Location-independent routing in process network overlays

Abstract

In distributed computing, location transparency—the decoupling of objects from their physical location—is desirable in that it can simplify application development and enables efficient resource allocation. Many systems for location transparency are built on TCP/IP. We argue that addressing mobile objects in terms of temporary hosts may not be the best design decision. Object migration makes it necessary to use dedicated routing infrastructures, e.g., location servers, to deliver inter-object messages. This incurs high costs in terms of complexity, overhead, and latency. Here, we defer object overlay routing to a networking layer, by replacing TCP/IP with a location-independent routing scheme which directs messages to destinations determined by flat identifiers instead of IP addresses. Consequently, messages are delivered directly to objects, instead of possibly out-of-date locations. We explore the scheme using a small object-based language with asynchronous message passing, similar to Core Erlang. We provide a standard, network-oblivious operational semantics of this language, and a network-aware semantics which accounts for many aspects of distribution and routing. The main result is that program execution on top of an abstract network of processing nodes connected by asynchronous point-to-point communication channels preserves network-oblivious behavior in a sound and fully abstract way, in the sense of contextual equivalence. This is a novel and strong result for such a low-level model. Previous work has addressed distributed implementations only for fully connected TCP underlays, where contextual equivalence is typically too strong, due to the need for locking to resolve preemption arising from mobility.

Appendix: Proofs

Proposition 1

Suppose \({ cn }\rightarrow { cn }'\). Then, the following holds:

1. 1.

   \(\mathtt{fn}({ cn }') \subseteq \mathtt{fn}({ cn })\).

2. 2.

   If \(\mathsf{o}(o,a)\preceq { cn }\), then \(\mathsf{o}(o,a')\preceq { cn }'\) for some object environment \(a'\).

Proof

For the first property, note that no structural identity nor any reduction rule allows an OID to escape its binder. The result follows. For the second property, inspection reveals that no rule removes an object container from a configuration or changes an OID. \(\square \)

Proposition 2

Let \({ cn }\) be a type 1 configuration. Then, the following holds:

1. 1.

   If \({ cn }\) is a type 1 initial configuration, then \({ cn }\) is WF1.

2. 2.

   If \({ cn }\) is WF1 and \({ cn }\rightarrow { cn }'\), then \({ cn }'\) is WF1.

Proof

By inspection of the definitions and rules. \(\square \)

Proposition 3

Suppose \({ cn }\rightarrow { cn }'\). Then, the following holds:

1. 1.

   If \(\mathsf{n}(u,t)\preceq { cn }\), then \(\mathsf{n}(u,t')\preceq { cn }'\) for some \(t'\).

2. 2.

   If \(\mathsf{l}(u,q,u')\preceq { cn }\), then \(\mathsf{l}(u,q',u')\preceq { cn }'\) for some \(q'\).

3. 3.

   If \({ obj }=\mathsf{o}(o,a,u,q_{in},q_{out})\preceq { cn }\), then there is an object container \({ obj }'=\mathsf{o}(o',a',u',q_{in}',q_{out}')\preceq { cn }'\) (the derivative of \({ obj }\) in \({ cn }'\)) such that \(o'=o\) and for all x, if \(a(x)\downarrow \), then \(a'(x)\downarrow \).

Proof

By inspection of the definitions and rules. \(\square \)

Proposition 4

Let \({ cn }\) be a configuration. Then, the following holds:

1. 1.

   If \({ cn }\) is a type 2 initial configuration, then \({ cn }\) is WF2.

2. 2.

   If \({ cn }\) is WF2 and \({ cn }\rightarrow { cn }'\), then \({ cn }'\) is WF2.

Proof

Similar to the proof of Proposition 2. \(\square \)

Proposition 5

Algorithm 1 terminates.

Proof

In each iteration of the outermost loop of Algorithm 1, exactly one message is enqueued on each proper link, and at least one message is dequeued from all link queues. msg-rcv, msg-delay-1, and obj-rcv cause messages to leave the link queues, except for external messages, which are moved to the self-loop queues. If the link queues have only routing table messages, the algorithm terminates in that iteration. If not, there must be object messages or routable call messages in some link queue. Since no new object messages are enqueued, there must some number of iterations \(n_0\) after which all object messages have been received via obj-rcv and the associated object OIDs o registered on some node u so that \(t(o) = (u,0)\).

Let \(m_0\) be the size of the largest link queue at the point which there are no object messages in transit. After \(n_0 +m_0+1\) iterations, each node u has received at least one table update from each of its neighbors \(u'\), and the last table update applied to u has \(t(o) = 0\). As a result, at point \(n_0+m_0+1\) each node u has \(t(o) = (u',1)\) whenever the host of o is \(u'\) and the minimal length path from u to \(u'\) has length 1. The entry of the routing table of u for o will not change from that point onwards. We say that those entries are stable. Proceeding, let \(m_1\) be the length of the largest link queue at point \(n_0 + m_0 + 1\). After \(n_0 + m_0 + 1 + m_1 + 1\) iterations, each routing table entry with length 2 (or less) will be stable. In the limit, each entry will be stable. It follows that Algorithm 1 must terminate, since, once routing has stabilized, rule msg-route can only be applied a finite number of times before a routable message will be delivered. There is no chance of routable messages getting stuck in self-loop queues, since they are continuously shuffled using msg-delay-3.

The only detail remaining to be checked is that a message can always be read from a link. Table and object messages can always be delivered, and call messages can also always be delivered, if nothing else to the self-loop link, in which case the routing table is not up-to-date or the message is external. This is the only case where msg-delay-1 is used. This completes the argument. \(\square \)

Proposition 6

If \({\mathscr {A}}_1({ cn })\leadsto { cn }'\), then:

1. 1.

   \({ cn }\rightarrow ^* { cn }'\),

2. 2.

   \({ cn }'\) is in stable form,

3. 3.

   \(\mathtt {graph}({ cn }') = \mathtt {graph}({ cn })\),

4. 4.

   \(\mathsf{t}({ cn }') = \mathsf{t}({ cn })\),

5. 5.

   \(\mathsf{o}({ cn }') \cong _1 \mathsf{o}_1({ cn })\), and

6. 6.

   \(\mathsf{m}({ cn }') = \mathsf{m}_1({ cn })\).

Proof

Property 1 and 3 are immediate. Property 2 can be read out of the termination proof. For the remaining three properties, observe first that \(\mathsf{t}\), \(\mathsf{o}_1\), and \(\mathsf{m}_1\) are all invariant under the transitions used in Algorithm 1. The equations follow by noting that only external messages (and so no object closures) are in transit in \({ cn }'\). \(\square \)

Corollary 1

If \({\mathscr {A}}_1({ cn })\leadsto { cn }'\), then \({ cn }\equiv _1 { cn }'\).

Proof

We have . \(\square \)

Lemma 1

\(\equiv _1\) is reduction closed.

