\lmcsdoi

2045 \lmcsheadingLABEL:LastPageOct. 05, 2023Oct. 07, 2024

[a] [c] [b]

Fair Asynchronous Session Subtyping

Mario Bravetti\lmcsorcid0000-0001-5193-2914 , Julien Lange\lmcsorcid0000-0001-9697-1378 and Gianluigi Zavattaro\lmcsorcid0000-0003-3313-6409 University of Bologna, ITALY [email protected] University of Bologna / INRIA OLAS Team, ITALY [email protected] Royal Holloway, University of London, Egham, UK [email protected]

Abstract.

Session types are widely used as abstractions of asynchronous message passing systems. Refinement for such abstractions is crucial as it allows improvements of a given component without compromising its compatibility with the rest of the system. In the context of session types, the most general notion of refinement is asynchronous session subtyping, which allows message emissions to be anticipated w.r.t. a bounded amount of message consumptions. In this paper we investigate the possibility to anticipate emissions w.r.t. an unbounded amount of consumptions: to this aim we propose to consider fair compliance over asynchronous session types and fair refinement as the relation that preserves it. This allows us to propose a novel variant of session subtyping that leverages the notion of controllability from service contract theory and that is a sound characterisation of fair refinement. In addition, we show that both fair refinement and our novel subtyping are undecidable. We also present a sound algorithm which deals with examples that feature potentially unbounded buffering. Finally, we present an implementation of our algorithm and an empirical evaluation of it on synthetic benchmarks.

This work has been partially supported by the research project FREEDA (CUP: I53D23003550006) funded by the framework PRIN 2022 (MUR, Italy), the French ANR project SmartCloud ANR-23-CE25-0012, and the H2020-MSCA-RISE project ID 778233 “Behavioural Application Program Interfaces (BEHAPI)”

1. Introduction

The coordination of software components via message-passing techniques is becoming increasingly popular in modern programming languages and development methodologies based on actors and microservices, e.g., Rust, Go, and the Twelve-Factor App methodology [twelvefactor]. Often the communication between two concurrent or distributed components takes place over point-to-point fifo channels.

Abstract models such as communicating finite-state machines [BZ83] and asynchronous session types [HYC16] are essential to reason about the correctness of such systems in a rigorous way. In particular these models are important to reason about mathematically grounded techniques to improve concurrent and distributed systems in a compositional way. The key question is whether a component can be refined independently of the others, without compromising the correctness of the whole system. In the theory of session types, the most general notion of refinement is the asynchronous session subtyping [ESOP09, CDY2014, MariangiolaPreciness], which leverages asynchrony by allowing the refined component to anticipate message emissions, but only under certain conditions. Notably asynchronous session subtyping rules out candidate subtypes that occur naturally in communication protocols where, e.g., two parties simultaneously send each other a finite but unspecified amount of messages before removing them from their buffers.

We illustrate this key limitation of the asynchronous session subtyping with Figure 1, which depicts possible communication protocols between a spacecraft and a ground station that communicate via two unbounded asynchronous channels (one in each direction). For convenience, the protocols are represented as session types (bottom) and equivalent communicating finite-state machines (top). Consider $T_{S}$ and $T_{G}$ first. Session type $T_{S}$ is the abstraction of the spacecraft. It may send a finite but unspecified number of telemetries ( $\mathit{tm}$ ), followed by a message $\mathit{over}$ — this phase of the protocol typically models a for loop and its exit. In the second phase, the spacecraft receives a number of telecommands ( $\mathit{tc}$ ), followed by a message $\mathit{done}$ . Session type $T_{G}$ is the abstraction of the ground station. It is the dual of $T_{S}$ , written $\overline{T_{S}}$ , as required in standard binary session types without subtyping. Since $T_{G}$ and $T_{S}$ are dual of each other, the theory of session types guarantees that they form a correct composition, namely no communication errors can be generated and the communication protocol can always terminate successfully, with empty queues.

However, it is clear that this protocol is not efficient: the communication is half-duplex, i.e., it is never the case that more than one party is sending at any given time. Using full-duplex communication is crucial in distributed systems with intermittent connectivity, e.g., in this case ground stations are not always visible from low orbit satellites.

