Cooperative decoupled processes

Abstract

Event-driven programming has become a major paradigm in developing concurrent, distributed systems. Its benefits are often informally captured by the key tenet of “decoupling,” a notion which roughly captures the ability of processes to join and leave (or fail) applications dynamically, and to be developed by independent parties. Programming models for event-driven programming either make it hard to globally reason about control flow, thus hampering sound execution, or sacrifice decoupling to aid in reasoning about control flow. This work fills the gap by introducing a programming model—dubbed cooperative decoupled processes—that achieves both decoupling and global reasoning about control flow. We introduce this programming model through an event calculus, loosely inspired by the Join calculus, that enables reasoning about cooperative decoupled processes through the concepts of pre- and postconditions. A linear type system controls aliasing of events to avoid a break of control flow and thus safe exchange of shared events. Fundamental properties of the type system such as subject reduction, migration safety, and progress are established.

Appendices

Appendix A: Combination of types and typing rules for the runtime

Combination of types for the runtime include combination of postcondition and product events created during evaluation:

to capture exchange of events at runtime. The typing rule for the runtime include typing of init and reactants:

$${init}:{l}_{r}{l}_{p} \vdash_{pre} {init} \quad {\lfloor\textsc{T-RInit}\rfloor}\qquad {l}:rp \vdash_{r} {l} \quad {\lfloor{\textsc{T-RRName}}\rfloor} $$

to preserve the static type with the runtime type, after stated (declared) events are consumed. These rules allow statement and proof of subject reduction. Combination with other products for the name in the \(\vdash _{r}\) judgment will combine to the same type rp.

Appendix B: Properties

This section gives the full proof of subject congruence and reduction, migration safety, progress along lemmas used in their proofs. We describe the approach taken for proving type safety for our system. We define important conditions and present the key lemmas needed for proving subject reduction (preservation) and migration safety. We consider all cases for both subject reduction and migration safety. For subject reduction, we use the following lemmas and propositions. Given typeable terms, the first lemma describes structure properties of type environments where I, J, K, M, N denote sets of naturals.

Lemma 1 (Type environment inversion)

1. (1)

   If \({\Gamma } \vdash {M}\) then \({\Gamma } = \{{l}_{i}:\alpha _{i}^{i \in I}\}\) where \(\alpha _{i} = \{{l}_{p}@A_{i}, p@ \tilde {A}_{i}\}\).

2. (2)

   If \({\Gamma } \vdash _{r} {M}\) then Γ = {l _i : r ^i∈I}@A.

3. (3)

   If \({\Gamma } \vdash _{p} {M}\) then Γ = {l _i : p ^i∈I}@A.

4. (4)

   If \({\Gamma } \vdash _{D} {D}\) then \({\Gamma } = \{{l}_{i} : \alpha _{i}^{i \in I} \} \cup \{{l}_{i} : \beta _{i}^{i \in J}\} \cup \{{l}_{i} : {l}_{p}@A_{i}^{i \in K}\} \cup \{{l}_{i} : p@\tilde {A}_{i}^{i \in L}\}\) where \(\alpha _{i} \in \{{l}_{r}@\tilde {A}_{i}, {l}_{r}{l}_{p}@\tilde {A}_{i}\}\) and \(\beta _{i} = \{r@\tilde {A}_{i}, rp@A_{i}\}\) .

5. (5)

   If \({\Gamma } \vdash {\textup {\textsf {def}}\ {D} \ \textup {\textsf {in}}\ {M}}\) then \({\Gamma } = \{{l}_{i} : \alpha _{i}^{i \in I} \} \cup \{{l}_{i} : \beta _{i}^{i \in J}\} \cup \{{l}_{i} : {l}_{p}@A_{i}^{i \in K}\} \cup \{{l}_{i} : p@\tilde {A}_{i}^{i \in L}\}\) where \(\alpha _{i} \in \{{l}_{r}@\tilde {A}_{i}, {l}_{r}{l}_{p}@\tilde {A}_{i}\}\) and \(\beta _{i} = \{r@\tilde {A}_{i}, rp@A_{i}\}\) .

Proof

The proof is tedious but straightforward by typing and combination rules. □

We note \(\mathsf {dom_{ln}}({\Gamma }) = \{{l}_{i}^{i \in I}\}\) if \({l}:{l}_{r}@ \tilde {A}, {l}:{l}_{p}@A, {l}:{l}_{r}{l}_{p}@\tilde {A} \in {\Gamma }\) as the set of names denoting linear types: preconditions and postconditions.