Proof

Suppose \({ cn }_1 \equiv _1 { cn }_2\), where both \({ cn }_1\) and \({ cn }_2\) are WF2. Assume \({ cn }_1 \rightarrow { cn }'_1\); we need to find \({ cn }'_2\) such that \({ cn }_2 \rightarrow ^* { cn }'_2\) and \({ cn }'_1 \equiv _1 { cn }'_2\). We proceed by case analysis on the transition \({ cn }_1 \rightarrow { cn }'_1\), eliding uses of ctxt-1. For the cases t-send, t-rcv, msg-rcv, msg-route, msg-delay-1, obj-rcv, msg-delay-3, and obj-reg, we take \({ cn }'_2 = { cn }_2\), since in those cases the stable form is unaffected, i.e., \({ cn }_1 \equiv _1 { cn }'_1\). The remaining cases include the rules for sequential control, msg-send, call-send-2, msg-delay-2, call-rcv-2, new-2, and obj-send. The rules for sequential control are handled in a structurally similar way; take wfield as an example, with a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l,x=e;s)\\&\quad \rightarrow { cn }\ \mathsf{o}(o,a[v/x],u,q_{ in },q_{ out })\ \mathsf{t}(o,l,s) \end{aligned}$$

where \([\![{e}]\!]_{(a, l)} = v\) and \(x \in \mathtt {dom}(a)\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_1({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _1\), there is a task container \(\mathsf{t}(o,l,s)\) and an object container \(\mathsf{o}(o,a,u,q'_{ in },q_{ out })\) in \({ cn }''_2\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{o}(o,a,u,q'_{ in },q_{ out })\ \mathsf{t}(o,l,x=e;s)\\&\quad \rightarrow { cn }'\ \mathsf{o}(o,a[v/x],u,q'_{ in },q_{ out })\ \mathsf{t}(o,l,s) \end{aligned}$$

and we have

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a[v/x],u,q_{ in },q_{ out })\ \mathsf{t}(o,l,s)\\&\quad \equiv _1 { cn }'\ \mathsf{o}(o,a[v/x],u,q'_{ in },q_{ out })\ \mathsf{t}(o,l,s), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side.

msg-send: Consider a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{n}(u,t)\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{l}(u,q,u')\\&\quad \rightarrow { cn }\ \mathsf{n}(u,t)\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {deq}}(q_{ out }))\\&\qquad \quad \! \mathsf{l}(u,{\mathtt {enq}}({ msg }, q),u') \end{aligned}$$

where \({\mathtt {hd}}(q_{out}) ={ msg }\), \({\mathtt {dst}}({ msg }) = o'\), and \({\mathtt {nxt}}(o',t) = u'\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_1({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _1\), there are containers \(\mathsf{n}(u,t')\), \(\mathsf{o}(o,a,u,q'_{ in },q_{ out })\), and \(\mathsf{l}(u,q',u'')\), such that \({\mathtt {nxt}}(o',t') = u''\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{n}(u,t')\ \mathsf{o}(o,a,u,q'_{ in },q_{ out })\ \mathsf{l}(u,q',u'')\\&\quad \rightarrow { cn }'\ \mathsf{n}(u,t')\ \mathsf{o}(o,a,u,q'_{ in },{\mathtt {deq}}(q_{ out }))\\&\qquad \quad \! \mathsf{l}(u,{\mathtt {enq}}({ msg }, q'),u'') \end{aligned}$$

and we have

$$\begin{aligned}&{ cn }\ \mathsf{n}(u,t)\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {deq}}(q_{ out }))\ \mathsf{l}(u,{\mathtt {enq}}({ msg }, q),u')\\&\quad \equiv _1 { cn }'\ \mathsf{n}(u,t')\ \mathsf{o}(o,a,u,q'_{ in },{\mathtt {deq}}(q_{ out }))\\&\qquad \quad \mathsf{l}(u,{\mathtt {enq}}({ msg }, q'),u''), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side.

call-send-2: Consider a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow { cn }\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}), q_{ out }))\ \mathsf{t}(o,l,s) \end{aligned}$$

where \([\![{e_1}]\!]_{(a, l)} = o'\) and \([\![{\overline{e_2}}]\!]_{(a, l)} = \overline{v}\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_1({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _1\), there is a task container \(\mathsf{t}(o,l,e_1!m(\overline{e_2});s)\) and an object container \(\mathsf{o}(o,a,u',q'_{ in },q_{ out })\) in \({ cn }''_2\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{o}(o,a,u',q'_{ in },q_{ out })\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow { cn }'\ \mathsf{o}(o,a,u',q'_{ in },{\mathtt {enq}}(\mathsf{call}(o',m, \overline{v}),q_{ out }))\ \mathsf{t}(o,l,s) \end{aligned}$$

and we have

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}), q_{ out }))\ \mathsf{t}(o,l,s)\\&\quad \equiv _1 { cn }'\ \mathsf{o}(o,a,u',q'_{ in },{\mathtt {enq}}(\mathsf{call}(o',m, \overline{v}),q_{ out }))\ \mathsf{t}(o,l,s), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side.

The other cases are proved similarly. \(\square \)

Lemma 2

\(\equiv _1\) is context closed.

Proof

Suppose that \({ cn }_1 \equiv _1 { cn }_2\). Then, \({ cn }_1\) and \({ cn }_2\) are WF2. Assume \({ cn }_1\ { cn }\) is WF2 for a context configuration \({ cn }\). We first show that \({ cn }_2\ { cn }\) is WF2. For OID Uniqueness, it suffices to consider the case where we have

$$\begin{aligned}&\mathsf{o}(o_1,a_1,u_1,q_{ in ,1},q_{ out ,1}) \preceq { cn }_{2},\\&\mathsf{o}(o_2,a_2,u_2,q_{ in , 2}, q_{ out , 2})\preceq { cn }. \end{aligned}$$

Then, if \(o_1 = o_2\), there is a clash between OIDs in \({ cn }_1\) and \({ cn }\), since there is an object container with OID \(o_1\) in \({ cn }_1\) by property 5 of Proposition 6. For Task-Object existence, it suffices to consider the case where \(\mathsf{t}(o,l,s)\preceq { cn }\); then, if there is no object container with OID o in \({ cn }_2\ { cn }\), there is no such container in \({ cn }_1\) either, violating WF2. For Object-Node Existence, suppose \(\mathsf{o}(o,a,u,q_{ in }, q_{ out })\preceq { cn }\), but that there is no vertex u in \(\mathtt {graph}({ cn }_2\ { cn })\); since the graphs for \({ cn }_1\) and \({ cn }_2\) coincide, and there are no nodes in \({ cn }\), this means that there is no such node in \(\mathtt {graph}({ cn }_1\ { cn })\), violating the WF2 assumption. For Buffer Cleanliness, it suffices to note that the property distributes over configuration composition. For Local Routing Consistency, note again that \({ cn }\) introduces no nodes or links, and \({ cn }_2\) is WF2. For External OID, note that \({ cn }\) cannot have an object container with OID \( ext \) since \({ cn }_1\ { cn }\) is WF2, and that \({ cn }\) does not change the nodes or links.