The abstraction of a more efficient ground station is given by type $T^{\prime}_{G}$ , which sends telecommands before receiving telemetries. In this way $T^{\prime}_{G}$ and $T_{S}$ interact in a symmetric manner: they first send all of their messages and then consume the messages sent from the other partner. No communication error can occur, and the communication protocol can always terminate successfully, with empty queues. Unfortunately $T^{\prime}_{G}$ is not an asynchronous subtype of $T_{G}$ according to earlier definitions of session subtyping [ESOP09, MariangiolaPreciness, CDY2014]. Hence they cannot formally guarantee that $T^{\prime}_{G}$ is a safe replacement for $T_{G}$ . Note that the composition of $T^{\prime}_{G}$ and $T_{S}$ is not existentially bounded, hence it cannot be verified by techniques based on communicating finite-state machines [LangeY19, BouajjaniEJQ18, GenestKM06, GenestKM07].


$T^{\prime}_{G}$	$T_{G}=\overline{T_{S}}$	$T_{S}$

$T^{\prime}_{G}$	=	$\mu\mathbf{t}.\oplus\{\mathit{tc}:\mathbf{t},\mathit{done}:\mu\mathbf{t^{% \prime}}.~{}\&\{\mathit{tm}:\mathbf{t^{\prime}},\mathit{over}:\mathbf{end}\}\}$
$T_{G}$	=	$\mu\mathbf{t}.~{}\&\{\mathit{tm}:\mathbf{t},\mathit{over}:\mu\mathbf{t^{\prime% }}.\oplus\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end}\}\}$
$T_{S}$	=	$\mu\mathbf{t}.\oplus\{\mathit{tm}:\mathbf{t},\mathit{over}:\mu\mathbf{t^{% \prime}}.~{}\&\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end}\}\}$

Figure 1. Satellite protocols.

T^{\prime}_{G}

is the refined session type of the ground station,

T_{G}

is the session type of ground station, and

T_{S}

is the session type of the spacecraft.

Technically speaking, previous asynchronous session subtyping relations do not capture our spacecraft example due to the notion of correct composition that they consider. For instance, the notion of correct composition considered in [MariangiolaPreciness] imposes that all sent messages are guaranteed to be consumed along all possible computations of the receiver. Following this approach the above type $T^{\prime}_{G}$ is not a correct refinement of $T_{G}$ because $T^{\prime}_{G}$ can start by performing infinitely many outputs without consuming any incoming message.

The alternative notion of correct composition that we consider is weaker in that we do not impose a sent message to be consumed along all possible paths of the receiver, but we only require that, for all possible computation of the receiver either the message has been already consumed or there exists a continuation of the computation in which the message will be consumed. More precisely, our notion of correctness is as follows: given the composition of two session types, for every computation there always exists a continuation of such computation reaching successful termination (with empty queues). This is a reasonable assumption, e.g., for programs that can conceptually run indefinitely but must account for graceful termination (e.g., to release acquired resources).

According to this notion of correct composition, $T^{\prime}_{G}$ and $T_{S}$ are correct partners in that for every reachable state, we can always find a way to terminate successfully the interaction. This way to termination can be selected by exiting from the initial loops of outputs of both $T^{\prime}_{G}$ and $T_{S}$ . The theory that we will develop will allow us to conclude that $T^{\prime}_{G}$ is a correct refinement of $T_{G}$ for every possible partner, not only for the partner $T_{S}$ .

The use of this notion of correct composition is new in the context of asynchronous session types, but it has been already considered in several related contexts. First of all, we observe that according to the terminology in [GlabbeekH19], our notion of correctness coincides with imposing that successful termination is a liveness-property which holds under the assumption of full fairness. For this reason, we name fair compliance our notion of correct composition. Fair compliance has been already considered in the context of synchronous session types [Padovani16, CicconeP22], in the definition of should testing [RV07] where “every reachable state is required to be on a path to success”, and applied also to behavioural contracts [BravettiZ08, wsfm08].

