When a call is in progress and at the beginning of the feature, the caller can send messages or payments to the contract. We use S to denote the set of all states that can occur in a run of the contract as defined below.

Fig. 2. A rock-paper-scissors contract.

Objective Function and Values of Contracts

We use Ξ to denote the set of all randomized policy profiles, Ξi for randomized policies i, and Ξ− to denote the set of randomized policy profiles for all parties except . Each such randomized policy profile induces a unique probability measure on the set of runs, denoted Probξ[·].

Examples

However, even if one of the sides refuses to play uniformly at random, the resulting probabilities of winning remain the same because each side's probability of winning is independent of her own choice, assuming others play randomly. The global clock can be modeled after the number of the current block in the blockchain, and simultaneous interactions can be implemented using commitment schemes.

Fig. 3. A buggy auction contract (left) and its fixed version (right).

4 Bounded Analysis and Games

Bounded Analysis

In the context of smart contracts, we analogously assume that the number of parties and function calls is bounded. We limit the analysis only to a limited number of parties that interact with the smart contract.

Concurrent Games

We assume that player 1 is trying to maximize u, while player 2's goal is to minimize it. This models the fact that player 1 is trying to maximize utility in the first steps of the round, while player 2 is minimizing it.

Translating Contracts to Games

Note that in (1), restricting player 2 to pure strategies does not change the value of the game. Therefore, we can assume that player 2 is an arbitrarily strong, non-deterministic opponent and gets exactly the same results.

5 Abstraction for Quantitative Concurrent Games

Abstraction for Quantitative Concurrent Games

Sa=Π∪D, where D=Π×A×A is a set of dummy conditions to give more power to one of the players. In practice, however, it is not necessary to create them, since the choices can be allowed to the respective players in the predecessor state.

Abstraction: Soundness, Refinement, and Completeness in Limit

Let Π2 Π1 be two partitions of the state space of the game (G, u), then the abstractions corresponding to Π1, Π2 satisfy the refinement property. Equivalently, this means that if we want to approximate the value of the original game within some predefined error threshold, we can do so by repeatedly improving the abstraction.

Interval Abstraction

This consists of the contract balance, numerical variables and m[p]s where mis is a map variable and pi is a lot. Refinement heuristic. We can start with large intervals and continuously break them into smaller intervals to get refined abstractions and a finer approximation of game value.

6 Experimental Results

7 Comparison with Related Work

In [18] a quantitative framework for abstraction refinement has been considered; however, there is no game-theoretic interaction. Abstraction refinement for games has also been considered [20,36]; however, these works do not consider simultaneous interaction games nor quantitative objectives.

Table 1. Experimental results for correct and buggy contracts. l := υ ( G ↓ , u ↓ ) denotes the lower value and u := υ ( G ↑ , u ↑ ) is the upper value

8 Conclusion

Partial order methods for the verification of concurrent systems : an approach to the state explosion problem. The third-party images or other materials in this chapter are included in the Creative Commons license of the chapter, unless otherwise noted in a line of credit accompanying the materials.

1 Introduction

To indicate that our contracts imply refinement-based contracts, we encode refinement types in our model by translating the refinements to monitors. In Section 4, we show how to check that a monitoring process is a partial identity and prove that the method is correct.

2 Session Types

From a typing perspective, this is a restricted form of the usual rule of two premises⊗R, as it requires that the first premise be an identity. Finally, in order to successfully monitor the computation, we need the ability to stop the computation.

3 Contract Examples

Perfection. The simplest type of monitoring process we can write is one that models a refinement of an integer type; for example, a process that checks whether each element in the list is positive. We can now run the monitor on the mapper, in the mapper process, before applying the mapper to the l-list.

4 Monitors as Partial Identity Processes

Buffering Values

Conversely, if we send b along, the message must be equal to the message at the front of the queue (and therefore must be a variable). Since the queue is empty, the two sides of the monitor must be of the same type.

Spawning New Processes

Transparency

To generalize this, we need to define a queue that corresponds to a sequence of messages. In addition, we need to generalize property (6) to (8) and (9) to allow the simultaneous operation of multiple monitors in a configuration.