It remains to show that we have \({ cn }_1\ { cn }\ \equiv _1 { cn }_2\ { cn }\). The WF2 property is immediate. Suppose \({\mathscr {A}}_1({ cn }_1\ { cn }) \leadsto { cn }'_1\) and \({\mathscr {A}}_1({ cn }_2\ { cn }) \leadsto { cn }'_2\). It suffices to show \({ cn }'_1\ {\mathscr {R}}_1\ { cn }'_2\). We prove the conditions in turn.

$$\begin{aligned} \mathtt {graph}({ cn }'_1)&\!=\! \mathtt {graph}({ cn }_1\ { cn }) = \mathtt {graph}({ cn }_1) \\&\!=\!\mathtt {graph}({ cn }_2) \!=\! \mathtt {graph}({ cn }_2\ { cn })\\&= \mathtt {graph}({ cn }'_2). \\ \mathsf{t}({ cn }'_1)&= \mathsf{t}({ cn }_1\ { cn }) = \mathsf{t}({ cn }_1) \cup \mathsf{t}({ cn }) \\&=\mathsf{t}({ cn }_2) \cup \mathsf{t}({ cn }) = \mathsf{t}({ cn }_2\ { cn }) = \mathsf{t}({ cn }'_2). \\ \mathsf{o}({ cn }'_1)&\cong _1 \mathsf{o}_1({ cn }_1\ { cn }) = \mathsf{o}_1({ cn }_1) \cup \mathsf{o}_1({ cn }) \\&=\mathsf{o}_1({ cn }_2) \cup \mathsf{o}_1({ cn }) = \mathsf{o}_1({ cn }_1\ { cn }) \cong _1 \mathsf{o}({ cn }'_2). \\ \mathsf{m}({ cn }'_1)&= \mathsf{m}_1({ cn }_1\ { cn }) = \mathsf{m}_1({ cn }_1) \cup \mathsf{m}_1({ cn }) \\&=\mathsf{m}_1({ cn }_2) \cup \mathsf{m}_1({ cn }) = \mathsf{m}_1({ cn }_2\ { cn }) \!=\! \mathsf{m}({ cn }'_2). \end{aligned}$$

The proof of converse context closure is symmetric. \(\square \)

Proposition 7

\(\equiv _1\) is a type 2 witness relation.

Proof

We have that \(\equiv _1\) is reduction closed by Lemma 1 and context closed by Lemma 2. Hence, it suffices to show barb preservation in both directions. Suppose \({ cn }_1 \equiv _1 { cn }_2\) and \({ cn }_1 \downarrow obs \), where \( obs = ext !m(\overline{v})\). Then, there is a message \(\mathsf{call}( ext ,m,\overline{v})\) at the head of some self-loop queue in \({ cn }_1\). Consequently, after running Algorithm 1 on \({ cn }_2\), this message will be found in some self-loop queue, from which it can be brought to the head by means of repeated application of msg-delay-3. Thus, \({ cn }_2 \Downarrow obs \). The proof of converse barb preservation is symmetric. \(\square \)

Corollary 2

If \({\mathscr {A}}_1({ cn }) \leadsto { cn }'\), then \({ cn }\simeq _2 { cn }'\).

Proof

By Proposition 7 and Corollary 1. \(\square \)

Proposition 8

Algorithm 2 terminates.

Proof

Routing is stable after each run of Algorithm 1, and none of the rules applied in the first inner loop affect routing stability. Also, after the first run of Algorithm 1, links contain only external calls. Whenever an object out-queue is nonempty, one of msg-send or msg-delay-2 will be enabled. By Buffer Cleanliness, call-rcv-2 will be applicable if the object in-queue is nonempty, decreasing in-queue size by one. Thus, when the first while loop is exited, object queues are empty. The second while loop terminates when all objects not yet at u have been put on the wire. At the end of each outer loop, routing is stabilized and link queues emptied (except for external messages). Once emptied, out-queues remain empty. In-queues may contain messages at the start of the second iteration, but after that, only external messages remain in either link or object queues, except for object closures, which are consumed once they reach u. \(\square \)

Proposition 9

If \({ cn }\) is WF2 and \({\mathscr {A}}_2({ cn }) \leadsto { cn }'\), then:

1. 1.

   \({ cn }\rightarrow ^* { cn }'\),

2. 2.

   \({ cn }'\) is in normal form,

3. 3.

   \(\mathtt {graph}({ cn }') = \mathtt {graph}({ cn })\),

4. 4.

   \(\mathsf{t}({ cn }') = \mathsf{t}_2({ cn })\),

5. 5.

   \(\mathsf{o}({ cn }') = \mathsf{o}_2({ cn })\), and

6. 6.

   \(\mathsf{m}({ cn }') = \mathsf{m}_2({ cn })\).

Proof

Property 1 and 3 are immediate. We consider the requirements of property 2 in turn. By virtue of Proposition 6, \({ cn }'\) has stable routing and external link messages. By the termination requirements of Algorithm 2, all object queues are empty, meaning that all call messages have been delivered, and there are no object containers in transit, yielding \(\mathsf{t}({ cn }')=\mathsf{t}_2({ cn }')\), \(\mathsf{o}({ cn }') = \mathsf{o}_2({ cn }')\), and \(\mathsf{m}({ cn }') = \mathsf{m}_2({ cn }')\).

For property 4, observe first that the function \(\mathsf{t}_2\) is invariant under transitions used in Algorithm 2. On termination of Algorithm 2, only external messages are in transit, and since no rule causes a task to be modified, the property follows.

For property 5, suppose \(\mathsf{o}(o_2,a_2,u_2,q_{in,2},q_{out,2})\preceq \mathsf{o}({ cn }')\). We need to show that \(\mathsf{o}(o_2,a_2,u_2,q_{in,2},q_{out,2})\preceq \mathsf{o}_2({ cn })\). By definition, \(q_{in,2}=q_{out,2}=\varepsilon \) and \(u_2 = u_0\). We know that there is an object container \(\mathsf{o}(o,a',u',q_{in},q_{out})\preceq { cn }\), as there is a one-to-one correspondence between object containers in pre- and poststate for each transition used in Algorithm 2. We also know that \(a'(x) = a_2(x)\) for all x, which suffices.

For property 6, note again that all object queues are empty, link queues only have external messages, and finally that no new external messages are generated by the rules used in Algorithm 2. \(\square \)

Corollary 3

\(\equiv _1 \subseteq \equiv _2\).

Proof

If \({ cn }_1 \equiv _1 cn_2\), the two configurations have the same task containers and the same object-bound messages. In addition, there is a one-to-one mapping between object containers where identifiers and object environments coincide. The result follows by noting that any remaining differences between the containers will disappear after running Algorithm 2. \(\square \)

Corollary 4

If \({\mathscr {A}}_2( { cn }) \leadsto { cn }'\), then \( { cn }\equiv _2 { cn }'\).