Proposition 3 (Associativity of ⊎)

Given \({\Gamma }_{1} = \{{l}_{i} : \alpha _{i}^{i \in I} \} \cup \{{l}_{i} : \beta _{i}^{i \in J}\} \cup \{{l}_{i} : {l}_{p}@A_{i}^{i \in K}\} \cup \{{l}_{i} : p@\tilde {A}_{i}^{i \in L}\}\) , \({\Gamma }_{2} = \{{l}_{i}:p@\tilde {A}_{i}^{i \in N}\} \cup \{{l}_{i}:{l}_{p}@A_{i}^{i \in N^{\prime }}\}\) , \({\Gamma }_{3} = \{{l}_{i}:p@\tilde {A}_{i}^{i \in M}\} \cup \{{l}_{i}:{l}_{p}@A_{i}^{i \in M^{\prime }}\}\) where \(\alpha _{i} \in \{{l}_{r}@\tilde {A}_{i}, {l}_{r}{l}_{p}@\tilde {A}_{i}\}\) and \(\beta _{i} = \{r@\tilde {A}_{i}, rp@A_{i}\}\) is defined if and only if Γ₁ ⊎ _S (Γ₂ ⊎Γ₃)is defined, (Γ₁ ⊎ _S Γ₂) ⊎Γ₃ = Γ₁ ⊎ _S (Γ₂ ⊎Γ₃)and \(\mathsf {dom_{ln}}({\Gamma }_{1}) \cap \mathsf {dom_{ln}}({\Gamma }_{2}) \cap \mathsf {dom_{ln}}({\Gamma }_{3}) = \emptyset \) .

Proof

Case analysis on the membership of type assertions in Γ₁,Γ₂and Γ₃. We give the proofof “if (Γ₁ ⊎ _S Γ₂) ⊎Γ₃is definedthen Γ₁ ⊎ _S (Γ₂ ⊎Γ₃)is defined”.The proof of “if Γ₁ ⊎ _S (Γ₂ ⊎Γ₃)is defined then (Γ₁ ⊎ _S Γ₂) ⊎Γ₃is defined” is symmetric.

Case l :

∈ d o m(Γ₁), d o m(Γ₂), d o m(Γ₃).We have that \({\Gamma }_{1}({l}) \in \{{l}_{r}@\tilde {A}, {l}_{r}{l}_{p}@\tilde {A}, {l}_{p}@A, r@\tilde {A}\),\(rp@A, p@\tilde {A}\}, {\Gamma }_{2}({l}) \in \{{l}_{p}@B, p@\tilde {B}\}\),\({\Gamma }_{3}({l}) \in \{{l}_{p}@C, p@\tilde {C}\}\).\(\{{l}_{r}@\tilde {A}, {l}_{r}{l}_{p}@\tilde {A}, {l}_{p}@A\),\( r@\tilde {A}, rp@A, p@\tilde {A}\} \uplus _{S} \{{l}_{p}@B\),\(p@\tilde {B}\}\)is defined by assumption and the result is \(\{{l}_{r}{l}_{p}@\{\tilde {A}, B\}\),\( {l}_{p}@A, rp@\{A, B\}, p@\{\tilde {A}, B\}\}\)by definition of combination rules. Next, we have that\(\{{l}_{r}{l}_{p}@\{\tilde {A}, B\}, {l}_{p}@A, rp@\{A, B\}\),\( p@\{\tilde {A}, \tilde {B}\}\} \uplus \{{l}_{p}@C, p@\tilde {C}\}\)is defined only for the nonlinear names \(\{rp@A, p@\{\tilde {A}, \tilde {B}, \tilde {C}\}\}\).Two linear types and, one linear and one nonlinear do notcombine by definition. On the other side, we have that (Γ₁ ⊎ _S (Γ₂⊎Γ₃))(l) =Γ₁(l)⊎ _S (Γ₂⊎Γ₃)(l) =Γ₁(l)⊎ _S (Γ₂(l)⊎Γ₃(l)).In here, \(\{{l}_{p}@B, p@\tilde {B}\} \uplus \{{l}_{p}@C, p@\tilde {C}\}\)is defined only for nonlinear events by hypothesis, resulting in\(\{p@\{\tilde {B}, \tilde {C}\}\}\).\(\{{l}_{r}@\tilde {A}, {l}_{r}{l}_{p}@\tilde {A}, {l}_{p}@A\),\(r@\tilde {A}, rp@A, p@\tilde {A}\} \uplus _{S} \{p@\{\tilde {B}, \tilde {C}\}\}\)is defined only for nonlinear events, resulting in {r p@A,\(p@\{\tilde {A}, \tilde {B}, \tilde {C}\}\}\).

Case l :

∈ d o m(Γ₁), d o m(Γ₂), l∉d o m(Γ₃).So, ((Γ₁ ⊎ _S Γ₂)⊎Γ₃)(l) = (Γ₁ ⊎ _S Γ₂)(l) =Γ₁(l)⊎ _S Γ₂(l)is defined by assumption. On the other side, we have that (Γ₁ ⊎ _S (Γ₂ ⊎Γ₃)) (l) =Γ₁(l) ⊎ _S (Γ₂ ⊎Γ₃)(l) =Γ₁(l) ⊎ _S Γ₂(l)is defined by hypothesis.

Cases l :

∈ d o m(Γ₁), d o m(Γ₃), l∉d o m(Γ₂)and l ∈ d o m(Γ₂), d o m(Γ₃), l∉d o m(Γ₁)are similar to the one above.

Cases l :

∈ d o m(Γ₁), l∉d o m(Γ₂), d o m(Γ₃)and l ∈ d o m(Γ₂), l∉d o m(Γ₁), d o m(Γ₃)and l ∈ d o m(Γ₃), l∉d o m(Γ₂), d o m(Γ₁) are trivial.

