A linear account of session types in the pi calculus

Transcription

1 A linear account of session types in the pi calculus Marco Giunti 1 and Vasco T. Vasconcelos 2 1 Iuav University, Venice 2 LaSIGE, Faculty of Sciences, University of Lisbon Abstract. We present a reconstruction of session types in a conventional pi calculus where types are qualified as linear or unrestricted. Linearly typed communication channels are guaranteed to occur in exactly one thread, possibly multiple times. We equip types with a constructor that denotes the two ends of a same communication channel. In order to assess the flexibility of the new type system, we provide three distinct encodings (from the linear lambda calculus, from the linear pi calculus, and from the pi calculus with polarized variables) into our system. For each language we present operational and typing correspondences, showing that our system effectively subsumes the linear pi calculus as well as foregoing works on session types. 1 Pi Calculus This section introduces the pi-calculus, its syntax and semantics, as well as our type system. The syntax is in Figure 1. We rely on a set of variables, ranged over by x, y, z. Values include variables and the booleans true and false. For processes we have (synchronous, unary) output and input, in the forms x v.p and x(y).p, as well as a parallel composition, conditional, scope restriction, replication and the terminated process. The binders for the language appear in parenthesis: x is bound in both y(x).p and (νx)p. Free and bound variables in processes are defined accordingly, and so is alpha conversion, substitution of a variable x by a value v in a process P, denoted P [v/x]. We follow Barendregt s variable convention, requiring bound variables to be distinct from free variables in any mathematical context. Structural congruence is the smallest relation on processes including the rules in the same figure. The first three rules say that parallel composition is commutative, associative and has 0 for neutral element. The last rule on the first line captures the essence of replication as an unbounded number of identical processes. The rules in the second line deal with scope restriction. The first, scope extrusion, allows the scope of x to encompass Q; due to variable convention, x bound in (νx)p, cannot be free in Q. The other two rules state that restricting over a terminated process has no effect, and allow exchanging the order of restrictions.

2 Syntax b ::= Booleans: P ::= Processes: true true x v.p output false false x(x).p input v ::= Values: P P composition b boolean value if v then P else P conditional x variable (νx)p restriction Rules for structural congruence P replication 0 inaction P Q Q P (P Q) R P (Q R) P 0 P P P P (νx)p Q (νx)(p Q) (νx)0 0 (νx)(νy)p (νy)(νx)p Rules for reduction x v.p x(y).q P Q[v/y] [R-Com] if true then P else Q P if false then P else Q Q [R-IfT] [R-IfF] P Q (νx)p (νx)q P Q P R Q R P P P Q Q Q P Q [R-Res] [R-Par] [R-Struct] Fig. 1. Pi calculus: Syntax and operational semantics The reduction reduction is the smallest relation on processes including the rules in Figure 1. The [R-Com] rule communicates value v from an output prefixed one x v.p to an input prefixed process x(y).q; the result is the parallel composition of the continuation processes, where the bound variable y is replaced by value v in the input process. The rules for the conditional are straightforward. The rules in the last line allow reduction to happen underneath scope restriction and parallel composition, and incorporate structural congruence into reduction. The syntax of types is described in Figure 2. Types include the boolean type, end point types and channel types. The novelty with respect linear and sessionbased systems for the pi calculus is the introduction of a new type constructor to describe the two ends of a same channel, (S 1, S 2 ), where S 1 details the behaviour of one end, whereas S 2 details that of the other end. An end point type S can be a pre type qualified with lin or un, a recursive type or a type variable. Each qualifier in a type controls the number of times the channel can be used at that point: exactly once for lin; zero or more times for un. A pre type of the form!t.s describes a channel end able to send a value of type T and to proceed as prescribed by S. Similarly, pre type?t.s describes a channel end able to receive a value of type T and continue as S. Pre type end describes a channel end on which no further interaction is possible. For recursive (end point) types we rely