Proof

By Proposition 9. \(\square \)

Lemma 3

\(\equiv _2\) is reduction closed.

Proof

Suppose \({ cn }_1 \equiv _2 { cn }_2\), where \({ cn }_1\) and \({ cn }_2\) are WF2. Assume \({ cn }_1 \rightarrow { cn }'_1\); we need to find \({ cn }'_2\) such that \({ cn }_2 \rightarrow ^* { cn }'_2\) and \({ cn }'_1 \equiv _2 { cn }'_2\). We proceed by case analysis on the transition \({ cn }_1 \rightarrow { cn }'_1\), eliding uses of ctxt-1. For the cases t-send, t-rcv, msg-send, msg-rcv, msg-route, msg-delay-1, msg-delay-2, msg-delay-3, call-rcv-2, obj-reg, obj-send, and obj-rcv, we take \({ cn }'_2 = { cn }_2\), since in those cases the normal form is unaffected, i.e., \({ cn }_1 \equiv _2 { cn }'_1\). The remaining cases include the rules for sequential control, call-send-2, and new-2. The rules for sequential control are handled in a structurally similar way; take wfield as an example, with a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l,x=e;s)\\&\quad \rightarrow { cn }\ \mathsf{o}(o,a[v/x],u,q_{ in },q_{ out })\ \mathsf{t}(o,l,s), \end{aligned}$$

where \([\![{e}]\!]_{(a, l)} = v\) and \(x \in \mathtt {dom}(a)\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_2({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _2\), there is a task container \(\mathsf{t}(o,l,x=e;s)\) and an object container \(\mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\) in \({ cn }''_2\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l,x=e;s) \\&\quad \rightarrow { cn }'\ \mathsf{o}(o,a[v/x],u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l,s), \end{aligned}$$

and we have that

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a[v/x],u,q_{ in },q_{ out })\ \mathsf{t}(o,l,s)\\&\quad \equiv _2 { cn }'\ \mathsf{o}(o,a[v/x],u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l,s), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side.

call-send-2: Consider a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow { cn }\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}), q_{ out }))\ \mathsf{t}(o,l,s) \end{aligned}$$

where \([\![{e_1}]\!]_{(a, l)} = o'\) and \([\![{\overline{e_2}}]\!]_{(a, l)} = \overline{v}\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_2({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _2\), there is a task container \(\mathsf{t}(o,l,e_1!m(\overline{e_2});s)\) and an object container \(\mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\) in \({ cn }''_2\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow { cn }'\ \mathsf{o}(o,a,u',\varepsilon ,{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}),\varepsilon ))\ \mathsf{t}(o,l,s) \end{aligned}$$

and we have

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}), q_{ out }))\ \mathsf{t}(o,l,s)\\&\quad \equiv _2 { cn }'\ \mathsf{o}(o,a,u',\varepsilon ,{\mathtt {enq}}(\mathsf{call}(o',m,\overline{v}),\varepsilon ))\ \mathsf{t}(o,l,s), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side.

new-2: Consider a transition of the form

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l,\mathbf {new}\ C(\overline{e}); s)\\&\quad \rightarrow { cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a',u,\varepsilon ,\varepsilon ) \end{aligned}$$

where \({\mathtt {newo}}(u) = o'\), \([\![{\overline{e}}]\!]_{(a, l)} = \overline{v}\), and \(\mathtt {init}(C,\overline{v},o') = a'\). Consider \({ cn }''_2\) such that \({\mathscr {A}}_2({ cn }_2) \leadsto { cn }''_2\). By the definition of \(\equiv _2\), there is a task container \(\mathsf{t}(o,l,\mathbf {new}\ C(\overline{e}); s)\) and an object container \(\mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\) in \({ cn }''_2\). Hence, it is possible to perform a transition

$$\begin{aligned}&{ cn }'\ \mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l,\mathbf {new}\ C(\overline{e}); s)\\&\quad \rightarrow { cn }'\ \mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a',u',\varepsilon ,\varepsilon ) \end{aligned}$$

and we have

$$\begin{aligned}&{ cn }\ \mathsf{o}(o,a,u,q_{ in },q_{ out })\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a',u,\varepsilon ,\varepsilon )\\&\quad \equiv _2 { cn }'\ \mathsf{o}(o,a,u',\varepsilon ,\varepsilon )\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a',u',\varepsilon ,\varepsilon ), \end{aligned}$$

as needed, setting \({ cn }'_2\) to the right-hand side. \(\square \)

Lemma 4

\(\equiv _2\) is context closed.

Proof

Suppose \({ cn }_1 \equiv _2 { cn }_2\). Then, \({ cn }_1\) and \({ cn }_2\) are WF2. Assume \({ cn }_1\ { cn }\) is WF2 for a context configuration \({ cn }\). We first show that \({ cn }_2\ { cn }\) is WF2. For OID Uniqueness, it suffices to consider the case where

$$\begin{aligned}&\mathsf{o}(o_1,a_1,u_1,q_{ in ,1},q_{ out ,1})\preceq { cn }_2,\\&\mathsf{o}(o_2,a_2,u_2,q_{ in , 2}, q_{ out , 2})\preceq { cn }. \end{aligned}$$

Then, if \(o_1 = o_2\), there is a clash between OIDs in \({ cn }_1\) and \({ cn }\), since there is an object container with OID \(o_1\) in \({ cn }_1\) by normal form equivalence, but this is ruled out by \({ cn }_1\ { cn }\) being WF2. For Task-Object existence, it suffices to consider the case where \(\mathsf{t}(o,l,s)\preceq { cn }\); then, if there is no object container with OID o in \({ cn }_2\ { cn }\), there is no such container in \({ cn }_1\) either, violating WF2. For Object-Node Existence, suppose we have \(\mathsf{o}(o,a,u,q_{ in }, q_{ out })\preceq { cn }\), but that there is no vertex u in \(\mathtt {graph}({ cn }_2\ { cn })\); since the graphs for \({ cn }_1\) and \({ cn }_2\) coincide, and there are no nodes in \({ cn }\), this means that there is no such node in \(\mathtt {graph}({ cn }_1\ { cn })\), violating the WF2 assumption. For Buffer Cleanliness, it suffices to note that the property distributes over configuration composition. For Local Routing Consistency, note again that \({ cn }\) introduces no nodes or links, and \({ cn }_2\) is WF2. For External OID, note that \({ cn }\) cannot have an object container with OID \( ext \) since \({ cn }_1\ { cn }\) is WF2, and that \({ cn }\) does not change the nodes or links.