5 Refinements as Contracts

• Syntax and Typing Rules
• Translation to Monitors
• Metatheory
• Casts are transparent)

Because of the typing rules, we are assured that channel b must conform to the typeB. The translation is of the form: [[A ⇐Bρ]]a,b =P, where A, B are types; the channels and have the presentation channel and monitoring channel (respectively) for the resulting monitoring processP; enρis a label of the monitor (i.e. the contract).

Fig. 4. Cast translation

6 Related Work

7 Conclusion

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution, and reproduction in any medium or format, provided you give proper credit to the original author(s) and source, link to the Creative Commons license, and indicate whether changes have been made. If the material is not covered by a Creative Commons Chapter license and your intended use is not permitted by law or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Crash Failure Handling in Distributed Systems

Our type system carefully reworks many of the key elements of standard MPSTs to handle the complex handling of crash errors. In the try-handle construct t(..)h(..), the try block t(..) provides the normal (ie error-free) flow of the protocol, and h(..) contains the explicit handling of potential crashes.

2 System and Failure Model

If a worker crashes ({wi}:..), the other worker will also take over the calculation of the crashed worker, allowing the system to still produce a valid result. The coordinator assumption (4) implicitly means that the number of concurrent failures among coordinator replicas is assumed to remain in the minority and that failed replicas are replaced in time (to tolerate further failures).

3 Global Types for Explicit Handling of Partial Failures

The second condition asserts that if the environment for handling a try handle contains a handler for F, then there is no external try handle with a handler for F such that F ⊆F. The goal is for the respective roles to eventually converge in the execution of handling the outermost trial handle, possibly by interrupting the handling of the inner trial handle.

4 A Process Calculus for Coordinator-Based Failure Handling

If the global queue contains a completed notification ψ,pφ sent by the coordinator, then all participants in φ have completed their local actions, which means that the tentative handling of φ can be completed. When a process receives notification of done φ from the coordinator, it can complete the trial process φ and reduce to continue η.

Fig. 5. Grammar for processes, applications, systems, and evaluation contexts.

5 Local Types

Given s: h with h= h· ψ,pφ·h and Fset(h,p)=∅, the rule (TryHdl) is not applicable to the try-handleφ of the process playing the role p. The main rule is (1): ifp appears somewhere in the target try-handle global type, then the endpoint type has a try-handle annotated withκ and the default logic (i.e. F.

6 Type System

The T-rule states that a part of system S can initiate a private session, say with , if S is well-typed with respect to Γ Δs , which is coherent (defined shortly). The T-sys rule states that a system ΨN is well-typed if an application N is well-typed and there is a coordinator Ψ to handle this application.

Fig. 11. Typing rules for applications and systems.

7 Properties

Subject Reduction)

After all processes inS have ended, the failure messages sent by coordinators remain; so the final system can have the form Ψs:h. Ψs :h, where h, .., h have fault messages sent by coordinators, so reduction rules (CollectDone), (IssueDone) and (F) are not applied.

8 Related Work

While it enables extensive fault handling by connecting (endpoint) processes to runtime monitors, the model does not address the fault tolerance of runtime monitors themselves. Since monitors can interact in complex ways, replication doesn't seem to be a viable option, at least not without potentially impacting performance (much like simple replication of entire applications).

9 Final Remarks

1] propose session types for connection errors that extend session types with an optional block that surrounds the process and contains default values. Carbone, M., Lindley, S., Montesi, F., Sch¨urmann, C., Wadler, P.: Coherence generalises duality: a logical explanation of multiparty session types.

A Tale of Two (Fully Abstract) Encodings

In addition, the coding directly provides a strong normalization property of the higher-order session account. We show results of full abstraction and mutual inversion, and derive strong normalization of the higher-order session calculus from the coding.

2 Polymorphic Session π -Calculus

Processes and Typing

Operational semantics. The operational semantics of our calculus is presented as a standard named transition system (Fig.1) in the style of the early system for the π-calculus [46]. Observational equivalences. We briefly summarize the typed congruence and logical equivalence with polymorphism, which gives rise to a suitable notion of relational parametricity in the sense of Reynolds [41], defined as a contextual logic.