3 q ::= Qualifiers: a type variable lin linear µa.s recursive type un unrestricted T ::= Types: p ::= Pre Types: bool boolean?t.s receive S end point!t.s send (S, S) channel end termination Γ ::= Contexts: S ::= End Point Types: empty context q p qualified channel Γ, x: T variable binding Fig. 2. Pi calculus: Types and typing contexts on a set of type variables, ranged over by a. Recursive types are required to be contractive, that is, containing no subexpression of the form µa 1... µa n.a 1. Type equality is not syntatic. Instead, we define it as the equality of regular infinite trees obtained by the infinite unfolding of recursive types, modulo pair commutation. The formal definition, which we omit, is co-inductive. In this way we use types (µa.lin!bool.lin?bool.a, un end) and (un end, lin!bool.µb.lin?bool.lin!bool.b) interchangeably, in any mathematical context. This allows us never to consider a type µa.s explicitly (or a for that matter). Instead, we pick another type in the same equivalence class, namely S[µa.S/a]. If the result of the process turns out to start with a µ, we repeat the procedure. Unfolding is bound to terminate due to contractiveness. In other words, we take an equi-recursive view of types [?]. Type duality plays a central role in the theory of session types, ensuring that communication between the two ends of a channel proceeds smoothly. Intuitively, the dual of output is input and the dual of input is output. In particular if S 2 is dual of S 1, then q?t.s 1 is dual of q!t.s 2. Session type end is dual of itself. Rather than providing a co-inductive definition of duality, we start by defining a function from end-point channels into end-point channels as follows. q?t.s = q!t.s q!t.s = q?t.s q end = q end µa.s = µa.s a = a Then, to check that a given end point type S 1 is dual of another type S 2, we first build the dual of S 1 and then check that the thus obtained type is equivalent to S 2. For example, to show that type µa.lin?bool.lin!bool.a is a dual of type lin!bool.µb.lin?bool.lin!bool.b, we build µa.lin?bool.lin!bool.a = µa.lin!bool.lin?bool.a, and then show that µa.lin!bool.lin?bool.a = lin!bool.µb.lin?bool.!bool.b. Qualifiers are important: S and S must be equally qualified so that a linear output process may find a linear input process to embark in reduction. Contexts, or type environments, are inductively defined in Figure 2. In a context Γ, x: T we assume that x does not occur in Γ ; we also assume the various variable bindings in Γ to be unordered. We define predicate un to be true of a)

4 Context splitting rules Γ = Γ 1 Γ 2 T = un p or (un p 1, un p 2) = Γ, x: T = (Γ 1, x: T ) (Γ 2, x: T ) Γ = Γ 1 Γ 2 T = lin p or (lin p 1, lin p 2) Γ = Γ 1 Γ 2 T = lin p or (lin p 1, lin p 2) Γ, x: T = (Γ 1, x: T ) Γ 2 Γ, x: T = Γ 1 (Γ 2, x: T ) Γ = Γ 1 Γ 2 Γ, x: (lin p 1, lin p 2) = (Γ 1, x: lin p 1) (Γ 2, x: lin p 2) Γ = Γ 1 Γ 2 Γ, x: (lin p 1, un p 2) = (Γ 1, x: (lin p 1, un p 2)) (Γ 2, x: un p 2) Γ = Γ 1 Γ 2 Γ, x: (lin p 1, un p 2) = (Γ 1, x: un p 2) (Γ 2, x: (lin p 1, un p 2)) Typing rules for values un(γ ) Γ b: bool Typing rules for processes un(γ ) Γ, x: T x: T Γ v : (S, un p) Γ v : S [T-Bool] [T-Var] [T-Strength] un(γ ) Γ 0 Γ 1 P 1 Γ 2 P 2 Γ P un(γ ) Γ 1 Γ 2 P 1 P 2 Γ P Γ 1 v : bool Γ 2 P 1 Γ 2 P 2 Γ 1 Γ 2 if v then P 1 else P 2 Γ, x: S, y : T P ( ) Γ, x: q?t.s x(y).p Γ, x: (S, S ), y : T P ( ) Γ, x: (q?t.s, S ) x(y).p ( ) q = un q?t.s = S Γ,x: (S, S) P Γ (νx)p Γ 1 v : T Γ 2, x: S P ( ) Γ 1 (Γ 2, x: q!t.s) x v.p [T-Inact] [T-Par] [T-Repl] [T-If] [T-Res] [T-In],[T-Out] Γ 1 v : T Γ 2, x: (S, S ) P ( ) Γ 1 (Γ 2, x: (q!t.s, S )) x v.p [T-InC],[T-OutC] ( ) q = un q!t.s = S Fig. 3. Pi calculus: Typing the empty context, as well as of b) context Γ, x: bool, context Γ, x: un p, and context Γ, x: (un p 1, un p 2 ), whenever un(γ ). Typing relies on the context splitting operation described in Figure 3. It should be easy to understand: unrestricted types are copied into both contexts, linear types are placed in one of the two resulting contexts. The first four rules are standard [?], the last three rules are new to this work; the philosophy however remains the same. We omit three rules, duals to the last three, obtained by interchanging the end point types in the channel type (e.g., (un p 2, lin p 1 ) in the last rule), for the effect can obtained by a suitable choice of the type in its equivalence class (recall that pair types are unordered).

