the tail of the instance's queue and returns a future [174] for its result. The single execution thread of a capsule instance dequeues its invoked procedures from the head of the queue and executes them in the order that they appear in the queue. Invocation and returning of a procedure transfers the ownership of its parameters and return values between its invoking and invoked capsule instances, respectively.

```cpp
1  capsule Counter {
2   int x;
3   void add( int y ) {
4     x = x + y;
5   }
6  }
```

Figure 3.1 Capsule Counter with state x and procedure add.

### 3.2.1 Sparse Interference to Solve Pervasive Interference

Panini’s semantics controls and limits sharing among two capsule instances to other capsule instances and futures. This in turn allows a Panini program to limit its interference points to after capsule procedure invocations and guarantees sparse interference. As an example, there are no interferences in the body of the procedure add of a capsule instance c of type Counter, which is in contrast with straight line code in the previous section with pervasive interference and possible interferences between any two instructions. This is because Panini’s semantics guarantees that the state x is owned and is only accessible to its enclosing capsule instance c and there is only one thread of execution running c and accessing x. This in turn allows interferences in the code for the procedure add to be safely swapped out [101], as if the code runs with no interferences.
A reader familiar with synchronization features in languages like Java could perhaps achieve the same by implementing the counter as a class and marking its add method as synchronized, however, the capsule model saves the programmer from worrying about if there still could be interferences on line 4 and whether acquiring an object-level lock is actually sufficient to protect x. A lock protects a memory location if, throughout a program, every access to the location is preceded by acquiring the lock [66].

```java
capsule Counter {
  Number x;
  void add( Number y ) {
    x.add( y.value() );
  }
  Number value() { return x.value(); }
}
```

Figure 3.2 Capsule Counter with a reference type state.

To illustrate Panini’s semantics more, consider the capsule Counter in Figure 3.2 which creates the possibility of sharing the state x and the capsule procedure argument y, among an instance of Counter and other capsule instances, by changing their types from integer to a reference type Number.

Again, the body of the procedure add of a capsule instance c does not have any interferences. This is because Panini’s semantics guarantees that not only the state x but also its representation [32], i.e. the object graph rooted at x, is owned by the instance c and is only accessible from within c itself. The semantics also guarantees that upon invocation of the procedure add and throughout its execution its argument y and its representation is owned by c. This in turn allows interferences in the code for add to be safely swapped out, as if the code runs with no interferences.

Note that the alternative using synchronized or locks works only if proper locks are put in place to guarantee that they protect not only the state x and its representation but also the parameter y and its representation [66]. Panini’s semantics does not allow lock splitting, i.e. protecting fields in a capsule by different locks.

So far we have looked at capsules with no interference points in the bodies of their procedures. To illustrate capsules with interference points consider the capsule Client in Figure 3.3. This capsule imports an external capsule instance c of type Counter, on line 1, that a capsule instance of type Client can interact with. The body of the procedure test of Client contains asynchronous invocations of procedures value and add on the receiver capsule instance c, on lines 4–6. Asynchronous invocation of value, on
line 4, appends the body of the procedure to the end of the queue for c and immediately returns the unresolved future oldVal without waiting for the execution of value. The future is resolved and ready whenever the capsule instance c dequeues the body of value from its queue and executes it. Any attempt to access an unresolved future, e.g. on line 7, blocks until the future is resolved. Lines 5–6 append the queue of c with invocations of procedures add and value, respectively. The capsule instance c dequeues its invoked procedures from its queue in the same order as they appear in the queue and executes them, i.e. first in first out (FIFO) order. For invocations of value and add, on lines 5–6, execution of value starts after the execution of add finishes.

```java
1  capsule Client ( Counter c ) { 
2    Number oldVal, newVal; 
3    void test ( Number y ) { 
4      oldVal = c.value(); 
5      c.add( y ); 
6      newVal = c.value(); 
7      //@ assert newVal >= oldVal; Φ 
8    } 
9  }
```

Figure 3.3 Capsule Client with JML-like assertion Φ on line 7.

There are three interference points in the body of test, one right after each asynchronous invocation of procedures value and add, on lines 4–6. This is because, Panini’s semantics guarantees that the imported capsule instance c is the only shared resource among a capsule instance of type Client and other capsule instances in the system, with unsynchronized access. Other shared resources are futures oldVal and newVal, however, their accesses are synchronized and do not cause interference [177]. Panini’s semantics also guarantees that upon invocation of add, on line 5, the ownership of its parameter y is transferred to c, and the body of test does not access y after its ownership is transferred.

As Figures 3.1, 3.2 and 3.3 illustrate, unlike pervasive interference in which interferences can happen between any two instructions in a program, Panini’s semantics guarantees that in a Panini program, potential interference points are explicitly identified and they are limited to only after asynchronous procedure invocations.
3.2.2 Cognizant Interference to Solve Oblivious Interference

Panini controls and limits accessibility of states of a capsule instance to only through its procedures and dispatches procedure invocations using the static type of their receiver capsule instances. This in turn, allows a Panini program to limit the interference behavior at an interference point to the Kleene closure of procedures of the static type of the receiver of the procedure invocation and guarantees cognizant interference. The Kleene closure of a set of procedures contains the empty set and any concurrent composition of any number of procedures in the set.

For example, the interfering behavior at the interference point after the invocation of the procedure `value` on capsule instance `c`, on line 4, is contained in the Kleene closure \( \kappa = \{c.value(), c.add(_)\}^* \). This is because Panini’s semantics guarantees that the imported capsule instance `c` is the only shared resource with unsynchronized access between an instance of `Client` and other capsule instance in a system. Panini’s semantics also guarantees that the state of the capsule instance `c` is only accessible through its procedures `add` and `value`. Finally Panini’s semantics guarantees that the invocation of `value`, at the interference point on line 4, is dispatched using the static type of its receiver capsule instance `c` and not its subtype capsules which may have more procedures than `add` and `value`.

To interfere with `c`, other concurrently running capsule instances in the system can change the state of `c` by invoking its two procedures `add` and `value` any number of times and in any order which basically is the same as the closure \( \kappa \). The closure \( \kappa \) is a closure of 0 or more, concurrently running, invocations of all procedures of the capsule instance `c`. The Kleene closure for `value` and `add` includes empty set \( \emptyset \) and is closed under the sequential composition and execution operation `;`. For example, `c.value()`, `c.value(); c.value()`, `c.add(_)` and `c.value(); c.add(_)` are a few elements of \( \kappa \).

As Figure 3.3 illustrates, unlike oblivious interference in which the interference behavior is unknown, Panini’s semantics guarantees that interference behavior for an interference point after an asynchronous procedure invocation is limited to the Kleene closure of procedures of the static type of the receiver of the invocation.
3.2.3 Modular Reasoning Using Panini’s Interference Model

Panini’s sparse and cognizant interference enable static modular reasoning about its concurrent programs. To modularly understand a module in a Panini program (1) using sparse interference, the interference points of the module can be identified syntactically by only considering the implementation of the module. This is because interference points are explicitly identified by asynchronous procedure invocations. (2) using cognizant interference, the interfering behaviors at interference points can be identified statically by just considering the interfaces of static types of receivers of procedure invocations at these interference points. This is because interfering behaviors are Kleene closures of procedures of receivers of procedure invocations. (3) for each interference point identified in (1) its interfering behavior identified in (2) could be inserted at the interference point in the module to arrive at a result module that takes interference and its behavior into account. Such a module could be modularly understood [68] using Hoare-style reasoning [77].

For example, consider static verification of the assertion $\Phi$, on line 7 of Figure 3.3. In this example, sparse interference limits the interference points to after asynchronous invocations of procedures `value` and `add`, on lines 4–6, and cognizant interference limits the interference behavior at these interference points to the Kleene closure $\kappa = \{c.value(), c.add(_)}^*$. $\Phi$ can be modularly verified after inserting the interfering behavior $\kappa$ at each interference point in the procedure `test` using Hoare-style [77] reasoning.

Such reasoning is modular because the programmer only needs to consider the implementation of the procedure `test` and the interface of the static types it refers to, i.e. capsule type `Counter`. Identification of interference points and interfering behavior in `test` is similarly modular. Behaviors of procedures `value` and `add` say that the former does not change the value of the counter whereas the latter only increases it. Behaviors of these procedures are specified by their contracts, illustrated in Section 3.6.

3.2.4 Contributions

In summary, the contributions of this chapter are the following:

- formalization of Panini’s core calculus and its semantics (Section 3.3 and Section 3.4); and
- proving sparse and cognizant properties of Panini’s interference model (Section 3.5); and
• illustration of modular Hoare-style reasoning using behavioral contracts for concurrent Panini programs with interference (Section 3.6).

Section 3.8 briefly discusses Panini’s expressiveness, usability and Kleene closure analysis. Section 3.9 presents related work.

### 3.3 Panini’s Syntax

Figure 3.4 shows Panini’s expression-based core syntax. In this figure, the superscript term shows a sequence of zero or more terms. A Panini program is a set of capsule declarations. A capsule declaration contains a capsule name $C$ and declares a set of imported capsule instances $\text{imp}$, a design $\text{design}$, a set of capsule states $\text{state}$ and capsule procedures $\text{proc}$. A capsule instance can interact and invoke procedures.

![Panini's Syntax](image-url)
of two kinds of other capsule instances: imported and locally declared. An import declaration declares an imported capsule instance by specifying its capsule type $D$ and capsule name $i$. A local design declaration declares a set of local capsule instances $\overline{ins}$ and specifies their connections together in a wiring declaration $wire$. A wiring declaration $i(\overline{j})$ assigns capsule instances $\overline{j}$ to the imported capsule instances of the capsule $i$. Local capsule instances of one capsule are not accessible to other capsules.

Capsule instances of a Panini program interact only by invoking procedures of each other. A procedure declaration of a capsule has a variable return type $T$, a name $p$, set of formal parameters $\overline{form}$ and a body $e$. The body of a capsule procedure is a sequence of global and local expressions. Using global expressions, a procedure can asynchronously invoke a procedure of another capsule instance. However, using local expressions, a procedure of a capsule can synchronously invoke another procedure of the same capsule, access the state of the capsule through $self$ or allocate and access memory locations. Labels $\alpha$ denote possible interference points after asynchronous procedure invocations. The sequence of expressions $e_1; e_2$ is a syntactic sugar for $let \ b = e_1 \ in \ e_2$ in which variable $x$ is free in $e_2$.

Panini’s type system, in Section 3.7, distinguishes capsule types $C$ from variable types $T$. Unlike variable types, capsule types cannot subtype each other and thus their exact types are statically known. This in turn enables statically-bound procedure invocations in which the exact type of the receiver of a capsule is statically known.

To illustrate, Figure 3.3 declares a capsule type $Client$ with the imported capsule $c$ of capsule type $Counter$ and a procedure $test$ with formal parameter $y$ of variable type $Number$. The procedure body is a sequence of three asynchronous invocations of procedures $value$ and $add$ which are statically dispatched on the imported capsule instance $c$. As another example, the capsule type $Main$ in Figure 3.5, declares a design declaration on lines 2–6 that includes declarations of two capsule instances $client$ and $counter$ of types $Client$ and $Counter$, respectively. The design declaration contains a wiring declaration on line 5 that connects the client and counter instances by passing $counter$ as the client’s imported capsule instance.

### 3.4 Operational Semantics

In Panini’s operational (dynamic) semantics each concurrently running capsule instance owns its states and their representations, i.e. reference graphs reachable from its states; dynamically transfers
ownership of parameters and return values of its global procedure invocations; and uses only one thread of execution to dequeue and execute its invoked procedures. These in turn result in the following properties of a Panini programs that are critical to its sparse and cognizant interference model:

1. sharing among two capsule instances is limited to their imported capsule instances and unresolved future locations;

2. states of a capsule instance and their representations are only accessible through its procedures.

Panini’s interference model and its underlying properties are formalized in Section 3.5. Panini’s type system is formalized in Section 3.7.

3.4.1 Dynamic Objects

Panini’s dynamic semantics relies on three additional expressions \( l, \text{resolve} \) and \( \text{OWE} \), shown in Figure 3.6, that are not part of its surface syntax. The expression \( l \) represents a memory location in the store. The expression \( \text{resolve}(l, e, id, p) \) returns the result of the asynchronous invocation of procedure \( p \) with body \( e \) into future location \( l \) in the invoking capsule instance \( id \). The ownership transfer exception \( \text{OWE} \) denotes accessing a transferred location that a capsule instance no longer owns or transferring a location in the representation of a capsule’s state.

Panini’s operational semantics transitions from one global (program) configuration to another, as shown in Figure 3.6. A global configuration \( \mathcal{K} \) is a concurrent composition \( \parallel \) of capsule instance configurations \( \Sigma^1 \). A capsule configuration \( \Sigma \) contains a unique capsule identifier \( id \), a queue \( Q \) with an expression \( e \) under evaluation at its head, a local store \( S \), a capsule record \( r \) and an instance mapping \( I \). A queue is a possibly empty queue of expressions \( e \). The local store is a mapping from locations

---

\[ \Sigma \parallel \Sigma' \text{ is commutative, i.e. } \Sigma \parallel \Sigma' = \Sigma' \parallel \Sigma. \]
Added syntax:

\[ e ::= .. \]

- \( l \) memory location
- \( \text{resolve}(l, e, id, p) \) resolve a future location
- \( \text{OWE} \) ownership transfer exception

Evaluation contexts:

\[ \mathcal{E} ::= - | i.p(v, \mathcal{E}..) | \text{self}.p(v, \mathcal{E}..) \]

\[ \text{self}.f := \mathcal{E} | \text{ref} \mathcal{E} | \text{deref} \mathcal{E} \]

\[ \mathcal{E} ::= e | \text{let} x = \mathcal{E} \text{ in } e \]

Evaluation relations \( a \mapsto \) and \( \delta : \mathcal{X} \overset{a}{\rightarrow} \mathcal{X}' \) and \( \Sigma \overset{a}{\rightarrow} \Sigma' \)

Domains:

\[ \mathcal{X} ::= \bullet | \Sigma || \mathcal{X} \] global (program) configurations

\[ \Sigma ::= (P, id, e.Q, S, r, I) \] capsule instance configurations

\[ r ::= [C.F] \] capsule records

\[ F ::= \{ f_k \mapsto l_k \} \] state maps

\[ Q ::= \bullet | e.Q \] queues

\[ S ::= \{ l_k \mapsto v_k \} \] local stores

\[ I ::= \{ i_k \mapsto id_k \} \] instance maps

\[ v ::= l \] location values

\[ e \] unresolved future values

\[ \square \] transferred location values

Actions:

\[ a ::= \]

- \( \text{read}(id, l) \) read
- \( \text{write}(id, l) \) write
- \( \text{invoke}(id, id', p, l) \) invoke
- \( \text{resolve}(id, id', p, l) \) resolve
- \( \text{local}(id) \) local

\[ l \in \Sigma \] set of locations

\[ id, id' \in \mathcal{R} \] set of capsule identifiers

\[ k \in \mathbb{N} \] set of natural numbers

\[ P \] program declarations

Figure 3.6 Added syntax, evaluation contexts, configurations and actions in semantics.

\( l \) accessible to the capsule instance to their values \( v \). The capsule record contains the static capsule type \( C \) of the instance and a state mapping \( F \) from capsule fields \( f \) to locations. The instance mapping maps the names of imported and locally declared capsule instances \( i \) to their identifiers \( id \). A capsule configuration also includes the program text \( P \) which contains capsule declarations, similar to the class table in Featherweight Java, and is similarly used to look up declarations and procedure bodies when invoking a procedure.
In Panini, a value can be a location \( l \). A value can also be an unresolved future value \( \epsilon \) that denotes the result of an asynchronous procedure invocation before it is ready; or it can be a transferred value \( \square \) denoting the value of a location whose ownership has been transferred and no longer is accessible to a capsule instance.

Panini uses a left-most inner-most call-by-value evaluation policy. Evaluation contexts, in Figure 3.6, specify the evaluation order of an expression and the evaluation position in the expression.

Execution of a Panini program produces a trace of observable actions. Actions are basic units of execution and each action represents execution of a single \textit{indivisible} (atomic) instruction. Figure 3.6 shows a core set of actions observed during the execution of a Panini program. An action can be: a read or write of a memory location \( l \) by a capsule instance \( id \); asynchronous invocation of a procedure \( p \) of another capsule \( id' \) with the future result \( l \); resolving the result of an asynchronous procedure invocation into the future location \( l \); or it can be a local action of a capsule \( id \), such as invocation of a synchronous procedure of the capsule or dequeuing an expression from its queue.

### 3.4.2 Local and Global Semantics

Panini’s operational semantics has two sets of evaluation rules for its local and global semantics. A local evaluation \( \overset{a}{\rightarrow} \) denotes transition from a capsule configuration to another performing the action \( a \). A local transition in turn causes a global transition \( \overset{a}{\rightarrow} \) from one program configuration to another in which capsule instances run concurrently. A \textit{preemptive scheduler nondeterministically} chooses a capsule instances for evaluation at each point in time.

Figure 3.7 shows Panini’s substitution-based operational semantics for normal execution, i.e. no exceptions thrown. Figure 3.9 shows its exceptional operational semantics. The notation used in formalizing the operational semantic is similar to previous work [177].

### 3.4.3 Sequential Synchronous Local Semantics

Local evaluation relation \( \overset{a}{\rightarrow} \) in a capsule instance denotes evaluation of an expression \( e \) at the head of its queue to another expression \( e' \) and performing the action \( a \). This evaluation causes transition from a capsule configuration to another with a possibly modified queue and local store\(^2\). In local

\(^2\) Evaluation of a configuration does not change its mapping \( I \) and record \( r \).
Local evaluation relation $\leadsto$: 
\[
\langle p, id, e'[v].Q,S,r,l \rangle \leadsto \langle p, id, e'[e'].Q',S',r,l \rangle
\]

(State Read)
\[
\langle p, id, e[\text{self}.f].Q,S,l = v,|C.F|f = l|,l \rangle \stackrel{\text{read(id,l)}}{\leadsto} \langle p, id, e[v].Q,S,|C.F|,l \rangle
\]

(State Assign)
\[
\langle p, id, e'[f := v].Q,S,|C.F|f = l|,l \rangle \stackrel{\text{write(id,l)}}{\leadsto} \langle p, id, e[v].Q,S,l := v,|C.F|,l \rangle
\]

(Self Invoc)
\[
\langle p[capsule C(\ldots)|p(T \overline{x})\{e \ldots}]|id, e[\text{self}.p(\overline{v})].Q,S,|C.F|,l \rangle \stackrel{\text{local(id)}}{\leadsto} \langle p, id, e[e[\overline{v}/\overline{x}]].Q,S,|C.F|,l \rangle
\]

(Ref)
\[
\langle p, id, e[\text{ref} v].Q,S,r,l \rangle \stackrel{\text{write(id,l)}}{\leadsto} \langle p, id, e[l].Q,S,l := v,|r,l \rangle
\]

(Deref)
\[
\langle p, id, e[\text{deref} l].Q,S,l = v,|r,l \rangle \stackrel{\text{read(id,l)}}{\leadsto} \langle p, id, e[v].Q,S,r,l \rangle
\]

(Ref Asgn)
\[
\langle p, id, e[l := v].Q,S,l \neq e,|r,l \rangle \stackrel{\text{write(id,l)}}{\leadsto} \langle p, id, e[v].Q,S,l := v,|r,l \rangle
\]

(Ref FIFO Queue)
\[
\langle p, id, v,e.Q,S,r,l \rangle \stackrel{\text{local(id)}}{\leadsto} \langle p, id, e.Q,S,r,l \rangle
\]

Global evaluation relation $\mathcal{A}$: 
\[
\mathcal{A} \mid \langle p, id, e'[v].Q,S,r,l \rangle \cdot \mathcal{A} \mid \langle p, id, e'[e'].Q',S',r,l \rangle
\]

(Congruence)
\[
\mathcal{A} \mid \langle p, id, e'[v].Q,S,r,l \rangle \cdot \mathcal{A} \mid \langle p, id, e'[e'].Q',S',r,l \rangle
\]

(Proc Invoc)
\[
id' = l(i) \quad \Sigma' = \langle p,id',e'.Q',S',|C'.F'|,l' \rangle \in \mathcal{A} \quad \text{capsule} C'(D_j)\ldots T p(T \overline{x})\{e \ldots \} \in P
\]
\[
e' = e[\overline{v}/\overline{x},l'/j] \quad R = \text{reach}(v,S) \quad R' = \bigcup_{l \in \text{dom}(F)} \text{reach}(l',S)
\]
\[
R \cap R' = \emptyset \quad \text{fresh(l)} \quad \mathcal{A}' = \mathcal{A} \cup \langle p,id',e'.Q'.\text{resolve}(l,e',id,p),S \oplus R,|C'.F'|,l' \rangle
\]
\[
\mathcal{A} \mid \langle p, id, e[i.v(\overline{v})].Q,S,|C.F|,l \rangle \stackrel{\text{invoke(id,p,l)}}{\mapsto} \mathcal{A}' \mid \langle p, id, e[l].Q,S,l := v \circ R,|C.F|,l \rangle
\]

(Resolve)
\[
R = \text{reach}(v,S) \quad l' \in \text{dom}(F) \quad R' = \bigcup_{l' \in \text{dom}(F)} \text{reach}(l',S)
\]
\[
R \cap R' = \emptyset \quad \Sigma = \langle p, id, v.Q,S,l = v,|r,l \rangle \in \mathcal{A} \quad \mathcal{A}' = \mathcal{A} \cup \langle p, id, v.Q,S,l := v \circ R,|C.F|,l \rangle
\]
\[
\mathcal{A} \mid \langle p, id'.\text{resolve}(l,v,id,p).Q',S',|C'.F'|,l' \rangle \stackrel{\text{resolve(id,p,l)}}{\mapsto} \mathcal{A}' \mid \langle p, id', v.Q',S' \circ R,|C'.F'|,l' \rangle
\]

Figure 3.7  Local and global operational semantics of Panini.

semantics, a capsule instance can access its state through self, allocate and access memory locations, invoke a procedure of itself or dequeue an expression in its queue. Local evaluation is synchronous and sequential, i.e., a capsule instance only has one execution thread.
A capsule can read and write its state through the variable `self` in the rules `STATE READ` and `STATE ASSIGN`. A capsule state is accessible through state mapping `F` and local store `S`. A capsule’s state name is mapped to a location in `F` and then there is a mapping between the state location and its value in `S`. To read the value of a state in `STATE READ`, the notation `F[f = l]` means to check if the field name `f` maps to a location `l` and the notation `S[l = v]` means to check if the value of the location in the local store is equal to `v` and if so returns `v`. Reading a state stored at the location `l` by a capsule instance `id` causes a `read(id, l)` action in the execution trace of the program. To assign a value to a state in `STATE ASSIGN`, the notation `S[l := v]` means to replace the old value of the location `l` with its new value `v`, such that the rest of `S` stays intact. Similar to read, writing a state stored at the location `l` by capsule instance `id` causes a `write(id, l)` action.

A capsule can also create a reference, dereference it and assign to it in the rules `REF`, `DEREF` and `REF ASGN`. To create a new reference with a value `v` in `REF`, `fresh(l)` ensures that `l` is a fresh location which then is mapped to its value in the local store of the capsule. A fresh location is a location that does not belong to the local store of any other capsule instance in the program, as shown in Figure 5.15. By mapping the newly allocated location `l` to its value in the local store `S`, the rule `REF` makes the capsule instance `id` the owner of the location `l` as well. To dereference a location `l` in `DEREF`, its value is retrieved from the store `unless the value is equal to the unresolved future value ε`. Trying to dereference an unresolved future value causes the capsule instance to `block`. The capsule instance unblocks and can continue execution when the value of the future is resolved, i.e. is not equal to `ε` anymore. The blocking condition `v ≠ ε` in `DEREF` `synchronizes` access to unresolved future locations and does not allow concurrent access to them. To assign to a reference in `REF ASGN`, its value is simply updated in the local store of the capsule. Again, trying to assign to an unresolved future location causes the capsule instance to block. Evaluation rules `REF`, `DEREF` and `REF ASGN` perform their corresponding write, read and write actions, respectively.

A reference location manipulated by these rules resides in a capsule’s local store unless its ownership is transferred to another capsule via a procedure invocation. In other words, a capsule instance cannot access locations in other capsule instances if their ownership is not transferred to the capsule through procedure invocations.

---

3 Notation `S[l = v]` does not modify `S` whereas `S[l := v]` does.
A capsule instance can synchronously invoke a procedure of itself in (SELF INVOC). Invocation of a local procedure causes the body of the procedure to replace the procedure invocation after proper substitutions for its formal parameters \( \overline{x} \) and imported capsule instances \( \overline{j} \). The notation \( e[\overline{v}/\overline{x}] \) means to substitute formal parameters \( \overline{x} \) with their values \( \overline{v} \) in \( e \). Invocation of a local procedure of a capsule instance \( id \) causes a local action \( local(id) \).

In (FIFO DEQUEUE), after evaluation of the head of the queue in a capsule instance to a value \( v \), the next expression in the queue is moved to the head of the queue for evaluation, if the queue is not empty. Dequeue blocks until the queue of the capsule instance is not empty. Dequeueing a queue of a capsule instance causes a local action as well. Semantics of a let expression is standard.

### 3.4.4 Concurrent Asynchronous Global Semantics

The global evaluation relation \( \xleftarrow{\delta} \) denotes concurrent local evaluations of capsule instances of a Panini program as well as their asynchronous interactions through procedure invocations.

The rule (CONGRUENCE) plays the role of a preemptive scheduler that nondeterministically chooses a capsule instance \( id \) in the global configuration \( \mathcal{X} \) to take an atomic action at each point in time, according to the local semantic rules.

In (PROC INVOC), a capsule instance \( id \) asynchronously invokes the procedure \( p \) of a capsule instance with the name \( i \). The invoking capsule finds the identifier \( id' \) for the invoked capsule name \( i \) in its instance mapping \( I \), finds its corresponding configuration \( \Sigma' \) in the global configuration \( \mathcal{X} \) and retrieves the body \( e \) of its invoked procedure \( p \). It then replaces in \( e \) the formal parameters \( \overline{x} \) of \( p \) with their values \( \overline{v} \) and imports \( \overline{j} \) of its capsule type \( C' \) with their identifiers from instance mapping \( I' \), to arrive at \( e'' \). Then it wraps \( e'' \) in a resolve expression with a fresh future location \( l \) for returning the result of the invocation to its invoking capsule \( id \) and appends the resolve expression to the tail of the queue \( Q' \) of the invoked capsule instance \( id' \). The notation \( \mathcal{X} \uplus \langle P, id', e'.Q'.resolve(l, e'', id, p), S', R, [C'.F'], I' \rangle \) denotes overriding the configuration \( \langle P, id', e'.Q', S', [C'.F'], I' \rangle \) of the capsule instance \( id' \) in the global configuration \( \mathcal{X} \), where \( \uplus \) is an overriding union operation. A resolve expression \( resolve(l, e, id, p) \) is a sugar for \( let \ x = e \ in \ resolve(l, x, id, p) \) where \( x \) is free in \( e \). The auxiliary function \( dom \) returns the domain of a map like store.
Because of the asynchrony of the procedure invocation, in (PROC INVOC) the control immediately returns back to the invoking capsule id without waiting for the execution of the invoked procedure p. The future location l is now shared between the invoking and invoked capsule instances, marked in the invoking capsule instance id as an unresolved future location with its value ε. The invocation expression performs an invoke(id, id′, p, l) action.