3 To Linear-F and Back

Encoding Linear-F into Session π-Calculus

Such representations of the booleans are adequate to parametricity [6] and suitable for our purposes of relating the session calculus (which has no primitive notion of value or result type) to the λ calculus precisely because of the close correspondence between the two calculi. The encoding of the coupling of M1 and M2 produces a new name that will indicate the behavior of (the encoding of) M1, and then the behavior of the encoding of M2 is presented opz.

Operational Correspondence)

• Encoding Session π-calculus to Linear-F
• Inversion and Full Abstraction

However, the translation of the process above leads to the term λz:1.let1= ((λy:A.P1)P2)in let1=sin, where the redex corresponding to the process reduction is present, but hidden under the binder for z (corresponding to the input langsw). We can simply combine the above full abstraction with Theorem 3.11 to obtain full abstraction of the translation.

Fig. 3. Translation on typing derivations (excerpt – see [52])

4 Applications of the Encodings

Inductive and Coinductive Session Types

While a full formal development of the representation of inductive and coinductive types in the system F would lead us far astray, here we summarize the key concepts that apply to the λ-calculus (the interested reader can refer to [19] for full categorical details). We note that the resulting encoding resembles the encoding of lists from [30] (where zero is an empty list and succ is a weakness cell).

Fig. 4. Diagrams for initial F -algebras and final F -coalgebras

Communicating Values – Sess πλ

At the process level, offering a session of the type τ∧A (i.e. a process of the form zM.P) is encoded according to the translation of the type: we first send a new namex which will be used to access the encoding of the expression M. While the reduction of the encoded process and the encoding of the encoded process and the encoding of the latter are reductively equivalent, reductive processes. behavior available in the previous onx.

Operational Correspondence)

• Higher-Order Session Processes – Sessπλ +

We extend the value-passing framework of the previous section, accounting for process (i.e. higher-order) passing in a session-type environment. Finally, the elimination form encoding for monadic expressions behaves doubly, composing the encoding of the monadic expression with a sequence of outputs that instantiate the consumed nouns accordingly (via forwarding).

5 Related Work and Concluding Remarks

ACM 47(3), 531–584 (2000)

Toninho, B., Yoshida, N.: On polymorphic sessions and functions: a tale of two (fully abstract) encodings (long version).

The specification for this protocol requires that the query occur before receiving the message, but the push action is independent, and it can be performed simultaneously. Intuitively, this means that the specification lists the necessary dependencies, but the implementation may introduce more.

2 Overview of the Completeness Proof

The conclusion of this expression would be e↓ = (ab): finitely many repetitions of a and b do indeed appear in parallel, repeating infinitely long. For other operators, the conclusion of the result can be achieved by applying the same operator to the conclusions of its arguments.

3 Preliminaries

Pomsets

This means that we can focus on computing the closure for the specific case of parallel compilation. ii). We remove the sequential composition operator when we explicitly construct a pomset from primitive pomsets, i.e. we write abin instead of a·b for the pomset obtained by sequentially composing the (primitive) pomsets a and b.

Fig. 2. Splitting pomsets in the interpolation lemma

Concurrent Kleene Algebra

We can see that ≡BKA includes the well-known axioms of KA, stipulating that it is commutative and associative with unit 1 and annihilator 0, as well as distributive over. Given a term e ∈ T, we can syntactically determine whether its (BKA or CKA) semantics contains the empty pomset, using the function defined below.

Linear Systems

It is not very difficult to show that the least solutions of a linear system are unique, up to ≡T; we therefore speak of the least solution of a linear system. In the basis, where is empty, the solution is trivial; for the inductive step it is sufficient to reduce the problem to the least solution of a strictly smaller linear system.

4 Completeness of CKA

Preclosure

In the base, we can discount the case where = 0, because then the requirement is empty. In that case, we can choose =e and r= 1 to find that Δer, V ∈BKA and W ∈rBKA that satisfy the requirement.