5 Equipped with the notions of type duality, unrestricted contexts, and context splitting we are ready to introduce the typing rules in Figure 3. The first two typing rules for values are standard. Rule [T-Strength] is central to our system with channels described as pairs of types; we discuss it after introducing the remaining typing rules. For processes, rule [T-Inact] says that the terminated process can only be typed in an unrestricted context, ensuring that linear channels are given a chance to be consumed. Rule [T-Par] uses context splitting to partition linearly typed variables between the two processes: the incoming context is split into Γ 1 and Γ 2, and we use the former to type check process P 1 and the latter to type check process P 2. Rule [T-Repl] for replication requires the typing context not to contain linear values, for P may be used an unrestricted number of types. Rule [T-If] for the conditional process splits the incoming context in two parts: one used to check the condition, the other to check both branches. The same context for the two branches is justified by the fact that only one of P 1 or P 2 will be executed. Rule [T-Res] allows restricting channels whose end points are dual, making sure that communication on the channel happens according to the plan. Allowing to restrict a end point type S type would not break type preservation, Theorem 1, but we believe that such an alternative rule does not fit well in a linear system, where we expect linear channels to be given an opportunity to be consumed. Even though unrestricted end point types cannot be directly restricted, we can show that, for each derivation of Γ, x: S P, there is a derivation of Γ, x: (S, un p) P, thus allowing to apply scope restriction to an otherwise unrestricted channel end. We have two rules for input, [T-In] and [T-InC], depending on the type for channel x in the context. Rule [T-In] deals with end point types. If x is typed with q?t.s, we know that the bound variable y is of type T, and we type check P under the extra assumption y : T. Equally important is the fact that the continuation uses channel x at continuation type S, that is, process x(y).p uses channel x at type q?t.s whereas P may use the same channel this time at type S. Finally, unrestricted channels, given that they may be shared, must retain their behavior throughout computation, hence the side condition. A solution to the equation in the side condition is µa?t.a for a not in T, which we abbreviate to?t (and similarly for output). Rule [T-InC] follows the same pattern, consuming one end point and keeping the other unchanged. Similarly to input, we have two rules for output. Rule [T-Out], splits the context in two parts, one to check v and the other to check continuation P. Notice that the context in the conclusion, Γ 1 (Γ 2, x: q!t.s) allows to type process x x with a context x: S with type S such that S = un!s.s. Rule [T-Strength] allows for a fine grained control of the channel ends of a given channel. A process holding the two ends of a given channel x, say (!bool,?bool), may pass the output capability only by using [T-Var] followed by [T-Strength] to obtain Γ, x: (!bool,?bool) x:!bool and then compose with rule [T-Out] or [T-OutC] in a process of the form y x.p. The rule is also fundamental in establishing the main result of this section.