The resolve expression ensures that the result of its evaluation is sent back to the invoking capsule instance when it is ready and is going to be accessible through the future location. In (RESOLVE), the invoked capsule instance id′ returns the result v of the evaluation of its expression e to the invoking capsule id and assigns the value to the future location l in its store, i.e. $S[l := v]$. The resolve expression performs a resolve(id′, id, p, l) action.

The rule (PROC INVOC) along with (FIFO DEQUEUE) enforce the first in first out (FIFO) evaluation order of expressions in the queue of a capsule where (PROC INVOC) appends to the tail of the queue and (FIFO DEQUEUE) dequeues from its head. A Panini program terminates normally when for each capsule instance id in the program configuration the expression at the head of the queue is evaluated to a value and the queue is empty, i.e. $⟨P, id, v, •, S, r, l⟩$.

To illustrate, consider the capsule Client, in Figure 3.3, and its asynchronous invocation of the procedure value of the capsule Counter, on line 4. Upon invocation of value on the capsule instance c its body, on lines 6 of Figure 3.2, is wrapped in a resolve expression and is appended to the tail of c’s queue. The control immediately returns to Client and the unresolved future NewVal is shared between the client and counter capsule instances as a placeholder for the invocation’s result. Any attempt to access NewVal in the client capsule, e.g. on line 7, blocks until c dequeues the resolve expression for invocation of value and executes it to resolve the future.

**Asynchronous invocation, blocking expressions and procedure execution order** Asynchronous invocations of capsule procedures and blocking access to unresolved future locations impose an order on executions of invoke procedures which may or may not be the same as in a synchronous setting. To illustrate, the procedure add, on line 5 of Figure 3.3, is invoked on the capsule instance c before value is invoked on the same instance, on line 6. This in turn means the body of add is appended to the queue of c and shows up before the body of value in the queue. Consequently, the invoked procedure add is executed before value because of the FIFO execution of the queue in c. This is true, even if either add
or value or both contain blocking expressions, e.g. trying to access an unresolved future, in their body because the execution of value in \( c \) does not start before the execution of add is finished.

```plaintext
capsule Client ( Counter c, Counter d ) { ..
void test ( Number y ) {
.. 
d.add( y );
newVal = c.value();
.. }
}
```

In contrast, consider invocations of procedures add and value on different capsule instances \( c \) and \( d \), in the above variation of Client, on lines 4–5. In this example, add and value procedures can execute in any arbitrary order because instances \( c \) and \( d \) run concurrently and can execute bodies of their invoked procedures add and value in any arbitrary order. This is true even with blocking expressions in the bodies of add or value procedures or both.

In other words, for asynchronous invocations of procedures of the same capsule instance, the rule (FIFO DEQUEUE) ensures that these procedures run in the same order they are invoked, even if they contain blocking expressions. This in turn guarantees that blocking does not disrupt modular reasoning using Kleene closures, because procedure invocations in a closure are on the same receiver instance.

### 3.4.5 Ownership Transfer Semantics

To control sharing, Panini’s global semantics uses dynamic transfer of ownership for parameters and the return value of a procedure invocation. Transferring the ownership of a location from one capsule to another removes that location and locations reachable from it, i.e. its reach (representation), from the local store of the former instance and adds them to the local store of the latter. This in turn guarantees that an invocation of a procedure does not cause sharing of its parameters and the result between the invoking and invoked capsule instances. Panini’s ownership transfer is similar to ownership transfer in Singularity [57], changing threads access sets in a multithreaded program [85] or inferred ownership transfer semantics in SOTER [118] for programs in the actor language ActorFoundry [14].

In (PROC INVOC), upon invocation of a capsule’s procedure the ownership of the actual parameters \( \forall \) of the procedure and their reach \( \text{reach}(\forall, S) \), in Figure 5.15, is transferred from the invoking capsule instance to the invoked capsule. The auxiliary function \( \ominus \), in Figure 5.15, removes locations from a
local store of a capsule instance whereas ⊕ adds locations to the local store of the capsule instance. For example, in the configuration \( \langle P, id, e[l], Q, S[l := e] \ominus R, [C.F], I \rangle \), locations R are removed from the local store S of the invoking capsule instance id and in \( \langle P, id', e', Q'.resolve(l, e'', id, p), S' \ominus R, [C'.F'], I' \rangle \) the locations R are added to the local store S' of the invoked capsule instance id'.

After transferring a location, ⊖ maps the value of a transferred location to \( \Box \). This in turn means that the capsule instance does not own the transferred location anymore and any attempt to access it results in an exceptional state.

A state of a capsule instance or its reach cannot be transferred to another capsule instance. The condition \( R \cap R' = \emptyset \) checks that there is no shared location among transferred locations and their reach R and the locations in the capsule’s state or its reach \( R' \).

In (Resolve), upon returning the result of an invocation, the ownership of the resolved future value, holding the result, and its reach in the local store of the invoked capsule instance are transferred to the invoking capsule instance. Similar to (Proc Invoc), the state of the invoked capsule instance cannot be transferred when returning the result of an invocation.

To illustrate, the ownership of the parameter y on line 5 of the procedure test in Figure 3.3 is transferred from the invoking instance of capsule Client to the invoked capsule instance c. The ownership of the future newVal on line 6 is transferred from invoked capsule instance c to the invoking capsule Client when the future is resolved and is ready.

3.4.6 Exceptional Semantics

A Panini program terminates abnormally, throwing an exception OWE, if a capsule instance attempts to access a location whose ownership is transferred or pass or return capsule states or their representations into/from global procedure invocations. Figure 3.9 shows Panini’s exceptional semantics.

In rules (X Deref) and (X Ref Asgn), attempting to dereference or assign to a location that is transferred out and is not owned by a capsule instance anymore results in throwing an ownership transfer exception OWE. A transferred location is marked with the value \( \Box \), by the transfer operation ⊖. In rules (X Proc Invoc) and (X Resolve), attempting to pass capsule states or any location in their reach as actual parameters or results of global procedure invocations, i.e. \( R \cap R' \neq \emptyset \), causes throwing the ownership exception and termination of the program. A Panini program terminates abnormally when a
configuration

K is the entry point to a Panini program. The rule (M instance recursively takes a Panini program and configurations. Figure 3.10 shows Panini’s initial configuration rules. The initial configuration phase system and is reported as a compile time warning rather than terminating the program at runtime.

of ownership transfer semantics is detected using a modular static analysis incorporated into its type terminating states. However, in the current prototype implementation of Panini’s compiler, a violation declaration it connects the declared capsule instances together.

capsule instance id in the program evaluates the head of its queue to OWE, i.e. ⟨P, id, OWE, Q, S, r, I⟩.

In Panini’s core semantics, for simplicity and without loss of generality, exceptions are final terminating states. However, in the current prototype implementation of Panini’s compiler, a violation of ownership transfer semantics is detected using a modular static analysis incorporated into its type system and is reported as a compile time warning rather than terminating the program at runtime.

3.4.7 Initial Configuration

Evaluation of a Panini program follows a phase which builds the program’s initial global and local configurations. Figure 3.10 shows Panini’s initial configuration rules. The initial configuration phase takes a Panini program and recursively processes design declarations of its capsules, such that for each capsule instance declaration in a design declaration it instantiates a capsule instance and for each wiring declaration it connects the declared capsule instances together.

The initial configuration phase starts with the rule (MAIN). The rule constructs a special capsule instance main of capsule Main with the identifier 0, i.e. Construct(Main main, 0). The capsule Main is the entry point to a Panini program. The rule (MAIN) sets the capsule instance main to the global configuration X₀ and calls functions instantiateRec and wireupRec, in rules (Instantiate Rec) and

Figure 3.8 Panini’s auxiliary functions.
For a capsule instance declaration \( C \ i \), declared in the enclosing capsule instance \( id \) and a global configuration \( \mathcal{K} \), the function \texttt{InstantiateRec}, defined in (\texttt{InstantiateRec}) instantiates a capsule configuration \( \Sigma' \) with the identifier \( id' \) and name \( i \), using \texttt{Instantiate}; changes the instance mapping \( I \) of its enclosing capsule instance to map the name \( i \) to its identifier \( id' \), i.e. \( I[i := id'] \) and adds \( \Sigma' \) to \( \mathcal{K} \) to create a new global configuration \( \mathcal{K}' \). To process the capsule instance declarations \( C' \ i' \) in newly created \( id' \), \texttt{InstantiateRec} is recursively called with the new global configuration \( \mathcal{K}' \).

For a wiring declaration \( i(\overline{j}) \) declared in the enclosing capsule instance \( id \) and the global configuration \( \mathcal{K} \), the function \texttt{WireupRec}, defined in (\texttt{WireupRec}), connects instances \( i \) and \( \overline{j} \), using \texttt{wireup}, to construct the new configuration \( \Sigma'_i \) for \( i \); replaces the old configuration \( \Sigma_i \) with its new configuration \( \Sigma'_i \) in \( \mathcal{K} \) to arrive at a new global configuration \( \mathcal{K}' \). To process the wiring declarations \( i'(\overline{j'}) \) for the newly wired capsule instance \( id_i \), \texttt{WireupRec} is recursively called with the identifier \( id_i \) and the new global configuration \( \mathcal{K}' \).

Function \texttt{Instantiate} defined in (\texttt{Instantiate}) simply instantiates the capsule configuration \( \Sigma \) for the capsule instance declaration \( C \ i \) in its enclosing capsule \( id \). Function \texttt{wireup} in (\texttt{Wireup}) connects capsule instances \( i \) and \( \overline{j} \) in their enclosing capsule \( id \).

To illustrate, consider the capsule \texttt{Main} in Figure 3.5. In this example, \texttt{Construct(Main main,0)}
(MAIN)

\[ \mathcal{X}_0 = \text{instantiate}(0, \text{Main main}) = \langle P, 0, \bullet, Q, S, [\text{Main,F}], I \rangle \]

\[ \text{capsule Main}() \{ \bar{T_j} : \text{design} \{ \bar{\text{ins}} \bar{\text{wire}} \} \bar{\text{proc}} \} \in CT \]

\[ \forall C i \in \bar{\text{ins}}. \quad \mathcal{X} = \text{instantiateRec}(\mathcal{X}_0, 0, C i) \quad \forall i(j) \in \bar{\text{wire}}. \quad \mathcal{X}' = \text{wireupRec}(\mathcal{X}, 0, i(j)) \]

\[ \text{construct}(\text{Main main}, 0) = \mathcal{X}' \]

(INSTANTIATION REC)

\[ \text{capsule C(\ldots) \{ \bar{T_j} \} \bar{\text{proc}} \} \in CT \quad \Sigma' = \langle P, i d', \bullet, Q', S', [C', F'], I' \rangle = \text{instantiate}(i d, C i) \quad \Sigma = \langle P, i d, \bullet, Q, S, [C, F], I \rangle \in \mathcal{X} \]

\[ \mathcal{X}' = \mathcal{X} \cup \{ P, i d, \bullet, Q, S, [C, F], I[i := id'] \} \cup \Sigma' \quad \forall C_i' \in \bar{\text{ins}}. \quad \mathcal{X}'' = \text{instantiateRec}(\mathcal{X}', i d, C_i') \]

\[ \text{instantiateRec}(\mathcal{X}', i d, C_i) = \mathcal{X}' \]

(WIRING REC)

\[ \Sigma = \langle P, i d, \bullet, Q, S, [C, F], I \rangle \in \mathcal{X} \quad i d_i = I(i) \quad \Sigma = \langle P, i d_i, \bullet, Q_i, S_i, [C_i, F_i], I_i \rangle \in \mathcal{X} \]

\[ \Sigma' = \text{wireup}(i d, i(j)) \quad \text{capsule C_i(\text{imp}) \{ \ldots \text{design} \{ \bar{\text{ins}} \bar{\text{wire}} \} \ldots \} \in CT \]

\[ \mathcal{X}' = \mathcal{X} \cup \Sigma_i' \quad \forall \bar{f}(j') \in \bar{\text{wire}}. \quad \mathcal{X}'' = \text{wireupRec}(\mathcal{X}', i d, \bar{f}(j)) \]

\[ \text{wireupRec}(\mathcal{X}', i d, \bar{f}(j)) = \mathcal{X}'' \]

(INSTANTIATION REC-BASE)

\[ \Sigma = \langle P, i d, \bullet, Q, S, [C, F], I \rangle \in \mathcal{X} \quad i d_i = I(i) \quad \Sigma = \langle P, i d_i, \bullet, Q_i, S_i, [C_i, F_i], I_i \rangle \in \mathcal{X} \]

\[ \Sigma_i' = \text{wireup}(i d, i(j)) \quad \text{capsule C_i(\text{imp}) \{ \ldots \text{design} \{ \bar{\text{ins}} \bar{\text{wire}} \} \ldots \} \in CT \]

\[ \mathcal{X}' = \mathcal{X} \cup \Sigma_i' \quad \text{wireupRec}(\mathcal{X}', i d, i(j)) = \mathcal{X}' \]

(INSTANTIATE)

\[ \text{fresh}(i d') \quad \text{capsule C(\ldots) \{ \bar{T_j} \} \bar{\text{design}} \{ \bar{\text{ins}} \bar{\text{wire}} \} \bar{\text{proc}} \} \in CT \quad F = \emptyset \quad S = \emptyset \]

\[ I = \emptyset \quad Q = \bullet \quad \forall (T f) \in \bar{T_j}. \quad \text{fresh}(i), F[f := I], S[I := (\cdot)] \quad \Sigma = \langle P, i d', \bullet, Q, S, [C, F], I \rangle \]

\[ \text{instantiate}(i d, C i) = \Sigma \]

(WIREUP)

\[ \Sigma = \langle P, i d, \bullet, Q, S, [C, F], I \rangle \in \mathcal{X} \quad i d_i = I(i) \quad \Sigma = \langle P, i d_i, \bullet, Q_i, S_i, [C_i, F_i], I_i \rangle \in \mathcal{X} \]

\[ \forall j \in \bar{\text{j}}. \quad i d_j = I(j), \langle P, i d_j, \bullet, Q_j, S_j, [C_j, F_j], I_j \rangle \in \mathcal{X} \quad \text{capsule C_j(\text{imp}) \{ \ldots \text{design} \{ \bar{\text{ins}} \bar{\text{wire}} \} \ldots \} \in CT \]

\[ \Sigma_j' = \langle P, i d_j, \bullet, Q_j, S_j, [C_j, F_j], \forall (D h) \in \bar{\text{imp}}, j \in \bar{\text{J}}. \quad I[h := i d_j] \rangle \]

\[ \text{wireup}(i d, i(j)) = \Sigma_j' \]

Figure 3.10 Rules to create initial configuration of Panini programs.

creates a capsule instance configuration for Main with the identifier 0; then it calls instantiateRec for the instantiation of capsule instances counter and client, declared on lines 3–4, followed by a call to wireupRec to connect the counter and client instances, as declared on line 5.

There is no sharing of memory locations among capsule instances in the initial configuration of a Panini program, as shown in Lemma 1.
Lemma 1 (No sharing of memory locations in initial configuration) Let $\Sigma = \langle P, id, \mathcal{E}[e].Q, S, r, I \rangle$ and $\Sigma' = \langle P, id', \mathcal{E}[e'].Q', S', r', I' \rangle$ be two arbitrary capsule instance configurations in the initial configuration $\mathcal{K}$ for a Panini program $P$ with global configuration $\mathcal{K}$, i.e., $\Sigma, \Sigma' \in \mathcal{K}$. Let $A = \text{dom}(S) \cap \text{dom}(S')$ be the intersection of domains of the stores $S$ and $S'$. Then $A = \emptyset$.

In other words, there is no sharing between local stores of capsule instances in the initial configuration of a program.

Proof: The proof is based on the cases of the initial configuration rules of Figure 3.10. The rule (INSTANTIATE) is the only rule allocating memory locations and mapping them in the stores of capsule instances. The rule only uses fresh locations for instantiation of each capsule instance and thus does not cause any sharing among capsule instances and thus their local stores.

3.4.8 Actions: Conflict and Happens-Before Relations

Evaluation of a Panini program, with its nondeterministic preemptive scheduler, results in a trace of interleaved actions of the types, shown in Figure 3.6, performed by different capsule instances of the program. However, as illustrated in Figures 3.1, 3.2 and 3.3, for a trace of a capsule’s procedure, interleaving actions of other capsule instances can be moved in the trace, such that they only appear right after the global procedure invocations in the trace, i.e., sparse interference. This is because of Panini’s conflicting and happens-before relations and the mover properties of its actions which in turn are affected by sharing semantics of Panini.

In the following, we define the execution trace of a Panini program, the conflict and happens-before relations and prove mover properties of its comprising actions using Lipton’s reduction theory [101]. Definitions 1-4 are adapted from previous work [175].

Definition 1 (Trace) An execution trace of a Panini program is a total order of actions $a$ performed by individual capsule instances in the program’s configuration when evaluating the program thorough local and global evaluation rules of Figure 3.7.

Definition 2 (Adjacent and neighbor actions) Two actions $a$ and $b$ in a trace $\mathcal{T}$ are adjacent if one follows immediately after the other. Two adjacent actions $a$ and $b$ are neighbors if they are performed by different capsule instances, i.e., $\text{instance}(a) \neq \text{instance}(b)$.
The auxiliary function instance returns the capsule identifier of an action.

**Definition 3 (Commuting and conflicting actions)** Let \( a_1 \) and \( a_2 \) be neighbor actions of capsule instances \( id_1 \) and \( id_2 \) in an execution trace \( H_0 \xrightarrow{a_1} H_1 \xrightarrow{a_2} H_2 \). Then actions \( a_1 \) and \( a_2 \) commute, written as \( a_1 \# a_2 \), if swapping them in the trace results in the same final state in the trace starting with the same start state, i.e. \( H_0 \xrightarrow{a_2} H_1' \xrightarrow{a_1} H_2 \). Otherwise, \( a_1 \) and \( a_2 \) conflict, written as \( a_1 \# a_2 \).

There are several conflicting actions in Panini considering its semantics: read or write of an unresolved future location conflicts with the resolution of the same future location and invoke action of a procedure of a capsule instance conflicts with another invoke action on the same capsule instance. A happens-before relation \( \succ \) [91] orders the conflicting actions. For example, in Panini resolution of a future location \( l \) by a capsule instance \( id \) must happen-before any reads (or writes) of the location by another capsule instance \( id' \), i.e. \( \text{resolve}(id, id', l, p) \succ \text{read}(id', l) \). Figure 3.11 shows Panini’s conflicting actions and their happens-before relations. The happens-before relation is a transitively closed partial order [177].

\[
\begin{align*}
\langle P, id', e[l = \varepsilon], Q, S \rangle & \in \mathcal{X} \\
\text{read}(id', l) & \# \text{resolve}(id, id', l, p) \\
\text{write}(id', l) & \# \text{resolve}(id, id', l, p) \\
\text{invoke}(id_1, id, p, l) & \# \text{invoke}(id_2, id', p', l') \\
\text{resolve}(id, id', l, p) & \succ \text{read}(id', l) \\
\text{resolve}(id, id', l, p) & \succ \text{write}(id', l)
\end{align*}
\]

Figure 3.11  Conflicting actions and their happens-before \( \succ \) relations.

**Definition 4 (Right, left, both and non-mover actions)** Let \( a_1 \) and \( a_2 \) be neighbor actions of capsule instances \( id_1 \) and \( id_2 \) in an arbitrary execution trace \( H_0 \xrightarrow{a_1} H_1 \xrightarrow{a_2} H_2 \).

Then \( a_1 \) is a right mover if swapping \( a_1 \) with \( a_2 \) in the trace results in the same final state in the trace beginning with the same start state, i.e. \( H_0 \xrightarrow{a_2} H_1' \xrightarrow{a_1} H_2 \). Conversely, \( a_2 \) is a left mover if swapping it with \( a_1 \) results in the same final state. An action that can be swapped with its both left and right neighbor actions in any trace is a both mover. Conversely, an action that cannot be swapped with neither its left nor right neighbors is a non-mover.
Panini’s semantics determines mover properties of its actions. Lemma 2 specifies mover properties of Panini’s actions.

**Lemma 2 (Panini action’s mover properties)** Let $T$ be the execution trace of an arbitrary Panini program $P$.

Then, in trace $T$ read and write actions $\text{read}(id, l)$ and $\text{write}(id, l)$ of a capsule instance $id$ of a memory location $l$ are right movers; a global invocation action $\text{invoke}(id, id', p, l)$ of a procedure $p$ from the invoking capsule $id$ to the invoked capsule $id'$ and result $l$ is a non-mover; and a resolve action $\text{resolve}(id, id', p, l)$ for this global invocation is a left mover.

**Proof:** The proof is based on happens-before relations of Panini’s actions in Figure 3.11. The resolution of a future location must happen before any read or write of the location and thus in a trace of a program, a read action $\text{read}(id, l)$ of future location $l$ cannot be swapped with a left neighbor action $\text{resolve}(id', id, l, _)\,$ resolving the same location. Thus, a read action is a right mover. The same applies to an action writing a future location. Similarly, a resolve action is a left mover. Swapping an invoke action $\text{invoke}(id', id, _, _)\,$ invoking a procedure of capsule $id$ with another left or right neighbor invoke action $\text{invoke}(id'', id, _, _)\,$ on the same capsule $id$ results in different program states especially different queues for the capsule instance $id$. Thus an invoke action is a non-mover. The notation _ denotes irrelevant values in actions.

Let $a$ be an action with left and right neighbors $a_l$ and $a_r$ respectively in the subtrace $a_l \rightarrow a \rightarrow a_r$. We replace $a$ with read, write, invoke and resolve actions of a capsule instance $id$ to show their mover properties in an arbitrary trace with arbitrary left and right neighbor actions from other capsules.

In a subtrace $a_l \leftrightarrow \text{read}(id, l) \leftrightarrow a_r$, the read action of a location $l$ conflicts with a left neighbor $\text{resolve}(id, id', p, l)$ action of the same location. This is because swapping the read action with its left neighbor allows reading a future location even before it is resolved. However, Panini’s happens-before relations, in Figure 3.11, does not allow this by ensuring that a future location is resolved before it is read or otherwise it blocks, i.e. $\text{resolve}(id, id', p, l) \triangleright \text{read}(id, l)$. This in turn means the read action cannot be a left mover. Since resolving of a future location must happen before its read, a resolve action $\text{resolve}(id, id', p, l)$ cannot be right neighbor to the read action $\text{read}(id, l)$ and thus the read action can be safely swapped with any of its right neighbors, i.e. the read action is a right mover. The same argument
applies to a write action \textit{write}(id, l) and thus a write action is a right mover too.

Similarly, a resolve action \textit{resolve}(id, id', p, l) in a subtrace $a_t \leftarrow \text{resolve}(id, id', p, l) \leftrightarrow a_r$ only conflicts with read and write actions from and to the same location $l$, i.e. \textit{read}(id, l) and \textit{write}(id, l). Again, based on Panini’s happens-before relation a read or write of a future location happens only after the future is resolved and thus the read and write actions of a future location cannot be left neighbors to their resolve actions. This in turn means that the resolve action is a left mover and not a right mover.

An invoke action \textit{invoke}(id, id', p, l) only conflicts with another invoke action if they both invoke procedures on the same capsule instance $id'$, since they both modify the queue of the capsule $id'$. In a subtrace $a_t \leftarrow \text{invoke}(id, id', p, l) \leftrightarrow a_r$ the invocation action cannot be safely swapped with neither its left nor its right neighbors and thus is a non-mover. This is because they neighbors could be invocation actions on the same capsule instance $id'$.

It is worth to note that local actions as well as read and write of non future locations are both movers.

Finally, in (X \textit{DEREF}) and (X \textit{REF ASGN}), trying to dereference or assign to a transferred location not owned by the capsule instance anymore, causes the program to throw an ownership transfer exception \textit{OWE} and terminate. In (X \textit{PROC INVOC}) and (X \textit{RESOLVE}), the program terminates by throwing an ownership transfer exception upon any attempts to leak the states of an instance or its reach by passing them or returning them from a global procedure invocation.

### 3.4.9 Sharing of Capsule Instances and Futures

Panini limits sharing among two capsules to their imported capsule instances and unresolved futures of their procedure invocations.

```java
 capsule Main() {
    design {
        Counter counter;
        Client client1, client2;
        client1 (counter);
        client2 (counter);
    } ..
}
```

Figure 3.12 Sharing counter among client1 and client2.

Panini’s semantics allows an imported capsule instance to be freely shared among other instances
as specified in a design declaration of their enclosing capsule. For example, in the design declaration of Figure 3.12, counter is shared among two client instances $\texttt{client1}$ and $\texttt{client2}$, on lines 5–6.

Panini’s semantics limits sharing of memory locations to unresolved future locations, as shown by Lemma 3. A future location, which is a placeholder for the result of an asynchronous procedure invocation, is shared among its invoking and invoked capsule instances as long as it is unresolved and accesses to it are synchronized. That is, any attempt to access an unresolved future location in the invoking capsule instance blocks until the future is ready.

Let $\lor$ denote an exclusive logical disjunction, in which at most one of the disjunct predicates can be true. Let $\text{dom}_\square(S)$ be the domain of the stores $S$ minus its transferred locations with the value $\square$.

**Lemma 3** *(Sharing of unresolved future locations)* Let $\Sigma = \langle P, id, e[e], Q, S, r, I \rangle$ and $\Sigma' = \langle P, id', e'[e'], Q', S', r', I' \rangle$ be two arbitrary capsule instance configurations in a global configuration $\mathcal{K}$ for a Panini program $P$, i.e. $\Sigma, \Sigma' \in \mathcal{K}$. Let $T$ be the execution trace of the program $P$. Let $A = \text{dom}_\square(S) \cap \text{dom}_\square(S')$ be the intersection of domains of the stores $S$ and $S'$ minus their transferred locations. Let action $a$ and $a'$ be any of the read and write actions of a location $l$ in $A$ in the trace $T$ by capsule instances $id$ and $id'$, respectively.

Then either $A = \emptyset$ or:

1. $\forall l \in A. \ S[l = \varepsilon] \lor S'[l = \varepsilon]$; and

2. $\forall l \in A, a \in \{\text{read}(id, l), \text{write}(id, l)\}, a' \in \{\text{read}(id', l), \text{write}(id', l)\}. \ a \triangleright a' \lor a' \triangleright a$.

In other words, (i) the only memory locations that local stores $S$ and $S'$ may share are unresolved future locations with (ii) synchronized accesses (reads and writes), i.e. with happens-before relation between their reads and writes.

Transferred locations with values $\square$ are irrelevant and thus taken out in $\text{dom}_\square$ of local stores, because any attempt to access them terminates the program.