Closure

In the former case, we can choose =aandr= 1 to satisfy the requirement; the latter case can be treated in the same way. With the closure of parallel composition, we can construct a closure for any expression and therefore conclude the completeness of CKA.

5 Discussion and Further Work

Furthermore, although Laurence and Struth do not seem to use any basic non-constructive argument, their proof does not obviously provide an algorithm to efficiently compute the closure of a given expression. Since we can build such pomsets of arbitrary depth, it follows that no syntactic closure of the expression a exists.

A Worked Example: A Non-trivial Closure

In summary, x is a solution to the linear system and, by construction, it is also the smallest solution. The algorithm used to solve arbitrary linear systems in Lemma3.12 does not make use of the commutation law to simplify terms, thus avoiding this pitfall.

Collector for Actor Languages

We do not define judgments, but instead assume the existence of judgments that determine whether a path is readable or writable from a given actor. With an (uninterpreted) precondition for any heap mutation, we require that no alias allows an actor's writable object to be readable/writable from any other actor.

2 Host Language Requirements

Actors and Objects

We achieved parametricity by concentrating on the effects rather than the mechanisms of language. Thus, when the message is sent by a mutable object, the actor must consume or destroy its reference to that object.

Capabilities and Accessibility

If an actor shares an object with another actor, then either it gives up the object or neither actor has the ability to write to that object. Note that the existence of a path from an actor to an object does not imply that the object is accessible to the actor: In Fig.1(a), there is a path from α2 to ω3, but α2 cannot access ω3.

Causality

Figure 2 shows the capabilities assigned to the paths in Fig.1: α1.f1.f5 has the ability to write, so α1 can read and write to the object accessible from that path. Note that the capabilities assigned to paths are immutable, while the contents of those paths can change.

3 Overview of ORCA

• Mutation and Collection
• Local Collection
• Messages and Collection
• Example

I2 An object accessed from a message queue or from a non-owning actor has reference count greater than zero in the ownership actor. I3If a non-owning actor can access an object through a path from its fields or call stack, its reference count for this object is greater than 0.

Fig. 3. Black arrows are references, numbered in creation order. Blue solid arrows are application messages and blue dashed arrows ORCA -level message

4 The ORCA Protocol

Runtime entities and notation) C ∈ Config = Heap × Actors

• Well-Formed Configurations
• Actor States

Dynamic paths (in short paths) start at the actor's fields or frame, or at some pending message in an actor's queue (the latter is not navigable yet, but will be navigable later when the message is dequeued). The second and third cases above ensure that the possibility of a message path is the same as when the message has been dequeued and placed on the frame.

Fig. 4. Configuration C 0 . ω 1 is absent in the ref. counts, it has not been shared.

Actor States, Working sets, and Marks)

• Garbage Collection
• Receiving and Sending Messages
• Actor Behaviour

The actor sets its state to RECEIVED (line 5), follows from the message arguments, and stores all accessible addresses (line 7). After that, the actor sets its frame to that of the message (line 17), and goes to the EXECUTE state (line 18).

Fig. 6. Pseudo-code for garbage collection.

5 Soundness and Completeness

• I 1 and I 2 Support Safe Local GC
• Completeness
• Dealing with Fine-Grained Concurrency
• AMC and OMC – full definition) OMC C ( ι ) ≡
• Soundness

I7 provides the following four guarantees: [a] The effect of a message queue prefix leaves the LRC non-negative. 17] machine-controlled a state-of-the-art, on-the-fly, competitor, mark-and-sweep garbage collector [32].

7 Conclusions

Clebsch, S., Blessing, S., Franco, J., Drossopoulou, S.: Ownership and reference count based garbage collection in the actor world. Owicki, S., Gries, D.: An axiomatic proof technique for parallel programs I. fragmentation-tolerant real-time garbage collection. etc.).