6 To lighten the syntax in examples, we omit all unrestricted qualifiers and only annotate linear types. We also omit the trailing un end in types, as well as the trailing 0 in processes. As an example, consider the type?(lin!bool).s of an unrestricted channel that receives a linear channel capable of outputting a boolean value. The following sequent is easy to establish, x:?(lin!bool).s x(z).z true x(w).w false but only for an appropriate type S. Reading rule [T-In], we realize that S must be equivalent to?(lin!bool).s, that is S must be (equivalent to) µa.?(lin!bool).a, abbreviated to?(lin!bool). Continuing with the example, if P is the above process, then P (νy)x y is not typable, for the linear input capability of channel y is never exercised. But P (νy)(x y y(u)) is typable under context x: (?(lin!bool),!(lin?bool)). Given that a type (un p 1, lin p 2 ) cannot possibly be restricted in a process (cf. rule [T-Res]), the reader may wonder why we consider them at all. It turns out that free channel output may lead to situations where a thread holds the two ends of a same channel [?]. For instance, process z x z(w).w(y).x true, typable under context z : (?S,!S), x: (S, S) with S = lin?bool, reduces to process P = x(y).x true, which we want to type under the same context. By applying rule [T-InC] to P we obtain a judgment with a un-lin type, namely z : (?S,!S), x: (end, lin!bool) x true. A further application of rule [T-OutC] gets rid of the un-lin type, yielding z : (?S,!S), x: (end, end) 0 typable under rule [T-Inact]. We conclude the section with the main result of our system. Reduction preserves typability only for a certain kind of contexts. To understand why reduction does not preserve typability in the presence of arbitrary contexts, take for P the process x(z).if z then 0 else 0 (νy)x y. We can easily see that P is typable under the (non balanced) context x: (lin!end.end, lin?bool.end). But P reduces to process (νy)if y then 0 else 0 which is not typable. The whole purpose of balancing is to make sure that the type of y in the output is that of z in the input. We define predicate balanced to be true of a) the empty context, and b) context Γ, x: bool and context Γ, x: (S, S) whenever Γ is balanced. Theorem 1 (Type Preservation). If Γ 1 P 1 with Γ 1 balanced and P 1 P 2, then Γ 2 P 2 with Γ 2 balanced. Proof (Sketch). Albeit standard, the proof is quite long due to the combinatorics introduced by (the various rules in) context splitting, the lin-un qualifiers and the four rules for input and for output. We rely on several standard auxiliary results, including unrestricted context weakening, context strengthening, a substitution lemma (stating that if Γ 1 v : T and Γ 2, x: T P and Γ 1 Γ 2 is defined then Γ 1 Γ 2 P [v/x]), and balanced context preservation for structural congruence. In order to proceed by induction on the derivation of the reduction step when [T-Par] is the last rule, we need a stronger statement that details the relation between Γ 1 and Γ 2, namely Γ 2 = Γ 1 or Γ 1 = Γ, x: (q?t.s, q!t.s) and Γ 2 = Γ, x: (S, S).

7 A Algoritmic Type Checking The typing rules provided in the previous sections give a concise specification of what we understand by well formed programs. They cannot however be implemented directly for three main reasons. One is the difficulty of implementing the non-deterministic splitting operation, Γ = Γ 1 Γ 2, for we must guess how to split an incoming context Γ in two parts. The other is the problem of guessing the types to include in the context when in presence of scope restriction. To solve the first problem, we restructure the type checking rules to avoid having to guess context splitting. To address the second difficulty we seek the help of programmers by requiring explicit annotations in the scope restriction constructor and write (νx: (S 1, S 2 ))P. Changes are in Figure 4. The central idea of the new type checking system is that, rather than splitting the context into two parts before checking a complex process, we pass the entire context to the first subprocess and have it return the unused part. This output is then passed to the second subprocess, which in turn returns the unused portion of the context, and so on. The output of the last subprocess is then the output of the process under consideration. To make a clear distinction among the used and unused part of a typing context we introduce starred or used end-point types S. We let T range over bool, S and (S, S ) where is empty or is. Type environments I are a map from values to starred types T. The algoritmic rules for values have the form I 1 A v : T I 2 where I 2 is the type enviroment produced as output. Notice that the judgement for the value is plain, i.e. stars are not considered when typing values. When T is a linear channel type we have I 2 = I 1 \v. Similarly, when T is a linear end point type and I(v) is a channel type we keep the other end-point, otherwise we remove the entry for v. When T is an unrestricted channel or end-point type we have I 2 = I 1. The cases for mixed channel types are similar. The rules for processes have the form I 1 A P I 2. Most of the technical device is required in rules [A-Inact],[A-Par] to remove the used part of the environment. We let I 1 \I 2 be the environment obtained by removing all the