□

Lemma 2 (Subject congruence)

If P ≡ Q then \({\Gamma } \vdash {P}\) iff \({\Gamma } \vdash {Q}\) .

Proof

By induction on the proof of P ≡ Q.We present only the case for rule ⌊STR-DEF⌋.Other cases are trivial. □

Case(Rule STR-DEF)

$$({\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ {M}_{1}})\ \textsf{\&}\, {M}_{2} \equiv {\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ ({M}_{1}\ \textsf{\&}\, {M}_{2})} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash {(\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ {M}_{1}})\ \textsf{\&}\, {M}_{2} \text{Assumption}\\ &&{\Gamma}_{1} \vdash {\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ {M}_{1}}~\text{and}~{\Gamma}_{2} \vdash {M}_{2}~\text{where}~{\Gamma} = {\Gamma}_{1} \uplus {\Gamma}_{2}~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{3} \vdash_{D} {D}~\text{and}~{\Gamma}_{4} \vdash {M}_{1}~\text{where}~{\Gamma}_{1} = {\Gamma}_{3} \uplus_{S} {\Gamma}_{4}~\text{is defined}\text{By inversion}\\ &&{\Gamma}_{2} = \{{l}_{i}:\alpha_{i}^{i \in I}\}, {\Gamma}_{4} = \{{l}_{i}:\alpha_{i}^{i \in I^{\prime}}\}~\text{where}~\alpha_{i} \in \{{l}_{p}@\tilde{A}_{i}, p@\tilde{A}_{i}\} \text{By Prop. 1(1)}\\ &&{\Gamma}_{2} \uplus {\Gamma}_{4}~\text{is defined}~\text{By Prop. 3} \\ &&{\Gamma}_{2} \uplus {\Gamma}_{4} \vdash {M}_{1}\ \textsf{\&}\, {M}_{2}\text{{B}y rule } {\lfloor{\textsc{T-GPar}}\rfloor}\\ &&{\Gamma}_{3} = \{{C}_{i} : \alpha^{i \in I} \} \cup \{{l}_{i} : \beta^{i \in J}\} \cup \{{C}^{\prime}_{i} : {l}_{p}^{i \in K}\} \cup \{{l}_{i} : p^{i \in L}\}\\ &&\text{where}~\alpha \in \{{l}_{r}, {l}_{r}{l}_{p}\}~\text{and}~\beta = \{r, rp\}\text{{B}y Prop. 1(4)}\\ &&{\Gamma}_{3} \uplus_{S} ({\Gamma}_{4} \uplus {\Gamma}_{2})~\text{is defined and}~({\Gamma}_{3} \uplus_{S} {\Gamma}_{4}) \uplus {\Gamma}_{2}= {\Gamma}_{3} \uplus_{S} ({\Gamma}_{4} \uplus {\Gamma}_{2})\text{{B}y Prop. 3}\\ &&{\Gamma}_{3} \uplus_{S} ({\Gamma}_{4} \uplus {\Gamma}_{2}) \vdash ({\textsf{def}}\ {D} \ {\textsf{in}}~ {M}_{1})\, \textsf{\&}\, {M}_{2} \text{By rule}~{\lfloor{\textsc{T-Def}}\rfloor}\\ &&\text{Note that}~{\Gamma} = ({\Gamma}_{3} \uplus_{S} {\Gamma}_{4}) \uplus {\Gamma}_{2} \end{array} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash \textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ ({M}_{1} \textsf{\&} {M}_{2}) \text{{A}ssumption}\\ &&{\Gamma}_{1} \vdash {D}~\text{and}~{\Gamma}_{2} \vdash {M}_{1}\ \textsf{\&}\, {M}_{2}~\text{where}~{\Gamma} = {\Gamma}_{1} \uplus_{S} {\Gamma}_{2}~\text{is defined}\text{{B}y inversion}\\ &&{\Gamma}_{3} \vdash {M}_{1}~\text{and}~{\Gamma}_{4} \vdash {M}_{2}~\text{where}~{\Gamma}_{2} = {\Gamma}_{3} \uplus {\Gamma}_{4}~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{1} \uplus_{S} {\Gamma}_{3}~\text{is defined}~\text{{B}y Prop. 3}\\ &&{\Gamma}_{1} \uplus_{S} {\Gamma}_{3} \vdash {\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ {M}_{1}}\text{{B}y rule}~{\lfloor\textsc{{T-Def}}\rfloor}\\ &&({\Gamma}_{1} \uplus_{S} {\Gamma}_{3}) \uplus {\Gamma}_{4}~\text{is defined and}~{\Gamma}_{1} \uplus_{S} ({\Gamma}_{3} \uplus {\Gamma}_{4})= ({\Gamma}_{1} \uplus_{S} {\Gamma}_{3}) \uplus {\Gamma}_{4}\text{{B}y Prop. 3}\\ &&({\Gamma}_{1} \uplus_{S} {\Gamma}_{3}) \uplus {\Gamma}_{4} \vdash (\textup{\textsf{def}}\ {D} \ \textup{\textsf{in}}\ {M}_{1})\ \textsf{\&} {M}_{2} \text{{B}y rule}~ {\lfloor\textsc{{T-Par}}\rfloor}\\ &&\text{Note that}~{\Gamma} = {\Gamma}_{1} \uplus_{S} ({\Gamma}_{3} \uplus {\Gamma}_{4}) \end{array} $$