It remains to show that \({ cn }_1\ { cn }\equiv _2 { cn }_2\ { cn }\). The WF2 property is immediate. Suppose \({\mathscr {A}}_2({ cn }_1\ { cn }) \leadsto { cn }'_1\) and \({\mathscr {A}}_2({ cn }_2\ { cn }) \leadsto { cn }'_2\). It suffices to show \({ cn }'_1\ {\mathscr {R}}_2\ { cn }'_2\). We prove the conditions in turn. Note that since \(\mathsf{t}_2({ cn }_1) = \mathsf{t}_2({ cn }_2)\), we have \(\mathsf{t}_2({ cn }_1\ { cn }) = \mathsf{t}_2({ cn }_2\ { cn })\).

$$\begin{aligned} \mathtt {graph}({ cn }'_1)&= \mathtt {graph}({ cn }_1\ { cn }) = \mathtt {graph}({ cn }_1) \\&\!=\!\mathtt {graph}({ cn }_2) \!=\! \mathtt {graph}({ cn }_2\ { cn }) \!=\! \mathtt {graph}({ cn }'_2). \\ \mathsf{t}({ cn }'_1)&= \mathsf{t}_2({ cn }_1\ { cn }) = \mathsf{t}_2({ cn }_2\ { cn }) = \mathsf{t}({ cn }'_2). \\ \mathsf{o}({ cn }'_1)&= \mathsf{o}_2({ cn }_1\ { cn }) = \mathsf{o}_2({ cn }_1) \cup \mathsf{o}_2({ cn }) \\&=\mathsf{o}_2({ cn }_2) \cup \mathsf{o}_2({ cn }) = \mathsf{o}_2({ cn }_2\ { cn }) = \mathsf{o}({ cn }'_2). \\ \mathsf{m}({ cn }'_1)&= \mathsf{m}_2({ cn }_1\ { cn }) = \mathsf{m}_2({ cn }_1) \cup \mathsf{m}_2({ cn }) \\&=\mathsf{m}_2({ cn }_2) \cup \mathsf{m}_2({ cn }) = \mathsf{m}_2({ cn }_2\ { cn }) = \mathsf{m}({ cn }'_2). \end{aligned}$$

The proof of converse context closure is symmetric. \(\square \)

Proposition 10

\(\equiv _2\) is a type 2 witness relation.

Proof

We have that \(\equiv _2\) is reduction closed by Lemma 3 and context closed by Lemma 4. Hence, it suffices to show barb preservation in both directions. Suppose \({ cn }_1 \equiv _2 { cn }_2\) and \({ cn }_1 \downarrow obs \). Then, there is a message with destination \( ext \) at the head of some self-loop queue in \({ cn }_1\). Consequently, after running Algorithm 2 on \({ cn }_2\), this message will be found in some self-loop queue, from where it can be brought to the head by means of repeated application of msg-delay-3. Thus, \({ cn }_2 \Downarrow obs \). The proof of converse barb preservation is symmetric. \(\square \)

Corollary 5

If \({\mathscr {A}}_2({ cn })\leadsto { cn }'\), then \({ cn }\simeq _2 { cn }'\).

Proof

None of the rules used in Algorithm 2 affects the shape of the normal form. Thus, if \({\mathscr {A}}_2({ cn })\leadsto { cn }'\), then \({ cn }\equiv _2 { cn }'\). But then, \({ cn }\simeq { cn }'\), by Proposition 10. \(\square \)

Proposition 11

If \(\mathsf {bind}\ \overline{o}.{ cn }\) is a WF1 configuration in standard form, then \(\mathtt {net}({ cn })\) is WF2.

Proof

We consider the WF2 conditions in turn. OID Uniqueness and Task-Object Existence follows from the respective WF1 conditions and from how the name representation map is defined. Object-Node Existence holds since all objects are placed on the node \(u_0\), which exists by the definition of \({ cn }_{ graph }\). Buffer Cleanliness holds since all object containers in \(\mathtt {net}({ cn })\) have empty queues. Local Routing Consistency follows from how routing tables in \({ cn }_{ graph }\) are defined. External OID follows from the corresponding WF1 condition and from how routing tables are defined. \(\square \)

Lemma 5

Let \(\mathsf {bind}\ \overline{o}.{ cn }\) be a type 1 well-formed configuration in standard form. Then:

1. 1.

   If \(\mathsf {bind}\ \overline{o}.{ cn }\rightarrow \mathsf {bind}\ \overline{o}'.{ cn }'\), then for some \({ cn }''\), \(\mathtt {net}({ cn }) \rightarrow ^* { cn }''\) and \({ cn }'' \equiv _2 \mathtt {net}({ cn }')\).

2. 2.

   If \(\mathtt {net}({ cn }) \rightarrow { cn }''\), then for some \(\overline{o}'\) and \({ cn }'\), \(\mathsf {bind}\ \overline{o}. { cn } \rightarrow ^* \mathsf {bind}\ \overline{o}'.{ cn }'\) and \({ cn }'' \equiv _2 \mathtt {net}({ cn }')\).

Proof

1. The proof is by case analysis on the possible transitions such that \(\mathsf {bind}\ \overline{o}.{ cn }\rightarrow \mathsf {bind}\ \overline{o}'.{ cn }'\), eliding uses of ctxt-1 and ctxt-2. The remaining sequential control rules in Fig. 4 are straightforward; consider, for instance, the rule wfield, which yields a transition of the form

$$\begin{aligned}&\mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,x=e;s) \\&\quad \rightarrow \mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a[v/x])\ \mathsf{t}(o,l,s), \end{aligned}$$

where \(x\in \mathtt {dom}(a)\) and \(v = [\![{e}]\!]_{(a, l)}\). We calculate:

$$\begin{aligned}&\mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,x=e;s) ) \\&\quad = (\mathtt {net}({ cn },\mathtt {rep}) \circ \mathtt {net}(\mathsf{o}(o,a),\mathtt {rep}) \circ \\&\quad \quad \mathtt {net}(\mathsf{t}(o,l,x=e;s),\mathtt {rep})) ({ cn }_{ graph }) \\&\quad = \mathtt {net}({ cn },\mathtt {rep})(\mathtt {net}(\mathsf{o}(o,a),\mathtt {rep})\\&\quad \quad (\mathtt {net}(\mathsf{t}(o,l,x=e;s),\mathtt {rep})({ cn }_{ graph }))) \\&\quad =\mathtt {net}({ cn },\mathtt {rep}) (\mathtt {net}(\mathsf{o}(o,a),\mathtt {rep})\\&\quad \quad (\mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),x=e;s)\ { cn }_{ graph })) \\&\quad = \mathtt {net}({ cn },\mathtt {rep}) (\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),x=e;s)\ { cn }_{ graph }) \\&\quad \rightarrow \mathtt {net}({ cn },\mathtt {rep}) (\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a)[\mathtt {rep}(v)/x],u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph })\\&\quad = \mathtt {net}({ cn },\mathtt {rep}) (\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a[v/x]),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph })\\&\quad = \mathtt {net}({ cn }\ \mathsf{o}(o,a[v/x])\ \mathsf{t}(o,l,s)) \end{aligned}$$

using the rule wfield-2 to derive the transition.