**Proof:** The proof is by cases on Panini’s normal and exceptional semantics rules in figures 3.7 and 3.9, happens-before relations in Figure 3.11 and Lemma 1. Initial configuration does not cause any sharing of memory location among capsule instances; dynamic transfer of ownership of locations among capsule instances in Panini’s dynamic semantics, and especially $(\text{PROC INVOC})$ and $(\text{RESOLVE})$,
limits sharing of locations among capsules to only unresolved future locations; and rules (Deref) and
(Ref Asgn) synchronize access to these shared future locations by enforcing that resolving of a future
location in one capsule instance must happen-before any of its reads or writes in other capsule instances.

**Initial configuration** Using Lemma 1 there is no shared location among capsule instances in the
initial configuration, i.e. $A = \emptyset$, and thus the lemma holds.

**Dynamic semantics** Rules (Proc Invoc) and (Resolve) transfer ownership of memory locations
among local stores of the invoking and invoked capsule instances. For each procedure invocation, these
rules share a fresh future location among the invoking and invoked capsule instances and set the value
of the shared location in the local store of the invoking instance to $\varepsilon$. However, the condition $R \cap R' =
\emptyset$ in these two rules prevents them to share other memory locations, upon transferring ownership of
parameters of the procedure invocation or returning its result.

The rule (Ref) allocates a fresh location in the local store of a capsule instance and thus does not
cause any sharing.

The rules (Deref) and (Ref Asgn) block when attempting to read or write an unresolved future
location with the value $\varepsilon$. This means for an unresolved future location $l$ with value $\varepsilon$ in the capsule
instance $\Sigma$, its read action $a = \text{read}(id, l)$ does not unblock unless the value of the future location is
resolved by the capsule instance $\Sigma$; any write action $a' = \text{write}(id', l)$ of the location $l$ by the capsule
instance $id$ should happen before the location is resolved, because of ownership transfer after resolve.
That is, $a' \triangleright \text{resolve}(id', id, l, _) \triangleright a$ which in turn means $a' \triangleright a$ because of the transitivity of the happens-
before relation [177]. In other words, there is a happens-before relation between $a$ and $a'$ and thus they
are synchronized. The same applies to other combination of $a$ and $a'$ actions in (ii) in the lemma. Other
rules in Panini’s normal and exceptional dynamic semantics do not cause any transfer of ownership or
memory allocation.

### 3.5 Sparse and Cognizant Interference

Panini guarantees sparse interference by limiting sharing among two capsules to other capsule in-
stances and unresolved futures and guarantees cognizant interference by limiting accessibility of states
of a capsule instance to only through its procedures and dispatching a procedure invocation on the static
type of its receiver capsule. In this section we formalize and provide proof sketches of Panini’s sparse and cognizant interferences.

3.5.1 Sparse Interference

Theorem 5 formalizes Panini’s sparse interference property which limits the interference points of a program to points after its global procedure invocations.

**Theorem 5 (Sparse interference in Panini)** Let $P$ be a program in Panini. Let $I$ be a set of labels after global capsule invocations and after procedure bodies in $P$, i.e. $I = \{ \alpha | \alpha \in \text{labels}(P), i.p(\bar{x})^\alpha \in P \vee T \ p(\text{form}) \{ e^\alpha \} \in P \}$ where the auxiliary function labels is defined in Figure 5.15. Then $I$ is the set of all potential interference points for $P$.

**Proof:** The proof is based on Lemma 2 where in a trace of a capsule’s procedure, interfering actions of other capsule instances can be safely moved to either after the global procedure invocation actions in the trace or to the beginning or end of the execution of the trace. The interference at the beginning of the trace of a procedure can be safely moved out to the trace of its invoking procedure, either to the end of the invoking procedure’s trace or after one of its global procedure invocations.

Let $\text{read}(id), \text{write}(id), \text{invoke}(id)$ and $\text{resolve}(id)$ stand as shorter versions of $\text{read}(id,\_), \text{write}(id,\_), \text{invoke}(id,\_,\_,\_)$ and $\text{resolve}(id,\_,\_,\_)$ of capsule instance $id$ where $\_$ denotes irrelevant values that do not matter to the discussion.

Let $T_{id,p}$ denote a subtrace corresponding to execution of procedure $p$ of capsule instance $id$. $T_{id,p}$ starts with the first action of the procedure, $a_s$, and ends with the resolve action $\text{resolve}(id)$ of the procedure, with actions of procedures of other capsule instances interleaving. Furthermore, lets partition $T_{id,p}$ to smaller subtraces $T_{sub}$ such that actions $\text{invoke}(id), \text{resolve}(id)$ and $a_s$ only end up at the beginning or end of the subtrace. Subtraces $T_{sub}$ do not overlap and their concatenation results in $T_{id,p}$. A subtrace $T_{sub}$ has one of the following four shapes: (1) it starts and ends with invoke actions $\text{invoke}(id)$ with zero or more read and write actions of $id$, i.e. $\text{read}(id)$ or $\text{write}(id)$ in between (2) it starts with $a_s$ and ends with an invoke action $\text{invoke}(id)$ with read and write actions of $id$ in between; (3) it start with an $\text{invoke}(id)$ and ends in $\text{resolve}(id)$ with read and write actions of $id$ in between; or (4) it start with $a_s$
and end with resolve(id) with read and write actions of id in between. In any of these subtraces, actions of other capsules are interleaving.

In a subtrace $T_{sub}$ of form (1), using Lemma 2 any read and write actions read(id) and write(id) can be right swapped such that they form a transaction with the invoke action at the end of the subtrace. A transaction is a sequence of actions of a capsule instance that behaves as if executed sequentially with no interference. This in turn means, all neighboring actions of other capsule instances in $T_{sub}$ move to after the invoke action at the start of the subtrace. In a subtrace of form (2), right swapping read and write actions read(id) and write(id) causes them to form a transaction with the invoke action at the end of the subtrace. Consequently, all neighboring actions in this subtrace moves to before the $a_s$ action, i.e. before the execution of the body of the procedure $p$. In a subtrace of form (3) right swapping of read(id) and write(id) causes them to form a transaction with read(id) and thus all neighboring actions of other capsules move to after the invoke at the beginning of the subtrace. Finally in a subtrace of form (4), right swap of read(id) and write(id) causes the whole subtrace to form a transaction and all neighboring actions move to before the execution of the procedure $p$. In other words, all the neighboring actions interleaving with actions of procedure $p$ of capsule instance id can be moved to either before the execution of the procedure or to after invocation actions invoke(id) of the procedure. The interference at the beginning of the trace of the procedure $p$ can be safely moved out to the trace of its invoking procedure, either to the end of the invoking procedure’s trace or after one of its global procedure invocations. This argument could be repeated for execution of all procedure bodies in the trace $\mathcal{T}$ of a Panini program $P$.

### 3.5.2 Cognizant Interference

Theorem 6 formalizes Panini’s cognizant interference property which limits the interfering behavior at each global invocation interference point to Kleene closure of behaviors of procedures in the static type of the invocation’s receiver.

**Theorem 6 (Cognizant interference in Panini)**

Let $\Sigma = \langle P, id, \varepsilon[i.p_k(\bar{\tau})^\alpha; e], Q, S, r, I \rangle$ be the configuration for capsule instance id in a global configuration $\mathcal{K}$, such that the capsule is about to evaluate the sequence expression $i.p_k(\bar{\tau})^\alpha; e$ at the head
of its queue with a single interference point \( \alpha \), i.e., there is no other interference in other expressions \( e \) and \( e' \) in the sequence. Let \( \Sigma' = \langle P, id', e'[e'], Q' . resolve(l, e'_k, id, p_k), S', [C'.F'], I' \rangle \in \mathcal{K}' \) be the capsule configuration for capsule name \( i \) right at the interference point \( \alpha \), i.e., right after execution of invocation \( i.p_k(e) \) in \( \Sigma \). Let \( C' \) be the static capsule type for \( i \) with declared procedures \( p_1 .. p_n \), i.e.

\[
\{ \text{design state } T_1 p_1(\ldots)\{e_1\} .. T_k p_k(\ldots)\{e_k\} .. T_n p_n(\ldots)\{e_n\} \} \in CT.
\]

Also let \( e'_1,..,e'_n \) be bodies of procedure \( p_1,..,p_n \) with their formal parameters substituted with their values from their invocation sites and their local capsule names substituted with their identifiers from instance mappings \( I' \). Also let \( \theta \) be the interfering behavior of other capsule instances in the program at the interference point \( \alpha \).

Then, \( \theta \) is the Kleene closure of behaviors of procedures of the capsule \( id' \), i.e. \( \theta = \{e'_1,..,e'_n\}^* \).

**Proof:** The proof is by cases on local and global evaluation rules in Figure 3.7 and that Panini limits sharing of memory locations to unresolved future locations with synchronized access, in Lemma 3, and limits accessibility of the state of a capsule instance to only through global invocation of its procedures, in Lemma 4.

Let \( \text{resolve}(e'_1) \) stand as abbreviation for \( \text{resolve}(_, e'_1, _, _) \) in which _ denotes irrelevant values. Capsule instances \( id' \) and \( id \) are shared among other capsule instances in the global configuration \( \mathcal{K}' \) and thus could be susceptible to interference. Using Lemma 4, the state of \( id' \) can only be accessed and modified through invocation of its procedures.

Case analysis for dynamic semantic rules:

(PROC INVOC): at the interference point \( \alpha \), Panini’s global procedure invocation along with preemptive and nondeterministic scheduler in (CONGRUENCE) allows any arbitrary number (zero or more) of procedures of \( id' \) to be invoked and their bodies, with their formal parameters substituted with their values and self substituted with \( id' \), to be appended to its queue \( Q' \). Consequently the queue of \( id' \) will be of the form \( e'[e].Q' . resolve(l, e'_k, id).\{\text{resolve}(e'_1),..,\text{resolve}(e'_n)\}^* \), in which zero or more bodies of the invoked procedures are appended to the end of the queue.

(FIFO DEQUEUE): at the interference point \( \alpha \), Panini’s dequeue rule (FIFO DEQUEUE) along with the scheduler (CONGRUENCE) allow an arbitrary number of resolve expressions of procedure bodies to be dequeued from \( Q' \) and evaluated.
(OTHER): the global rule (Resolve) or other local rules (STATE READ), (STATE ASSIGN), (REF),
(DEREF), (REF ASGN), (LET BINDING) and (SELF INVOC), do not cause any invocation of procedures of
the capsule id' and thus are irrelevant to interfering behavior at \( \alpha \).

For the capsule instance id, using Lemma 4, its state can only be accessed and modified through
invocation of its procedures. At interference point \( \alpha \), any invocation of procedures of id using (PROC INVOC)
is appended to the end of its queue \( Q \) for later dequeuing using (FIFO DEQUEUE) and local sequential
execution and thus does not interfere at \( \alpha \). Other dynamic semantic rules do not invoke any procedure
on id and thus do not interfere at \( \alpha \).

Thus, according to the aforementioned case analysis of the dynamic semantics rules, the interfering
behavior of other capsule instances at the interference point \( \alpha \) is
\[
\theta = \{ e'_1, \ldots, e'_n \}^*.
\]

Lemma 4 (Global accessibility through procedures) Let \( \Sigma = \langle P, id, \mathcal{E}[e], Q, S, [C,F], I \rangle \) and
\( \Sigma' = \langle P, id', \mathcal{E}'[e'], Q', S', [C',F'], I' \rangle \) be arbitrary capsule instance configurations in a global configuration \( \mathcal{K} \), i.e. \( \Sigma, \Sigma' \in \mathcal{K} \). Let C be the static capsule type of id with states \( \overline{f} \) and procedures \( p_1 \ldots p_n \), i.e.
capsule \( C(\ldots) \{ \text{design } T \} \) \( U_1 p_1(\ldots)\{e_1\} \ldots U_n p_n(\ldots)\{e_n\} \} \in P. \)

Then during evaluation of program P, the capsule instance id' can access (read and write) states \( \overline{f} \)
of the instance id only through its procedures \( p_1 \ldots p_n \), and not directly through memory locations.

Proof: The proof follows from Lemma 3 that guarantees the only shared locations among capsules
are unresolved future locations and the rules (PROC INVOC) and (RESOLVE) in Figure 3.7 that prevent
transfer of ownership of states of a capsule or its reach during procedure invocations and resolving of
their results.

Using Lemma 3, there is no shared location among local stores S and S' of capsule instances, except
future locations for returning the result of procedure invocations among capsules.

Let l be a shared future location among capsules id and id' when id' invokes a procedure of id. The
future location cannot be used to modify the state of id because, upon the invocation the rule
(PROC INVOC) guarantees that the future location is fresh and thus does not point to any state of id;
during the execution of the procedure body, the rules (DEREF) and (REF ASGN) ensure that any attempts
to access the location in id blocks until the future is resolved; and after the future location is resolved,
(RESOLVE) ensures that the resolved future does not point to any state of id or its reachable locations.
3.6 Hoare-style Modular Reasoning

Standard Hoare logic [77] does not take interference into account and cannot be used right out of the box to reason about concurrent programs [68, 148]. Panini’s sparse and cognizant interference enable use of Hoare logic in the presence of interference by making interference points of a Panini program and their interfering behaviors statically known.

In Panini’s Hoare logic, the only rule that needs to take into account interference is the rule for global procedure invocations, because sparse interference limits interference points to after global procedure invocations. Other rules can be used as if they are interference-free. To take interference into account it is sufficient to consider the interfering behavior at each interference point [68].

To illustrate, consider the Hoare triple \{Pre\} i.p(\overline{v}) \{Post\} which says that if the execution of the global procedure invocation i.p(\overline{v}) starts in a state satisfying the predicate Pre and procedure p of the capsule instance i executes and terminates, it terminates in a state satisfying the predicate Post. To take into account the interference, the triple becomes \{Pre\} i.p(\overline{v})^\alpha \{Post\} in which \alpha is an interference point. The new triple says if the execution of the procedure p of the capsule instance i starts in a state satisfying Pre and is interfered with by execution of some interfering tasks at \alpha, if execution of p terminates, it terminates in a state satisfying the predicate Post.

**Pure predicates** In Hoare logic, predicates Pre and Post must be side effect free and if they invoke a procedures the procedures must be pure. A procedure is pure if it does not change the state of its program. In Panini the state of a program not only includes local stores of its capsule instances but also their queues. That is, a Panini procedure is pure if it does not change stores or queues of capsule instances in the program, including itself. To meet such a requirement a pure procedure in a capsule instance can only read states or invoke other pure procedures of its enclosing capsule instance via self. Predicates Pre and Post can only invoke pure procedures of their enclosing capsule instance and cannot invoke pure procedures of other capsule instances. This is because invocation of a pure procedure of another capsule instance adds the invoked procedure to the queue of invoked capsule instance and changes the state of the system, i.e. the predicate is not pure.

**Interference-free predicates** In a Hoare triple \{Pre\} e \{Post\} in a capsule instance in Panini, predicates Pre and Post are free from interference. This is because, these pure predicates only read
states of their enclosing capsule instance and invoke only its pure procedures. Corresponding actions for reading states and invocation of self procedures are both movers and thus any interference in predicates can be moved out, as if it appears to happen before evaluation of Pre or after the evaluation of Post.

```plaintext
capsule Client ( Counter c ) {
Number newVal, oldVal;
//@ requires y.value() >= 0
//@ ensures newVal >= oldVal
void test ( Number y ) {
    oldVal = c.value();
    c.add( y );
    newVal = c.value();
}
capsule Counter {
    Number x;
//@ requires y.value() >= 0
//@ ensures self.value() >= \old( self .value()) ;
void add( Number y ) { .. }//@ pure
Number value() { .. }
}
```

Figure 3.13 Static verification of the behavioral contract of test.

**Behavioral contracts** In Panini, a behavioral contract for a procedure specifies the precondition and postcondition of a procedure. Figure 3.13 illustrates the contracts for procedure test of capsule Client with its pre and postconditions, on lines 3–4. The contract says if the execution of the procedure test starts in a state satisfying the precondition \( y.value() \geq 0 \) and its execution terminates, it terminates in a state satisfying the postcondition \( \text{newVal} \geq \text{oldVal} \). Similarly, the contract for procedure add of capsule Counter, on lines 13–14, says it only increases the value of the counter provided that the parameter \( y \) is a positive number. Finally, the contract for value, on line 16, says it is a pure procedure and does not change the state of its enclosing capsule or any other capsule in the program. The precondition and postcondition of a behavioral contract are free from interference.

**Modular reasoning** Hoare-style reasoning can be used to statically verify the contract of procedure test. To illustrate, consider static verification of the method test in the capsule Client. The Hoare triple
representing such verification looks like the following:

\[ \Gamma \models \{ y.\text{value()} \geq 0 \} \]

\[
\begin{align*}
  &\texttt{self.oldVal} = \texttt{c.value();} \\
  &\texttt{c.add(y)} \\
  &\texttt{self.newVal} = \texttt{c.value();} \\
  &\{ \texttt{self.newVal} \geq \texttt{self.oldVal} \}
\end{align*}
\]

The notation \( \Gamma \models \{ \text{Pre} \} e \{ \text{Post} \} \) denotes that the Hoare triple \( \{ \text{Pre} \} e \{ \text{Post} \} \) is valid in the typing environment \( \Gamma \).

Following Panini’s sparse interference, interferences only happen after global procedure invocations. Thus, the Hoare triple becomes like the following to take into account the interference, with \( \alpha \) denoting the interference points:

\[ \Gamma \models \{ y.\text{value()} \geq 0 \} \]

\[
\begin{align*}
  &\texttt{self.oldVal} = \texttt{c.value()}^\alpha; \\
  &\texttt{c.add(y)}^\alpha; \\
  &\texttt{self.newVal} = \texttt{c.value()}^\alpha; \\
  &\{ \texttt{self.newVal} \geq \texttt{self.oldVal} \}
\end{align*}
\]

Following Panini’s cognizant interference, the interfering behavior at the interference points in the above Hoare triple is \( \theta = \{ \texttt{c.value()}, \texttt{c.add(\_)} \}^* \), i.e. the Kleene closure of procedure of the static capsule type \texttt{Counter} for the receiver c of the global procedure invocations:

\[ \Gamma \models \{ y.\text{value()} \geq 0 \} \]

\[
\begin{align*}
  &\texttt{self.oldVal} = \texttt{c.value()}; \{ \texttt{c.value()}, \texttt{c.add(\_)} \}^*; \\
  &\texttt{c.add(y)}; \{ \texttt{c.value()}, \texttt{c.add(\_)} \}^*; \\
  &\texttt{self.newVal} = \texttt{c.value();} \{ \texttt{c.value()}, \texttt{c.add(\_)} \}^*; \\
  &\{ \texttt{self.newVal} \geq \texttt{self.oldVal} \}
\end{align*}
\]

The above triple could be easily verified assuming \( \texttt{c.value()} \) is pure and \( \texttt{c.add(\_)} \) only increases the counter, according to their contracts. This is because the closure \( \{ \texttt{c.value()}, \texttt{c.add(\_)} \}^* \) either maintains the value of the counter \( c \) or increases it, which in turn means \( \texttt{self.newVal} \geq \texttt{self.oldVal} \).

Such reasoning is modular because it only uses the implementation of \texttt{Client} and the interface (contract)
of procedures of the capsule Counter it refers to. The notation _ stands for the parameter of the procedure add. The exact value of this parameter is not statically known, however, using the precondition of add, on line 13, we know it is a positive number.

Without sparse and cognizant interference, one must consider the possibility of interferences with unknown behaviors between any two instructions of a program and its contracts [148].

Adding a procedure, say subtract, to the capsule Counter, in Figure 3.13, which decreases the counter changes the interference behaviors to the Kleene closure \{value(), add(_), subtract(_)\}*. Using this closure, one cannot verify the postcondition of the procedure add anymore. However, this is not a limitation and is not specific to Panini. A similar situation happens in other reasoning techniques including rely-guarantee [67, 87], Owicki-Gries work [129], etc.

Similar to sequential reasoning, completeness of our reasoning is proportional to completeness of procedure specifications. That is, using incomplete specifications we can still reason about whatever specifications specify. For example, using the contract of add in Figure 3.13 we can reason about values of a counter, however, we cannot reason about other values which are part of its state but not mentioned in the contract.

### 3.7 Static Semantics

Panini’s type system distinguishes between two kinds of types: variable types and capsule types. Unlike variable types that can subtype each other, capsule types cannot. This in turn, allows the exact type of the receiver of a global capsule invocation to be statically known. The type system also ensures that capsule instances cannot be passed as parameters or returned as return values of procedure invocations by requiring procedure parameters and return values to be of variable types.

#### 3.7.1 Type Attributes

Panini’s typing rules use type attributes of Figure 5.12. In this figure variable types are unit and reference types and capsule types are capsule names declared in a Panini program P.

The typing judgment \(\Gamma, \Pi \vdash e : \theta\) says that for a program P in the typing environment \(\Gamma\) and store typing environment \(\Pi\), the expression \(e\) has the type \(\theta\). The typing environment \(\Gamma\) maps variable names
to variable types $T$ and capsule names to capsule types $C$ and the store typing environment $\Pi$ maps locations to their variable types.

$$\theta ::= \text{type attributes}$$

$$\begin{align*}
T ::= & \text{variable types} \\
C ::= & \text{capsule types} \\
\text{unit} & \text{unit types} \\
\text{int} & \text{int types} \\
\text{ref}(T) & \text{reference types}
\end{align*}$$

$$\Gamma ::= \{ x_k : T_k, i_k : C_k \} \text{ variable typing environment}$$

$$\Pi ::= \{ l_k : T_k \} \text{ store typing environment}$$

$$\Gamma, \Pi \vdash e : \theta \text{ typing judgement}$$

$k \in \mathbb{N}$ set of natural numbers

Figure 3.14 Type attributes

The notation $P \vdash \theta$ in Panini’s typing rules denotes that $\theta$ is a well-formed variable or capsule type and the notation $\vdash_C$ denotes well-typedness in the context of the declaration of a capsule type $C$.

### 3.7.2 Typing Rules

Figure 3.15 shows Panini’s select typing rules. (T-CAPSULE DECL) type checks a capsule declaration. It ensures that the declarations of the capsule’s imports, design, states and procedures are well typed. An import declaration is well typed if its imported names are of valid capsule types, i.e. $P \vdash D$. A well typed design declaration has well typed instance and wiring declarations. Similar to import declarations, an instance declaration is well typed if its declared name is of valid capsule type, i.e. $P \vdash G$. A state declaration is well typed if it declares a state name of a variable type, i.e. $P \vdash T$. This is because capsule instances cannot be part of state of other capsule instances. Wiring and procedure declarations should type check in the context of imported and locally declared capsule instances in the design declaration.

(T-PROC DECL) type checks a procedure declaration in the context of a capsule type $C$. It ensures that capsule instances cannot be declared as formal parameters or the return value of a procedure, by requiring them to be of variable types. This in turn prevents capsule instances to be passed to or returned
Figure 3.15 Panini’s select typing rules.

from procedure invocations in (T-PROC INVOC). The rule also checks that the type of the body e of the procedure is the same as its return type. Subtyping can be easily added using the subsumption rule (T-SUBSUME) if needed.

(T-PROC INVOC) type checks a global procedure invocation. It ensures that the receiver i of the invocation is of capsule type C and its actual parameters and return value are of variable types. It also checks that the receiver’s capsule type contains the invoked method p and the actual and formal parameters of the procedures have the same type. \(\Gamma(i)\) returns the type of a capsule name i in the typing environment \(\Gamma\). Type checking of local procedure invocations in (T-Self INVOC) is similar.
(T-WIRING DECL) type checks a wiring declaration by ensuring that types of capsule names passed to a wiring declaration are the same as capsule types declared in the import declaration of capsule type C. This is because capsule types do not subtype each other.

(T-RESOLVE) type checks a resolve expression. It ensures that the variable type of the expression $e$ is of the same variable type of the location that is going to hold the value of $e$. $\Pi(l)$ returns the variable type of the location $l$ in the typing environment $\Pi$.

(T-$\epsilon$) and (T-$\Box$) type check unresolved future value $\epsilon$ and $\square$ value of transferred locations, respectively. These two values can have any arbitrary variable type $T$. (T-REF) type checks a reference creation expression. It ensures that capsule names cannot be stored in the store, by requiring $e$ to be of a variable type. The same is true in (T-REF ASGN).

**Soundness** Proof of Panini’s type soundness follows standard progress and preservation arguments and thus is omitted.

### 3.8 Discussion

**Expressiveness, usability, scalability and concurrency granularity** Panini [137, 138] has been implemented [100] and tried out [100, 105] tried out on hundreds of thousands of lines of code of concurrent programs including translations of JavaGrande, NPB and StreamIt benchmarks and actor programs from Basset, Habanero and Jetlang covering a variety of patterns including master/worker, pipeline, event based coordination, loop parallelism. Previous work shows that Panini programs usually perform as well as their corresponding multithreaded programs [100, 138]. These experiences have not run into any issues with granularity of capsules or Panini’s ownership model. We will not report on these experience as this chapter focuses on the formalization of Panini’s semantics, interference model and modular reasoning.

**Closure analysis** Analysis of a Kleene closure can grow with the number of procedures in a capsule. However, Panini’s cognizant interference is still a significant improvement over oblivious interference in which interfering behavior is completely unknown. Closure analysis could be further improved for example by eliminating pure procedures from closures or use of procedure invocation protocols to eliminate invalid invocation sequences and similar directions which are part of our future work plans.
Also, we conjecture that number of a capsule’s procedures on average will be on par with average number of methods in a class, which is not a large number. For all Java projects in SourceForge as of Sep 2013, this average is about 8 methods, as obtained using Boa [51, 52, 55, 143].

3.9 Related Work

Actors and active objects This chapter builds on the actor model [6]. Some variants of the actor model, such as Erlang [172], guarantee confinement, i.e. no shared locations among actors, and use a single thread of execution per actor. Actors of this variant address the pervasive interference via their macro-step semantics [7] which limits interference points to message receive sites in the code. However, variants of the actor model which do not guarantee confinement, e.g. Scala Actors [74], or allow multiple unsynchronized execution threads per actor instance, e.g. Habanero [83], could still suffer from pervasive interference. Actor models and their variants also do not address the oblivious interference problem due to their dynamic binding of actor names and message names (in some cases), e.g. ActorFoundry [14] does not allow the static type of actor instances to be known statically.

Active objects [94], similar to actors, encapsulate their state and control. Variants of active objects that guarantee confinement and synchronized access to memory in active objects, such as JCoBox [151], address the pervasive interference problem. Several techniques including ownership type systems [38] or immutable data [151] can be used to enforce confinement. Again, dynamic binding of names could lead to oblivious interference.

Atomicity, transactional memory, cooperability and automatic mutual exclusion (AME) Transactional memory [92] is a concurrent programming model that enforces atomic blocks at runtime. There are also a variety of static [66] and dynamic [58] analyses to detect atomicity violations. Atomic sets [171] put fields of objects into atomic sets such that access to the fields in these sets is guaranteed to be atomic. These techniques are not concerned about oblivious interference and only partially address the pervasive interference by limiting the interference points to outside of specified atomic blocks. However, interference outside atomic blocks and between atomic blocks can still be pervasive [177]. An atomic block is an interference-free block of code.