Proposition 4

If \((\{{l}_{i}:{l}_{p}\}^{i \in I}@A, {\Gamma }) \uplus _{S} {\Gamma }^{\prime }\) is defined and \(\{l_{i}\}^{i \in I}\) ⊄ \(dom({\Gamma }^{\prime })\) where \({\Gamma } = \{{l}_{i}:p@\tilde {A}_{i}\}^{i \in J}, {\Gamma }^{\prime }=\{{l}^{\prime }_{i}:\alpha _{i}\}^{i \in K}\) and \(\alpha \in \{{l}_{p}@A, p@\tilde {A}_{i}\}\) then \(({l}:\{{l}_{i}:{l}_{p}\}^{i \in I}@A, \{{l}_{i}:p@\tilde {A}_{i}\}^{i \in J}) \uplus \{{l}^{\prime }_{i}:\alpha _{i}\}^{i \in K}\) is defined.

Proof

Straightforward. By\(p@\tilde {A}_{i} \uplus p@\tilde {A}_{j} = p@\tilde {A}_{i}, \tilde {A}_{j}\)and combination rules. □

Proposition 5

If \((({\Gamma }, \{{l}_{i}:{l}_{r}@\tilde {A}_{i}\}^{i \in I}) \uplus _{H} ({\Gamma }^{\prime }, \{k:{l}_{p}@A_{i}\}^{i \in J})) \uplus _{S} ({\Gamma }_{1} \uplus {\Gamma }_{1}^{\prime })\) is defined, and {k}^i∈J ⊄\(dom{({\Gamma }_{1}^{\prime })}\) then \((({\Gamma }, \{{l}_{i}:{l}_{r}@\tilde {A}_{i}\}^{i \in I}) \uplus _{H} ({\Gamma }^{\prime }, \{k:{l}_{p}@A_{i}\}^{i \in J})) \uplus _{S} (\{k:{l}_{p}@A_{i}\}^{i \in J},{\Gamma }^{\prime } \uplus {\Gamma }_{1}^{\prime })\) is defined.

Proof

By assumption {k}^i∈J ⊄ \(dom{({\Gamma }_{1}^{\prime })}\)then \(\{{k}:{l}_{p}@A_{i}\}^{i \in J} \uplus {\Gamma }_{1}^{\prime }\)is defined. We must show that assumptions of linear types in\({\Gamma }_{1}^{\prime }\)are not on names appearing as well on assumptions of nonlinear\({\Gamma }^{\prime }\). By Prop. 3, we have that \((({\Gamma }, \{{l}_{i}:{l}_{r}@\tilde {A}_{i}\}^{i \in I}) \uplus _{H} ({\Gamma }^{\prime }, \{{k}:{l}_{p}@A_{i}\}^{i \in J})) \uplus _{S} ({\Gamma }_{1} \uplus {\Gamma }_{1}^{\prime }) = (({\Gamma }, \{{l}_{i}:{l}_{r}@\tilde {A}_{i}\}^{i \in I}) \uplus _{H} ({\Gamma }^{\prime }, \{{k}:{l}_{p}@A_{i}\}^{i \in J})\uplus {\Gamma }_{1}^{\prime }) \uplus _{S} {\Gamma }_{1}\).This implies that \(({\Gamma }^{\prime }, \{{k}:{l}_{p}@A_{i}\}^{i \in J})\uplus {\Gamma }_{1}^{\prime }\)is defined. By Prop 4, we conclude that \(({\Gamma }^{\prime }, \{{k}:{l}_{p}@A_{i}\}^{i \in J})\uplus {\Gamma }_{1}^{\prime }\)is defined. From here, one can easily conclude that\((({\Gamma }, \{{l}_{i}:{l}_{r}@\tilde {A}_{i}\}^{i \in I}) \uplus _{H} ({\Gamma }^{\prime }, \{{k}:{l}_{p}@A_{i}\}^{i \in J})) \uplus _{S} (\{{k}:{l}_{p}@A_{i}\}^{i \in J},{\Gamma }^{\prime } \uplus {\Gamma }_{1}^{\prime })\) is defined. □

Proposition 6

If (Γ₁ ⊎ _D Γ₂) ⊎ _S Γ₃ is defined then Γ₁ ⊎ _S Γ₃ is defined.

Proof

Straightforward since Γ₁ ⊎ _D Γ₂(l) ∈ {l _r , l _r l _p , r, r p, l _p , p}and Γ₁(l) ∈ {l _r , l _r l _p , r, r p, l _p , p}. □

Theorem 4 (Subject reduction)

If \({\Gamma } \vdash {P}\) and P → Q then \({\Gamma } \vdash {Q}\) .