Given our notion of fair compliance defined on an operational model for asynchronous session types, we define fair refinement the refinement relation that preserves it. Then, we propose a novel variant of session subtyping called fair asynchronous session subtyping, that leverages the notion of controllability from service contract theory, and which is a sound characterisation of fair refinement. We show that both fair refinement and fair asynchronous session subtyping are undecidable, but give a sound algorithm for the latter. Our algorithm covers session types that exhibit complex behaviours (including the spacecraft example and variants). Our algorithm has been implemented in a tool available online [tool].

Structure of the paper

The rest of this paper is structured as follows. In § 2 we recall syntax and semantics of asynchronous session types, we define fair compliance and the corresponding fair refinement. In § 3 we introduce fair asynchronous subtyping, the first relation of its kind to deal with examples such as those in Figure 1. In § 4 we propose a sound algorithm for subtyping that supports examples with unbounded accumulations, including the ones discussed in this paper. In § 5 we discuss the implementation of this algorithm. In § 6 we present an evaluation of our implementation on generated session types. Finally, in § 7 we discuss related and future work. The paper includes also an the appendix containing details of proofs that are not necessary in order to understand the main results that we have proved and the corresponding proof techniques.

This paper is based on the conference publication [BravettiLZ21]. The main novelties w.r.t. [BravettiLZ21] are: the inclusion of all the proofs of our results, a completely new empirical evaluation of the implementation of our algorithm for checking fair asynchronous session subtyping (see § 6), an enriched and more comprehensive related work section.

2. Fair Refinement for Asynchronous Session Types

In this section we first recall the syntax of two-party session types, their reduction semantics, and a notion of compliance centred on the successful termination of interactions. We define our notion of refinement based on this compliance and show that it is generally undecidable whether a type is a refinement of another.

2.1. Preliminaries: Binary Session Types

Syntax

The formal syntax of two-party session types is given below. We follow the simplified notation used in, e.g., [BravettiCZ17, BCZ18], without dedicated constructs for sending an output/receiving an input. Additionally we abstract away from message payloads since they are orthogonal to the results of this paper.

{defi}

[Session Types] Given a set of labels $\mathcal{L}$ , ranged over by $l$ , the syntax of two-party session types is given by the following grammar:

\begin{array}[]{lrl}T&::=&\ \ \oplus\{{l}_{i}:{T}_{i}\}_{i\in I}\quad\mid\quad% \&\{{l}_{i}:{T}_{i}\}_{i\in I}\quad\mid\quad\mu\mathbf{t}.T\quad\mid\quad% \mathbf{t}\quad\mid\quad\mathbf{end}\end{array}

Output selection $\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}$ represents a guarded internal choice, specifying that a label $l_{i}$ is sent over a channel, then continuation $T_{i}$ is executed. Input branching $\&\{{l}_{i}:{T}_{i}\}_{i\in I}$ represents a guarded external choice, specifying a protocol that waits for messages. If message $l_{i}$ is received, continuation $T_{i}$ takes place. In selections and branchings each branch is tagged by a label $l_{i}$ , taken from a global set of labels $\mathcal{L}$ . In each selection/branching, these labels are assumed to be pairwise distinct. In what follows, we leave implicit the index set $i\in I$ in input branchings and output selections when it is clear from the context. Types $\mu\mathbf{t}.T$ and $\mathbf{t}$ denote standard recursion constructs. We assume recursion to be guarded in session types, i.e., in $\mu\mathbf{t}.T$ , the recursion variable $\mathbf{t}$ occurs within the scope of a selection or branching. Session types are closed, i.e., all recursion variables $\mathbf{t}$ occur under the scope of a corresponding binder $\mu\mathbf{t}.T$ . Terms of the session syntax that are not closed are dubbed (session) terms. Type $\mathbf{end}$ denotes the end of the interactions.

The dual of session type $T$ , written $\overline{T}$ , is inductively defined as follows: $\overline{\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}}=\&\{{l}_{i}:{\overline{T}}_{i}\}% _{i\in I}$ , $\overline{\&\{{l}_{i}:{T}_{i}\}_{i\in I}}=\oplus\{{l}_{i}:{\overline{T}}_{i}\}% _{i\in I}$ , $\overline{\mathbf{end}}=\mathbf{end}$ , $\overline{\mathbf{t}}=\mathbf{t}$ , and $\overline{\mu\mathbf{t}.T}=\mu\mathbf{t}.\overline{T}$ .