informations of I 2 from I 1 ; the formal definition is in Figure 4. In rule [A-Inact] we check that the starred types in (the codomain of) the output environment are unrestricted.this enforces linear continuations to be consumed whithin a single thread by (i) using them as input/output or (ii) delegate them. In Rule [A-Par] we type the next thread with the output environment pruned by the starred entries. We have four rules for output processes corresponding to linear channel and end-point types ([A-Out-L],[A-OutC-L]) and to unrestricted channel and endpoint types ([A-Out-Un],[A-OutC-Un]). In rule [A-Out-L] we type the sent value without using the typing for the output channel. The continuation type for the output channel is first starred to flag that a linear capability has been used and then added to the context to type the process. Rule [A-OutC-L] is similar but here remove and update only the channel-end used to type the output

8 channel. In rules [A-Out-Un] and [A-OutC-Un] we keep the same context to type the sent value and we let the continuation type for the output channel be starred only if the type for the output channel was already starred. The rules for input prefixes [A-In-L],[A-InC-L],[A-In-Un] and [A-InC-Un] follow the same rationale: the continuation of a linear input is starred while a continuation of unrestricted input is starred only if the type was already starred. Differently from [A-Inact] in the input rules we need to enforce that the linear capabilities associated to the (bound) variable for the input has been consumed within a single thread. For this very reason we reject processes that returns such variable not unrestricted. The same holds for rule [A-Res]. To illustrate the starring mechanism, consider the following judgement I 1, x : lin!bool.q!bool A x true.0 P inferred from the following judgements in [A-Par]: I 1, x : lin!bool.q!bool A x true.0 I 2 ( ) and I 2 \I 2 A P By applying [A-Out-L] and typying for linear values to (*) we infer the judgements I 1 A true : bool I 1 I 1, x : q!bool A 0 (I 1, x : q!bool ) The qualifier q is equal to un because rule [A-Inact] requires the starred closure of I 1, x : q!bool (which includes the entry x : q!bool ) to be unrestricted. Indeed if we let q to be linear we would have un unsound solution because we do not have any guarantee that the linear output will be consumed in thread P. For this very reason we first check in [A-Inact] that starred entries are unrestricted and then in [A-Par] we type the next thread by using the environment pruned by such entries. To prove that the algoritmic system is sound we first need some auxiliar result. The first Lemma says that the output environment is smaller. Lemma 1. If I 1 A P I 2 then dom(i 2 ) dom(i 1 ). The next Lemma says that linear starred entries cannot be returned. Lemma 2. If I 1 A P I 2 then un(i 2 ). An important Corollary is that linear typings are preserved, in the following sense. Corollary 1 (Linear Type Invariance). Let I 1 A P I 2. If I 1 (x) = linp 1 then I 2 (x) = linp 2 implies p 1 = p 2 and = ɛ; If I 1 (x) = (linp 1, linp 2) then I 2 (x) = (linp 3, linp 4) implies p 1 = p 2 and p 3 = p 4 and = ɛ; If I 1 (x) = (linp 1, linp 2) then I 2 (x) = linp 3 implies linp 1 = linp 3 or linp 2 = linp 3.

9 For (non-starred) unrestricted typings we have type preservation. Lemma 3 (Type preservation). Let I 1 A P I 2. If I 1 (x) = unp 1, (unp 1, unp 2 ) then I 2 (x) = I 1 (x); If I 1 (x) = (unp 1, S 1) then I 2 (x) = (unp 1, S 2) or I 2 (x) = unp 1. The linear-closure of a type environment I, noted I l, is obtained by projecting all the linear assumptions in I. l = (I, x: unp ) l = I l (I, x : linp) l = I l, x : linp (I, x : (linp 1, linp 2)) l = I l, x : (linp 1, linp 2)) (I, x : (linp 1, unp 2)) l = I l, x : linp 1 (I, x : (unp 1, linp 2)) l = I l, x : linp 2 (I, x: (unp 1, unp 2)) = I l We let erase be the function removing stars from type environments I and type annotations from processes. Function erase map type enviroments I to type enviroments Γ. Lemma 4. I 1 A P I 2 implies erase(i 1 \I l 2) erase(p ). Proof. We proceed by induction on the length of the inference. In the output cases we rely on a similar result for values stating that I 1 A v : T I 2 implies erase(i 1 \I l 2) v : T. [A-Inact] We have I A 0 I. From un(erase(i\i l )) and [T-Inact] we infer erase(i\i l ) 0, as requested. [A-Par] Assume I 1 A P Q I 3 inferred from I 1 A P I 2 and I 2 \I2 A Q I 3. By induction hypothesis we infer We prove that erase(i 1 \I l 2) erase(p ) (1) erase((i 2 \I 2 )\I l 3) erase(q) (2) erase(i 1 \I l 3) erase(p Q) by applying [T-Par] to (1,2) whenever the split of erase(i 1 \I l 2) and erase((i 2 \I 2 )\I l 3) is defined otherwise by applying [T-Par] to (1) and erase(q) (3) where is obtained by unrestricted weakening of the environment in (2). We proceed by case analysis on I 1 (x) = T. T = linp 1. We apply [T-Par] to (1,2). Indeed by linear type invariance if I 2 (x) is linear then is equal to T. In such case x dom(i 1 \I l 2). Therefore ((I 2 \I 2 )\I l 3)(x) = (I 1 \I l 3)(x), as required. Otherwise assume I 2 (x) = un p. We have x (I 2 \I 2 ) and by Lemma 1 we deduce that x dom(i 3 ). Thus (I 1 \I l 2)(x) = T = (I 1 \I l 3)(x). Similarly when x dom(i 2 ) we have x dom(i 3 ) and (I 1 \I l 2)(x) = T = (I 1 \I l 3)(x).