Proof

We use induction on the derivation of P → Q. □

Case(R-Occ)

$$\begin{array}{@{}rcl@{}} && {\textsf{def}}\ {[{J}_{1}]}\ \textsf{\&}\, {J}_{2}\, \rhd\, [ {J}_{3}] \ \textsf{\&}\, {J}_{4}~ {\textsf{in}}\ ({{J}}_{1}\ \textsf{\&}\ {J}_{2}\ \textsf{\&}\, {M}) \longrightarrow {\textsf{def}}\ [{J}_{\textsf{1}}]\ \textsf{\&}\ {J}_{2}\, \rhd\, [{J}_{3}]\ \textsf{\&}\, {J}_{4}~{\textsf{in}}\ ({{J}}_{3}\ \textsf{\&}\, {J}_{4}\ \textsf{\&}\, {M})\\ && fn(J_{3}) \cap fn({M}) = \emptyset \end{array} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash {\textsf{def}}\ [{J}_1]\ \textsf{\&}\ {J}_{2}\, \rhd\, {[{J}_3]}\ \textsf{\&}\, {J}_{4}\ {\textsf{in}}\ ({{J}}_{1}\ \textsf{\&}\ {J}_{2}\ \textsf{\&}\ {M}) \text{{A}ssumption} \\ &&{\Gamma}_{1} \vdash [{J}_1]\ \textsf{\&}\, {J}_{2}\, \rhd\, {[{J}_3]}\ \textsf{\&}\, {J}_{4}~\text{and}~{\Gamma}_{2} \vdash ({{J}}_{1}\ \textsf{\&}\ {J}_{2}\ \textsf{\&}\ {M})\\ &&\text{where}~{\Gamma} = {\Gamma}_{1} \uplus_{S} {\Gamma}_{2}~\text{is defined} \text{By inversion}\\ &&{\Gamma}_{2}^{\prime} \vdash {{J}}_{1}\ \textsf{\&}\, {J}_{2}~\text{and}~{\Gamma}_{2}^{\prime\prime} \vdash {M}~\text{where}~{\Gamma}_{2} = {\Gamma}_{2}^{\prime} \uplus {\Gamma}_{2}^{\prime\prime}~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{3} \vdash_{pre} {J}_{1}, {\Gamma}_{4} \vdash_{r} {J}_{2}, {\Gamma}_{5} \vdash_{post} {J}_{3}~\text{and}~{\Gamma}_{6} \vdash_{p} {J}_{4} \\ &&{\Gamma}_{1} = ({\Gamma}_{3} \uplus_{rea} {\Gamma}_{4}) \uplus_{H} ({\Gamma}_{5} \uplus_{pro} {\Gamma}_{6})~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{3}, {\Gamma}_{4}~\text{and}~{\Gamma}_{5}, {\Gamma}_{6} \text{By rules in Fig. 6}\\ &&{\Gamma}_{5} = \{{l}_{i}:{l}_{p}\}^{i \in J}@A \quad {\Gamma}_{6} = \{{l}_{i}:p\}^{i \in I}@A \text{By Lemma 1(2)}\\ &&{\Gamma}_{5} \uplus {\Gamma}_{6} \vdash {J}_{1}\ \textsf{\&}\, {J}_{2}\text{{B}y rule}~{\lfloor\textsc{{T-Par}}\rfloor}\\ &&{\Gamma}_{5} \uplus {\Gamma}_{6} \uplus {\Gamma}_{2}^{\prime\prime}~\text{is defined}\text{{B}y Prop 4}\\ &&{\Gamma}_{6} \uplus {\Gamma}_{5} \uplus {\Gamma}_{2}^{\prime\prime}\vdash {J}_{1}\ \textsf{\&}\, {J}_{2}\ \textsf{\&}\, {M} \text{{B}y rule}~{\lfloor{\textsc{T-Par}}\rfloor}\\ &&{\Gamma}^{\prime} = (({\Gamma}_{3} \uplus_{rea} {\Gamma}_{4}) \uplus_{H} ({\Gamma}_{4} \uplus_{pro} {\Gamma}_{5})) \uplus_{S} ({\Gamma}_{5} \uplus {\Gamma}_{6} \uplus {\Gamma}_{2}^{\prime\prime})~\text{is defined} \text{By Prop. 5}\\ &&{\Gamma}^{\prime} \vdash {\textsf{def}}\ [{J}_1]\ \textsf{\&}\, {J}_{2}\, \rhd\, [{J}_3]\ \textsf{\&}\, {J}_{4}\ {\textsf{in}}\ ({{J}}_{3}\ \textsf{\&}\, {J}_{4}\ \textsf{\&}\, {M}) \text{{B}y rule}~{\lfloor{\textsc{T-Def}}\rfloor} \end{array} $$

Note that \((({\Gamma }_{3} \uplus _{rea} {\Gamma }_{4}) \uplus _{H} ({\Gamma }_{4} \uplus _{pro} {\Gamma }_{5})) \uplus _{S} ({\Gamma }_{2}^{\prime } \uplus {\Gamma }_{2}^{\prime \prime }) = (({\Gamma }_{3} \uplus _{rea} {\Gamma }_{4}) \uplus _{H} ({\Gamma }_{4} \uplus _{pro} {\Gamma }_{5})) \uplus _{S} ({\Gamma }_{5} \uplus {\Gamma }_{6} \uplus {\Gamma }_{2}^{\prime \prime })\).