Automatic mutual exclusion [2, 84, 154] inverts the model of atomic blocks in transactional memory
such that code is run atomically unless explicitly specified using yield expressions. Similarly, cooperative reasoning \cite{176,177} and observationally cooperative multithreading \cite{157} limit interleaving points to yield expressions. Task Types \cite{90} enforce pervasive atomicity, i.e. every piece of code must be in some atomic block, through a data-centric technique for specification of shared objects and syntactically explicated accesses to share objects. These techniques address the pervasive interference, however, they are not concerned about the oblivious interference problem.

**Rely-guarantee and Owicki-Gries’s work** In rely-guarantee reasoning \cite{87} a module satisfies a guarantee condition after each instruction and in turn can assume the rely condition satisfied by the environment. Previous work \cite{68} leverages rely-guarantee reasoning for thread-modular verification of multithreaded programs in which rely and guarantee conditions are specified for threads and their environments. Similarly, in Owicki and Gries’s work \cite{129} and its variations \cite{126} each instruction is annotated by an interference-free assertion which must hold locally in the presence of concurrent interfering tasks. These techniques extend Hoare logic and address the oblivious interference problem via environment assumptions, however, they still assume pervasive interference between each two instructions. Atomic actions \cite{56} combine atomicity and rely-guarantee reasoning through iterative use of abstraction and reduction to infer atomic blocks. Rely-guarantee addresses oblivious interference, however, interferences outside atomic blocks and between each two atomic blocks can still be pervasive.

**Concurrent separation logic and abstract predicates** In concurrent separation logic \cite{127} accesses to a shared resource are synchronized through mutual exclusion and guaranteed to preserve the resource invariants. Use of permissions enables read-sharing \cite{31}. Concurrent separation logic can be treated as a specialization of rely-guarantee for well-synchronized programs \cite{59}. Concurrent abstract predicates \cite{47,159} are self-stable predicates that combine separation logic with permissions to enable fine-grained modular reasoning about concurrent programs presenting a fiction of disjointness over shared resources. Resource specifications in these techniques limit the interference behavior and address oblivious interference, however, interferences among each two accesses to a shared resource can still be pervasive \cite{177}.

**Aspect-orientation** Interference between aspects and base code, its pervasiveness and obliviousness is discussed in aspect-oriented programming languages \cite{61,147}. However, solutions for interference problems of these sequential languages are not directly applicable to concurrent programming models.
Data race freedom  There is a vast number of previous work on finding, fixing and preventing data races [30, 32, 33, 65, 144]. However, the absence of data races does not guarantee the absence of interferences and errors due to interferences [66].

Reconciliation of concurrency and modularity  Panini and its capsule-oriented programming model follow previous work [106, 107, 135, 139] that suggests that modularity and concurrency goals are intertwined and could be reconciled.
Behavioral subtyping is an important property for extensible software design, as it allows a type hierarchy to be extended without invalidating an already verified property [9, 96, 104, 130, 132]. This property, initially proposed for sequential programs, has been augmented to handle thread-based concurrency e.g. by adding history constraints [104], environment and resource specifications [47, 67, 87], and atomicity [148] and locking specifications [11, 148].

In this chapter, inspired by the recently found success of module-like linguistics abstractions for concurrency e.g. actors [6, 8], active objects [35, 38, 86, 151], capsules [18, 136, 138], etc., that promote more disciplined concurrency (compared to threads), we ask whether these linguistic abstractions can help promote a concurrent programming discipline where behavioral subtyping is the norm.

To explore these goals, we propose concurrent behavioral subtyping — or concurrent subtyping for short, a novel complementary foundation to previous work [9, 45, 47, 87, 96, 104, 130] on behavioral subtyping. Given a subtype \( \sigma \) and its supertype \( \tau \), concurrent subtyping defines behavioral subtyping as the combination of the following subtyping relations:

- **interference subtyping**: the interference behaviors of the subtype \( \sigma \) and its supertype \( \tau \) are compatible [130]; and

- **interface subtyping**: the interface behaviors of \( \sigma \) and \( \tau \) are compatible.

Interference and interface subtyping address interference and interface behavior incompatibilities between the supertype \( \tau \) and its subtype \( \sigma \) and enable modular reasoning. Interface subtyping is similar to methods rule in standard behavioral subtyping [104].

Separation of the behavioral subtyping relation into these two, perhaps orthogonal, relations has a significant positive impact. For some linguistic abstractions, e.g. those that promote more disciplined concurrency, we find that the language design can imply interference subtyping and only the standard
interface subtyping [104] needs to be proven. Surprisingly, our empirical results finds that a majority of real world programs e.g. 354/416 programs written using Akka framework [8], a library for actors, can reap these benefits.

**Contributions and Scope** In summary, this chapter makes the following contributions:

- it proposes and formalizes *concurrent behavioral subtyping* as the combination of *interference subtyping* and *interface subtyping*.

- it shows how concurrent subtyping can enable modular supertype abstraction reasoning [97].

- it shows that with type encapsulation and encapsulated inheritance concurrent subtyping can be guaranteed using only the standard interface subtyping [96, 104].

- it presents an empirical study that examines the effectiveness of separating behavioral subtyping into two relations by measuring prevalence of scenarios where linguistic features can guarantee interference subtyping.

Throughout this chapter, we remain focussed on subtyping of functional behavior [95] in a concurrent program. Subtyping of either synchronization behavior (inheritance anomaly [109]) or communication behavior (session types [73]) is not the focus of this chapter.

### 4.1 Background

Modular reasoning in the presence of subtyping and dynamic dispatch is sound only if behaviors $B_\sigma$ and $B_\tau$ of the subtype $\sigma$ and the supertype $\tau$ are compatible [9, 104]. In a concurrent program, arbitrary inheritance between a subtype $\sigma$ and its supertype $\tau$ can cause incompatibilities [96, 104, 130] between behaviors of $\sigma$ and $\tau$ and consequently break modular reasoning in a type $\eta$ that interacts with $\tau$ and a type $\eta'$ that $\tau$ interferes with.

To illustrate these two problems, we use the concurrent programming language Panini that provides module-like linguistic abstractions for concurrency [18, 136, 138]. The main features that we build upon are also present in a host of other concurrent languages with actors [6, 8, 74] such as Akka [8] and ActorFoundry [14] and Erlang [12], and active objects [35, 38] such as Creol [86] and JCoBox [151]
and even modeling languages such as ABS [46]. However, a framework for modular reasoning about Panini has also been developed by Bagherzadeh and Rajan [18] that we build upon here.

4.1.1 Panini

In Panini, a capsule is a type that encapsulates its state by making it accessible only through invocations of its procedures; a capsule instance executes its invoked procedures sequentially while running concurrently with other capsule instances in a program.

4.1.2 Program Syntax

Figure 4.1 shows the expression-based core syntax of Panini inspired by [18] and extended with inheritance. \texttt{term} denotes a sequence of zero or more terms and \texttt{[term]} denotes an optional term.

A program is a set of capsule declarations that each contains a capsule name \( C \), a supercapsule name \( D \) and declares a set of imported capsule instances \texttt{import}, a design declaration \texttt{design}, a set of states \texttt{state} and procedures \texttt{proc}. A capsule instance can asynchronously invoke procedures of its imported or locally declared capsule instances. An import declaration \( d \) has a capsule type \( D \) and name \( c \). A design declaration declares a set of local capsule instances \texttt{instance} and connects them together in a wiring declaration \texttt{wiring}. A wiring declaration \( c(d) \) exports capsule instances \( d \) to the imported capsule instances of \( c \). Imported and exported capsule instances are shared.

\textbf{Global asynchronous and local synchronous expressions} A capsule encapsulates its state by making it available only through asynchronous invocation of its procedures [117]. A procedure declaration has a variable return type \( T \), a name \( p \), set of formal parameters \texttt{form} and a body \( e \). The body of a capsule procedure is a sequence of \textit{global asynchronous} and \textit{local synchronous} expressions. In a global expression, a capsule can \textit{asynchronously} invoke a procedure of another capsule including its supercapsule through the pseudo-variable \texttt{super}. In asynchronous invocation the invoking capsule does not block for the execution of the invoked procedure to finish and does not wait for its result. A future [174] is returned as the result of the asynchronous invocation as a placeholder for a value which need not be immediately available. The value of a future can be claimed by blocking on it when needed using a \texttt{deref} expression. Due to concurrent execution of capsule instances in a program, an interference can happen
prog ::= decl
decl ::= capsule C (import) extends D { design state proc }
import ::= D d
state ::= T s;
proc ::= {spec} T p (T x) { e }
design ::= {instance wiring} ;
wiring ::= c (d)
instance ::= D d

e ::= 
| c . p (x) a | self . p (x) | super . p (x)  
| self . s | self . s := x  
| ref x | deref x | x := e  
| let x be e in e | if x then e else e  
| deref x  
| x  
| ()  

spec ::= requires ep ensures ep

ep ::= 
| true  
| x  
| c . p (x) | self . p (x)  
| ep & ep | not ep  
| ep == ep | ep < ep  
| old (ep)  

C, D ∈ C  capsule type names  T ∈ T  variable types  
s ∈ S  state names  p ∈ P  procedure names  
x ∈ X  variable names  c, d ∈ J  instance names  
a ∈ L  labels

capsule declaration  
import declaration  
state declaration  
procedure declaration  
design  
wiring  
instance declaration  
expression:  
procedure invocation  
state access  
references  
let, conditional  
future resolution  
variable  
unit value  
specification  
pure predicates:  
true  
variable read  
procedure invocation  
conjunction, negation  
equality, less than  
old predicate  

Figure 4.1  Panini’s core syntax with capsule inheritance and procedure specifications.

at interference point α after an asynchronous procedure invocation. In a local expression, a capsule can synchronously invoke a procedure of itself or access its state through the pseudo-variable self.

The type system distinguishes between a capsule type C and a variable type T. Sets of possible values for capsule types and variable types are disjoint.

Atomic procedure specifications  A procedure specification requires ep₁ ensures ep₂ includes a precondition predicate ep₁ and a postcondition ep₂ that both are pure and side-effect free. A specification predicate can be true, read variable x or it can invoke pure procedures of its enclosing capsule or other
capsules that the enclosing capsule encapsulates. Specification predicates can be compared for their values, conjoined or negated. The \textit{old} predicate in a procedure specification refers to the state of its enclosing capsule at the beginning of the procedure execution. Procedure specifications are syntactically similar to JML specifications but are semantically different because they are atomic [18]. The specification \textit{requires} \textit{ep}$_1$ \textit{ensures} \textit{ep}$_2$ is atomic iff \textit{ep}$_1$ and \textit{ep}$_2$ predicates are free from interference. Procedure specifications are for partial correctness and do not specify termination [77, 95].

\textbf{Type specifications} There are no type specifications like invariants or history constraints [95, 104]. An invariant, similar to previous work [95, 103] can be desugared and conjoined into preconditions and postconditions of procedures of a capsule. Unlike previous work [103], concurrent subtyping does not require history constraints to guarantee behavioral subtyping.

4.1.3 Semantics in a Nutshell

A Panini program is a set of concurrently running capsule instances with the following semantics:

\begin{enumerate}
\item[\textbf{P}$_1$] \textbf{Encapsulation:} A capsule encapsulates its state and its \textit{representation}, non shared local capsule instances, supercapsule and parameters of its procedures and their representations. The capsule makes what it encapsulates accessible only through asynchronous invocations of its procedures. The representation of a state is the object graph reachable from the state.
\item[\textbf{P}$_2$] \textbf{Sequential execution:} A capsule instance has a single thread of execution that dequeues and executes its invoked procedures from its queue sequentially [35]. The execution of an invoked procedure does not start before the execution of the currently running invoked procedure finishes [83].
\item[\textbf{P}$_3$] \textbf{Typed messages:} The procedures of a capsule constitute the set of messages it can accept [8, 14]. Invocation of a procedure of a capsule is the type-safe equivalent of sending a message to the capsule [86].
\end{enumerate}

Encapsulation provided by a capsule can be guaranteed using various techniques such as copying [151], uniqueness [112] or ownership and ownership transfer [38, 39, 118]. Panini uses the latter to guarantee encapsulation.
\( P_4 \) **Ownership and ownership transfer:** A capsule owns what it encapsulates. Upon a procedure invocation, the ownership of parameters of the procedure (and their representations) is transferred from the invoking to the invoked capsule instance; upon the return of the invocation result, the ownership of the result (and its representation) is transferred from the invoked to the invoking capsule instance.

Semantic properties \( P_1 - P_4 \) are sufficient for defining concurrent subtyping. \( P_1 - P_4 \) in turn guarantee properties \( P_5 - P_6 \):

\( P_5 \) **Interference control:** Interference can only happen after a procedure invocation on a shared capsule instance and the interference behavior at that interference point is bound by the behavior of its interference closure.

\( P_6 \) **Specification atomicity:** Procedure specifications in a capsule are atomic if they only access the encapsulated state of the capsule.

Intuitively, the interference control and specification atomicity hold because the state encapsulated by a capsule can only be accessed by invocations of sequentially executing procedures of the capsule. The detailed formal proofs of these properties can be found in previous work [18].

Asynchronous execution increases the possibility of concurrency [86] and first in first out (FIFO) execution of invoked procedures of a capsule decreases the unnecessary nondeterminism in message passing concurrency [163]. However, \( P_7 - P_8 \) are not necessary for concurrent subtyping.

\( P_7 \) **Asynchronous invocation:** Asynchronous invocation of a procedure of a capsule instance puts the procedure in the capsule’s queue and immediately returns a future value without waiting for the execution of the procedure.

\( P_8 \) **FIFO execution:** The single execution thread of a capsule instance dequeues and executes its invoked procedures from its queue in a first in first out (FIFO) order.

Ownership guarantees Panini’s sharing model.

\( P_9 \) **Sharing:** The only shared entities among two capsule instances are either other capsule instances or unresolved future results of their procedure invocations. Access to an unresolved shared future is synchronized.
\( \mathcal{P}_10 \) *Encapsulated inheritance:* A subcapsule can access its supercapsule’s state only through invocations of its procedures and not directly [155].

In summary, \( \mathcal{P}_1-\mathcal{P}_4 \) will be sufficient to define concurrent subtyping.

**Illustration** To illustrate, Figure 4.2 declares a capsule `Counter` with a state \( r \) and procedures `inc` and `val` to increment the counter by 1 and return its value. Another capsule `Client` imports a shared instance \( c \) of `Counter`, line 1, and in its main procedure asynchronously invokes `Counter` procedures `inc` and `val` and assigns their results to futures \( v1 \) and \( v2 \). The specification of `inc` in `counter` says that if the procedure execution starts in a program state that satisfies its precondition \( \text{true} \), and the execution terminates, then it terminates in a state that satisfies its postcondition \( c.val() == \text{old}(c.val()) + 1 \), i.e. `inc` increments the counter by one. The specification of `val` says that it is pure and does not change the value of the counter.

```plaintext
1 capsule Client(Counter c) {
    int v1, v2;
    //@ requires true;
    //@ ensures v2 >= v1 + 1;
    void main() {
        v1 = c.val();
        c.inc();
        v2 = c.val();
    }
}
capsule Counter {
    int r;
    //@ requires true;
    //@ ensures val() == old(val()) + 1;
    void inc() { r = r + 1; }
    //@ pure
    int val() { return r; }
}
```

Figure 4.2 Interference points \( \alpha \) and interference closure \( \kappa(c, \text{Counter}) \).

### 4.2 Key Challenges

Incompatibilities between behaviors of subtype \( \sigma \) and supertype \( \tau \) can be divided into the following two fundamental problems:
\section*{4.2.1 Problem 1: Interference Behavior Incompatibility}

A subcapsule $\sigma$ with an interference behavior that is incompatible with the interference behavior of its supercapsule $\tau$ breaks modular reasoning in a capsule $\eta$ that $\tau$ interferes with.

To illustrate, consider modular verification of the assertion $\Phi$ in Figure 4.2. $\Phi$ says that the implementation of the procedure $\text{main}$ in the capsule $\text{Client}$ satisfies its specification. To prove $\Phi$, one should prove that if the execution of $\text{main}$ starts in a program state that satisfies its precondition $\text{true}$, and the execution terminates, then it terminates in a program state that satisfies its postcondition $v_2 \geq v_1 + 1$.

\section*{4.2.2 Modular Reasoning and Interference}

Concurrency gives rise to thread interference and therefore any reasoning technique about a concurrent program should take into account the possibility of interference [18, 47, 87]. We first provide a short background on how modular reasoning is carried out in Panini in the presence of interference.

One way to take interference that is caused by concurrent execution of instances of $\text{Client}$ and $\text{Counter}$ into account when proving $\Phi$ is:

\begin{itemize}
  \item to identify the program points in the implementation of $\text{main}$ in which interference can happen (interference points); and
  \item for each interference point identify its interference behavior.
\end{itemize}

Panini’s encapsulation and sequential execution of capsules guarantee that in a Panini program:
\( \mathcal{G}_1 \) interference can happen only after a procedure invocation on a shared capsule instance; and

\( \mathcal{G}_2 \) interference behavior at the procedure invocation (interference point) is limited to the Kleene closure of invocations of procedures of the static type of the invocation’s receiver. We refer to this closure as interference closure.

The interference closure is an upper bound on the interference and therefore its behavior provides an upper bound on the interference behavior. Intuitively, this hold because the state encapsulated by a capsule instance can only be accessed by invocations of sequentially executing procedures of the capsule. More details and proofs about Panini’s interference control above can be found in previous work [18].

Using these two properties one can easily take interference into account when proving \( \Phi \). To illustrate, Figure 4.2 shows the \texttt{Counter} and \texttt{Client} capsules with their interference points and interference closures. Using \( \mathcal{G}_1 \), there are no procedure invocations in the body of the procedure \texttt{inc} and therefore it is free from interference points and is atomic. A block of code is atomic if it is free from interference. Similarly, the procedure \texttt{val} is atomic. However, there are three interference points \( \alpha \) in the procedure \texttt{main} of \texttt{Client} because there are three procedure invocations on the shared capsule instance \( c \), on lines 7–9. In Panini, an imported capsule instance is a shared capsule instance. Using \( \mathcal{G}_2 \), the interference closure at \( \alpha \) after the first invocation \( c.val() \), on line 7, is the Kleene closure \( \kappa(c, \texttt{Counter}) = \{ c.inc(), c.val() \}^* \) of all procedures \texttt{inc} and \texttt{val} of the static type \texttt{Counter} of the receiver \( c \). The closure \( \kappa(c, \texttt{Counter}) \) is a set that is either empty \( \emptyset \) or contains any sequential composition \( ; \) of any number of procedure invocations \( c.val() \) and \( c.inc() \) in any order. Invocations \( c.inc(), c.inc();c.val(), c.val();c.inc() \) or \( c.inc();c.inc() \) are examples of few elements that belong to the \( \kappa(c, \texttt{Counter}) \). Other interference closures in \texttt{main} are computed similarly.

After identifying interference points \( \alpha \) and interference closures \( \kappa(c, \texttt{Counter}) \) in \texttt{main}, one can construct the following Hoare-like triple \( \mathcal{H}_\Phi \). The standard Hoare triple does not take interference into account [148]. To take interference into consideration, interference closures \( \kappa(c, \texttt{Counter}) \) are inserted at interference points \( \alpha \) in the body of \texttt{main}. \( \mathcal{H}_\Phi \) says that in the typing environment \( \Gamma \) if the execution of \texttt{main} starts in a program state that satisfies its precondition \texttt{true}, and the execution terminates, then it terminates in a program state that satisfies its postcondition \( v2 \geq v1 + 1 \). This is exactly what the assertion \( \Phi \) wants to prove. The static typing environment \( \Gamma \) for \texttt{Client} maps the counter instance \( c \) to
its static type Counter where the annotation @import denotes that c is a capsule instance shared between Client and other capsule instances in the system.

\[ \Phi : \Gamma \models \{ \text{true} \} \]

precondition

\[ \kappa(c, \text{Counter}): \text{increase or not change c} \]

\[ v_1 = c.val(); \quad \{c.inc(), c.val()\}^*; \]

\[ c.inc(); \quad \{c.inc(), c.val()\}^*; \]

\[ v_2 = c.val(); \quad \{c.inc(), c.val()\}^*; \]

\[ (\text{true}, c.val() \geq \text{old}(c.val())) \]

\[ \{ v_2 \geq v_1 + 1 \} \]

postcondition

\( \Gamma \vdash c : @import \text{Counter} \)

To prove \( \Phi \), recall that specifications of procedures of Counter say that inc increases the counter by 1 and val is pure and does not change the counter. Using these specifications, an oracle can conclude that the interference closure \( \kappa(c, \text{Counter}) = \{c.val(), c.inc()\}^* \) either increases the counter by an arbitrary value or does not change it (but does not decrease it). The behavior of \( \kappa(c, \text{Counter}) \) can be explained using the specification \((\text{true}, c.val() \geq \text{old}(c.val()))\) which says if the interference in the counter c starts in a program state that satisfies the precondition \( \text{true} \), and its execution terminates, then it terminates in a program state that satisfies the postcondition \( c.val() \geq \text{old}(c.val()) \). The \( \text{old} \) predicate in this specification refers to the state of the counter c before the start of the interference. The behavior \((ep_1, ep_2)\) is short for requires \( ep_1 \) ensures \( ep_2 \). Using this interference behavior and specification of Counter one can prove that the postcondition of \( \mathcal{H}_\Phi \) and therefore the assertion \( \Phi \) holds. In proving \( \Phi \), one should note that read accesses to values of futures \( v_1 \) and \( v_2 \) in the postcondition \( v_2 \geq v_1 + 1 \) do not unblock until the executions of \( \text{val} \) in the counter c are executed and finished. Panini’s first in first out execution model guarantees that in the postcondition of \( \mathcal{H}_\Phi \), the execution of the first asynchronous invocation \( c.val() \) finishes before the start of the execution of \( c.inc() \) which itself finishes before the execution of the second invocation \( c.val() \) starts.

Next, we illustrate interference and interface behavior incompatibility problems of modular reasoning in the presence of interference and inheritance.
4.2.3 Interference Behavior Incompatibility

To illustrate, consider the addition of the subcapsule $Cx\text{Counter}$ in Figure 4.3 to the inheritance hierarchy of $Counter$. $Cx\text{Counter}$ adds an extra procedure $dec$ that decreases the counter by one. The incompatibility between interference behaviors of $Cx\text{Counter}$ and $Counter$ invalidates the assertion $\Phi$, that was previously verified in the absence of $Cx\text{Counter}$. In the presence of $Cx\text{Counter}$ and dynamic dispatch, invocations $c.val()$ and $c.inc()$ in the body of the procedure $main$ in $Client$ can be dispatched to an instance $c$ of $Cx\text{Counter}$ instead of $Counter$. However, the interference closure $\kappa(c, Cx\text{Counter}) = \{c.val(), c.inc(), c.dec()\}^*$ for $c$ of type $Cx\text{Counter}$ is different from the interference closure $\kappa(c, Counter) = \{c.val(), c.inc()\}^*$ for $c$ of type $Counter$ and their behaviors are not compatible. Specifications $(true, true)$ and $(true, c.val() >= old(c.val()))$ denote the behaviors of interference closures $\kappa(c, Cx\text{Counter})$ and $\kappa(c, Counter)$, respectively. The behavior of $\kappa(c, Counter)$ either increases the counter or not change it, whereas the behavior of $\kappa(c, Cx\text{Counter})$ with its newly added $dec$ procedure can not only increase or not change the counter but also decrease it by any arbitrary value, which is incompatible with the behavior of $\kappa(c, Counter)$.

```
capsule CxCounter extends Counter {
  int i;
  void dec() { r = r - 1; }
}
```

Figure 4.3 Interference behavior incompatibility breaks modular reasoning.

A non modular verifier with the knowledge about the subcapsule $Cx\text{Counter}$ would construct the following Hoare triple $\mathcal{H}_\Phi'$ instead of the previous triple $\mathcal{H}_\Phi$. However, unlike $\mathcal{H}_\Phi$, the postcondition of $\mathcal{H}_\Phi'$ and therefore the assertion $\Phi$ cannot be proved anymore. The incompatibility of the interference behavior of the subcapsule $Cx\text{Counter}$ with the interference behavior of its supercapsule $Counter$ breaks modular reasoning in the capsule $Client$ that the supercapsule $Counter$ interferes with. The dynamic typing environment $\Pi$ of $Client$ maps its counter instance $c$ to its dynamic type $Cx\text{Counter}$.
$H'_{\Phi} : \Gamma \models \{ \text{true} \}$

decrease, increase or not change $c$

$v1 = c.val(); \{c.inc(), c.val(), c.dec()\}^*$

c.inc(); \{c.inc(), c.val(), c.dec()\}^*$

$v2 = c.val(); \{c.inc(), c.val(), c.dec()\}^*$

$\{v2 \geq v1 + 1\}$

$\Gamma \vdash c : \text{import Counter}$

$\Pi \vdash c : \text{CxCounter}$

4.2.4 Problem $\Theta$: Incompatible Interface Behavior

A subcapsule $\sigma$ with an interface behavior that is incompatible with the interface behavior of its supercapsule $\tau$ breaks modular reasoning in

1 a type $\eta$ that $\tau$ interferes with; and

2 a type $\eta$ that interfaces with $\tau$ by invoking its procedures.

*Incompatible interface behavior causes incompatible interference behavior* We first discuss the case in which the incompatibility of interface behaviors of $\sigma$ and $\tau$ breaks the modular reasoning in a type $\eta$ that $\tau$ interferes with. To illustrate, reconsider the assertion $\Phi$ that was previously verified in Figure 4.2 in the absence of CxCounter and consider the addition of the subcapsule CxCounter in Figure 4.4 to the inheritance hierarchy of Counter. CxCounter overrides the procedure inc of Counter.

```java
22 capsule CxCounter extends Counter { ..
23     void inc() { r = 0; }
24 }
```

Figure 4.4 Interface behavior incompatibility breaks modular reasoning.

After the addition of the subcapsule CxCounter, the incompatibility between the interface behaviors of CxCounter and Counter invalidates the assertion $\Phi$. In the presence of CxCounter and dynamic dispatch, invocations $c.inc()$ in the procedure main in Client can be dispatch to an instance $c$ of CxCounter instead
of Counter. However, the interface behavior \( t(c, CxCounter) = \{ inc(\text{true}, c.val() == 0), val(\text{pure}) \} \) for an instance \( c \) of \( CxCounter \) is not compatible with the interface behavior \( t(c, Counter) = \{ inc(\text{true}, c.val() == \text{old}(c.val()) + 1), val(\text{pure}) \} \) for \( c \) of \( Counter \) for the procedure \( inc \). The interface behavior of \( CxCounter \) includes behaviors \( (\text{true}, c.val() == 0) \) and \( \text{pure} \) of its procedures \( inc \) and \( val \). The behavior \( (\text{true}, c.val() == 0) \) of the procedure \( inc \) specifies its precondition \( \text{true} \) and the postcondition \( c.val() == 0 \). Unlike \( inc \) in \( Counter \) that increases the counter by one, \( inc \) in \( CxCounter \) resets the counter. This interface behavior incompatibility, causes incompatibility between the behavior of the interference closure \( \kappa(c, CxCounter) = \{ c.val(), c.inc() \}^* \) for \( CxCounter \) and the behavior of the interference closure \( \kappa(c, Counter) = \{ c.val(), c.inc() \}^* \) for \( Counter \). Behaviors \( (\text{true}, c.val() == 0) \) and \( (\text{true}, c.val() >= \text{old}(c.val())) \) denote behaviors of \( \kappa(c, CxCounter) \) and \( \kappa(c, Counter) \). Unlike \( \kappa(c, Counter) \) that either increases the counter or not change it, \( \kappa(c, CxCounter) \) with its overriding procedure \( inc \) either resets the counter or not change it.

