Kalas

a verified, end-to-end compiler for a choreographic language


Johannes Åman Pohjola
🗣Alejandro Gómez-Londoño
James Shaker
Michael Norrish

CakeML


  • SML-like functional language
  • Verified compiler

HOL4


  • An LFC interactive theorem prover

Concurrency is hard

Shared-memory concurrency is ridiculously hard

+ concurrency?

+ concurrency?


🤷?

Choreographies


Message passing concurrency

Choreographies are a way of describing communicating systems as global programs

A

💃

B

🕺🏽

A

💃

B

🕺🏽

        A.x -> B.x
      

        A.x -> B.x
      

A


        Send("B",x)
      

B


        x = Receive("A")
      

        A.x -> B.x
        let y@A = foo()
        let w@B = bar()
      

A


        Send("B",x)
        y = foo()
      

B


        x = Receive("A")
        w = bar()
      

        A.x -> B.x
        let y@A = crunch()
        let w@B = crunch()
      

        A.x -> B.x
        let y@A = crunch()
        let w@B = crunch()
        if y@A
          A->B[T]
          ...
        else
          A->B[F]
          ...
      

        A.x -> B.x
        let y@A = crunch()
        let w@B = crunch()
        if y@A
          A->B[T]
          ...
        else
          A->B[F]
          ...
      

A


        if y
          Choose("B",T)
          ...
        else
          Choose("B",F)
          ...
      

B


        if Choice("A")
          ...
        else
          ...
      

Features


+ concurrency?


        A.x -> B.x
        B.y -> C.y
        ...
      


      A.x -> B.x
      B.y -> C.y
      ...
    

A
B
C
G::= A.x -> B.y; G(com)
| A -> B[b]; G(sel)
| Let x@A = foo(..); G(let)
| If x@A Then G Else G(if)
| Fix fn G(fix)
| Call fn(call)
| End(end)

$(s,c) \xrightarrow{(\tau,l)} (s',c')$


Where:

Communication


A.x -> B.y;C

Communication


S
A.x -> B.y;C

Communication


S(A,x) = d
A.x -> B.y;C

Communication


A.x -> B.y;C
S[(B,y)|->d]

Communication


S[(B,y)|->d]
C

        A.x -> B.x
        B.y -> C.y
        ...
      


        A.x -> B.x
        B.y -> C.y
        ...
      

EPN

An endpoint language

EP::= Send p x; EP
| Receive p y; EP
| InternalChoice p b; EP
| ExternalChoice p EP EP
| Let v f vl in EP
| If v Then EP Else EP
| Fix fn EP
| Call fn
| End
EPN::= <p,s,q,EP>(Single)
| <p,s,q,EP> || EPN(Parallel)

Where:

<A,sa,qa,>


        Send "B" x
        ...
      

sa(x) = d

<B,sb,qb,>


        Receive "A" x
        ...
      

<A,sa,qa,>


        ...
      

sa(x) = d

<B,sb,qb',>


        Receive "A" x
        ...
      

qb' = ("A",d)::qb

<A,sa,qa,>


        ...
      

<B,sb',qb,>


        ...
      

sb' = sb[x |-> d]

EPN

EPN

Selection

Payload

Closure

Selection removal


        IntChoice b p
        ...
      


        Let fv = b
        Send p fv
        ...
      

        ExternalChoice p e1 e2
      


        Receive p fv
        If fv Then e1 Else e2
      

Fix-sized payloads


        Send p vlm
        ...
      


        Send p v
        Send p l
        Send p m
        ...
      

        Receive p vlm
        ...
      


        Receive p v
        Receive p l
        Receive p m
        ...
      
*Wildly oversimplified

Introduction of closures


        Fix fn
          Let x = ...
          Receive p y
          ...
      


        Letrec fn(x,y,...)
          Let x = ...
          Receive p y
          ...
      

        A.x -> B.x
        B.y -> A.y
        ...
      


        let x@A = [1,2,3]
        A.x -> B.y
        let y@B = sort x
        B.y -> A.y
        ...
      

A


        Let x = [1,2,3]
        Send B x
        Receive A y
        ...
      

B


        Receive A x
        Let y = sort x
        Send A y
        ...
      

A


        Let x = [1,2,3]
        Send B x
        Receive A y
        ...
      

B


        Receive A x
        Let y = sort x
        Send A y
        ...
      

A


        let x = [1,2,3]
        let _ = #send B x
        let x = #receive A
        ...
      

B


        let x = #receive A
        let y = sort x
        let _ = #send A y
        ...
      

        A.x -> B.x
        B.y -> A.y
        ...
      


Semantic preservation

$(s,c)\xrightarrow{}(s',c')$
$\exists{c'',s''.\;}(s',c')\rightarrow^{\ast}(s'',c'')\,\land\, [\![s,c]\!]\rightarrow^{\ast}[\![s'',c'']\!]$

Semantic reflection

$[\![s,c]\!]\xrightarrow{}epn$
$\exists{c',s'.\;}epn\rightarrow^{\ast}[\![s',c']\!]\,\land\, (s,c)\rightarrow^{\ast}(s',c')$

Deadlock-freedom*

$\text{fv}(c) \subseteq \text{fv}(s)$
$c\equiv end \lor \exists{s' c'.}{(s,c) \rightarrow (s',c')}$

?