a verified, end-to-end compiler for a choreographic language

CakeML

- SML-like functional language
- Verified compiler

HOL4

- An LFC interactive theorem prover

- SML has no concurrency semantics
- CakeML's formal semantics is deterministic
- FFI interface is (must be) deterministic but underspecified

Message passing concurrency

Choreographies are a way of describing communicating systems as global programs

A

💃

B

🕺🏽

A

💃

B

🕺🏽

```
A.x -> B.x
```

```
A.x -> B.x
```

A

```
Send("B",x)
```

B

```
x = Receive("A")
```

```
A.x -> B.x
let y@A = foo()
let w@B = bar()
```

A

```
Send("B",x)
y = foo()
```

B

```
x = Receive("A")
w = bar()
```

```
A.x -> B.x
let y@A = crunch()
let w@B = crunch()
```

```
A.x -> B.x
let y@A = crunch()
let w@B = crunch()
if y@A
A->B[T]
...
else
A->B[F]
...
```

```
A.x -> B.x
let y@A = crunch()
let w@B = crunch()
if y@A
A->B[T]
...
else
A->B[F]
...
```

A

```
if y
Choose("B",T)
...
else
Choose("B",F)
...
```

B

```
if Choice("A")
...
else
...
```

- Concurrency
- Projectability
- Deadlock-freedom

```
A.x -> B.x
B.y -> C.y
...
```

```
A.x -> B.x
B.y -> C.y
...
```

A

B

C

`G` | `::=` |
`A.x -> B.y; G` | (com) |

`|` |
`A -> B[b]; G` | (sel) | |

`|` |
`Let x@A = foo(..); G` | (let) | |

`|` |
```
If x@A
Then G
Else G
``` | (if) | |

`|` |
`Fix fn G` | (fix) | |

`|` |
`Call fn` | (call) | |

`|` |
`End` | (end) |

Where:

- $c$ and $c'$ are choreographies
- $s$ and $s'$ are mappings from pairs of process and variables to values

Communication

`A.x -> B.y;C`

Communication

`S`

`A.x -> B.y;C`

Communication

`S(A,x) = d`

```
A.x -> B.y;C
```

Communication

```
A.x -> B.y;C
```

`S[(B,y)|->d]`

Communication

`S[(B,y)|->d]`

`C`

```
A.x -> B.x
B.y -> C.y
...
```

```
A.x -> B.x
B.y -> C.y
...
```

EPN

An endpoint language

`EP` | `::=` |
`Send p x; EP` |

`|` |
`Receive p y; EP` | |

`|` |
`InternalChoice p b; EP` | |

`|` |
`ExternalChoice p EP EP` | |

`|` |
`Let v f vl in EP` | |

`|` |
```
If v Then EP
Else EP
``` | |

`|` |
`Fix fn EP` | |

`|` |
`Call fn` | |

`|` |
`End` |

`EPN` | `::=` |
`<p,s,q,EP>` | (Single) |

`|` |
`<p,s,q,EP> || EPN` | (Parallel) |

Where:

- (
`p`

) is a process name - (
`s`

) is a mappings from varible names to values representing the process state, - (
`q`

) is a queue of unread messages - (
`EP`

) is the endpoint code

`<A,sa,qa,>`

```
Send "B" x
...
```

`sa(x) = d`

`<B,sb,qb,>`

```
Receive "A" x
...
```

`<A,sa,qa,>`

```
...
```

`sa(x) = d`

`<B,sb,qb',>`

```
Receive "A" x
...
```

`qb' = ("A",d)::qb`

`<A,sa,qa,>`

```
...
```

`<B,sb',qb,>`

```
...
```

`sb' = sb[x |-> d]`

EPN

EPN

~~Selection~~

Payload

Closure

```
IntChoice b p
...
```

```
Let fv = b
Send p fv
...
```

```
ExternalChoice p e1 e2
```

```
Receive p fv
If fv Then e1 Else e2
```

```
Send p vlm
...
```

```
Send p v
Send p l
Send p m
...
```

```
Receive p vlm
...
```

```
Receive p v
Receive p l
Receive p m
...
```

```
Fix fn
Let x = ...
Receive p y
...
```

```
Letrec fn(x,y,...)
Let x = ...
Receive p y
...
```

```
A.x -> B.x
B.y -> A.y
...
```

```
let x@A = [1,2,3]
A.x -> B.y
let y@B = sort x
B.y -> A.y
...
```

A

```
Let x = [1,2,3]
Send B x
Receive A y
...
```

B

```
Receive A x
Let y = sort x
Send A y
...
```

A

```
Let x = [1,2,3]
Send B x
Receive A y
...
```

B

```
Receive A x
Let y = sort x
Send A y
...
```

A

```
let x = [1,2,3]
let _ = #send B x
let x = #receive A
...
```

B

```
let x = #receive A
let y = sort x
let _ = #send A y
...
```

```
A.x -> B.x
B.y -> A.y
...
```

- Local computations are translated to CakeML
- Function
`Send`

and`Receive`

are FFI primitives - The FFI environment for a single process is the rest of the choreography

Semantic preservation

$(s,c)\xrightarrow{}(s',c')$ |

$\exists{c'',s''.\;}(s',c')\rightarrow^{\ast}(s'',c'')\,\land\, [\![s,c]\!]\rightarrow^{\ast}[\![s'',c'']\!]$ |

Semantic reflection

$[\![s,c]\!]\xrightarrow{}epn$ |

$\exists{c',s'.\;}epn\rightarrow^{\ast}[\![s',c']\!]\,\land\, (s,c)\rightarrow^{\ast}(s',c')$ |

Deadlock-freedom*

$\text{fv}(c) \subseteq \text{fv}(s)$ |

$c\equiv end \lor \exists{s' c'.}{(s,c) \rightarrow (s',c')}$ |