We proceed to the rules concerning messages and object creation.

call-send: Consider the following type 1 transition:

$$\begin{aligned}&\mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow \mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s)\ \mathsf {c}(o',m,\overline{v}), \end{aligned}$$

where \(o' = [\![{e_1}]\!]_{(a, l)}\) and \(\overline{v} = [\![{\overline{e_2}}]\!]_{(a, l)}\). We calculate:

$$\begin{aligned}&\mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)) \\&\quad = (\mathtt {net}({ cn },\mathtt {rep}) \circ \mathtt {net}(\mathsf{o}(o,a),\mathtt {rep}) \circ \\&\quad \quad \mathtt {net}(\mathsf{t}(o,l,e_1!m(\overline{e_2});s),\mathtt {rep})) ({ cn }_{ graph }) \\&\quad = \mathtt {net}({ cn },\mathtt {rep})(\mathtt {net}(\mathsf{o}(o,a),\mathtt {rep})\\&\quad \quad (\mathtt {net}(\mathsf{t}(o,l,e_1!m(\overline{e_2});s),\mathtt {rep}) ({ cn }_{ graph }))) \\&\quad = \mathtt {net}({ cn },\mathtt {rep}) (\mathtt {net}(\mathsf{o}(o,a),\mathtt {rep})\\&\quad \quad (\mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),e_1!m(\overline{e_2});s)\ { cn }_{ graph })) \\&\quad = \mathtt {net}({ cn },\mathtt {rep}) (\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),e_1!m(\overline{e_2});s)\ { cn }_{ graph }) \\&\quad \rightarrow \mathtt {net}({ cn },\mathtt {rep}') (\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\\&\quad \quad {\mathtt {enq}}(\mathsf{call}(\mathtt {rep}(o'),m,\mathtt {rep}(\overline{v})),\varepsilon ))\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph })\\&\quad \equiv _2 \mathtt {net}({ cn },\mathtt {rep})(\mathsf{o}(\mathtt {rep}(o), \mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ \mathtt {send}(\mathsf{call}(\mathtt {rep}(o'),m,\\&\quad \quad \mathtt {rep}(\overline{v})), { cn }_{ graph }))\\&\quad = \mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s)\ \mathsf {c}(o',m,\overline{v})) \end{aligned}$$

using call-send-2.

call-rcv: Consider the following type 1 transition:

$$\begin{aligned} \mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf {c}(o,m,\overline{v}) \rightarrow \mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s), \end{aligned}$$

where \(l = {\mathtt {locals}}(o,m,\overline{v})\) and \(s = {\mathtt {body}}(o,m)\). We calculate:

$$\begin{aligned}&\mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf {c}(o,m,\overline{v})) \\&\quad = (\mathtt {net}({ cn },\mathtt {rep}) \circ \mathtt {net}(\mathsf{o}(o,a),\mathtt {rep}) \circ \\&\quad \quad \mathtt {net}(\mathsf {c}(o,m,\overline{v}),\mathtt {rep})) ({ cn }_{ graph }) \\&\quad = \mathtt {net}({ cn },\mathtt {rep})(\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathtt {send}(\mathsf{call}(\mathtt {rep}(o),m,\mathtt {rep}(\overline{v})), { cn }_{ graph }))\\&\quad \equiv _2 \mathtt {net}({ cn },\mathtt {rep})(\mathsf{o}(\mathtt {rep}(o), \mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph })\\&\quad = \mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s)) \end{aligned}$$

new: Consider the following type 1 transition:

$$\begin{aligned}&\mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,x=\mathbf {new}\ C(\overline{e});s)\\&\quad \rightarrow \mathsf {bind}\ o'\,\overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a') \end{aligned}$$

where \(\overline{v} = [\![{\overline{e}}]\!]_{(a, l)}\) and \(a' = \mathtt {init}(C,\overline{v},o')\). We calculate:

$$\begin{aligned}&{\texttt {net}}({\textit{cn}}\ {\textsf {o}}(o,a)\ {\textsf {t}}(o,l,x=\mathbf{new }\ C(\overline{e});s)) \\&\quad = {\texttt {net}}({\textit{cn}},{\texttt {rep}})({\textsf {o}}({\texttt {rep}}(o),{\texttt {rep}}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad {\textsf {t}}({\texttt {rep}}(o),{\texttt {rep}}(l),x=\mathbf{new }\ C(\overline{e});s)\ {\textit{cn}}_{\textit{graph}}) \\&\quad \rightarrow {\texttt {net}}({\textit{cn}},{\texttt {rep}}')({\textsf {o}}({\texttt {rep}}'(o),{\texttt {rep}}'(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad {\textsf {t}}({\texttt {rep}}'(o),{\texttt {rep}}'(l)[o''/x],s)\ {\textsf {o}}(o'',{\texttt {rep}}'(a'),u_0,\varepsilon ,\varepsilon )\\&\quad {\textit{cn}}_{\textit{graph}}) \\&\quad = {\texttt {net}}({\textit{cn}},{\texttt {rep}}')(\mathsf{o}({\texttt {rep}}'(o),{\texttt {rep}}'(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad {\textsf {t}}({\texttt {rep}}'(o),{\texttt {rep}}'(l[o''/x]),s)\ {\textsf {o}}(o'',{\texttt {rep}}'(a'),u_0,\varepsilon ,\varepsilon )\\&\quad {\textit{cn}}_{\textit{graph}}) \\&\quad = \texttt {net}({\textit{cn}}\ {\textsf {o}}(o,a)\ {\textsf {t}}(o,l[o'/x],s)\ {\textsf {o}}(o',a')) \end{aligned}$$

where \(\mathtt {rep}' = \mathtt {rep}[o''/o']\) and \(o'' = {\mathtt {newo}}(u_0)\). This completes the proof of property 1.

2. We proceed by cases on the type 2 rule applied to derive \(\mathtt {net}({ cn })\rightarrow { cn }''\), eliding uses of ctxt-1. The rules for sequential control are immediate, since it is straightforward to find \({ cn }'\) such that \(\mathtt {net}({ cn }') = { cn }''\). For t-send, t-rcv, msg-send, msg-rcv, msg-route, msg-delay-1, msg-delay-2, msg-delay-3, call-rcv-2, obj-reg, obj-send, and obj-rcv, we can set \(\overline{o}' = \overline{o}\) and \({ cn }' = { cn }\), since they have no effect on the normal form. We handle the two remaining cases as per below.