10 T = linp 1. We apply [T-Par] to (1,2). Indeed by Lemma 2 we infer that x dom(i 2 ) and we proceed as above. T = unp 1. By type preservation I 2 (x) = T and in turn erase(i 1 \I l 2) erase((i 2 \I 2 )\I l 3)(x) = T. We have (I 1 \I l 3)(x) = T and by applying [T-Par] to (1,2) we have done. T = unp 1, (unp 1, unp 2). We apply [T-Par] to (1,4). We have x dom((i 2 \I 2 )\I l 3). By unrestricted weakening (Lemma??) we infer the judgement erase((i 2 \I 2 \I l 3), x : T ) erase(q) (4) We have ((I 1 \I l 2) )(x) = unp 1 = (I 1 \I l 3)(x) where is the environment of (4). T = (unp 1, unp 2). We have (I 1 \I l 2)(x) = T and ((I 2 \I 2 )\I l 3)(x) = unp 1. By unrestricted weakening we have erase((i 2 \I 2 \I l 3) x : unp 2) erase(q) (5) We apply [T-Par] to (1,5) and we have done. T = (linp 1, linp 2). Assume I 2 (x) = (S1, S2). By linear type invariance we know that each Si or is linear and equal to linp i or is unrestricted and starred. For instance, let S1irc c = linp 1, S2 = un p 3. We have (I 1 \I2)(x) l = linp 2 and (I 2 \I2 )(x) = linp 1. We have (I 1 \I2) l ((I 2 \I2 ))(x) = T and in turn (I 1 \I2) l ((I 2 \I2 )\Il 3)(x) equal to (I 1\I3)(x). l We apply [T-Par] to (1,2) and we have done. Now let I 2 (x) = S1. If S1 = linp i for some i = 1, 2 then (I 1 \I2)(x) l = linp j where j = 1 when i = 2 and vice versa. We proceed as above and we close the proof. Otherwise we have S1 = unp 3 and (I 1 \I2)(x) l = linp i for some i = 1, 2. From x dom(i 2\I2 ) and in turn x dom(i 3 ) we infer the desired result by applying [T-Par] to (1,2). Finally when x dom(i 2 ) we proceed as in the previous case. T = (linp 1, unp 2 ) We could have (I 1 \I2)(x) l = unp 2 and (I 2 \I2 )(x) = T or (I 1 \I2)(x) l = T and (I 2 \I2 )(x) = unp 2. In all cases we infer (I 1 \I2) l (I 2 \I2 \Il 3)(x) equal to (I 1\I3)(x) l and we conclude by applying [T-Par] to (1,2). T = (linp 1, unp 2) If (I 1 \I2)(x) l = T then x dom(i 2 \I2 ). We apply [T-Par] to (1,4) and we have done. Otherwise if (I 1 \I2)(x) l = unp 2 then (I 2 \I2 ) = linp 1. We apply [T-Par] to (1,5) and we have done. The remaining cases for T = (unp 1, unp 2 ), (unp 1, linp 2) are similar to the symmetric cases. [A-Out-L] We have I 1, x: lin!t.s A x v.p I 3 inferred from I 1 A v : T I 2 and I 2 x : S A P I 3. Since x I 2 we could write I 2, x : S A P I 3. We use the result erase(i 1 \I l 2) v : T together with the inductive hypothesis erase((i 2, x : S )\I l 3) erase(p ) to infer the desired result. First we note that x dom(i l 3). This is immediate for S = unp while for S = linp we exploit Corollary 2. We rewrite the context as erase(i 2 \I l 3, x : S ). It s easy to check that erase(i 1 \I l 2) erase(i 2 \I l 3, x : lin!t.linp ) is defined. We apply [T-Out] and obtain erase(i 1 \I l 2) erase(i 2 \I l 3, x : lin!t.linp ) erase(x v.p )