Case(Rule R-AddPre)

$${{l}\ \textsf{\&}~ {\textsf{def}}\ \textsf{[}{J}_{1}\textsf{]}\ \textsf{\&}\, {J}_{2}\, {{\rhd}}\, \textsf{[}{J}_{3}\textsf{]}\ \textsf{\&~} {J}_{4}\ {\textsf{in}}\ {M} \longrightarrow\ {\textsf{def}}\ \textsf{[}{J}_{1}\textsf{]}\ \textsf{\&}\, {J}_{2}\, {{\rhd}}\, \textsf{[}{J}_{3}\textsf{]}\ \textsf{\&}\, {J}_{4}~\textsf{in}\ ({l}\ \textsf{\&}\, {M})}\quad {l}\ \in\ dn({J}_{1}) $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash {l}\ \textsf{\&}~ \textsf{def}\ \textsf{[}{J}_1\textsf{]}\ \textsf{\&}\, {J}_{2}\, {{\rhd}}\, \textsf{[}{J}_3\textsf{]}\ \textsf{\&}\, {J}_{4}\ \textsf{in}\ {M}~\text{and}~{l}\in{dn}({J}_{1}) \text{{A}ssumption}\\ &&{\Gamma}_{1} \vdash {l}~\text{and}~{\Gamma}_{2} \vdash {\textsf{def}}\ \textsf{[}{J}_1\textsf{]}\ \textsf{\&}\, {J}_{2} \,{{\rhd}}\, \textsf{[}{J}_3\textsf{]}\ \textsf{\&}\ {J}_{4}\ \textsf{in}\ {M}\\ &&\text{where}~{\Gamma} = {\Gamma}_{1} \uplus {\Gamma}_{2}~\text{is defined}\text{{B}y inversion}\\ &&{\Gamma}_{1} = {l}: {l}_{p}\text{{B}y Lemma 1(1)}\\ &&{\Gamma}_{3} \vdash \textsf{[}{J}_1\textsf{]}\ \textsf{\&}~{J}_{2}\, {{\rhd}}\,\textsf{[}{J}_3\textsf{]}\ \textsf{\&}~ {J}_{4}~\text{and}~{\Gamma}_{4} \vdash {M}, \text{where}~{\Gamma}_{2} = {\Gamma}_{3} \uplus_{S} {\Gamma}_{4}~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{4} = \{{l}_{i}:{l}_{p}^{i \in N}\}\text{{B}y Lemma 1(1)}\\ &&{\Gamma}_{4} \uplus {l}:{l}_{p}~\text{is defined} \text{{B}y Prop 3}\\ &&{\Gamma}_{4} \uplus {l}:{l}_{p} \vdash {M}\ \textsf{\&}~ {l} \text{By rule}~\lfloor{\textsc{T-Par}}\rfloor\\ &&{\Gamma}_{3} \uplus_{S} ({\Gamma}_{4} \uplus {l}:{l}_{p})~\text{is defined}\text{{B}y Prop 3}\\ &&{\Gamma}_{3} \uplus_{S} ({\Gamma}_{4} \uplus {l}:{l}_{p}) \vdash {\textsf{def}}\ \textsf{[}{J}_1{]} ~\textsf{\&}\, {J}_{2}\, {{\rhd}}\, \textsf{[}{J}_3{]}\ \textsf{\&}\, {J}_{4}\ \textup{\textsf{in}}\ {l}\ \textsf{\&}\, {M}\text{{B}y rule}~{\lfloor{\textsc{T-Def}}\rfloor} \end{array} $$

One can easily observe that \({\Gamma } = {\Gamma }^{\prime }\).

Case(Rule R-DisO)

$$\textup{\textsf{def}}\ {D}\ \textup{\textsf{or}}\ {E}\ \textup{\textsf{in}}\ {M}\ \longrightarrow\ \textup{\textsf{def}}\ {D}\ \textup{\textsf{or}}\ {E}\ \textup{\textsf{in}}\ {M}^{\prime} \text{ if}~ \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}\ \longrightarrow\ \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}^{\prime} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{or}}\ {E}\ \textup{\textsf{in}}\ {M} \text{{A}ssumption}\\ &&{\Gamma}_{1} \vdash {D}\ \textup{\textsf{or}}\ {E}~\text{and}~{\Gamma}_{2} \vdash {M}~\text{where}~{\Gamma} = {\Gamma}_{1} \uplus_{S} {\Gamma}_{2}~\text{is defined} \text{{B}y inversion}\\ &&{\Gamma}_{3} \vdash {D}~\text{and}~{\Gamma}_{4} \vdash {E}~\text{where}~{\Gamma}_{1} = {\Gamma}_{3} \uplus_{D} {\Gamma}_{4}~\text{is defined}\text{{B}y inversion}\\ &&{\Gamma}_{2} \uplus_{S} {\Gamma}_{3}~\text{is defined} \text{{B}y Prop 6}\\ &&{\Gamma}_{2} \uplus_{S} {\Gamma}_{3} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}\text{{B}y rule}~{\lfloor\textsc{{T-Def}}\rfloor}\\ &&{\Gamma}_{5}^{\prime} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}^{\prime}~\text{for}~{\Gamma}_{5} = {\Gamma}_{2} \uplus_{S} {\Gamma}_{3} \text{By induction}\\ &&{\Gamma}_{6} \vdash {D}~\text{and}~{\Gamma}_{7} \vdash {M}^{\prime} \text{By inversion}\\ &&\text{where}~{\Gamma}_{5} = {\Gamma}_{6} \uplus_{S} {\Gamma}_{7}~\text{and}~{\Gamma}_{6} = {\Gamma}_{3}~\text{so}~{\Gamma}_{2} \uplus_{S} {\Gamma}_{3} = {\Gamma}_{3} \uplus_{S} {\Gamma}_{7}\\ &&({\Gamma}_{3} \uplus_{D} {\Gamma}_{4}) \uplus_{S} {\Gamma}_{7}~\text{is defined}~\text{{B}y Prop 5}\\ &&({\Gamma}_{3} \uplus_{D} {\Gamma}_{4}) \uplus_{S} {\Gamma}_{7} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{or}}\ {E}\ \textup{\textsf{in}}\ {M}^{\prime} \text{By rule}~{\lfloor{\textsc{T-Def}}\rfloor} \end{array} $$