call-send-2: Consider a transition of the form

$$\begin{aligned}&\mathtt {net}({ cn }, \mathtt {rep})(\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),e_1!m(\overline{e_2});s)\ { cn }_{ graph })\\&\quad \rightarrow \mathtt {net}({ cn }, \mathtt {rep})(\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\\&\quad \quad {\mathtt {enq}}(\mathsf{call}(\mathtt {rep}(o'),m,\mathtt {rep}(\overline{v}), \varepsilon )))\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph }) \end{aligned}$$

where \(o' = [\![{e_1}]\!]_{(a, l)}\) and \(\overline{v} = [\![{\overline{e_2}}]\!]_{(a, l)}\). We have:

$$\begin{aligned}&\mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,e_1!m(\overline{e_2});s)\\&\quad \rightarrow \mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s)\ \mathsf {c}(o',m,\overline{v}) \end{aligned}$$

and we calculate:

$$\begin{aligned}&\mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,s)\ \mathsf {c}(o',m,\overline{v})\\&\quad = \mathtt {net}({ cn }, \mathtt {rep})(\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\\&\quad \quad \mathtt {send}(\mathsf{call}(\mathtt {rep}(o'),m,\mathtt {rep}(\overline{v})), { cn }_{ graph }))\\&\quad \equiv _2 \mathtt {net}({ cn }, \mathtt {rep})(\mathsf{o}(\mathtt {rep}(o),\mathtt {rep}(a),u_0,\varepsilon ,\\&\quad \quad {\mathtt {enq}}(\mathsf{call}(\mathtt {rep}(o'),m,\mathtt {rep}(\overline{v}), \varepsilon )))\\&\quad \quad \mathsf{t}(\mathtt {rep}(o),\mathtt {rep}(l),s)\ { cn }_{ graph }) \end{aligned}$$

new-2: Consider a transition of the form

$$\begin{aligned}&{\texttt {net}}({\textit{cn}}, {\texttt {rep}})({\textsf {o}}({\texttt {rep}}(o),{\texttt {rep}}(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad {\textsf {t}}({\texttt {rep}}(o),{\texttt {rep}}(l),x=\mathbf{new }\ C(\overline{e});s)\\&\quad \rightarrow {\texttt {net}}({\textit{cn}}, {\texttt {rep}}')({\textsf {o}}({\texttt {rep}}'(o),{\texttt {rep}}'(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad {\textsf {t}}({\texttt {rep}}'(o),{\texttt {rep}}'(l)[o''/x],s)\ {\textsf {o}}(o'',{\texttt {rep}}'(a'),u_0,\varepsilon ,\varepsilon )\\&\qquad \qquad {\textit{cn}}_{\textit{graph}}) \end{aligned}$$

where we have \(\overline{v} = [\![{\overline{e}}]\!]_{(a, l)}\), \(a' = \mathtt {init}(C,\overline{v},o')\), \(\mathtt {rep}' = \mathtt {rep}[o''/o']\), and \(o'' = {\mathtt {newo}}(u_0)\). Then:

$$\begin{aligned}&\mathsf {bind}\ \overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l,x=\mathbf {new}\ C(\overline{e});s)\\&\quad \rightarrow \mathsf {bind}\ o'\,\overline{o}.{ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a') \end{aligned}$$

and we calculate:

$$\begin{aligned}&\mathtt {net}({ cn }\ \mathsf{o}(o,a)\ \mathsf{t}(o,l[o'/x],s)\ \mathsf{o}(o',a'))\\&\quad = \mathtt {net}({ cn }, \mathtt {rep}')(\mathsf{o}(\mathtt {rep}'(o),\mathtt {rep}'(a),u_0,\varepsilon ,\varepsilon )\\&\quad \quad \mathsf{t}(\mathtt {rep}'(o),\mathtt {rep}'(l)[o''/x],s)\\&\quad \quad \mathsf{o}(o'',\mathtt {rep}'(a'),u_0,\varepsilon ,\varepsilon )\ { cn }_{ graph }) \end{aligned}$$

This completes the proof of property 2. \(\square \)

Theorem 1

For all well-formed type 1 configurations \(\mathsf {bind}\ \overline{o}.{ cn }\) in standard form, \(\mathsf {bind}\ \overline{o}.{ cn }\simeq \mathtt {net}({ cn })\).

Proof

We exhibit a conflated witness relation \({\mathscr {R}}\), defined as

$$\begin{aligned} {\mathscr {R}} = \{ ( \mathsf {bind}\ \overline{o}.{ cn },{ cn }') \mid \mathtt {net}({ cn }) \equiv _2 { cn }'\}, \end{aligned}$$

where \(\mathsf {bind}\ \overline{o}.{ cn }\) is a WF1 configuration in standard form, and \({ cn }'\) is a WF2 configuration. Note that \((\mathsf {bind}\ \overline{o}.{ cn }, \mathtt {net}({ cn })) \in {\mathscr {R}}\), since the identity relation is included in \(\equiv _2\). We show that \({\mathscr {R}}\) is a conflated type 1 and type 2 witness relation.

Suppose \(\mathsf {bind}\ \overline{o}.{ cn }_1\ {\mathscr {R}}\ { cn }_2\) (or the converse for \({\mathscr {R}}^{-1}\)); then, we have that \(\mathsf {bind}\ \overline{o}.{ cn }_1\) is WF1 and in standard form, \({ cn }_2\) is WF2, and \(\mathtt {net}({ cn }_1) \equiv _2 { cn }_2\).

For reduction closure, assume \(\mathsf {bind}\ \overline{o}.{ cn }_1 \rightarrow \mathsf {bind}\ \overline{o}'.{ cn }'_1\), where \(\mathsf {bind}\ \overline{o}'.{ cn }'_1\) is in standard form. Then, by property 1 of Lemma 5, \(\mathtt {net}({ cn }_1) \rightarrow ^* { cn }''_1 \equiv _2 \mathtt {net}({ cn }'_1)\). This means that, for some \({ cn }'_2\), \({ cn }_2 \rightarrow ^* { cn }'_2 \equiv _2 { cn }''_1\). Hence, by the transitivity of \(\equiv _2\), \(\mathsf {bind}\ \overline{o}.{ cn }'_1\ {\mathscr {R}}\ { cn }'_2\). For converse reduction closure, assume \({ cn }_2 \rightarrow { cn }'_2\). Then, \(\mathtt {net}({ cn }_1) \rightarrow ^* { cn }''_2\) and \({ cn }'_2 \equiv _2 { cn }''_2\). By property 2 of Lemma 5, this means that we have \(\mathsf {bind}\ \overline{o}.{ cn }_1 \rightarrow \mathsf {bind}\ \overline{o}'.{ cn }'_1\) and \({ cn }''_2 \equiv _2 \mathtt {net}({ cn }'_1)\). Hence, by the transitivity of \(\equiv _2\), \({ cn }'_2\ {\mathscr {R}}^{-1}\ \mathsf {bind}\ \overline{o}'.{ cn }'_1\).

For barb preservation, assume \(\mathsf {bind}\ \overline{o}.{ cn }_1 \downarrow obs \). Then, \(\mathtt {net}({ cn }_1) \Downarrow obs \), which by normal form equivalence with \({ cn }_2\) implies that \({ cn }_2 \Downarrow obs \), as needed. For converse barb preservation, assume \({ cn }_2 \downarrow obs \). Then, by normal form equivalence, \(\mathtt {net}({ cn }_1) \Downarrow obs \), and consequently \({ cn }_1 \downarrow obs \), whereby \({ cn }_1 \Downarrow obs \).