11 To conclude we need to prove that the environment is equal to erase((i 1, x: lin!t.s )\I3). l This is obtained by noting that erase(i 1 \I2) l erase(i 2 \I3) l = erase(i 1 \I3). l [A-Out-Un] We have I 1, x: un!t.s A x v.p I 3 inferred from I 1, x: un!t.s A v : T I 2 and I 2 A P I 3. We know that erase(i 1, x: un!t.s \I2) l v : T and by I.H. we have erase(i 2 \I3) l A erase(p ). From the rule for typing unrestricted values we know that I 2 (x) = un!t.s. We apply [T-Out] and infer erase(i 1, x: un!t.s \I2) l erase(i 2 \I3) l erase(x v.p ) and we have done since the enviroment is equal to erase(i 1, x: un!t.s \I3). l [A-OutC-L] We have I 1, x: (lin!t.s1, S2) A x v.p I 3 inferred from I 1, x: S2 A v : T I 2 and I 2 x : S1 A P I 3. We exploit erase((i 1, x: S2)\I 2) l A v : T and the inductive hypothesis erase(i 2 x : S1\I 3) l erase(p ). First we note that if x dom(i3) l then it needs to be that S2 = linp; this is deduced by using Corollary 2. In such case we have (I 2 x : S1)\I 3 l = I 2 \I3, l x : S1. Since the split of erase((i 1, x: linp)\i2) l and erase(i 2 \I3, l x : lin!t.s1) is defined and equal to erase((i 1, x: (lin!t.s1, linp))\i3) l we could apply [T-OutC] and conclude: erase((i 1, x: linp)\i l 2) erase(i 2 \I l 3, x : lin!t.s 1) erase(x v.p ) Otherwise assume x dom(i l 3) and S 2 = unp ; if S 2 = linp we proceed as above. In such case we have I 2 x : S 1\I l 3 = (I 2 \x\i l 3), x : (S 1, unp ). We apply [T-OutC] and infer erase((i 1, x: unp )\I l 2) erase((i 2 \x\i l 3), x : (S 1, unp )) erase(x v.p ) [A-OutC-Un] Similar to [A-Out-Un]. [A-In-L] We have I 1, x: lin?t.s A x(y).p I 2 \y inferred from I 1, x: S, y : T A P I 2 where if y dom(i 2 ) then un(i 2 (y)). By I.H. we have erase((i 1, x: S, y : T )\I l 2) erase(p ) We know that x dom(i l 2); this is obtained by using Lemma 2 whever S = linp. The condition on y says that as well y dom(i l 2). Therefore (I 1, x: S, y : T )\I l 2 = I 1, \I l 2, x: S, y : T. We apply [T-In] and infer erase(i 1, \I l 2, x: lin?t.s ) erase(x(y).p ) as requested since erase(i 1, \I2, l x: lin?t.s ) = erase((i 1, x: lin?t.s )\I2). l [A-InC-L] We have I 1, x: (lin?t.s1, S2) A x(y).p I 2 \y inferred from I 1, x: (S1, S2), y : T A P I 2 with y I 2 only if unrestricted. If x dom(i2) l then by Corollary 1 we have S2 = linp = I2(x). l In this case we have (I 1, x: (S1, S2), y : T )\I2 l = (I 1 \I2), l x : S1, y : T since y dom(i2). l We apply [T-In] and infer erase((i 1 \I l 2), x : lin?t.s 1) erase(x(y).p )

12 We rewrite the judgement as erase((i 1, x : (lin?t.s 1, linp))\i l 2) erase(x(y).p ) and we have done. Othwerwise assume x dom(i l 2). We have (I 1, x: (S 1, S 2), y : T )\I l 2 = (I 1 \I l 2), x : (S 1, S 2), y : T. We apply [T-InC] and infer erase((i 1 \I l 2), x : (lin?t.s 1, S 2) erase(x(y).p ) We have done since erase((i 1 \I l 2), x : (lin?t.s 1, S 2) is equal to erase((i 1, x : (lin?t.s 1, S 2))\I l 2). Corollary 2 (Algorithmic Soundness). If I 1 A P I 2 with un(i 2 ) then erase(i 1 ) erase(p ). Proof. Follows from Lemma 4 and I l 2 =. Remark 1. The algorithmic system is not complete. Indeed we have erase(i, x : un!t.s ) x u. erase(p ) x v. erase(q) while I, x : un!t.s A x u.p x v.q.