Our second contribution is a methodology for verifying composite consensus protocols by reusing their component proofs, specifically targeting Multi-Paxos. We distill protocol-aware system optimizations into a separate semantic layer and show how to obtain realistic Multi-Paxos implementations from SD-Paxos with a series of transformations in the network semantics of the system, as long as these transformations preserve the behavior observed by clients.

2 The Single-Decree Paxos Algorithm

After Phase 1, N1 chooses as a candidate value the one accepted in the largest round of those returned by the quorum acceptors, or the proposed value if all acceptors have returned an undefined value. That way, if a value is already set, any proposer that convinces a quorum to pass its round would get the value set by some of the acceptors in the quorum (recall that two quorums have a non-empty intersection).

3 The Faithful Deconstruction of SD-Paxos

Each acceptor (Fig. 4) retains a value v, a current round r (called the read round), and the round the acceptor's value was last accepted (called the write round). Finally, the Paxos input module on the right side of Figure 5 provides an operation proposalP that takes a proposed value v0 and returns the determined value.

Fig. 3. Implementation of Round-Based Register ( read and write ).

4 Modularly Verifying SD-Paxos

We force the unspecified vD and b to be v and true, respectively, which causes the abstract operation to succeed and return (true, v). In both cases we force the unspecified bto befalse, which causes the abstract operation to fail.

Fig. 8. Specification (top) and instrumented implementation (bottom) of Round-Based Consensus .

5 Multi-Paxos via Network Transformations

Abstract Distributed Protocols

The simple initial operational semantics of the network (=⇒ ⊆p (Σ×℘(M))×(Σ×℘(M))) is parameterized by the protocol and relates the initial configuration (i.e. global state and message set) to the resulting configuration. For the bootstrap run, nodes are assigned initial states from the set Δ0⊆Δ.

Fig. 13. Transition rules of the simple protocol-aware network semantics

Protocol behaviours)

• Out-of-Thin-Air Semantics
• Slot-Replicating Network Semantics

Figure 14 describes a semantics of asslot-replicating (SR) networks that exercise multiple copies of the same protocol instance pi fori ∈I, some, possibly infinite, set of indices, which we will also refer to asslots. Multiple copies of the protocol are incorporated by enhancing the messages from p's vocabulary M with the corresponding indices and implementing the in-place dispatch of the indexed messages to corresponding protocol instances at each node.

Fig. 14. Transition rules of the slot-replicating network semantics.

Slot-replicating protocol behaviours)

• Widening Network Semantics
• Optimised Widening Semantics
• Bunching Semantics
• The Big Picture

Next we consider a version of the SR semantics, extended with a new rule for handling received messages. Basically, the only effect they have is to combine the messages resulting from the execution of the corresponding steps of an optimized expansion (via BStepRecvB) and to decompose the ms messages from a bulk message, adding them back to the soup (BStepRecvU).

6 Putting It All Together

De implementatie van Multi-Paxos die gebruik maakt van een registerprovider en netwerksemantiek bundelt, verfijnt de specificatie in figuur 17. We hebben de register/netwerk-semantiek geïmplementeerd in een proof-of-concept-prototype geschreven in Scala/Akka.5 We vertrouwden op de abstractiemechanismen van Scala, waardoor we de registerlogica, geverifieerd in Sect.4, afzonderlijk van de netwerk-middleware konden implementeren, die een familie van Semantiek van Sect.5 heeft opgeleverd.

7 Related Work

While the proof is structured in a modular way by composing specifications in a manner similar to our decomposition in Sect.3 and 4, this work does not address linearity and does not provide composition of proofs about complex protocols (e.g., Multi-Paxos) from proofs about its subparts. While Verdi's VSTs are similar in purpose and idea to our network transformations, they do not exploit the properties of the protocol, which was essential for us to verify Multi-Paxos' implementation.

8 Conclusion and Future Work

Rahli, V., Guaspari, D., Bickford, M., Constable, R.L.: Formal specification, verification and implementation of fault-tolerant systems using EventML. Wilcox, J.R., Woos, D., Panchekha, P., Tatlock, Z., Wang, X., Ernst, M.D., Anderson, T.E.: Verdi: a framework for implementation and formal verification of distributed systems.