One can easily observe that by having Γ₂ ⊎ _S Γ₃ =Γ₇ ⊎ _S Γ₃, once can conclude that by extending Γ₃ with other handlers Γ₄ that are compatible by assumption then Γ₂ ⊎ _S (Γ₃ ⊎ _D Γ₄) =Γ₇ ⊎ _S (Γ₃ ⊎ _D Γ₄).

Case(Rule R-Par)

$${P}\ \textsf{\&}\, {Q}\ \longrightarrow\ {P}^{\prime}\ \textsf{\&}\, {Q} \text{ if}~ {P} \longrightarrow {P}^{\prime} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash {P}\ \textsf{\&}\, {Q}\text{{A}ssumption}\\ &&{\Gamma}_{1} \vdash {P} \; \; {\Gamma}_{2} \vdash {Q}~\text{for}~{\Gamma} = {\Gamma}_{1} \uplus {\Gamma}_{2} \text{{B}y inversion}\\ &&{\Gamma}_{1} \vdash {P}^{\prime} \text{{B}y induction}\\ &&{\Gamma}_{1} \uplus {\Gamma}_{2} \vdash {P}^{\prime}\ \textsf{\&} {Q} \text{By rule}~{\lfloor{\textsc{T-Par}}\rfloor} \end{array} $$

Case(Rule R-Struct)

$${P}\ \longrightarrow\ {P}^{\prime} \text{ if } {P} \equiv {Q} \text{ and } {Q} \longrightarrow {Q}^{\prime}~and~ {Q}^{\prime} \equiv {P}^{\prime} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \vdash {P} \text{{A}ssumption}\\ &&{\Gamma} \vdash {Q} \text{{B}y Lemma 2}\\ &&{\Gamma} \vdash {Q}^{\prime} \text{{B}y induction}\\ &&{\Gamma} \vdash {P}^{\prime} \text{By Lemma 2} \end{array} $$

Theorem 5 (Subject reduction for programs)

If \(\emptyset {\vdash _{flows}} {P} \) and P → Q then \(\emptyset {\vdash _{flows}} {Q}\)

Proof

Follows as a corollary from Subject reduction Theorem 4. □

Theorem 6 (Migration safety)

Suppose \({\Gamma } \vdash {P}\) then for adding l to \({\mathcal {E}}\) where P \(\equiv {\mathcal {E}}[{l}]\) such that either \(\mathcal {E}\) contains:

1. 1.

   exactly one \({\mathcal {E}}_{pre}\langle {l} \rangle \) and l = i n i t

2. 2.

   exactly one pair of \(\mathcal {E}_{post}\langle {l} \rangle \) and \(\mathcal {E}_{pre}\langle {l} \rangle \)

3. 3.

   exactly one \(\mathcal {E}_{post}\langle {l} \rangle \) and many \(\mathcal {E}_{pre}\langle {l} \rangle \) in only one site

4. 4.

   many \(\mathcal {E}_{r}\langle {l} \rangle \) of the same flow

5. 5.

   many \(\mathcal {E}_{r}\langle {l} \rangle \) and many \(\mathcal {E}_{p}\langle {l} \rangle \) of the same flow

6. 6.

   exactly one \(\mathcal {E}_{r}\langle {l} \rangle \) and many \(\mathcal {E}_{p}\langle {l} \rangle \) of different flows

Proof

Let P ≡ l & P ₀ & Q where P ₀does not containglobal events and Q contains global events. By rule induction, we prove that P ₀ has aname l as a reactant at a reaction of a site or a precondition or a pair of a precondition and postcondition orpairs of a reactant and products.

Case:

(⌊T-GName⌋, ⌊T-RGName⌋, ⌊T-Site⌋, ⌊T-Handler⌋, ⌊T-Dis⌋, ⌊T-GPar⌋, ⌊T-PPar⌋, ⌊T-RPar⌋):Vacuous since the terms do not reduce at l.

Case:

(⌊T-Par⌋): Suppose \({\Gamma } \vdash {P}\) and \({\Gamma }^{\prime } \vdash {Q}\)suchthat \({\Gamma } \uplus {\Gamma }^{\prime }\)is defined. By induction hypothesis, we can assume that P and Q satisfy the required condition.

1. 1.