13 New syntactic forms P ::=... (νx: (S, S))P T ::= bool S (S, S ) S ::=... ::= ɛ Processes: annotated scope restriction Types: end-point type annotation Context difference \x = (I, x: T )\x = I I \x = I 1 (I, y : T )\x = I 1, y : T I 1\I 2 = {x : I 1(x) x dom(i 2)} {x : S1 I 1(x) = (S1, S2 ) and I 2(x) = S2 } {x : S2 I 1(x) = (S1, S2 ) and I 2(x) = S1 } Context Updating I x : T = I, x : T x dom(i) Starred closure I x : S 2 = (I\x), x : (S 1, S 2 ) I(x) = S 1 = (I, x : S) = I (I, x : S ) = I, x : S (I, x : (S 1, S 2)) = I (I, x : (S 1, S 2 )) = I, x : (S 1, S 2 ) (I, x : (S 1, S 2)) = I, x : S 1 (I, x : (S 1, S 2 )) = I, x : S 2 Typing rules for values I 1, x: (lin p, S ), I 2 A x: lin p I 1, x: S, I 2 I 1, x: (S, lin p ), I 2 A x: lin p I 1, x: S, I 2 T = (lin p 1, un p 2) T = (un p 1, lin p 2) I 1, x: T, I 2 A x: un p 2 I 1, x: T, I 2 I 1, x: T, I 2 A x: un p 1 I 1, x: T, I 2 T = lin p, (lin p I A true, false: bool I 1, lin p 2) T = un p, (un p 1, un p 2) I 1, x: T, I 2 A x: T I 1, I 2 I 1, x: T, I 2 A x: T I 1, x: T, I 2 T = (un p 1, un p 2) T = (un p 1, un p 2) I 1, x: T, I 2 A x: un p 1 I 1, x: T, I 2 I 1, x: T, I 2 A x: un p 2 I 1, x: T, I 2 Typing rules for processes un(i ) I A 0 I I 1 A P I 2 I 2\I 2 A Q I 3 I 1 A P Q I 3 I 1 A P I 2 I 1 A P I 2 ([A-Inact],[A-Par],[A-Repl]) I 1 A v : bool; I 2 I 2 A P : I 3 I 2 A Q: I 3 I 1 A if v then P else Q I 3 I 1, y : (S, S) A P I 2 ( ) I 1 A (νy : (S, S))P I 2\y [A-If] [A-Res] I 1, x: S, y : T A P I 2 ( ) I 1, x: lin?t.s A x(y).p I 2\y I 1, x: un?t.s, y : T A P I 2 ( ) I 1, x: un?t.s A x(y).p I 2\y I 1, x: (S1, S2 ), y : T A P I 2 ( ) I 1, x: (lin?t.s1, S 2 ) A x(y).p I2\y [A-In-L],[A-InC-L] I 1, x: (un?t.s1, S2 ), y : T A P I 2 ( ) I 1, x: (un?t.s1, S 2 ) A x(y).p I2\y [A-In-Un],[A-InC-Un] I 1 A v : T I 2 I 2 x : S A P I 3 I 1, x: S2 A v : T I 2 I 2 x : S1 A P I 3 I 1, x: lin!t.s A x v.p I 3 I 1, x: (lin!t.s1, S 2 ) A x v.p I3 [A-Out-L],[A-OutC-L] I 1, x : un!t.s A v : T I 2 I 2 A P I 3 I 1, x: (un!t.s1, S2 ) A v : T I 2 I 2 A P I 3 I 1, x: un!t.s A x v.p I 3 I 1, x: (un!t.s1, S 2 ) A x v.p I3 [A-Out-Un],[A-OutC-Un] ( ) y dom(i 2) un(i 2(y)) Fig. 4. Algoritmic type checking