For context closure, assume \(\mathsf {bind}\ \overline{o}'.{ cn }_1\ { cn }\) is in standard form and WF1, and consider the configuration \(\mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\), which in effect applies \({ cn }\) to \({ cn }_2\). We first need to show that this resulting configuration is WF2. Object-Node Existence holds, since by the definition of \(\mathtt {net}\), all objects in \({ cn }\) become attached to a node in \({ cn }_2\). Buffer Cleanliness also holds by the definition of \(\mathtt {net}\). For OID Uniqueness, it suffices to consider the case where \(\mathsf{o}(o_1,a_1,u_1,q_{ in ,1},q_{ out ,1})\preceq { cn }_2\) and \(\mathsf{o}(o_2,a_2,u_2,q_{ in ,2},q_{ out ,2})\preceq \mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\) but where it holds that \(\mathsf{o}(o_2,a_2,u_2,q_{ in ,2},q_{ out ,2})\not \preceq { cn }_2\); then, if \(o_1 = o_2\), there is a corresponding clash in \(\mathsf {bind}\ \overline{o}'.{ cn }_1\ { cn }\), violating WF1. For Task-Object Existence, assume \(\mathsf{t}(o,l,s)\preceq \mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\) and \(\mathsf{t}(o,l,s)\not \preceq { cn }_2\); then, if there is no object container \(\mathsf{o}(o,a,u,q_{ in },q_{ out }) \preceq \mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\), there is no corresponding object container in \(\mathsf {bind}\ \overline{o}'.{ cn }_1\ { cn }\), violating WF1 for the tasks corresponding to \(\mathsf{t}(o,l,s)\) in \(\mathsf {bind}\ \overline{o}'.{ cn }_1\ { cn }\). Local Routing Consistency holds since the composition does not add nodes or links and does not change routing tables. The first condition of External OID holds since \( ext \) is not allowed to be bound or defined in \({ cn }\), and the second condition again holds since the context does not add network components.

It remains to show that \(\mathsf {bind}\ \overline{o}'.{ cn }_1\ { cn }\ {\mathscr {R}}\ \mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\). The network graphs of \(\mathtt {net}({ cn }_1\ { cn })\) and \(\mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\) coincide, since applying \({ cn }\) does not introduce any nodes or links. Clearly, if and only if a task or non-external message is in \({ cn }\), a corresponding task or message is introduced by \({ cn }\) in \(\mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\). We already have that the remaining tasks and tasks spawned from messages in \({ cn }_1\) correspond to those in \({ cn }_2\). As for external messages, they are either newly introduced via the context, and are then in both composed configurations, or come from the original configuration, which we already know have coinciding external messages after applying the representation map. With respect to objects, none of the rules used in normalization change object environments, and there is a one-to-one mapping of objects between \({ cn }_1\ { cn }\) and \(\mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\), so after running Algorithm 2, all object containers will coincide. Hence, \(\mathtt {net}({ cn }_1\ { cn }) \equiv _2 \mathtt {net}({ cn }, \mathtt {rep})({ cn }_2)\).

For converse context closure, assume \({ cn }_2\ { cn }\) is WF2 and apply \({ cn }\) to produce \(\mathsf {bind}\ \overline{o}'.\mathtt {ten}({ cn }, \mathtt {rep}^{-1})({ cn }_1)\) in standard form. We first need to show that this resulting configuration is WF1. Let \({ cn }'\) be the multiset difference of \(\mathtt {ten}({ cn }, \mathtt {rep}^{-1})({ cn }_1)\) and \({ cn }_1\). For OID Uniqueness, it suffices to consider when \(\mathsf{o}(o_1,a_1)\preceq { cn }_1\) and \(\mathsf{o}(o_2,a_2)\preceq { cn }'\); then, if \(o_1 = o_2\), there is a corresponding clash in \({ cn }_2\ { cn }\), violating WF2. For Task-Object Existence, assume \(\mathsf{t}(o,l,s)\preceq { cn }'\); then, if there is no object container \(\mathsf{o}(o,a)\preceq { cn }_1\ { cn }'\), this violates WF2 for the task corresponding to \(\mathsf{t}(o,l,s)\) in \({ cn }_2\ { cn }\).

It remains to show that \({ cn }_2\ { cn }\ {\mathscr {R}}^{-1}\ \mathsf {bind}\ \overline{o}'.\mathtt {ten}({ cn }, \mathtt {rep}^{-1})({ cn }_1)\). Again, let \({ cn }'\) be the multiset difference of \(\mathtt {ten}({ cn }, \mathtt {rep}^{-1})({ cn }_1)\) and \({ cn }_1\). The network graphs of \(\mathtt {net}({ cn }_1\ { cn }')\) and \({ cn }_2\ { cn }\) coincide since \({ cn }\) does not contain any nodes or links. Clearly, if and only if a task or non-external message is in \({ cn }\), a corresponding task or message is in \({ cn }'\). We already have that the remaining tasks and tasks spawned from messages in \({ cn }_1\) correspond to those in \({ cn }_2\). As for external messages, they are either newly introduced via the context, and are then in both composed configurations, or come from the original configuration, which we already know have coinciding external messages after applying the representation map. With respect to objects, none of the rules used in normalization change object environments, and there is a one-to-one mapping of objects between \({ cn }_2\ { cn }\) and \({ cn }_1\ { cn }'\), so after running Algorithm 2, objects will coincide. Hence, \(\mathtt {net}({ cn }_1\ { cn }') \equiv _2 { cn }_2\ { cn }\). \(\square \)

Corollary 6

For all WF1 configurations \(\mathsf {bind}\ \overline{o}.{ cn }\) in standard form, \(\langle \mathtt {net}({ cn })\rangle \ \sqsubseteq \ \langle \mathsf {bind}\ \overline{o}.{ cn }\rangle \).

Proof

Suppose \(\rho _1 \rightarrow \rho '_1\) for \(\rho _1 = { cn }_1\cdots { cn }_n\) and \(\rho '_1 = { cn }_1\cdots { cn }_n{ cn }_{n+1}\). We then have \({ cn }_n \rightarrow { cn }_{n+1}\), and \(\rho _1 \downarrow obs \) whenever \({ cn }_n \downarrow obs \). Let \(\rho _2 = { cn }'_1\cdots { cn }'_m\). When \({ cn }_n = \mathtt {net}({ cn })\) and \({ cn }'_m = \mathsf {bind}\ \overline{o}.{ cn }\), as in the present case, \({ cn }_n\) and \({ cn }'_m\) are by Theorem 1 related by some conflated witness relation \({\mathscr {R}}\). We use this relation when constructing the required relation on executions to qualify for inclusion in \(\sqsubseteq \), by straightforwardly transferring configuration properties from \({\mathscr {R}}\) to executions. \(\square \)