**Interface incompatibility breaks modular reasoning** The case in which the incompatibility of interface behaviors of \( \sigma \) and \( \tau \) breaks the modular reasoning in a type \( \eta \) that interacts with \( \tau \) is standard and is recognized by previous work [9, 104]. To illustrate it in the context of a concurrent language, consider Figure 4.5 that declares a variation of \( \text{Client} \) that, unlike Figure 4.2, declares a local and non shared instance \( c \) of \( Counter \), in its design declaration on line 2. In Panini, a local capsule instance is declared in a design declaration.

```plaintext
1 capsule Client { ..
2   design {Counter c; }
4   //@ requires \text{true};
5   //@ ensures v2 == v1 + 1;
6   void main() {
7     v1 = c.val();
8     c.inc();
9     v2 = c.val();
10   }
11 }
```

Figure 4.5 Incompatible interface behavior breaks sequential modular reasoning.

Using \( G_1 \), the procedure \( main \) in \( \text{Client} \) is atomic because there is no procedure invocation on a shared capsule instance in its body anymore. In the absence of a subcapsule \( CxCounter \), one can verify the new
assertion $\Phi$ by constructing the following Hoare triple $H_\Phi$:

$$H_\Phi : \Gamma \models \{ \text{true} \}$$

$\nu_1 = c.\text{val}();$  \hspace{1cm} \text{no interference}

$\kappa(c,\text{Counter}) = \emptyset$

$c.\text{inc}();$  \hspace{1cm} \text{no interference}

$\nu_2 = c.\text{val}();$  \hspace{1cm} \text{no interference}

$\{ \nu_2 == \nu_1 + 1 \}$

$\Gamma \vdash c : \mathbb{a}\text{local Counter}$

The procedure main is atomic and therefore the interference closure $\kappa(c,\text{Counter})$ and its behavior are trivially empty. Atomicity of main allows the use of standard sequential reasoning [77] for the verification of $H_\Phi$. $H_\Phi$ and consequently $\Phi$ holds because specifications of $\text{inc}$ and $\text{val}$ in $\text{Counter}$ say that they only increase the counter by one or not change it.

However, after the addition of CxCCounter in Figure 4.3, the incompatibility between interface behaviors of CxCCounter and Counter invalidates the assertion $\Phi$. This is because unlike the behavior $(\text{true}, c.\text{val}() == \text{old}(c.\text{val}()) + 1)$ of $\text{inc}$ in $t(c, \text{Counter})$ which increases the counter, the behavior $(\text{true}, c.\text{val}() == 0)$ of $\text{inc}$ in $t(c, \text{CxCCounter})$ resets the counter.

### 4.3 Concurrent Subtyping

Concurrent subtyping holds if both interference and interface behaviors of a subtype $\sigma$ are compatible with interference and interface behaviors of its supertype $\tau$. Concurrent subtyping addresses incompatible interference and interface behavior problems and enables modular reasoning. In this section, we formalize concurrent subtyping.

#### 4.3.1 Formalization of Concurrent Subtyping

Concurrent subtyping defines behavioral subtyping as the combination of interference and interface subtyping. Definition 7 and Definition 8 define interference closure and concurrent subtyping.

**Definition 7 (Interference closure)** Let $C$ be a capsule type with procedures $T_1 p_1 (x_1) \ldots T_n p_n (x_n)$ in its interface, including procedures inherited from its supercapsules. Let $c$ be a capsule instance with
the static type $C$, i.e. $\Gamma \vdash c : C$, and a possibly different dynamic type $C'$. Then, the interference closure of $c$, written as $\kappa(c, C)$, is the Kleene closure of sequential composition $\cdot$ of any number of invocations of all procedures in the interface of its static type $C$ in any arbitrary order:

$$\kappa(c, C) = \{c.p_1(\_), c.p_2(\_), \ldots, c.p_n(\_)\}^*$$

The notation $\_\_$ denotes an unspecified arbitrary value which is of the expected type of the procedure argument and does not invalidate the procedure specification.

The closure $\kappa(c, C)$ denotes an upper bound on the interference on an instance $c$ that a concurrently running instance of $D$ can cause.

**Definition 8 (Concurrent subtyping)** Let $C'$ and $C$ be two capsule types in a Panini program where $C'$ is a subcapsule of $C$ in its inheritance hierarchy, written as $C' \prec C$. Let $c$ be a capsule instance of static type $C$ in a static typing environment $\Gamma$, i.e. $\Gamma \vdash c : C$, and of dynamic type $C'$ in the dynamic typing environment $\Pi$, i.e. $\Pi \vdash c : C'$. Let $ep_1$ and $ep_2$ be atomic specification predicates. Let the closure $\kappa(c, C)$ be the interference closure of $C$. Then, $C'$ is a concurrent subtype of $C$ iff:

1. $C'$ is an interference subtype of $C$:

$$\forall ep_1, ep_2 \in ep. \ \ \Gamma \vdash \{ep_1\} \ \kappa(c, C) \ \{ep_2\} \ \Rightarrow \ \Gamma \vdash \{ep_1\} \ \kappa(c, C') \ \{ep_2\}$$

2. $C'$ is an interface subtype of $C$:

$$\forall p \in \mathcal{P}, ep_1, ep_2 \in ep, override([C', T p(\bar{x})\{e'\}], [C, T p(\bar{x})\{e\}]) \ .$$

$$\Gamma \vdash \{ep_1\} \ e \ \{ep_2\} \ \Rightarrow \ \Gamma \vdash \{ep_1\} \ e' \ \{ep_2\}$$

A subcapsule $C'$ is a concurrent subtype of its supercapsule $C$ if $C'$ is the interference subtype and interface subtype of $C$. $C'$ is an interference subtype of its supercapsule $C$ only if the interference behavior of $C'$ is compatible with the interference behavior of $C$. Similarly, $C'$ is an interface subtype of $C$ if the
interface behavior of \( C' \) is compatible with the interference behavior of \( C \). Similar to standard behavioral subtyping [9, 44, 96, 104], concurrent subtyping does not provide any guarantees about program termination. The function \textit{override} checks if a procedure \( p \) in \( C' \) is overriding the procedure \( p \) in \( C \).

An oracle knows the behavior \((ep_1, ep_2)\) of an interference closure \( \kappa(c, C) \) of a type \( C \). The behavior \((ep_1, ep_2)\) for an overridden procedure of \( C \) can be its behavior \textit{spec} specified by its programmer.

### 4.3.1.1 Interference Subtyping

In Definition 8, the subcapsule \( C' \) is an interference subtype of its supercapsule \( C \) if the interference behavior of its interference closure \( \kappa(c, C') \) is compatible with the behavior of the interference closure \( \kappa(c, C) \) of its supercapsule \( C \):

\[
\forall ep_1, ep_2 \in ep . \quad \Gamma \vdash \{ep_1\} \kappa(c, C) \{ep_2\} \implies \Gamma \vdash \{ep_1\} \kappa(c, C') \{ep_2\}
\]

To be compatible, the interference closure \( \kappa(c, C') \) of the subcapsule \( C' \) should preserve any behavior \((ep_1, ep_2)\) that the interference closure \( \kappa(c, C) \) of the supercapsule \( C \) satisfies. The Hoare judgement \( \Gamma \vdash \{ep_1\} \kappa(c, C) \{ep_2\} \) above denotes the satisfaction of the interference behavior \((ep_1, ep_2)\) by the interference closure \( \kappa(c, C) \) in the static typing environment \( \Gamma \) [77]. The interference closure \( \kappa(c, C) \) satisfies its behavior \((ep_1, ep_2)\) if the execution of the closure starts in a program state that satisfies \( ep_1 \), and it terminates, then it terminates in a state that satisfies \( ep_2 \).

To illustrate, the subcapsule \texttt{CxCounter} in Figure 4.3 is not the interference subtype of its supercapsule \texttt{Counter}:

\[
\Gamma \vdash \{\texttt{true}\} \kappa(c, \texttt{Counter}) \{c.val() >= old(c.val())\}
\]

\[\not\Rightarrow\]

\[
\Gamma \vdash \{\texttt{true}\} \kappa(c, \texttt{CxCounter}) \{c.val() >= old(c.val())\}
\]

This is because the behavior \((\texttt{true, true})\) of \( \kappa(c, \texttt{CxCounter}) = \{c.inc(), c.val(), c.dec()\}^* \) of \texttt{CxCounter} is not compatible with the behavior \((\texttt{true, c.val() >= old(c.val())})\) for \( \kappa(c, \texttt{CxCounter}) = \{c.inc(), c.val()\}^* \) of its supercapsule \texttt{Counter}. 
However, the subcapsule CxCounter in Figure 4.6 is an interference subtype of Counter. This is because both interference closures \( \kappa(c, \text{Counter}) \) and \( \kappa(c, \text{CxCounter}) \) have the same and therefore trivially compatible behaviors (\( \text{true}, c.\text{val}() \geq \text{old}(c.\text{val}()) \)):

\[
\Gamma \vdash \{ \text{true} \} \kappa(c, \text{Counter}) \{ c.\text{val}() \geq \text{old}(c.\text{val}()) \}
\Rightarrow
\Gamma \vdash \{ \text{true} \} \kappa(c, \text{CxCounter}) \{ c.\text{val}() \geq \text{old}(c.\text{val}()) \}
\]

It is interesting to see that CxCounter is an interference subtype of Counter while their inc procedures have different behaviors. inc in CxCounter increases the counter by 2 whereas inc in Counter increases the counter by 1.

```java
22capsule CxCounter extends Counter { ..
23    void inc() { r = r + 2; }
24}
```

Figure 4.6 CxCounter is an interference subtype of Counter.

### 4.3.1.2 Interface Subtyping

In Definition 8, the subcapsule \( C' \) is an interface subtype of its supercapsule \( C \) if the behavior of the body \( e' \) for each of its overriding procedures is compatible with the behavior of the body \( e \) of the procedure it overrides:

\[
\forall p \in \Psi, ep_1, ep_2 \in ep, \text{override}(\{ C', T \ p(\bar{x})\{ e' \}\}, [C, T \ p(\bar{x})\{ e \}]).
\]

\[
\Gamma \vdash \{ ep_1 \} e \{ ep_2 \} \Rightarrow \Gamma \vdash \{ ep_1 \} e' \{ ep_2 \}
\]

The Hoare judgement \( \Gamma \vdash \{ ep_1 \} e \{ ep_2 \} \) above denotes satisfaction of the procedure behavior \( (ep_1, ep_2) \) by the expression \( e \) in the static typing environment \( \Gamma \). The expression \( e \) satisfies the behavior \( (ep_1, ep_2) \) if its execution starts in a program state that satisfies \( ep_1 \), and it terminates, then it terminates in a program state that satisfies \( ep_2 \). Interface subtyping, similar to the methods rule in standard behavioral subtyping \([9, 44, 104]\) relates the explicit preconditions and postconditions of an overriding and overridden procedure in a subtype and its supertype by requiring a contravariance and covariance relations between preconditions and postconditions respectively. Variations of interface subtyping \([96]\) with weaker covariance requirements for postconditions can also be used.
To illustrate, the subcapsule CxCounter in Figure 4.4 is not the interface subtype of its supercapsule Counter:

\[
\text{override}([\text{CxCounter, void inc()}\{r = 0\}], \quad [\text{Counter, void inc()}\{r = r + 1\}]) \cdot \Gamma \vdash \{\text{true}\} r = r + 1 \{c.\text{val()} == \text{old}(c.\text{val()} + 1)\}
\]

This is because the behavior \((\text{true, c.val()} == 0)\) of the overriding procedure inc in CxCounter is not compatible with the behavior \((\text{true, c.val == old(c.val()) + 1})\) of its overridden procedure inc in its supercapsule Counter.

However, the subcapsule CxCounter in Figure 4.3 is an interface subtype of Counter trivially because it does not override any procedure of Counter.

**Neither interference nor interface subtyping alone are sufficient for concurrent subtyping** A subcapsule \(C'\) can be an interference subtype of its supercapsule \(C\) but not its interface subtype. Similarly, \(C'\) can be an interface subtype of \(C\) but not its interference subtype. This shows that neither interference subtyping nor interface subtyping alone is sufficient to guarantee concurrent subtyping.

To illustrate, the subcapsule CxCounter in Figure 4.6 is an interference subtype of its supercapsule Counter but is not its interface subtype. Similarly, the CxCounter in Figure 4.3 is an interface subtype of Counter but not its interference type.

### 4.3.2 Sound Modular Reasoning

Now we show a Hoare-style logic [77] that uses concurrent subtyping to enable modular supertype abstraction reasoning [97] in the presence of interference and inheritance. In supertype abstraction reasoning, an invocation of a procedure is understood using the static type \(C\) of its receiver capsule instance and independent of its possibly different dynamic type \(C'\) used to dispatch the invocation. Figure 4.7 shows select rules in our Hoare logic. The reasoning rules for atomic expressions that are free from interference are similar to sequential reasoning rules in previous work [3, 77] and are omitted.

In the reasoning rules, the judgement \(\Gamma \vdash \{ep_1\} \ e \ \{ep_2\}\) denotes that the Hoare triple \(\{ep_1\} \ e \ \{ep_2\}\) is provable using the static typing environment \(\Gamma\). The reasoning rules use a fixed capsule table \(CT\)
The inference rule (V-PROC INVOC) reasons about the invocation of a procedure on a capsule instance $c$ with the static type $C$ and a possibly different dynamic type. The rule says that the behavior of the invocation of a procedure $p$ is the behavior $(e_1', e_2')$ of the procedure combined with the behavior $(e_1'\prime, e_2'\prime)$ of the interference closure $\kappa(c, C)$ for its receiver $c$. This is because in Panini interference can happen after each procedure invocation point $^a$ and the interference behavior is bound by the behavior of the interference closure $\kappa(c, C)$. $(e_1', e_2')$ is the behavior $(e_1, e_2)$ of the procedure $p$ after substitutions for its parameters and the pseudo-variable $self$. The key in this rule is that, independent of the dynamic type of the receiver which maybe different from $C$, the rule uses the static type $C$ of the receiver $c$ to retrieve the behavior $(e_1', e_2')$ of the procedure $p$ and compute the interference behavior $(e_1'\prime, e_2'\prime)$ of the receiver. Reasoning about the procedure invocation using the static type and independent of the dynamic type of its receiver is sound only because concurrent subtyping guarantees both interference
and interface subtyping.

(V-SELF INVOC) reasons about the invocation of a procedure of a capsule itself. The rule says that the behavior of the self invocation of a procedure \( p \) of a capsule \( C \) is the same as the behavior \((ep'_1, ep'_2)\) of the procedure, after appropriate substitutions. Unlike (V-PROC INVOC), the behavior of the self invoked procedure does not need to be combined with any interference behavior. This is because the invocation of a self procedure is executed synchronously. Similarly, (V-SUPER INVOC) reasons about the invocation of a procedure in a supercapsule. The rule says that the behavior of the invocation of a procedure \( p \) of a supercapsule \( C \) is the same as the behavior \((ep'_1, ep'_2)\) of the procedure, after appropriate substitutions. Again there is no combination of the procedure behavior with any interference behavior. This is because in Panini a capsule owns and controls access its supercapsule, similar to its local capsule instances, and can access its supercapsule’s state free from interference. by its (V-CONSEQUENCE) is the standard consequence rule [77].

4.3.2.1 Soundness

Modular reasoning using the Hoare logic in Figure 4.7 is sound because:

- the behavior of a capsule \( C \) is divided into interference and interface behaviors; and

- concurrent behavioral subtyping guarantees that a subcapsule \( C' \) is both interference and interface subtype of its supercapsule \( C \); and consequently

- interference behaviors of \( C \) and \( C' \) are compatible for a capsule \( D \) that \( C \) interferes with and interface behaviors of \( C \) and \( C' \) are compatible for a capsule \( D \) that interact with \( C \) by invoking its procedures.

Therefore, any property \( \Phi \) reasoned about and verified using the behavior of the supercapsule \( C \) and the rules in Figure 4.7 will not be invalidated by any of its existing subcapsules \( C' \) or any subcapsules \( C' \) added in the future. Theorem 9 formalizes soundness of our reasoning Hoare logic.

Theorem 9 (Soundness of reasoning) The reasoning Hoare logic in Figure 4.7 is sound. That is, any Hoare triple provable using this Hoare logic, written as \( \Gamma \models \{ep_1\} \ e \ \{ep_2\} \), is a valid Hoare triple, written as \( \Gamma \vdash \{ep_1\} \ e \ \{ep_2\} \).
Proof Sketch: The proof is based on the induction over the expressions in the syntax in Figure 4.1 and uses interference and interface subtyping guarantees of concurrent subtyping. The judgement $\Gamma \models \{ep_1\} e \{ep_2\}$ denotes that the provable triple $\{ep_1\} e \{ep_2\}$ is valid in $\Gamma$ if for every state $f$ that agrees with type environment $\Gamma$, if $ep_1$ is true in a program state $f$, i.e. $f \models ep_1$, and if the execution of $e$ terminates in a state $f'$, then $f' \models ep_2$. The validity is for partial correctness and does not say anything about the termination [153].

4.4 Proving Concurrent Subtyping

To prove that a subcapsule $C'$ is a concurrent subtype of its supercapsule $C$ requires the following proofs according to Definition 8:

1. **Interference subtyping**: all overriding and extra procedures of $C'$ provide a proof that $C'$ is an interference subtype of $C$; and

2. **Interface subtyping**: every overriding procedure of $C'$ provides a proof that $C'$ is an interface subtype of $C$.

The following key observations allow for an alternative way to prove concurrent subtyping:

$O_1$ in the presence of type encapsulation [117] and encapsulated inheritance [155], to prove that $C'$ is an interference subtype of $C$ it is sufficient to prove that $C'$ is a standard interface subtype [45,104] of $C$.

$O_2$ consequently and more importantly, to prove that $C'$ is a concurrent subtype of $C$ it is sufficient to prove that $C'$ is an interface subtype of $C$.

The standard interface subtyping and its variations [10,104] relate behaviors of an overriding procedure in a subtype and the procedure it overrides in the supertype by requiring contravariance and covariance relations on their preconditions and postconditions respectively. Variations of interface subtyping [44, 96] weaken the covariance rule for postconditions.

Using $O_2$, in a concurrent language with type encapsulation and encapsulated inheritance, a programmer can simply prove the standard interface subtyping and in return reap the benefits of concurrent
subtyping without the need to be worried about interference and interference subtyping. This in turn could help foster concurrent programming languages in which behavioral subtyping is the norm.

4.4.1 Encapsulated Inheritance

Encapsulated inheritance makes the state and its representation of a supercapsule \( C \) accessible to its subcapsule \( C' \) only through invocations of procedures of \( C \) [155]. This is in contrast to standard inheritance mechanisms in languages such as Java in which a subclass can directly access fields of its superclass. Definition 11 defines encapsulated inheritance. Definition 10 defines extended state of a capsule used in Definition 11.

**Definition 10 (Extended state)** Let \( C' \) be a capsule with the declaration capsule \( C'(\text{import}) \text{ extends } C \{ \text{design state proc} \} \). The extended state of \( C' \), written as \( XState(C') \), is a set of memory locations including its state \( \text{state} \) and its representation, extended state of its supercapsule \( C' \) and extended states of local non shared capsule instances declared in its design declaration.

A locally declared instance \( G g \) in \( C' \) is not shared if there is no wiring declaration \( h(g) \) in design declaration of \( C' \) that exports \( g \) to \( h \). Extended state of \( C' \) is the set of memory locations that are not shared by \( C' \) and can be accessed by the capsule without any interference. Imported or exported capsule instance of \( C' \) are shared and therefore are not part of its extended state.

To illustrate, the extended state of the capsule \( \text{Client} \) in Figure 4.2 includes its states \( v1 \) and \( v2 \) but does not include states of its imported counter instance \( c \). However, the extended state of \( \text{Client} \) in Figure 4.5, in addition to \( v1 \) and \( v2 \), includes the states of the locally declared counter instance \( c \).

**Definition 11 (Encapsulated inheritance)** Let \( C' \) and \( C \) be two capsule types where \( C' \) is a subtype of \( C \), i.e. \( C' \prec C \). Let \( XState(C) \) be the extended state of \( C \). Then, \( C' \) is a subcapsule of \( C \) over an encapsulated inheritance hierarchy, written as \( C' \prec_E C \), iff there is no direct access in procedures of \( C' \) to the extended state of \( C \).

4.4.2 Proving Interference Subtyping

In the presence of type encapsulation and encapsulated inheritance, a subcapsule \( C' \) is the interference subtype of its supercapsule \( C \) if \( C' \) is an interface subtype of \( C \). Theorem 12 formalizes this.
Theorem 12 (Interference subtyping is guaranteed by encapsulated inheritance and interface subtyping) Let \( C' \) and \( C \) be two capsule types where \( C' \) is a subtype of \( C \) over its encapsulated inheritance hierarchy, i.e. \( C' \prec_E C \); Let \( C' \) be an interface subtype of \( C \). Then \( C' \) is an interference subtype of \( C \).

Proof: Let \( c \) be a capsule instance of static type \( C \), i.e. \( \Gamma \vdash c : C \) and dynamic type \( C' \), i.e. \( \Pi \vdash c : C' \). According to Definition 8, to prove that \( C' \) is an interference subtype of \( C \) we need to prove that:

\[
\forall e_{p_1}, e_{p_2} \in e.p. \quad \Gamma \vdash \{ e_{p_1} \} \kappa(c, C) \{ e_{p_2} \} \implies \Gamma \vdash \{ e_{p_1} \} \kappa(c, C') \{ e_{p_2} \}
\]

Recall that the interference closure \( \kappa(c, C') \) of \( C' \) is a set of sequential compositions of any number of invocations of the procedures of \( C' \) in any order. A procedure in the interface of the subcapsule \( C' \) can be:

1. a procedure \( p \) declared in its supercapsule \( C \) and not overridden in \( C' \) or
2. an overrriding procedure \( p_{o}' \) in \( C' \) or
3. an extra procedure \( p_{x} \). For (1), an invocation of \( p \) dispatched to \( C' \) is included in \( \kappa(c, C) \) that satisfies the behavior \((e_{p_1}, e_{p_2})\) and therefore such invocation cannot invalidate \((e_{p_1}, e_{p_2})\). For (2), the assumed interface subtyping guarantees that the behavior of \( p_{o}' \) in \( C' \) is compatible with the behavior of the procedure \( p_{o} \) it overrides in \( C \) and therefore an invocation of \( p_{o}' \) preserves the behavior \((e_{p_1}, e_{p_2})\) that \( \kappa(c, C) \) satisfies. For (3), encapsulated inheritance guarantees that to access the extended state

\[
XState(C)
\]

of the supercapsule \( C \), \( p_{x} \) must go through procedures of \( C \) where invocations of these procedures is included in \( \kappa(c, C) \) which satisfies \((e_{p_1}, e_{p_2})\). \( p_{x} \) can directly access \( XState(C') \setminus XState(C) \), however, Lemma 5 shows that \( XState(C) \) is disjoint from \( XState(C') \setminus XState(C) \) and therefore any modifications to \( XState(C') \setminus XState(C) \) by invocation of \( p_{x} \) does not invalidate the behavior \((e_{p_1}, e_{p_2})\) over \( XState(C) \).

A downcall from a supertype to an overriding procedure of its subtype via the pseudo-variable \textit{self} is not allowed.

Lemma 5 (Disjoint extended states) Let \( C \) and \( C' \) be two different capsule types with extended states \( XState(C) \) and \( XState(C') \). If \( C \) and \( C' \) do not belong to the same inheritance hierarchy, i.e. \( C \not\prec_E C' \) and \( C' \not\prec_E C \), then their extended states are disjoint, written as \( XState(C) \# XState(C') \). Otherwise, if they are on the same inheritance hierarchy, i.e. \( C' \prec_E C \), then the extended state \( C \) is disjoint from the extended state of \( C' \) minus the extended state of \( C \), i.e. \( XState(C) \# (XState(C') \setminus XState(C)) \).

Proof Sketch: The proof is based on type and inheritance encapsulation of capsules.
4.4.3 Proving Concurrent Subtyping

In the presence of type encapsulation and encapsulated inheritance, a subcapsule \( C' \) is the concurrent subtype of its supercapsule \( C \) iff \( C' \) is an interface subtype of \( C \). Theorem 13 formalizes this.

**Theorem 13** *(Concurrent subtyping is guaranteed by encapsulated inheritance and interface subtyping)*

Let \( C' \) and \( C \) be two capsule types where \( C' \) is a subcapsule of \( C \) over its encapsulated inheritance hierarchy, i.e. \( C' \prec_E C \). Let \( C' \) be an interface subtype of \( C \). Then \( C' \) is a concurrent subtype of \( C \).

**Proof**: The proof is straightforward using Theorem 12 and Definition 8.

**Proving interface subtyping** To prove that a subcapsule \( C' \) is an interface subtype of its supercapsule \( C \) one can use various techniques proposed by previous work [9, 104] including specification inheritance [45]. Specification inheritance combines behaviors of \( C \) and \( C' \) by disjoining preconditions and conjoining postconditions of an overriding procedure and the procedure it overrides. The combined specification becomes the new specification of the subcapsule \( C' \). The key in enforcing interface subtyping using specification inheritance is that specification inheritance automatically guarantees that \( C' \) is an interface subtype of \( C \). This in turn may help more in making behavioral subtyping in concurrent languages prevalent. Supporting specification inheritance for capsules is straightforward, especially since their procedure specifications are atomic.

4.5 Semantics

4.5.1 Static Semantics

Figure 4.8 adds capsule subtyping to Panini’s type system, with most other rules being straightforward and similar to rules without capsule subtyping discussed in Chapter 3.