2.2. Asynchronous Fair Refinement

We now define our notion of fair refinement. We first define a reduction semantics formalizing the interaction between two binary session types assuming asynchronous communication via FIFO buffers. Then we formalize the notion of successful final configuration; intuitively a configuration is successful if both communicating types have completed their send/receive operations and the buffers are empty. Compliance is then defined as follows: two session types are compliant if, for every reachable configuration (according to the reduction semantics), the interaction can continue to reach a successful configuration. Finally, we say that a type $T$ refines another type $S$ if it can safely replace $S$ , i.e., if $S$ is compliant with a type $S^{\prime}$ then also $T$ is compliant with $S^{\prime}$ .

In the definition of the reduction semantics for types we need some auxiliary notation. Hereafter, we let $\omega$ range over words in $\mathcal{L}^{\ast}$ , write $\epsilon$ for the empty word, and write $\omega_{1}\!\cdot\!\omega_{2}$ for the concatenation of words $\omega_{1}$ and $\omega_{2}$ , where each word may contain zero or more labels. Also, we write $T\{\nicefrac{{T^{\prime}}}{{\mathbf{t}}}\}$ for $T$ where every free occurrence of $\mathbf{t}$ is replaced by $T^{\prime}$ .

We give an asynchronous semantics of session types via transition systems whose states are configurations of the form: $[T_{1},\omega_{1}]|[T_{2},\omega_{2}]$ where $T_{1}$ and $T_{2}$ are session types equipped with two sequences $\omega_{1}$ and $\omega_{2}$ of incoming messages (representing unbounded buffers). We use $s$ , $s^{\prime}$ , etc. to range over configurations.

In this paper, we use explicit unfoldings of session types, as defined below. {defi}[Unfolding] Given session type $T$ , we define $\mathsf{unfold}(T)$ :

\mathsf{unfold}(T)=\begin{cases}\mathsf{unfold}(T^{\prime}\{\nicefrac{{T}}{{% \mathbf{t}}}\})&\text{if $T=\mu\mathbf{t}.T^{\prime}$}\\ T&\text{otherwise}\end{cases}

Definition 2.2 is standard — an equivalent function is used in the first session subtyping [GH05]. Notice that $\mathsf{unfold}(T)$ unfolds all the recursive definitions in front of $T$ , and it is well defined for session types with guarded recursion (c.f. assumptions in Section 2.1).

{defi}

[Transition Relation] The transition relation $\rightarrow$ over configurations is the minimal relation satisfying the rules below (plus symmetric ones):

(1)

if $j\in I$ then $[\oplus\{{l}_{i}:{T}_{i}\}_{i\in I},\omega_{1}]|[T_{2},\omega_{2}]\rightarrow[% T_{j},\omega_{1}]|[T_{2},\omega_{2}\!\cdot\!l_{j}]$ ;
(2)

if $j\in I$ then $[\&\{{l}_{i}:{T}_{i}\}_{i\in I},l_{j}\!\cdot\!\omega_{1}]|[T_{2},\omega_{2}]% \rightarrow[T_{j},\omega_{1}]|[T_{2},\omega_{2}]$ ;
(3)

if $[\mathsf{unfold}(T_{1}),\omega_{1}]|[T_{2},\omega_{2}]\rightarrow s$ then $[T_{1},\omega_{1}]|[T_{2},\omega_{2}]\rightarrow s$ .

We write $\rightarrow^{*}$ for the reflexive and transitive closure of the $\rightarrow$ relation. Intuitively a configuration $s$ reduces to configuration $s^{\prime}$ when either (1) a type outputs a message $l_{j}$ , which is added at the end of its partner’s queue; (2) a type consumes an expected message $l_{j}$ from the head of its queue; or (3) the unfolding of a type can execute one of the transitions above.