   If only one party reduces at l then we conclude.

2. 2.

   If both processes reduce at l,hence Γand \({\Gamma }^{\prime }\),respectively, have a precondition or reactant at l and P and Q are not of the same flow. Then, \({\Gamma } \uplus {\Gamma }^{\prime }\)cannot not be defined by combination rules of ⊎.

□

Theorem 7 (Progress)

If \(\emptyset \vdash _{flows} {P}\) and P is simple then P \(\longrightarrow {P}^{\prime }\) or inactive.

Proof

By induction on the derivation of the typing judgment.

Case

$$\frac{\Gamma \vdash {P} \quad {\Gamma} = \{{l}_{i}:{{l}_{r}{l}_{p}}/rp/{l}_{p}/p @{\Delta}_{i}\}^{i \in I}}{\emptyset \vdash_{flows} {P}}\;\;{{\lfloor\textsc{{T-flows}}\rfloor}} $$

$${\Gamma} \vdash {P} \quad {\Gamma} = \{{l}_{i}:{{l}_{r}{l}_{p}}/rp/{l}_{p}/p @{\Delta}_{i}\}^{i \in I} \text{By inversion} $$

By induction on the derivation of the typing judgment, analyzing all possible cases, we prove thatgiven \({\Gamma } \vdash {P}\) and \({\Gamma } = \{{l}_{i}:{{l}_{r}{l}_{p}}/rp/{l}_{p}/p @{\Delta }_{i}\}^{i \in I}\) and P is simple then \(P \longrightarrow {P}^{\prime }\)or inactive.

Cases ⌊T-Dis⌋, ⌊T-Hand⌋, ⌊TInact⌋, ⌊T-PrePar⌋, ⌊T-RPar⌋, ⌊T-PostPar⌋, ⌊T-PPar⌋, ⌊T-PreName⌋, ⌊T-RName⌋, ⌊T-PostName⌋ and ⌊T-PName⌋ are vacuous.

Case

$$ \frac{\Gamma \vdash {P} \quad {\Gamma}^{\prime} \vdash {Q}}{\Gamma \uplus {\Gamma}^{\prime} \vdash {P}\ \textsf{\&}\ {Q}}\;\;{\lfloor\textsc{{T-Par}}\rfloor} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \uplus {\Gamma}^{\prime} \vdash {P}\ \textsf{\&}\, {Q} \text{By assumption}\\ &&{P}\ \textsf{\&}\, {Q} = {l}\ \textsf{\&}\, (\textup{\textsf{def}}\ {D}_{1}\ \textup{\textsf{in}}\ {M}_{1})\textsf{\&} ...\ \textsf{\&} ...\ (\textup{\textsf{def}}\ {D}_{n}\ \textup{\textsf{in}}\ {M}_{n})\text{First subcase}\\ &&{P} \textsf{\&} {Q} \rightarrow {P} \textsf{\&} {Q} \text{By Theorem 6}\\ &&{\Gamma} \vdash {P} \quad {\Gamma}^{\prime} \vdash {Q} \text{{B}y inversion}\\ &&{P} \rightarrow {P}^{\prime} \text{First subcase}\\ &&{{{P}\ \textsf{\&}\, {Q}\ \longrightarrow\ {P}^{\prime}\ \textsf{\&}\, {Q}} \ \ \text{if}\ \ {{P}\ \longrightarrow\ {P}^{\prime}}} \text{{B}y rule}~{\lfloor\textsc{R-Par}\rfloor}\\ &&{P}\ \text{is\ inactive} \text{Second subcase}\\ &&{Q} \rightarrow {Q}^{\prime} \text{First subsubcase}\\ &&{P}\ \textsf{\&}\, {Q} \rightarrow {P}\ \textsf{\&}\, {Q}^{\prime} \text{By rule}~{\lfloor\textsc{R-Par}\rfloor}\\ &&{Q}\ \text{is\ inactive} \text{Second subsubcase}\\ &&{P}\ \textsf{\&} {Q} \text{ is\ inactive} \end{array} $$

Case

$$\frac{\Gamma \vdash {D} \quad {\Gamma}^{\prime} \vdash {M}}{\Gamma \uplus_{S} {\Gamma}^{\prime} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}}\;\; {\lfloor\textsc{{T-Site}}\rfloor} $$

$$\begin{array}{@{}rcl@{}} &&{\Gamma} \uplus_{S} {\Gamma}^{\prime} \vdash \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}\text{By assumption}\\ &&{{\textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}\ {\longrightarrow}\ \textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}^{\prime}}} \text{By rule}~{\lfloor\textsc{{R-Occ}}\rfloor}\\ &&\textup{\textsf{def}}\ {D}\ \textup{\textsf{in}}\ {M}~\text{is inactive} \text{Second subcase} \end{array} $$

Case

$${{init}:{l}_{p}@[] \vdash {init}} \;\;{\lfloor\textsc{{T-Init}}\rfloor} $$

$$\begin{array}{@{}rcl@{}} &&{init}:{l}_{p}@[] \vdash {init} \text{By assumption}\\ &&\text{We have that}~{init}~\text{is}~\textit{inactive}. \end{array} $$

Similarly for rule ⌊T-GName⌋.

□