4.5.2 Operational Semantics

Figure 4.9 shows dynamic semantics of Panini. The new rule *(SUPER INVOC)* delegates an invocation to a supercapsule as an asynchronous invocation and in turn guarantees encapsulated inheritance. Other rules are similar to Panini’s operational semantics without capsule inheritance.
(T-PROC INVOC) \[ \Gamma, \Pi \vdash e : C \quad T' \quad p(\overline{T}x)\{e\} = procBody(C, p) \quad \forall x_k \in \mathcal{V}, T_k \in T \quad \Gamma, \Pi \vdash x_k : T_k \] \[ \Gamma, \Pi \vdash .c : T' \quad (T-RESOLVE) \quad \Gamma, \Pi \vdash e : T \quad T = \Pi(l) \quad \Gamma, \Pi \vdash resolve(l, e, id, p) : T \]

(T-SELF INVOC) \[ \Gamma, \Pi \vdash self : C \]

\[ capsule C(...) extends D\{.. T' \quad p(\overline{T}x)\{e\} ..\} = CT(C) \quad \forall x_k \in \mathcal{V}, T_k \in T \]

\[ \Gamma, \Pi \vdash self .p(x) : T' \]

(T-SUPER INVOC) \[ \Gamma, \Pi \vdash super : C \]

\[ capsule C(...) extends .. . T' \quad p(\overline{T}x)\{e\} .. = CT(C) \quad \forall x_k \in \mathcal{V}, T_k \in T \]

\[ \Gamma, \Pi \vdash super .p(x) : T' \]

(T-SUB VAR) \[ \Gamma, \Pi \vdash e : T' \quad T' < : T \]

\[ \Gamma, \Pi \vdash e : T \]

(T-SUB CAP) \[ \Gamma, \Pi \vdash e : C' \quad C' < : C \]

\[ \Gamma, \Pi \vdash e : C \]

(T-CAP EXTEND) \[ \Gamma, \Pi \vdash super .p(x) : T' \]

\[ capsule C'(...) extends .. . T' \quad p(\overline{T}x)\{e\} .. = CT(C') \]

\[ \Gamma, \Pi \vdash super .p(x) : T' \]

(T-SUPER ST READ) \[ \Gamma, \Pi \vdash self : C \quad capsule C(...) extends D\{.. T.s ..\} = CT(C) \]

\[ \Gamma, \Pi \vdash self .s : T \]

(T-SUPER ST ASGN) \[ \Gamma, \Pi \vdash self : C \quad \Gamma, \Pi \vdash x : T \quad capsule C(...) extends D\{.. T.s ..\} = CT(C) \]

\[ \Gamma, \Pi \vdash self .s := x : T \]

(T-REFERENCE) \[ \Gamma, \Pi \vdash x : T \]

\[ \Gamma, \Pi \vdash x : T \]

(T-ASSIGN) \[ \Gamma, \Pi \vdash e : T \]

\[ \Gamma, \Pi \vdash e : T \]

(T-LET) \[ \Gamma, \Pi \vdash e_1 : T \]

\[ \Gamma, \Pi \vdash e_2 : T \]

\[ \Gamma, \Pi \vdash let x : T be e_1 in e_2 : T \]

(T-IF) \[ \Gamma, \Pi \vdash x : int \]

\[ \Gamma, \Pi \vdash e_1 : T \]

\[ \Gamma, \Pi \vdash e_2 : T \]

\[ \Gamma, \Pi \vdash if x then e_1 else e_2 : T \]

(T-COND) \[ \Gamma, \Pi \vdash \Delta : T \]

\[ \Gamma, \Pi \vdash \Delta : T \]

\[ \Gamma, \Pi \vdash \Delta : T \]

\[ \Gamma, \Pi \vdash x : T \quad \Gamma, \Pi \vdash spec : int \]

\[ \Gamma, \Pi \vdash T \quad \forall T \in T \quad \Gamma, \Pi \vdash T \]

\[ \Gamma, \Pi \vdash \Gamma [\text{spec}] T' p(\overline{T}x)\{e\} \]

(T-WIRING DECL) \[ \Gamma, \Pi \vdash c : C \quad capsule C(\overline{g} g) \text{ extends } D\{.. \} = CT(C) \quad \overline{G} = \Gamma(g) \]

\[ \Gamma, \Pi \vdash c(\overline{g}) \]

(T-CAPSULE DECL) \[ \forall \text{proc} \in \text{proc} . \quad \overline{G} : \Gamma, \overline{h} : \overline{H}, \text{self} : C, \text{super} : D \vdash \text{proc} \]

\[ \forall \text{wire} \in \text{wire} . \quad \overline{G} : \Gamma, \overline{h} : \overline{H} \vdash \text{wire} \quad \forall \overline{G} \in \overline{G} . \quad \vdash \overline{G} \vdash \overline{H} . \quad \vdash \overline{H} \quad \vdash D \quad \forall T \in T . \quad \vdash \]

\[ \vdash capsule C(\overline{g} g) \text{ extends } D\{ \text{ design} \{ \overline{H} \overline{h} \text{wire} \} \ T \text{ proc} \} \]

Figure 4.8 Panini’s select typing rules.
Local evaluation relation $\sim$:
$$\langle id, \sigma[e].Q,S,r,I \rangle \sim \langle id, \sigma[e'].Q',S',r,I \rangle$$

(State Read)
$$\langle id, \sigma[\text{self}.f].Q,S[l = v],[C,F][f = I],I \rangle \sim \langle id, \sigma[v].Q,S,[C,F],I \rangle$$

(State ASGN)
$$\langle id, \sigma[\text{self}.f = v].Q,S,[C,F][f = I],I \rangle \sim \langle id, \sigma[v].Q,S[l = v],[C,F],I \rangle$$

(Self Invoc)
$$\text{capsule } C(\cdot) \text{ extends } C' \{ .. T \ p(\overline{T \ x})\{e\} .. \} = CT(C)$$
$$\langle id, \sigma[\text{self}.p(\overline{v})].Q,S,[C,F],I \rangle \sim \langle id, \sigma[e \ [\overline{v/x}]].Q,S,[C,F],I \rangle$$

(REF)
$$\text{fresh}(I) \quad \text{DEREF}$$
$$\langle id, \sigma[\text{ref } v].Q,S,r,I \rangle \sim \langle id, \sigma[I].Q,S[l := v],r,I \rangle$$
$$\langle id, \sigma[\text{deref } I].Q,S[l = v],r,I \rangle \sim \langle id, \sigma[v].Q,S,r,I \rangle$$

(LET)
$$\langle id, \sigma[\text{let } x \ be \ v \ in \ e].Q,S,r,I \rangle \sim \langle id, \sigma[v/x].e].Q,S,r,I \rangle$$

(FIFO DEQUEUE)
$$\langle id, v.e.Q,S,r,I \rangle \sim \langle id,e.Q,S,r,I \rangle$$

Global evaluation relation $\Rightarrow$:
$$\mathcal{H} \mid \langle id, \sigma[e].Q,S,r,I \rangle \Rightarrow \mathcal{H}' \mid \langle id, \sigma[e'].Q',S',r,I \rangle$$

(PROC INVOC)
$$id' = I(i) \quad \Sigma' = \langle id', e', Q', S', [C', F'], I' \rangle \in \mathcal{H} \quad \text{capsule } C'(\overline{D}) \text{ extends } .. \cdot T \ p(\overline{T \ x})\{e\} .. \} \in P$$
$$e'' = e \ [\overline{v/x}, I'(\overline{f})] \quad R = \text{reach}(\overline{v}, S) \quad R' = \bigcup_{f \in \text{dom}(F)} \text{reach}(I', S)$$
$$R \cap R' = \emptyset \quad \text{fresh}(I) \quad \mathcal{H}' = \mathcal{H} \uplus \langle id', e'.Q'.\text{resolve}(I,e'',id,p),S \oplus R,[C',F'],I' \rangle$$
$$\mathcal{H}' \mid \langle id'.\text{resolve}(I,v,\overline{v},id,p),Q',S',[C',F'],I' \rangle \Rightarrow \mathcal{H}'' \mid \langle id', e'.Q', S' \oplus R,[C',F'],I' \rangle$$

(RESOLVE)
$$R = \text{reach}(\overline{v}, S) \quad R' = \bigcup_{f \in \text{dom}(F)} \text{reach}(I', S)$$
$$R \cap R' = \emptyset \quad \Sigma = \langle id,e.Q,S[l = e],r,I \rangle \in \mathcal{H} \quad \mathcal{H}' = \mathcal{H} \uplus \langle id,e.Q,S[l := e] \oplus R,r,I \rangle$$
$$\mathcal{H}' \mid \langle id'.\text{resolve}(I,v,\overline{v},id,p),Q',S',[C',F'],I' \rangle \Rightarrow \mathcal{H}'' \mid \langle id', e, Q', S', [C', F'], I' \rangle$$

(SUPER INVOC)
$$\Sigma' = \langle id', e', Q', S', [C', F'], I' \rangle \in \mathcal{H} \quad \text{capsule } C'(\overline{D}) \text{ extends } .. \cdot T \ p(\overline{T \ x})\{e\} .. \} = CT(C')$$
$$e'' = e \ [\overline{v/x}, I'(\overline{f})] \quad R = \text{reach}(\overline{v}, S) \quad R' = \bigcup_{f \in \text{dom}(F)} \text{reach}(I', S)$$
$$R \cap R' = \emptyset \quad \text{fresh}(I) \quad \mathcal{H}' = \mathcal{H} \uplus \langle id', e'.Q'.\text{resolve}(I,e'',id,p),S \oplus R,[C',F'],I' \rangle$$
$$\mathcal{H}' \mid \langle id, \sigma[e].Q,S,[C,F],I \rangle \Rightarrow \mathcal{H}'' \mid \langle id, \sigma[e].Q,S[l := e] \oplus R,[C,F],I \rangle$$

Figure 4.9 Local and global operational semantics with capsule inheritance.
Table 4.1 Number of supertypes accessing their supertypes’ states.

<table>
<thead>
<tr>
<th></th>
<th>revisions</th>
<th>pairs</th>
<th>subtypes</th>
<th>%accessing</th>
<th>accesses</th>
<th>writes</th>
<th>%writing</th>
<th>Total%</th>
</tr>
</thead>
<tbody>
<tr>
<td>Akka</td>
<td>1-5</td>
<td>354</td>
<td>30</td>
<td>8.47</td>
<td>81</td>
<td>29</td>
<td>35.80</td>
<td>3.02</td>
</tr>
<tr>
<td></td>
<td>6-11</td>
<td>163</td>
<td>9</td>
<td>5.52</td>
<td>28</td>
<td>7</td>
<td>25.00</td>
<td>1.38</td>
</tr>
<tr>
<td></td>
<td>12-24</td>
<td>249</td>
<td>33</td>
<td>13.25</td>
<td>51</td>
<td>18</td>
<td>35.29</td>
<td>4.67</td>
</tr>
<tr>
<td></td>
<td>25-49</td>
<td>212</td>
<td>15</td>
<td>7.08</td>
<td>110</td>
<td>42</td>
<td>38.18</td>
<td>2.70</td>
</tr>
<tr>
<td></td>
<td>50-99</td>
<td>75</td>
<td>3</td>
<td>4.00</td>
<td>6</td>
<td>2</td>
<td>33.33</td>
<td>1.33</td>
</tr>
<tr>
<td></td>
<td>&gt;=100</td>
<td>274</td>
<td>25</td>
<td>9.12</td>
<td>92</td>
<td>34</td>
<td>36.96</td>
<td>3.37</td>
</tr>
<tr>
<td></td>
<td>Total</td>
<td>1327</td>
<td>115</td>
<td>8.67</td>
<td>368</td>
<td>132</td>
<td>35.87</td>
<td>3.11</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th></th>
<th>revisions</th>
<th>pairs</th>
<th>subtypes</th>
<th>%accessing</th>
<th>accesses</th>
<th>writes</th>
<th>%writing</th>
<th>Total%</th>
</tr>
</thead>
<tbody>
<tr>
<td>Java</td>
<td>1-5</td>
<td>2,452,901</td>
<td>589,050</td>
<td>24.01</td>
<td>7348,741</td>
<td>25,77,021</td>
<td>35.07</td>
<td>8.42</td>
</tr>
<tr>
<td></td>
<td>6-11</td>
<td>846,579</td>
<td>197,856</td>
<td>23.37</td>
<td>3015,861</td>
<td>915,763</td>
<td>35.9</td>
<td>8.39</td>
</tr>
<tr>
<td></td>
<td>12-24</td>
<td>992,184</td>
<td>234,234</td>
<td>23.61</td>
<td>3015,861</td>
<td>1,039,681</td>
<td>34.47</td>
<td>8.13</td>
</tr>
<tr>
<td></td>
<td>25-49</td>
<td>822,406</td>
<td>207,718</td>
<td>25.26</td>
<td>2624,272</td>
<td>968,774</td>
<td>36.92</td>
<td>9.32</td>
</tr>
<tr>
<td></td>
<td>50-99</td>
<td>963,136</td>
<td>235,178</td>
<td>24.42</td>
<td>3,038,645</td>
<td>111,4326</td>
<td>36.67</td>
<td>8.95</td>
</tr>
<tr>
<td></td>
<td>&gt;=100</td>
<td>4,488,687</td>
<td>1,057,102</td>
<td>23.55</td>
<td>13,072,998</td>
<td>4,911,229</td>
<td>37.5</td>
<td>8.84</td>
</tr>
<tr>
<td></td>
<td>Total</td>
<td>2,521,138</td>
<td>105,658</td>
<td>23.68</td>
<td>31,651,585</td>
<td>11,526,794</td>
<td>36.42</td>
<td>8.69</td>
</tr>
</tbody>
</table>

4.6 Evaluation

One of our key findings is that in the presence of type encapsulation and encapsulated inheritance, the standard interface subtyping alone is sufficient to guarantee concurrent subtyping. To evaluate the usefulness of such finding we study:

\( \mathcal{E}_1 \) the extent to which interface subtyping can be used to guarantee concurrent subtyping, which in turn is determined by

\( \mathcal{E}_2 \) the prevalence of encapsulated inheritance and type encapsulation.

**Dataset** We measure violations of encapsulated inheritance and type encapsulation in a large set of randomly chosen Akka and Java projects from GitHub. Our data set includes 416 Akka and 554,864 Java projects. We consider a Java project that uses Akka’s Java library [8] as an Akka project. There are 2003 actors in our Akka projects in addition to non actor classes and 21,320,654 Java classes in our Java projects.

**Encapsulated inheritance** We use two proxies to measure violations of encapsulated inheritance:

\( \mathcal{M}_1 \) actual violation of encapsulated inheritance by a subtype \( \sigma \) that accesses fields of its immediate or transitive supertype \( \tau \) directly without using their methods; and
possible violation of visibility-based encapsulated inheritance \cite{155} in a type $\tau$ if it has non private or non static fields that could be accessible to any potential subtype $\sigma$.

In visibility-based encapsulation, private fields of a supertype $\tau$ are not directly accessible to its subtypes $\sigma$. Visibility-based encapsulation only encapsulates and protects the state of a type and not its representation. However, in languages like Java and Akka that do not check for encapsulation by default, programmers are taught to use visibility-based encapsulation to guarantee encapsulation \cite{27,156}. Visibility-based encapsulation is not sufficient to guarantee encapsulation, however, may be a good starting measure to understand programmer’s intent.

**Type encapsulation** We use the following proxy to measure the violation of type encapsulation:

possible violations of visibility-based encapsulation \cite{89} in a type $\tau$ if it has non private or non protected or static fields that could be accessible to any potential type $\eta$ that may interact with $\tau$.

In visibility-based encapsulation, private and protected fields of a type $\tau$ are not directly accessible to another type that interacts with $\tau$.

**Granularity** We measure violations of encapsulated inheritance and type encapsulation for two type and project granularity levels. A project breaks encapsulated inheritance if there is at least one pair of supertype $\tau$ and $\sigma$ in the project that break encapsulated inheritance. Similarly, the project breaks type encapsulation if there is at least one type $C$ that its type encapsulation can be broken.

**Maturity** We divide the projects of our study into revision categories based on the number of their revisions. These include a category for projects with 1 to 5 revisions, and categories for 6–11, 12–24, 25–49, 50–99 and more than 100. Revision categories allow us to understand our findings for both more mature and less mature projects. We consider a project with more revisions to be more mature \cite{122}.

**Boa** We use Boa \cite{51,52,55,143} to conduct our studies. Boa is a data mining infrastructure that includes an ultra-large corpus of open source projects and an infrastructure for mining and understanding software repositories.

Figure 4.1 shows our measurements for $M_1$. In this figure the column *pairs* denotes the number of supertype and subtype pairs; *subtypes* denotes the number of subtypes that access their supertypes and *%accessing* shows the percentage of *subtypes* to *pairs*. The column *accesses* is the total number of accesses from *subtypes* to supertypes with the number of *writes* accesses specified and the remaining
are the read accesses. %writing shows the percentage of write accesses to the total accesses. %Total is the multiplication of %accessing and %accessing.

4.6.1 Akka

Akka [8, 166] is a popular concurrent message passing framework in which a sequential actor encapsulates its state and communicates by other concurrently running actors by messages.

4.6.1.1 Encapsulated Inheritance

Type level $M_1$ shows that about 8.67% of subactors access fields of their superactors from which about 35.87% access a superactor to write its fields and the remaining accesses are read. A read access can be automatically refactored to an invocation of a side effect free and pure accessor method added to the superactor to preserve encapsulated inheritance. The addition of these accessor methods does not change the interference closure and the interference behavior of the superactor. Therefore, only about 3.11% of subactors may break the encapsulated inheritance of their superactors. The 3.11% is the product of percentage of subactors that may access their superactors (8.67%) and the percentage of such accesses being a write access (35.87%).

$M_2$ shows that at most 3.94% (79 out of 2003) of subactors can break encapsulated inheritance of their superactors by having non-private non-static fields that can be accessed and modified by a subactor. $M_1$ is lower than $M_2$ because $M_1$ measures the actual violations that happen in the code whereas $M_2$ measures an upper bound on the possible that may happen in the future as well.

Project level Using $M_1$ there are 11 out of 416 projects that violate encapsulated inheritance in their types. Using $M_2$ there are at most 38 out of 416 projects that could possibly violate the encapsulated inheritance.

4.6.1.2 Type Encapsulation

Similar to $M_2$, $M_3$ measures an upper bound on the number of type encapsulation violations.

Type level Type encapsulation of at most 2.65% (53 out of 2003) of actors can be broken by directly accessing their public or protected non static fields.

Project level At most 24 projects out of 416 can violate type encapsulation.

### 4.6.2 Java

We conduct a similar study of measuring $M_1$–$M_3$ on our set of Java projects.

#### 4.6.2.1 Encapsulated Inheritance

**Type level**  About 23.68% of subclasses access fields of their superclass among which about 36.42% of their accesses are write. Therefore, about 8.69% of subclasses actually break the encapsulated inheritance of their superclasses.

**Project level**  Using $M_1$ there are 90,567 projects out of 554,864 that actually violate their encapsulated inheritance. Using $M_2$ there are at most 131,104 projects that could possibly violate the encapsulated inheritance.

### 4.6.3 Type Encapsulation

**Type level**  Type encapsulation of at most 11.8% (2,521,138 out of 21,320,654) can be violated by directly accessing their public or protected fields non static fields.

**Project level**  At most there are 105,707 projects out of 554,864 that can violate type encapsulation.


### 4.6.4 Findings

**Akka**  At the project level, using $M_1$ and $M_3$, there are at most 62 (38+24) Akka projects out of 416 that can violate either encapsulated inheritance or type encapsulation. This in turn means 354 (85.10%) projects abide by encapsulated inheritance and type encapsulation and therefore their concurrent subtyping can be guaranteed using only standard interface subtyping. If we use $M_2$, instead of $M_1$, then there are 35 (11+24) projects (instead of 52) that actually violate their encapsulated inheritance or type
encapsulation and therefore the remaining 381 (91.6%) are abiding. At the type level 3.11% of types can violate either encapsulated inheritance or type encapsulation and the remaining 96.89% of types abide by both type and inheritance encapsulation.

Different distribution of types among projects causes different outcomes in the percentages of projects and type that violate encapsulated inheritance or type encapsulation.

**Java** At the project level, using $M_1$ and $M_3$, there are at most 236,811 (131,104+105,707) projects out of 554,864 that can violate either encapsulated inheritance or type encapsulation. This in turn means that 318,053 (57.32%) projects abide by encapsulated inheritance and type encapsulation and therefore their concurrent subtyping can be guaranteed using only standard interface subtyping. If we use $M_2$, instead of $M_1$, then there are 196,274 (90,567+105,707) projects, instead of 236,811, that violate encapsulated inheritance or type encapsulation and therefore the remaining 358,590 (64.63%) are abiding. At type level 8.69% of types can violate either encapsulated inheritance or type encapsulation and the remaining 91.31% abide by them.

**Summary** More than three quarters of Akka projects and more than half of Java projects in our study abide by encapsulated inheritance and type encapsulation and their concurrent subtyping can be guaranteed using interface subtyping. Interestingly, trends of our findings regarding violations of encapsulated inheritance and type encapsulation stay stable and do not fluctuate a lot between more mature and less mature projects.

**4.6.4.1 Threats to Validity**

Similar to other experimental analyses there are threats to the validity of our findings. Our dataset includes a large set of randomly chosen Java and Akka projects not implemented by authors, however, it may not be representative of all concurrent programs that could be written in all mainstream languages that allow concurrent programming. Not all Java programs in our study are concurrent programs. Our analysis using visibility-based encapsulated inheritance and visibility-based type encapsulation is mostly syntactic and does not completely take into account aliasing semantics of Java programs.
4.7 Related Work

Previous work studies behavioral subtyping for sequential and concurrent programming languages.

**Sequential** Previous work \([36, 49, 96, 130]\) in sequential languages guarantees behavioral subtyping by relating behaviors of overriding and overridden procedures in a subtype \(\sigma\) and its supertype \(\tau\) through standard interface subtyping by enforcing contravariance and covariance requirements on preconditions and postconditions of these procedures. There is no interference during execution of a sequential program and therefore previous work in this category is not directly applicable to concurrent programming languages.

**Concurrent** One category of previous work \([148]\) extends behavioral subtyping of sequential language to programs in concurrent languages in which both procedures of a type and their specifications are atomic and free from interference. Another category of previous work \([45, 95, 117]\) uses history constraints \([9, 104]\) to take the interference into account and relate history constraints and invariants of the supertype \(\tau\) and its subtype \(\sigma\) to guarantee behavioral subtyping. Other previous work \([67]\) uses rely-guarantee \([87]\) or its reformulation in deny-guarantee reasoning \([48]\) in which the interference caused by one type on another is encoded as an environment specification in a rely predicate. Another category of previous work \([47]\) extends concurrent separation logic \([127]\) with specifications that specify shared resources and the interference behavior on the resource as its invariant. Some work in this category \([88, 165]\) specify the access protocol of a shared resource in terms of permissible order of operations instead of the interference behavior. These specifications are fine-grained enough to talk about memory locations and read and write permissions for these locations. This chapter is complementary and adds to previous work its novelty that it separates the interference behavior and the interface behavior of a type and distinguishes between interference and interface behavior compatibility and subtyping. Another novelty of this chapter is that it uses encapsulation and encapsulated inheritance to reduce behavioral subtyping in a concurrent language to the standard interface subtyping \([9]\).

**Integration into program logics and languages** Some previous work integrates variations of behavioral subtyping mentioned above into sequential or concurrent programming languages and tools such as Eiffel \([110, 124]\), Java \([63, 96]\), JML \([95]\), ESC/Java \([69]\) and Spec# \([22]\).
CHAPTER 5. ORDER TYPES

The concurrency revolution [158] has renewed interest in message passing concurrency (MPC) [4, 43, 81, 115, 120, 169] because of its modularity [5, 18, 80, 98, 99] and scalability [168] benefits [8, 12, 74]. A significant challenge in MPC program design is reasoning about message orders. Message races and their nondeterministic message orders make reasoning about message orders intractable [29, 41, 93, 105, 108, 161] and lead to bugs that are hard to find and fix.

In this chapter, we develop order types, a novel type system to modularly detect message races and to explain their causes. The order type of a process is a local and descriptive causal type [123] that encodes its messaging behavior in terms of asynchronous message it sends and their happens-before relations. Compared to the rich body of previous work on session types [25, 26, 28, 40, 43, 79–81, 119, 120, 160, 178], discussed in Section 5.5, that focuses on specification and verification of system-level coordination properties, order types focus on process-level interactions aimed at facilitating bottom-up MPC program design. Our calculus, Panini, introduces three innovations in type system design for MPC programs. A Panini capsule is equivalent of a process that runs concurrently with other processes.

**Bottom-up MPC program design through existential typing** In bottom-up MPC program design processes are designed, coded and tested independently, and then composed to form the complete program. Programmers relies on the interfaces (types) of other processes that the process communicates with, but not on the concrete process instance. Order types facilitate this design style. The order type of the process can encode its dependency on a process instance with an unknown value via the introduction of an existentially quantified process variable. An existential process variable is eliminated statically when the process is composed with other processes and values of its composing processes are known.

**Inter-process communication abstraction and abstraction eligibility** Order type abstraction can decrease complexity by abstracting away inter-process communication that is local to a process. A local process instance is encapsulated by its enclosing process which controls access to it [38, 118, 136].
Naive abstraction can allow message races to hide behind abstraction. Abstraction of the order type of a process is sound if the process is abstraction-eligible. A process is abstraction-eligible if order types of sequential compositions of invocation of any of its two procedures are well-formed, i.e. do not lead to any message race. Two messages are racy if they are sent directly or transitively from a process and arrive at another process without any happens-before relation between them. Abstraction improves information hiding by preventing the exposure of local messaging behavior and increases the scalability of the type checking by decreasing the number of messages and their happens-before relations in an order type.

**Blame Assignment for MPC Programs** A message race in a process happens because of bad composition of messages and processes, each of which can happen at different processes. An ill-formed order type properly blames the process that causes the race and is responsible for bad composition of processes or messages as the supplier of bad values. or the process at which the race happens is not blamed because it is the users of the bad value and not its supplier. Blame assignment in order types is similar to higher order contract [62, 173] in which the blame lays with the provider of the bad value independent of who invokes the first-class function.

**Contributions** In summary, this chapter makes the following contributions:

- order types to enable modular reasoning about messaging behavior in a compositional bottom-up program design;
- well-formedness of order types to disallow message races; and
- abstraction of order types to soundly hide local messaging behavior of abstraction-eligible processes and improve information hiding and the scalability of type checking;
- blame assignment to properly blame a process responsible for process composition or message composition as the supplier of bad values; and
- type checking rules for an asynchronous concurrent process model with encapsulation [38] and structured sharing [118].
5.1 Motivation

Order types enable the modular detection of a message race in bottom-up program design and proper blame assignment to explain its cause. Abstraction hides the local messaging behavior.

5.1.1 Modular Message Race Detection

A message race happens when a process receives two messages from another process with no happens-before relation \([91]\) between them. The happens-before relation is a partial order that orders messages within and between processes. Message races and their nondeterministic message orders make reasoning about message orders intractable \([29, 41, 93, 105, 108, 161]\) and lead to subtle bugs that are hard to find, reproduce and fix.

The order type of a process can detect and disallow message races in bottom-up program design and construction. The order type of a process is a local descriptive type that encodes its messaging behavior. The messaging behavior of a process includes the messages it directly sends and their happens-before relations. A process is well-formed if the order types of its procedures are well-formed. The order type of a procedure is well-formed if the messages it sends directly or transitively do not lead to a message race. The following steps check the well-formedness of the order type of a procedure:

1. a constraints set of happens-before relationships between messages that the procedure directly or transitively sends is constructed;

2. the constraint set is checked to be well-formed and thus free from message races.

```cpp
 capsule Server() {
  /* \(\sigma_3 = \bullet \rightarrow\) */
  void save() { /* no message send */}
  /* \(\sigma_4 = \bullet \rightarrow\) */
  void kill() { /* no message send */}
}
```

Figure 5.1 Well-formed process `Server` with empty order types for its procedures.

To illustrate, consider a bottom-up program design which starts off with the declaration of a `Server` process in Figure 5.1. The server declares two procedures `save` and `kill` to save its client’s work and shutdown, respectively. Order types \(\sigma_3 = \bullet\) and \(\sigma_4 = \bullet\) of `save` and `kill` are the empty order type \(\bullet\)
because these procedures do not send any messages in their implementations. Types $\sigma_3$ and $\sigma_4$ are trivially well-formed and therefore free from message race. This is because there is no message send in these types and therefore their constraint sets $\Delta_3 = \cdot$ and $\Delta_4 = \cdot$ are empty messages. The order type of a procedure can be easily constructed by exposing the message sends in its implementation.

$Server$ is written in an asynchronous concurrent programming model with encapsulation [38, 118, 136], structured sharing [136] and transitive inorder delivery and processing [8, 80, 105]. A program in this model is a set of concurrently running processes that communicate by sending messages asynchronously. Procedures of a process denote type-safe messages that the process can receive and a procedure invocation is the equivalent of a message send [8, 14, 86]. A process encapsulates its local processes and controls access to them. Sharing is structured around importing and exporting process instances. Messages are delivered and processed in the same order they are sent. This process model overlaps with the underlying models for variations of active objects [38], actors [118] and Panini [18, 136, 138] message passing concurrency models.

```cpp
7  capsule Proxy(Server sv) {
8   /* $\sigma_1 = \exists sv : Server . sv!save$ */
9   void save() { sv.save(); } 
10  /* $\sigma_2 = \exists sv : Server . sv!kill$ */
11  void kill () { sv.kill (); }
12 }
```

Figure 5.2 Well-formed process $Proxy$ with existential quantification for $sv$ in its type.

To continue the bottom-up program design, consider the declaration of a $Proxy$ process in Figure 5.2. The proxy uses $Server$ and acts an interface to it, according to the $Proxy$ design pattern [71]. The proxy declares the same procedures $save$ and $kill$ as the server and relays the client’s messages to the server. On line 7, the proxy imports the $Server$ process instance $sv$ that it is dependent on and uses. The proxy does not know the value of the process variable $sv$. The order type $\sigma_1 = \exists sv : Server . sv!save$ for the procedure $save$ describes its messaging behavior in which it sends a $save$ message to the server $sv$. The existentially quantified process variable $sv$ encodes the fact that the proxy does not know the value of the process variable $sv$ that it is using. The type $\sigma_1$ is well-formed and free from message races because its constraint set $\Delta_1 = \exists sv : Server . sv!save \triangleright \cdot$ is well-formed. The constraint set $\Delta_1$ contains happens-before relations between messages that $save$ directly or transitively sends. Order type $\sigma_1$ shows
that \texttt{save} sends a $\exists sv : Server . sv!save$ message directly. Receipt of this message by \texttt{Server} process \texttt{sv} causes the execution of its procedure \texttt{save} with the order type $\sigma_3 = \bullet$. The procedure \texttt{save} in \texttt{Server} does not send any messages and its constraint set $\Delta_3 = \bullet$ is empty, as discussed previously. That is, the direct message send $\exists sv : Server . sv!save$ in proxy's \texttt{save} leads to a transitive message send $\bullet$ in server's \texttt{save}. In the semantics of a message passing program, a message send always happens-before its receipt and processing. Therefore, the message send $\exists sv : Server . sv!save$ in proxy happens-before its receipt in server with the message send $\bullet$. This leads to the existentially quantified semantic constraint $\exists sv : Server . sv!save \triangleright \bullet$. This is the only constraint caused by the proxy's \texttt{save} and forms its constraint set $\Delta_1 = \exists sv : Server . sv!save \triangleright \bullet$ which is trivially well-formed. Construction of $\Delta_1$ for $\sigma_1$ is modular. This is because \texttt{Proxy} uses its implementation and the order type $\sigma_3$ (interface) of the \texttt{Server} that it refers to and not its implementation. In modular reasoning, a module is understood using only its implementation and the interfaces (not implementations) of other modules it refers to [132]. Similarly, proxy's \texttt{kill} is well-formed.

```plaintext
13 capsule Client() {
14    design { Server s; Proxy r; r(s); }
15    /* $\sigma = r!save; s!kill$ */
16    void main() { r.save(); s.kill(); }
17 }
```

Figure 5.3 Ill-formed process \texttt{Client} causes a message race in \texttt{Server}.

To continue the bottom-up program design, consider the declaration of a \texttt{Client} process in Figure 5.3 that uses both \texttt{Proxy} and \texttt{Server} processes. On line 15, the client instantiates local server and proxy instances \texttt{s} and \texttt{r} that it uses and exports \texttt{s} to the import \texttt{sv} of the proxy. The export of \texttt{s} to proxy assigns \texttt{s} to its import \texttt{sv} and shares the server \texttt{s} between the client and the proxy. The client declares a procedure \texttt{main} that intends to save the client's work in the server \texttt{s} and then shut down the server. The procedure \texttt{main} sends a \texttt{save} message to the proxy \texttt{r} followed by a \texttt{kill} message to the server \texttt{s}. The order type $\sigma = r!save; s!kill$ of \texttt{main} reflects the sequence of these message sends. Proxy in turn sends a \texttt{save} message to the server \texttt{s}. Client, proxy and server processes run concurrently. Unlike existential order types $\sigma_2$ and $\sigma_3$ in \texttt{Proxy}, $\sigma$ is not existential. This is because the client instantiates process variables \texttt{s} and \texttt{r} and knows their concrete values.

Due to asynchrony of message sends and concurrent execution of client, proxy and server processes,
messages `save` and `kill` sent from client can arrive at the server `s` at any order and with no happens-before relation between them. In other words, these messages are racy. Depending on the arrival order of `save` and `kill`, the client can have two different behaviors:

1. **Desirable behavior:** with message ordering `save⇑kill` in which the `save` message arrives at the server before the `kill` message, the server **correctly** saves the client’s work before it shuts down;

2. **Undesirable behavior:** with the opposite ordering `kill⇑save` the server **incorrectly** shuts down before saving client’s work.

To reason about message ordering in this program, one should consider both (i.e. 2!) message orders `save⇑kill` and `kill⇑save` before they can understand the program behavior. In general, in a program with a message race involving `n` messages, there are `n!` message orderings that should be understood, which is intractable \[162\].

Because of the message race, the order type \(\sigma = r!save; s!kill\) of client and its constraint set \(\Delta\) are not well-formed. Construction of \(\Delta\) proceeds as the following. First, the message send `r!save` in \(\sigma\) causes the invocation and execution of the proxy’s procedure `save` with the order type \(\sigma_1 = \exists sv : Server . sv!save\) and its corresponding constraint set \(\Delta_1 = \{\exists sv : Server . sv!save\} \). The client knows the value of existentially quantified process variable `sv` in `\(\sigma_1\)` because it instantiates the server instance `s` and exports and assigns it to `sv` in proxy `r`. This allows for the elimination of existential quantifier for `sv` and replacing it its known value `s` in the context of client. After quantification elimination, \(\sigma_1 = s!save\) and \(\Delta_1 = \{s!save\} \). Second, the message send `s!kill` in \(\sigma\) causes the invocation and execution of the server’s procedure `kill` with its order type \(\sigma_4 = \bullet\) and corresponding constraint set \(\Delta_4 = \bullet\). Third, due to the inorder delivery, sending of `r!save` of `\(\sigma\)` in client happens before sending of `s!kill` and causes the constraint \(\Delta_0 = \{r!save⇑s!save\}\) in the client. Putting \(\Delta_0–\Delta_2\) together through
their union we arrive at the constraint set $\Delta$ below:

$$\Delta = \Delta_4 \cup \Delta_1 \cup \Delta_0 = \{ r!save \triangleright s!save, s!save \triangleright \ast, s!kill \triangleright \ast, r!save \triangleright s!kill \}$$

$\Delta$ is not well-formed because there exists two messages $s!save$ and $s!kill$ (in gray) in it with no happens-before relation between them. Consequently, the order type $\sigma$ of main in Client is not well-formed. The ill-formedness of $\sigma$ detects and avoid this message race without any global or local specifications written by programmers [80]. Detection of this race is modular because in its type checking Client uses its implementation and the order types $\sigma_1$ and $\sigma_4$ of the Proxy and Server processes and is independent from their implementations.

### 5.1.2 Abstraction and Abstraction-eligibility

Order type abstraction can decrease complexity by abstracting away local messaging behavior of a process. This is sound because a local process instance is encapsulated by its enclosing process which controls access to it [38, 118, 136].

```plaintext
7 capsule Proxy1(Server sv) {
8     design { Logger l; }
9     /* $\sigma'_1$ = $\exists$sv : Server. l!log ; s!save */
10    void save() { l.log(); sv.save(); }
11    /* $\sigma'_2$ = $\exists$sv : Server. s!kill */
12    void kill() { sv.kill(); }
13 }
14 capsule Client() {
15     design { Server s; Proxy1 r; r(s); }
16     /* $\sigma'$ = r!save ; s!kill */
17     void main() { r.save(); s.kill(); }
18 }
```

Figure 5.5 Abstraction of messaging behavior for local logger l.

To illustrate abstraction, consider a variation of Proxy in Figure 5.5 called Proxy1. Proxy1’s procedure logs bookkeeping information by sending a log message to an instance of a Logger process before relaying the save message to the server s. The order type $\sigma'_1 = \exists$sv : Server. l!log; sv!save reflects this messaging behavior. Unlike the server sv which is imported with an unknown value the logger l is locally declared in Proxy1 and its value is known.
The addition of the invocation \texttt{l.log()} in \texttt{Proxy1}'s \texttt{save} procedure adds the message \texttt{l!log} to its order type \( \sigma'_1 = \exists sv: Server \cdot l!log; sv!save \). The order type \( \sigma'_1 \) with \( l!log \) is larger than the order type \( \sigma_1 = \exists sv: Server \cdot sv!save \) for \texttt{save} in \texttt{Proxy} without it. To check the well-formedness of \( \sigma'_1 \) the constraint set \( \Delta'_1 = \{ l!log \triangleright \star, \exists sv: Server \cdot sv!save \triangleright \star, \exists sv: Server \cdot l!log \triangleright sv!save \} \) should be constructed and checked for well-formedness. The constraint set \( \Delta'_1 \) with three happens-before relations is larger than \( \Delta = \{ \exists sv: Server \cdot sv!save \triangleright \star \} \) with only one happens-before relation and consequently its construction and checking takes more time.

Similarly, to check the well-formedness of \( \sigma' \) in the \texttt{Client} that uses \texttt{Proxy1} the following constraint set \( \Delta' \) should be constructed and checked for well-formedness:

\[
\Delta' = \{ r!save \triangleright l!log, l!log \triangleright \star, r!save \triangleright s!save, s!save \triangleright \star, l!log \triangleright s!save, s!kill \triangleright \star, r!save \triangleright s!kill \}
\]

There is a race between \( s!save \) and \( s!kill \) (in gray) in \( \Delta' \) for \texttt{Proxy1} and therefore \( \sigma' \) is ill-formed. However, the same race exists in \( \Delta \) and \( \sigma \) for \texttt{Proxy} without the logger. Compared to \texttt{Proxy}, sending a \texttt{log} message to the local logger \( l \) in \texttt{Proxy1} and consequently in \( \sigma' \) and its corresponding happens-before relations in \( \Delta' \) does not contribute to any more races. Therefore the local process instance \( l \), its messages and its happens-before relations can be abstracted away from the order type of the procedures of \texttt{Proxy1}.

After abstraction \( \sigma' = \exists s: Server \cdot s!save \) (equal to \( \sigma \) in \texttt{Proxy}) and \( \Delta' = \{ r!save \triangleright s!save, s!save \triangleright \star, s!kill \triangleright \star, r!save \triangleright s!kill \} \) (equal to \( \Delta \) in \texttt{Proxy}). Abstraction decreases size of \( \sigma' \) by reducing the number of its messages and decreases the size of \( \Delta' \) by reducing the number of its happens-before relations. Construction and checking of abstracted \( \Delta' \) takes less time than the original \( \Delta' \) without abstraction. Abstraction only applies to local process instances and not imported process instances such as \( sv \).

\textbf{Abstraction-eligibility} A naive abstraction can hide message races. To illustrate, consider a variation of \texttt{Client} declared in Figure 5.7 called \texttt{Client1}. On line 14, \texttt{Client1} locally declares server and proxy process instances \( s \) and \( r \). By abstracting the local process instance, the order type \( \sigma_0 = r!save \) of the
procedure rSave becomes $\sigma_0 = \bullet$. Similarly, $\sigma = s!kill$ for sKill becomes $\sigma = \bullet$ after abstraction. Now consider a process using an instance c of Client1 in an invocation sequence c.rSave():c.sKill(). Using order types $\sigma_0 = r!save$ and $\sigma = s!kill$ before the abstraction one can conclude that there is a race between save and kill messages sent to the server. However, this race will not be detected and the invocation will be well-formed using the abstracted order types $\sigma_0 = \bullet$ and $\sigma = \bullet$ are used. Here abstraction of local process instances s and r hides the race, which is unsound.

```
capsule Client1() {
    design { Server s; Proxy r; r(s); }
    /* $\sigma_0 = r!save$ becomes $\sigma_0 = \bullet$ after abstraction */
    void rSave(){ r.save(); }
    /* $\sigma = s!kill$ becomes $\sigma = \bullet$ after abstraction */
    void sKill () {s. kill (); }
}
```

Figure 5.6 Naive order type abstraction in Client1.

Similarly, abstraction of local process instance r in Client2 is not sound. This is because, in process using an instance c2 of Client2 with access to s the invocation sequence c2.rsave(): s.kill() will be ill-formed before the abstraction of Client2 and well-formed after. The local proxy instance r cannot be abstracted away because the shared imported server instance s flows to it. Flowing of an imported share process into a local process taints the local and prevents its abstraction. This is because the local can directly or indirectly send messages to the shared process which will be hide by abstraction.

```
capsule Client2(Server s) {
    design { Proxy r; r(s); }
    /* $\sigma_0 = r!save$ becomes $\sigma_0 = \bullet$ after abstraction */
    void rSave(){ r.save(); }
}
```

Figure 5.7 Unsound abstraction of the tainted local process instance r.

Order type abstraction is sound if the following conditions hold:

1. abstraction only abstracts aways message sends and their happens-before relations to untainted local process instances; and

2. the enclosing process is abstraction-eligible.

An untainted local is a local process instance with no import process instance or untainted local instance
exported to it. The abstraction is sound because an untainted locally declared process and its local processes instances are encapsulated by its enclosing process and are not directly accessible to the outside processes. These processes are only accessible through procedures of the enclosing process.

A process is abstraction-eligible if the following conditions hold:

1. the order types of its procedures are well-formed before abstraction;

2. a sequence composition of invocations of any of its two procedures before abstraction does not lead to message races.

To illustrate, Client1 is not abstraction-eligible. Both procedures rSave and sKill are well-formed. The invocation sequence c.sKill();c.rSave() leads to the constraint set \{c!sKill>s!kill,c!rSave>r!save, r!save>s!save,c!sKill>c!rSave\} which is well-formed in the presence of transitive inorder delivery and processing. However, the invocation sequence c.rSave();c.sKill() leads to a race and is not well-formed. Unlike Client1, Proxy1 is abstraction-eligible. This is because order types \(\sigma_1' = !!log;s!save\) and \(\sigma_2 = s!kill\) of its procedures save and kill are well-formed. And sequences of invocations of these two procedures lead to well-formed constraint sets. Similarly, Server is abstraction-eligible. Client is not abstraction-eligible because its procedure main leads to a race and its order type is not well-formed.

5.1.3 Proper Blame Assignment

Proper blame assignment enables programmers to quickly ascertain racy processes to be fixed or replaced. A message race in a process happens because of bad composition of messages and processes, each of which can happen at different processes. An ill-formed order type properly blames the process that causes the race and is responsible for bad composition of processes or messages as the supplier of bad values.

To illustrate, consider the previous Client process in Figure 5.3. The bad composition of messages r.save() and s.kill() on line 15 in client’s procedure main leads to a race in Server process s. That is, the race happens in the server but we blame the client. The bad message composition in client contributes to the race but it is not the true reason behind the race. The main reason for the race is the bad process composition Proxy r(s) in Client. This process composition shares the server s between the Client and
Proxy process \( r \) by exporting client’s \( s \) to proxy’s imported \( sv \). The bad process composition is blamed for the race because it is the supplier of the bad value.

```plaintext
13 capsule Client3(Server s, Proxy r) { 
14   /* \( \sigma = \exists s: Server . r!save . r!save . s!kill \) */
15   void main() { r.save(); s.kill(); }
16 }
```

Figure 5.8  A message composition that could lead to a race with bad composition.

To illustrate the difference between bad message and process compositions, consider a variation of the client called `Client3` in Figure 5.8. Procedures `main` in both `Client` and `Client2` compose `r.save()` and `s.kill()` messages similarly. However, while `Client` is ill-formed and causes a race in the server, `Client3` is well-formed. The difference between these two is their process compositions. The constraint set \( \Delta = \exists r: Proxy . r!save \triangleright \exists sv: Server . sv!save, \exists sv: Server . sv!save \triangleright s, \exists s: Server . s!kill \triangleright \bullet, \exists r: Proxy, s: Server . r!save \triangleright s!kill \) for `Client3` is well-formed unless \( r.sv \) is equal to \( s \). That is, \( \Delta \) is well-formed if server \( sv \) of proxy \( r \) is not the same as the server \( s \) in the client. `Client3` does not provide such process composition and therefore is well-formed whereas `Client` provides such composition and is ill-formed.

![Bad process and message compositions may happen at different processes. To illustrate, consider the process `User` in Figure 5.9. `Client3` provides a bad message composition but not a process composition that leads to a race. `User` provides a bad process composition for its `Client3` process \( c \) and will cause a race. `User` is to blame for this race and not `Client1`.](image)

```plaintext
17 capsule User() { 
18   Design { Server s; Relay r; Client3 c, r(s); c(s, r); }
19 }
```

Figure 5.9  Bad process composition in `User` and bad message composition in `Client1`.

A bad message composition and a bad process composition both are necessary to cause a race and neither are sufficient alone. To illustrate, `User` in the absence of the procedure `main` in `Client3` does not lead to a race; similarly, `main` in `Client3` in the absence of `User` does not lead to a race.
5.2 Process Model and Program Syntax

In the process model Panini, a concurrent message-passing program consists of a set of processes that run concurrently with the following properties:

- a process communicates with another process by asynchronous invocations of its procedures. Procedures of a process denote the set of messages a process can receive and a procedure invocation is the type-safe equivalent of a message send [86].

- a process is sequential [78] and owns its states and local process instances. A sequential process has a single thread of execution that finishes the execution of one invoked procedure before starting another. A process owns [38, 75] its state and local processes by controlling access to them and make them accessible only through its procedures.

- a process can create other processes and share them in a structured way. Structured sharing is built around exporting and importing process instances.

- messages are sent in the same order they appear in the program text and are processed in the same order they are received [80];

This process model overlaps with the underlying models for variations of active objects [38] in Creol [86] and JCoBox [151], actors [118] in ActorFoundry [13] and SALSA [170] and Panini [18, 136, 138] message passing concurrency models. Unlike process models based on channels and sessions [43, 78, 81, 111, 120], this process model does not require neither channels for process communications nor sessions to structure and isolate communications [80].

5.2.1 Program Syntax

Figure 5.10 shows the expression-based core syntax of our process model. In this figure $\text{term}$ denotes a sequence of zero or more terms.

A program is a set of process declarations. A process declares a set of local process instances and states along with procedures to access them. A process imports a set of process instances that are shared between the process and the outside world and exports a set of process instances that are shared between the process and its local process instances. A local declaration instantiates a process instance
\[ \text{prog} ::= \text{decl} \]
\[ \text{decl} ::= \text{capsule } C \text{ (import)} \{ \text{design state proc } \} \]
\[ \text{import} ::= D i \]
\[ \text{state} ::= T s; \]
\[ \text{proc} ::= T p \{ T x \} \{ e \} \]
\[ \text{design} ::= \text{design } \{ \text{ins wire } \} \]
\[ \text{ins} ::= C i \]
\[ \text{wire} ::= i j \]

\[ e ::= \]
\[ | i . p (x) | \text{self} . p (x) \]
\[ | \text{self} . s | \text{self} . s := x \]
\[ | \text{let } x : T \text{ be } e \text{ in } e \]
\[ | \text{if } x \text{ then } e \text{ else } e \]
\[ | \text{while } x \text{ do } e \]
\[ | x \]
\[ | () \]
\[ | n \]

- \( C, D \in \mathcal{C} \) set of processes
- \( T \in \mathcal{T} \) set of variable types
- \( s \in \mathcal{S} \) set of states
- \( p \in \mathcal{P} \) set of procedures
- \( x \in \mathcal{X} \) set of variables
- \( i, j, h \in \mathcal{I} \) set of process instance

Figure 5.10 Core process syntax, inspired by [14, 18, 86].

and a wiring declaration composes it by exporting its composing process instances to its imports. The local declaration can compose process instances. In a procedure, a process can \textit{asynchronously} invoke a procedure of another process or \textit{synchronously} invoke a procedure of itself through the pseudo-variable \textit{self}. A let expression sequences two expressions. The let expression can compose message sends. Other expressions are standard. A local process instance or state of a process cannot be accessed directly by another process. A process instance cannot be an argument of a procedure or its return value and cannot be assigned to its local variables.

To illustrate, in Figure 5.2, the declaration of the process \textit{Proxy} imports a \textit{Server} instance \( \textit{sv} \) and declares two procedures \textit{save} and \textit{kill}; in Figure 5.3, \textit{Client} instantiates \textit{Server} process \( \textit{s} \) and instantiates and composes \textit{Proxy} instance \( \textit{r} \) by exporting \( \textit{s} \) to the import \( \textit{sv} \) of the proxy; in Figure 5.3, \textit{Client} declares a procedure \textit{main} that sequences and composed to procedure invocations (message sends).
5.3 Order Type Syntax

\[
\sigma ::= \quad \text{order type:}
\]
\[
\bullet \quad \text{empty}
\]
\[
\tau \quad \text{singleton}
\]
\[
\sigma;\sigma \quad \text{sequence}
\]
\[
[\sigma]^{\ast} \quad \text{recursive}
\]
\[
\tau ::= \quad \text{action:}
\]
\[
\zeta !p \quad \text{message}
\]
\[
\zeta ::= \quad \text{message modifier:}
\]
\[
\epsilon \quad \text{none}
\]
\[
\exists i : C. \quad \text{existential}
\]

\[
i, j \in \mathcal{I} \quad \text{set of process instances} \quad p \in \mathcal{M} \quad \text{set of messages}
\]
\[
C \in \mathcal{C} \quad \text{set of process types} \quad \gamma \in \mathcal{V} \quad \text{set of type variables}
\]

Figure 5.11 Syntax of order types.

Figure 5.11 shows the syntax for order types. An order type can be empty, a singleton message send, a sequence of two order types and a recursive order type. An empty order type encodes the type of an expression that sends no messages. A singleton order type encodes the type of an expression that sends a single message to a receiver \(i\) with an unknown or known concrete value. By existentially qualifying the receiver process variable, an existential singleton order type encodes sending a message to a receiver that its value is not known to the enclosing process. In contrast, in a regular singleton order type, the concrete value of the receiver is known. A sequence order type encodes the order type of a sequence of expressions as they appear in the program text. A recursive order type encodes the order type of a recursive expression. We take the equirecursive view for recursive order types in which a type and its unfolding are equal [133].

To illustrate, in Figures 5.1 and 5.2, the procedure `save` of `Server` has the empty order type empty \(\sigma_3 = \bullet\); `save` of `Proxy` has the existential order type \(\sigma_1 = \exists sv : Server. \; sv!save\); and in Figure 5.7, the procedure `sKill` of `Client1` has the regular order type \(\sigma = s!kill\).
5.3.1 Type Attributes

Figure 5.12 defines the type attributes used in the type checking rules for order types.

\[
\begin{align*}
\theta ::= & \quad \text{standard type:} \\
& | T \quad \text{variable type} \\
& | C \quad \text{process type} \\
T ::= & \quad \text{variable type:} \\
& | \text{unit} \quad \text{unit} \\
& | \text{int} \quad \text{integer} \\
& | T \to T \quad \text{procedure type} \\
\Gamma ::= & \quad \text{typing environment} \\
\eta ::= & \quad \text{type qualifier:} \\
& | @\text{local} \quad \text{local} \\
& | @\text{import} \quad \text{import} \\
\Psi ::= & \quad \text{aliasing environment} \\
\Delta ::= & \quad \text{constraint set} \\
\Gamma \vdash e : \sigma^\theta \quad \text{typing judgement}
\end{align*}
\]

The type system distinguishes between a variable type \( T \) and a process type \( C \). A variable type is standard and can be a unit, integer or function type. A process type is a process declared in a program. The typing environment \( \Gamma \) maps a variable to its type. A qualifier for a process type denotes if the process variable is locally declared or imported. The aliasing environment \( \Psi \) maps a process variable to its aliases. The constraint set \( \Delta \) is a set of happens-before relations between message sends. The typing judgement \( \Gamma \vdash e : \sigma^\theta \) denotes that in the typing environment \( \Gamma \) the expression \( e \) has the order type \( \sigma \) and the process or variable type \( \theta \).

5.4 Type System

The order type of a procedure encodes the messages a procedure sends directly and the textual ordering among them as they appear in the procedure text. The order type is well-formed if the messages
Figure 5.13 Select type checking rules for order types.
it sends *transitively* do not lead to a race. Messages that a procedure sends transitively and their *semantic* happens-before relations are included in the constraint set of its order type. For an ill-formed order type, blame assignment properly blames the supplier of bad values. Order type abstraction hides local messaging behavior and improves the scalability of type checking. Figure 5.13 shows select type checking rules for order types. The rest of more standard typing rules can be found in Figure 5.14.

\[
\text{(T-Self Invoc)} \quad \Gamma \vdash \text{self} : \bullet \quad \forall x \in \mathcal{X}, T' \in \mathcal{T}, \quad \Gamma \vdash x : \bullet' \quad \sigma T' \rightarrow T = \text{pType}(C, p)
\]

\[
\text{(T-Loop)} \quad \Gamma \vdash x : \mathit{int} \quad \Gamma \vdash e : \sigma T \quad \Gamma \vdash \text{while } x \text{ do } e : [\sigma]^T
\]

\[
\text{(T-State Read)} \quad \Gamma \vdash \text{self} : \bullet C \quad \Gamma \vdash C f : \bullet T \quad \Gamma \vdash \text{self}.f : \bullet T
\]

\[
\text{(T-State Asgn)} \quad \Gamma \vdash \text{self} : \bullet C \quad \Gamma \vdash C f : \bullet T \quad \Gamma \vdash x : \bullet T \quad \Gamma \vdash \text{self}.f = x : \bullet T
\]

\[
\text{(T-Unit)} \quad \Gamma \vdash () : \mathit{unit} \quad \Gamma \vdash n : \mathit{int} \quad \Gamma \vdash i : \eta C
\]

5.4.1 Declarations

A program type checks if its process declarations type check. Without abstraction, type checking of a process declaration and its procedures are straightforward. In the rule (T-PROCESS DECL), a process declaration type checks if its procedure and local process declarations type check. In (T-PROC DECL), a procedure declaration type checks if its implementation type checks. Among the expressions in the body of a procedure, type checking rules for a procedure invocation, let and conditional expressions are more interesting.

5.4.2 Invocations

There are two rules for procedure invocations depending on if the concrete value of its receiver is known in the enclosing process.

**Known receiver value** The rule (T-PROC INVOC) type checks an invocation with a known receiver value. The enclosing process locally declares and instantiates the receiver \(i\) and therefore knows its concrete value and dynamic type. The order type of a variable is the empty order type \(\bullet\). The type \(i!p^T\)
encodes that (1) the invocation sends a message $p$ to a receiver $i$ and (2) the concrete value of the receiver
is known. $T$ is the return type of the invocation. An invocation type checks if its invoked procedure $p$
type checks and its arguments and formal parameters are of the same type. The rule \( \text{(SUB)} \) allows for
subsumption among both variable and order types. The function $p\text{Type}$ returns the type of a procedure.
**Unknown receiver value** The rule (T-INVC-∃) type checks an invocation with an unknown receiver value. The enclosing process imports the receiver \( i \) and therefore does not know its concrete value and dynamic type. The existential type \( \exists i : C \cdot i!p^T \) encodes that (1) the invocation sends a message \( p \) to a receiver \( i \) of type \( C \) and (2) the concrete value of the receiver is unknown. Unknown value of an imported process instance will be known and the existential quantifier will be eliminated when processes are composed and its concrete value is exported.

The order type of an invocation represents the message it sends.

### 5.4.3 Composition and Blame Assignment

Bad compositions of process and messages leads to a race. Processes can be composed in a local process declaration and messages can be composed in a let expression.

#### 5.4.3.1 Process Composition

The rule (T-WIRING DECL) type checks a local declaration in a process \( G \). The declaration of a process instance of type \( C \) type checks if the order types of its procedures are well-formed. An order type is well-formed if its constraint set is well-formed, i.e. \( \Gamma \vdash \Delta \). A constraint set is well-formed if it is free from message races. The auxiliary function \( \text{copy} \) constructs the constraint set of an order type. The local declaration of \( i \) instantiates and then composes it by exporting composing process instances \( j \) to its imports \( h \). These exports make \( i.h \) and \( j \) aliases in the enclosing process \( G \). The auxiliary function \( \text{aliasEnv} \) constructs this aliasing environment. The aliasing environment is statically known because of structured sharing that happens only through imports and exports during process compositions. The projection auxiliary function \( \downarrow \) makes the aliasing environment of the enclosing process \( G \) compatible with the point of view of the process \( C \). For an aliasing relation \( i.h = j \) in the aliasing environment of \( G \), its \( i \)-projection in \( C \) becomes \( h = j \).

#### 5.4.3.2 Semantics Happens-before Relations

The constraint set of an order type is a set of semantic happens-before relations between messages that the order type sends transitively. Semantic happens-before relations stem from the following:
\(R_1\) a message send in a sender process happens-before its receipt and processing in its receiver process; and

\(R_2\) messages are sent in the same order they appear in the program text and they are delivered in the same order sent. Messages are processed in the same order they are delivered. These happens-before relations are guaranteed by inorder delivery and processing of messages.

Happens-before relations \(R_1\) and \(R_2\) are used in the construction of a constraint set and \(R_2\) relations are used in checking its well-formedness.

\[
\begin{array}{c}
\text{(H-TRANS)} \quad \frac{\Delta \vdash \tau_1 \triangleright \tau_2 \quad \Delta \vdash \tau_2 \triangleright \tau_3}{\Delta \vdash \tau_1 \triangleright \tau_3} \\
\text{(H-INORDER)} \quad \frac{\Delta \vdash il[p_1] \triangleright il[p_2] \quad \Delta \vdash il[p_1] \triangleright j!q_1 \quad \Delta \vdash il[p_2] \triangleright j!q_2}{\Delta \vdash j!q_1 \triangleright j!q_2} \\
\text{(H-TRANS-INORDER)} \quad \frac{\Delta \vdash il[p_1] \triangleright j!q_1 \quad \Delta \vdash il[p_2] \triangleright \ldots \triangleright j!q_2}{\Delta \vdash j!q_1 \triangleright j!q_2}
\end{array}
\]

Figure 5.16 Happens-before rules for direct and transitive inorder delivery and processing.

Happens-before relations is a partial order with transitive antisymmetric properties. Figure 5.16 shows the rules for the happens-before relation. The standard rule (H-TRANS) encodes the transitivity of the relation. The rule (H-INORDER) encodes direct inorder delivery and processing. Messages \(p_1\) is sent to a receiver \(i\) followed by a message \(p_2\), i.e. \(il[p_1] \triangleright il[p_2]\). Inorder delivery guarantees that \(i\) receives \(p_1\) before \(p_2\). The process \(i\) processes message \(p_1\) during which it directly sends a message \(q_1\) to a receiver process \(j\). Sending of \(p_1\) message to \(i\) happens before its processing, i.e. \(il[p_1] \triangleright j!p_1\). Similarly, \(il[p_2] \triangleright j!q_2\). Inorder processing guarantees that \(i\) processes \(p_1\) before \(p_2\). Therefore, message send \(j!q_1\) happens-before \(j!q_2\), i.e. \(j!q_1 \triangleright j!q_2\). The rule (H-TRANS-INORDER) encodes transitive inorder delivery and processing [8, 105]. (H-TRANS-INORDER) is similar to (H-INORDER) except that \(i\) sends its message \(q_2\) to \(j\) indirectly, i.e. \(il[p_2] \triangleright \ldots \triangleright j!q_2\).
5.4.3.3 Constraint Set

Figure 5.17 shows the function copy used to constructs the constraint set of an order type.

\[
\begin{align*}
\text{(EMP)} & \quad \text{copy}(\bullet, \Psi, \Gamma) = \bullet \\
\text{(SN)} & \quad \text{copy}(\text{!}p, \Psi, \Gamma) = \text{!}p : \text{copy}(\sigma, \Psi', \Gamma') \\
\text{(SENM)} & \quad \text{copy}(\exists i : C \cdot \text{!}p, \Psi, \Gamma) = \exists i : C \cdot \text{!}p : \text{copy}(\sigma, \Psi', \Gamma') \\
\text{(SN)} & \quad \text{copy}(\exists i : C \cdot \text{!}p, \Psi, \Gamma) = \exists i : C \cdot \text{!}p : \text{copy}(\sigma, \Psi', \Gamma') \\
\text{(SNAL)} & \quad \text{copy}([\sigma]^*, \Psi, \Gamma) = \text{copy}(\sigma, \Psi, \Gamma)
\end{align*}
\]

where

\[
\begin{align*}
p\text{Type}(p, C) : \sigma \rightarrow^? T & \quad \Psi' = \downarrow_i \Psi \\
\Psi'' = \Psi' \uplus x\text{AliasEnv}(C) & \quad \Gamma' = \Gamma \uplus x\text{TypeEnv}(C)
\end{align*}
\]

Figure 5.17 Function copy for constraint set, inspired by copy rule [114].

The constraint set of an empty order type is just an empty order type with no happens-before relations. In (SN), a singleton order type \( \text{!}p \) is replaced by with an \( \mathcal{R}_1 \) happens-before relation between \( \text{!}p \) and the copy of the order type \( \sigma' \) of the invoked procedure \( p \). In the recursive invocation of copy, the input typing environment \( \Gamma \) is augmented with a typing environment that contains the externally visible typing information of the recipient process \( C \). The externally visible typing information of a capsule include its import declarations and tainted local declarations. Similarly, the input aliasing environment \( \Psi \) is augmented with an aliasing environment that contains the externally visible aliasing information for \( C \). The auxiliary functions \( x\text{TypeEnv} \) and \( x\text{AliasEnv} \) constructs the externally visible typing and aliasing environments of a process. The externally visible aliasing information of a capsule includes aliasing of imported process instances and imports of its tainted local declarations.

In (SNEM), the concrete value of the existentially quantified process variable \( i \) is locally declared in the aliasing environment and is known. The quantified variable is replaced by its concrete value. Otherwise, in (SNAL), the existential quantifier is replaced with its alias which could be a process instance with an unknown imported value.

Constraints for a sequence order type \( \sigma_1 \cdot \sigma_2 \) is the union of constraints of its constituents types \( \sigma_1 \).
and $\sigma_2$. An $R_2$ happens-before relation is added to denote that the last message send in $\sigma_1$ happens-before the first message send in $\sigma_2$. Auxiliary functions $\text{head}$ and $\text{tail}$ return the first and last message send in an order type. The constraint set for a recursive order type is equal to constraints of its once-folding. In once folding a type variable of a recursive order type is replaced with the empty order type $\bullet$. This is because inorder delivery and processing guarantees that message in one unfolding of the recursive order type are sent, delivered and processed before the messages in its next unfolding.

The function $\text{copy}$ is similar to transitive application of the copy rule for method specifications [114] in object-oriented programming models. The copy rule for method specifications replaces a method invocation with the specification of the method, after proper substitutions of variables in the specification with their known values.

5.4.3.4 Well-formedness and Blame

An order type is well-formed if its constraint set is well-formed with no message races. In the rule (W-TYPE) a constraint set is well-formed if for any two messages $\tau_1$ and $\tau_2$ sent to the same process $i$, there should be a happens-before relation $\triangleright$ between them. That is, either $\tau_1$ happens-before $\tau_2$ or $\tau_2$ happens-before $\tau_1$. Note that these messages can be regular or quantified messages.

In rules (T-WIRING DECL) and (T-LET), if the constraint set of a not well-formed then the order type is ill-formed because of a race in its implementation.

5.4.4 Abstraction

For an abstraction-eligible process, abstraction allows hiding of the local messaging behavior of its procedures in their order types. Figure 5.18 shows typing rules for abstraction. Judgements $\Gamma \vdash e : \sigma^T$ and $\Gamma \vdash^a e : \sigma^T$ denote type checking before and after abstraction.

Unlike Figure 5.13, the rule (T-PROCESS DECL) in Figure 5.18 type checks a procedure declaration with abstraction. A process $C$ type checks if it type checks in the absence of abstraction, i.e. $\Gamma \vdash C$, and it is abstraction-eligible. A process is abstraction eligible if sequences of invocations of any of its two procedures $p_1$ and $p_2$ are do not lead to a race. That is, order types of $\sigma_1; \sigma_2$ and $\sigma_2; \sigma_1$ of these invocations are well-formed. The sequence order type $\sigma_1; \sigma_2$ is the type of a sequence of invocations in
(T-PROCESS DECL)

\[ \Gamma \vdash C \quad \text{capsule } C(\text{import}) \{ \text{design } \text{state } \text{proc} \} = CT(C) \quad p_1, p_2 \in \text{proc} \]

\[ \sigma_1^{T_1} \rightarrow T_1 = pType(p_1, C) \quad \sigma_2^{T_2} \rightarrow T_2 = pType(p_2, C) \quad \Psi = \text{aliasEnv}(C) \quad \Gamma, \Psi \vdash \sigma \quad \Gamma, \Psi \vdash \sigma' \]

\[ \Gamma \vdash_a C \]

(T-PROC DECL)

\[ \Gamma \vdash C \quad \Gamma \vdash C T\ p(T^{x'})\{e\} : \sigma^{T'} \rightarrow T \quad \chi = \text{imported}(C) \cup \text{tainted}(C) \quad \sigma' = \text{hide}(\sigma, \chi) \]

\[ \Gamma \vdash_a C T\ p(T^{x'})\{e\} : \sigma'^{T'} \rightarrow T \]

Figure 5.18 Typing rules for abstraction-eligibility and abstraction

<table>
<thead>
<tr>
<th>Hide</th>
</tr>
</thead>
<tbody>
<tr>
<td>(EMP) hide(·, χ) = ·</td>
</tr>
<tr>
<td>(SIN) hide(ilp, χ) = i!p if i ∈ χ</td>
</tr>
<tr>
<td>(SIN) hide(ilp, χ) = · if i /∈ χ</td>
</tr>
<tr>
<td>(SIN-∃) hide(∃i : C, i!lp, χ) = ∃i : C, i!p if i ∈ χ</td>
</tr>
<tr>
<td>(SIN-∃) hide(∃i : C, i!lp, χ) = · if i /∈ χ</td>
</tr>
<tr>
<td>(SEQ) hide(σ; σ, χ) = hide(σ, χ); hide(σ, χ)</td>
</tr>
<tr>
<td>(REC) hide([σ]⁺, χ) = [hide(σ, χ)]⁺</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Tainted</th>
</tr>
</thead>
<tbody>
<tr>
<td>(NON) tainted(i(i), C) = ∅</td>
</tr>
<tr>
<td>(COM) tainted(i(ij), C) = i if capsule C(G g) {design ins wire } = CT(C), {j \in j : j \in π } ∨ {∃H jH \in wire . tainted(jH, C) \neq ∅ }</td>
</tr>
<tr>
<td>(ALL) tainted(wire, C) = ∀wire ∈ wire . \bigcup \text{tainted}(\text{wire}, C)</td>
</tr>
</tbody>
</table>

Figure 5.19 Abstraction function hide and taint function tainted.

which \( p_1 \) is invoked before \( p_2 \) is invoked. Similarly, \( \sigma_1 ; \sigma_2 \) denotes the type of the alternative invocation sequence. For a process that is abstraction-eligible, order type of its procedures can be abstracted.

The rule (T-PROC DECLARE) type checks a procedure declaration in the presence of abstraction. The order type of the procedure can be abstracted if its enclosing process is abstraction-eligible. Abstraction hides the local messaging behavior of the procedure from its order type. The local messaging behavior includes messages sent to untainted local process instances of the enclosing process. A local process instance is untainted if it is composed of only untainted instance. A local process instance is tainted if it is composed of an imported process instance or another tainted local instance. A process instance
is tainted if it is composed from an imported or tainted process instance. Auxiliary functions imported and tainted return imported and tainted process instances of a process. The auxiliary function hide exposes message sends of an order type to its imported and tainted process instances and hides the rest. Figure 5.19 shows the definition of hide.

To illustrate, the local server process s in Client in Figure 5.3 is untainted because it is not composed of any other process; the local proxy process r is untainted because it is composed of untainted server s. However, the proxy r in Client2 in Figure 5.7 is tainted because it is composed of the imported server s.

5.4.5 Soundness of Abstraction

Abstraction of local messaging behavior of a process C is sound because if it cannot hide a message race. Local messaging behavior includes message sends to locally declared process instances. There are two types of local process instances: untainted and tainted. The abstractions hides message sends to an untainted local process instance. Abstraction is sound because of the following:

1 **Untainted:** Encapsulation guarantees that untainted local process instance i and its composing process instances j can only be accessed through the procedures of C.
   - if message sends to i or j lead to a race in a procedure of C, the race will manifest in type checking of the procedure and the procedure does not type check.
   - if message sends to i or j over multiple procedures of C lead to a race, the race will manifest in checking for abstraction-eligibility and the process does not type check.

2 **Tainted:** Messaging behavior for the tainted local variable i and its imported process instances j is not abstracted away.
   - If message sends to shared j in procedures C and procedures of another process D lead to a race, the race will manifest in a process that composes these together and the process does not type check.

5.4.6 Discussion

**Random delivery and processing** Direct and transitive inorder delivery and processing are not necessary and can be added or removed to support different delivery and processing models. Actors
[6] usually support a random delivery and processing model in which messages can be delivered and processed in any arbitrary order. To model random delivery and processing it is sufficient to remove (H-INORDER) and (H-TRANS-INORDER) from the set of happens-before rules in Figure 5.16.

**Conditionals** The rule (T-COND) type checks an if expression. Similar to (T-LET), the order type of the expression sequences the order type of its subexpressions $e'$ and $e''$. This is an over-approximation because the runtime evaluates either $e'$ or $e''$ and not both. However, this over-approximation is necessary to keep the type checking tractable. To illustrate, consider an alternative order type $[\sigma', \sigma'']$ that encodes $\sigma'$ and $\sigma''$ as exclusive alternatives. To encode the exclusion between $\sigma'$ and $\sigma''$, two separate constraint sets should be constructed and checked to for the well-formedness of $[\sigma', \sigma'']$. In other words, two (i.e. $2^1$) constraint sets should be constructed and checked for well-formedness of the type. In general, for an order type with $n$ alternative order types in it, $2^n$ constraint sets should be constructed and checked, which is intractable.

**Message receive** A message receive $\zeta \ i?p$ can be encoded as a wait on the future result of a message send $\zeta \ i!p$. A message receive simply adds two happens-before relations to the constraint set of its enclosing procedure. The first happens-before relation is $\zeta \ i!p \triangleright \ i?p$ which says that a message send happens before a receive on that message. The second happens-before relation is $\text{tail}(\sigma) \triangleright \ zeta \ i?p$ which says that the processing of message $p$ in process $i$ with the order type $\sigma$ happens before the message receive. Addition of message receives are straightforward and thus are omitted.

**Memory effects and benign races** Precision of race detection can be improved by integrating memory effects of messages into the type system. Using effects, a message race happens when a process receives two messages with conflicting memory effects from another process with no happens-before relations between them. Two memory access conflict if they both access the same memory location and one of them is a write access [64]. Addition of an $\text{@benign}$ annotation to a process which causes a benign and harmless message race can allow the process to type check.

### 5.5 Related Work

Previous work in the following categories are related to this chapter.
**Behavioral session types and contracts** Order types, similar to session types [25, 26, 28, 40, 43, 79–81, 119, 120, 160, 178] denote the messaging behavior of a process but explore a different design space. A session type prescribes a global communication protocol [116] in a session-based top-down programming model in which communication is carried over channels and is structured by sessions [79]. Addition of channels and sessions to structure communication over channels allows the application of session types to a variety of multithreaded [43], message passing [115, 120] and sequential [81, 119, 169] programming models. Session types and their underlying session-based programming are also added to languages like Erlang, Java and Python. However, an order type is a local type that describes the abstracted messaging behavior of a process as specified by its program text in a bottom-up programming model without channels and sessions. Prescriptive and global nature of session types and descriptive and local nature of order types can complement each other.

**State-space exploration** Systematic verification and testing techniques explore the entire state-space of a concurrent message-passing program including all ordering of its messages, which is intractable. The exploration can be optimized and become tractable using partial order reduction techniques [93, 161]. Previous work [162] uses message race relations to improve a partial reduction technique for dynamic testing of actor programs. Order types make modular reasoning about a message passing program tractable by statically disallowing message races and explain their causes.

In dynamic testing of actor programs, previous work [162] uses message race relations to prune out part of state-space. These techniques are usually global and any changes in a program may invalidate their reasoning. Order types, unlike global state-space exploration techniques, are modular.

**Multithreaded programming** Previous work prevents low [64, 65] and high level data races [66, 171] in multithreaded programs and and guarantees its deterministic execution [29]. However, data race detection techniques are not directly applicable to detect message races in message-passing models.
CHAPTER 6. CONCLUSION AND FUTURE WORK

The concurrency revolution and the need for performant software requires sequentially trained software engineers to write concurrent software. Engineering of concurrent software could be made easier with modular reasoning. Using modular reasoning a system is understood one module at a time and changes in implementations of other modules cannot invalidate the understanding about this module as long as interfaces of those modules stay the same. This thesis identifies three challenges that can make modular reasoning about a concurrent software difficult or intractable: arbitrary thread interference, arbitrary module inheritance and arbitrary message orders. This thesis proposes and formalizes an implicit concurrent message passing programming model with interference control, concurrent behavioral subtyping and order types to enable modular reasoning about a concurrent software in the presence of arbitrary interference, inheritance and message orders.

6.1 Interference Control Framework

The interference control framework enables modular reasoning by guaranteeing that in a concurrent program interference happens only at explicitly specified program points and at each interference point the interference behavior is known. This is in contrast to the state of the art programming models in which interference can happen between any two instructions of a software and interference behaviors are unknown. The interference control framework allows the standard and well-known Hoare-style [77] modular reasoning for sequential programs to be adapted to understand a concurrent program in the presence of interference. To reason about a concurrent program first its interference points and their interference behaviors are computed syntactically and modularly; second interference is taken into account by inserting interference behaviors at their corresponding interference points; and third sequential Hoare-style reasoning is applied to understand the behavior of the program. Our adaptation of standard
Hoare-style reasoning could make it easier for developments tools, such as KeY [23], that integrate construction of sequential software and formal verification [24], to adapt to concurrent software.

### 6.2 Concurrent Behavioral Subtyping

Concurrent behavioral subtyping enables modular reasoning by guaranteeing that the behavior of a module is compatible with the behavior of the module it inherits from. This is in contrast to state of the art where there is no relation between behaviors of two modules in an inheritance hierarchy. Concurrent behavioral subtyping allows the standard modular supertype abstraction reasoning [97] to be adapted to understand a concurrent program and specially its invocations in the presence of inheritance and dynamic dispatch. In supertype abstraction reasoning, an invocation can be understood using the static type of its receiver, independent of its dynamic types. Our adaptation of supertype abstraction reasoning could make it easier for programming logics [23, 117, 128, 131, 134] that support supertype abstraction reasoning for sequential software to adapt to concurrent software.

Concurrent behavioral subtyping provides a new definition for behavioral subtyping [103] using standard behavioral subtyping and interference subtyping.

Our definition of concurrent behavioral subtyping allows concurrent behavioral subtyping to be reduced to standard and well-known interface subtyping [45, 96, 104] in the presence of encapsulated inheritance [155]. In encapsulated inheritance a module accesses the state of the module it inherits from through its procedures and not directly. Our empirical studies of 554,864 Java and 416 Akka projects in GitHub reveal that more than 90% of these projects respect encapsulated inheritance. This means for majority of the projects in this study concurrent subtyping can be guaranteed using only standard interface subtyping [96, 104]. Interface subtyping can be easily guaranteed syntactically using techniques like specification inheritance [45] that automatically combine behavior specifications of modules in an inheritance hierarchy.

### 6.3 Order Types

Order types guarantee that a well-formed concurrent program is free from message races. Freedom from message races allows for tractable modular reasoning about message orders. Existential order type
of a module allows encoding of its unknown dependencies and enables bottom-up program design and construction. Abstraction decreases complexity by hiding local messaging behavior for abstraction-eligible modules, which in turn could improve the scalability of type checking. Blame assignment enables programmers to quickly ascertain racy modules to be fixed or replaced by properly blaming the module responsible for a bad module composition or bad message composition and not the module in which the race happens. Disallowing message races can not only enable modular reasoning but also prevent bugs due to these races [93, 163] which are hard to find and fix.

6.4 Future Work

There are several avenues for future work that we would like to investigate.

6.4.1 Modular Reasoning about Traditionally Global Properties

In this thesis, we enable modular reasoning about concurrency, a property that is traditionally thought to be global. An avenue of future work is to study how to enable modular reasoning about other traditionally global properties. Security and privacy [149, 150, 164] and communication properties [80, 121] are few examples of these properties. The challenge in reasoning about these properties is that they could lead to global reasoning techniques and analyses that may not be as scalable as modular reasoning techniques or lead to global specifications that may impede bottom-up software construction. To address this challenge we anticipate the use of linguistic constructs that allow security and communication information of interest to be explicated in the interface of a module. Such interfaces include sufficient information to allow sound modular reasoning about the property of interest and at the same time not expose the unnecessary implementation details of a module. Abstraction could prevent exposure of unnecessary implementation details and also decrease the complexity of checking these properties. Construction of these interfaces should not extensively add to the burden of the programmer of the module. Automatic inference of these interfaces along with light-weight programmer annotations could be used to reduce the programmer’s burden.

Another way to address the reasoning challenge, in top-down software construction, is to integrate local order types and global behavioral types (global specifications) such as session types [80, 116].
Session types allow modular reasoning about communication properties for enforcing of communication protocols and prevention of deadlocks. The challenge in using session types is that they are designed for channel-based programming using sessions that is not supported in mainstream programming languages. To address this challenge we anticipate to support session-based programming in our programming model. With addition of sessions, the global session type for participants of a protocol can be automatically inferred using local order types of its participants [116].

6.4.2 Concurrent Behavioral Subtyping and Hoare-style Reasoning

Another avenue of future work is to study the expressiveness of concurrent behavioral subtyping. We anticipate to investigate if concurrent subtyping is expressive enough to encode behavioral subtyping for both sequential and concurrent software with and without interference. Standard behavioral subtyping [10], strong behavioral subtyping [104] and weak behavioral subtyping [44] are few examples of behavioral subtyping for sequential and concurrent software.

Another avenue of future work is to study if our Hoare-style modular reasoning could be augmented to encode previous reasoning techniques. Thread-modular [67], rely-guarantee [87], deny-guarantee [48] and concurrent abstract predicates [47] are examples of these reasoning techniques. The challenge in encoding these reasoning techniques is that some are built on top of low-level logics such as concurrent separation logic [127] and use fine-grained access permissions [34] that are not supported in our programming model and logic. To address this challenge we anticipate integrating concurrent behavioral subtyping and separation logic using permissions.

6.4.3 Interference Closure and Interference Behavior

Another avenue of future work is to study the granularity of interference closure and its behavior. One challenge is that the interference closure including all procedure of a module is coarse. To address this challenge we anticipate the use of order types to know which procedures of the module may not be invoked by other modules and therefore excluded from its interference closure. However, this could lead to a reasoning in which to understand a module one need to look at the interface of all modules that invoke the procedures of the module which may not be as desirable. Another challenge is the need for an oracle that knows about the behavior of an interference closure. To address this challenge we anticipate
to use techniques that automatically infer loop invariants using functional behaviors of procedures [70] or ask programmers to specify the behavior of them interference closure.

6.4.4 Applicability

The last avenue of future work is to further study the integration of our proposed programming model with programming languages and models for mobile programming such as Android, message passing programming such as Message Passing Interface (MPI) [1] and actor programming such as Akka [8]. The challenge is that our programming model requires typed messages, sequential process execution and encapsulation. To address this challenge we anticipate to integrate these languages with a light-weight ownership model to guarantee encapsulation and use variations of these models that do not rely on ambiguous interfaces [72]. A module with ambiguous interface accepts a single message and relies on its implementation to process the message differently based on its attributes. Ambiguous interfaces are popular in languages and models with event loops [74]. Another challenge is that the addition of encapsulation may decrease the expressiveness of a programming model. We would like to study this hypothesis by extending our experimental evaluation of encapsulated inheritance using visibility-based encapsulation to include encapsulation in general. In this study we would like to consider semantic features such as aliasing and global variables that may lead to violation of encapsulation.