Next, we define successful configurations as those configurations where both types have terminated (reaching $\mathbf{end}$ ) and both queues are empty. We use this to give our definition of compliance which holds when it is possible to reach a successful configuration from all reachable configurations. {defi}[Successful Configuration] The notion of successful configuration is formalised by a predicate $s\surd$ defined as follows:

[T,\omega_{T}]|[S,\omega_{S}]\surd\;\;\mbox{iff}\;\;\mathsf{unfold}(T)\!=\!% \mathsf{unfold}(S)\!=\!\mathbf{end}\ \text{ and }\ \omega_{T}\!=\!\omega_{S}\!% =\!\epsilon

{defi}

[Compliance] Given a configuration $s$ we say that it is a correct composition if, whenever $s\rightarrow^{*}s^{\prime}$ , there exists a configuration $s^{\prime\prime}$ such that $s^{\prime}\rightarrow^{\ast}s^{\prime\prime}$ and $s^{\prime\prime}\surd$ .

Two session types $T$ and $S$ are compliant if $[T,\epsilon]|[S,\epsilon]$ is a correct composition.

Observe that our definition of compliance is stronger than what is generally considered in the literature on session types, e.g., [LangeY19, LY17, DY13], where two types are deemed compliant if all messages that are sent are eventually received, and each non-terminated type can always eventually make a move. Compliance is analogous to the notion of correct session in [Padovani16] but in an asynchronous setting.

A consequence of Definition 2.2 is that it is generally not the case that a session type $T$ is compliant with its dual $\overline{T}$ , as we show in the example below. {exa} The session type $T=\&\{l_{1}:\mathbf{end},\ l_{2}:\mu\mathbf{t}.\oplus\{l_{3}:\mathbf{t}\}\}$ and its dual $\overline{T}=\oplus\{l_{1}:\mathbf{end},\ l_{2}:\mu\mathbf{t}.\&\{l_{3}:% \mathbf{t}\}\}$ are not compliant. Indeed, when $\overline{T}$ sends label $l_{2}$ , the configuration $[\mathbf{end},\epsilon]|[\mathbf{end},\epsilon]$ is no longer reachable.

We introduce a notion of refinement that preserves compliance. This follows previous work done in the context of behavioural contracts [BravettiZ08] and synchronous multi-party session types [Padovani16]. The key difference with these works is that we are considering asynchronous communication based on (unbounded) fifo queues. Asynchrony makes fair refinement undecidable, as we show below.

{defi}

[Refinement] A session type $T$ refines $S$ , written $T\sqsubseteq S$ , if for every $S^{\prime}$ s.t. $S$ and $S^{\prime}$ are compliant then $T$ and $S^{\prime}$ are also compliant. In contrast to traditional (synchronous and asynchronous) subtyping for session types [GH05, MariangiolaPreciness, ESOP09], this refinement is not covariant on outputs, i.e., it does not always allow a refined type to have output selections with less labels.¹¹1The synchronous subtyping in [GH05] follows a channel-oriented approach; hence it has the opposite direction and is contravariant on outputs.

{exa}

Let $T=\mu\mathbf{t}.\oplus\{l_{1}:\mathbf{t}\}$ and $S=\mu\mathbf{t}.\oplus\{l_{1}:\mathbf{t},\ l_{2}:\mathbf{end}\}$ . We have that $T$ is a synchronous (and asynchronous) subtype of $S$ . However $T$ is not a refinement of $S$ . In particular, the type $\overline{S}=\mu\mathbf{t}.~{}\&\{l_{1}:\mathbf{t},\ l_{2}:\mathbf{end}\}$ is compliant with $S$ but not with $T$ , since $T$ does not terminate.

2.3. Undecidability of Fair Refinement

Next, we show that the refinement relation $\sqsubseteq$ is generally undecidable. The proof of undecidability exploits results from the tradition of computability theory, i.e., Turing completeness of queue machines. The crux of the proof is to reduce the problem of checking the reachability of a given state in a queue machine to the problem of checking the refinement between two session types.

Preliminaries

Below we consider only state reachability in queue machines, and not the typical notion of the language recognised by a queue machine (see, e.g., [BravettiCZ17] for a formalisation of queue machines). Hence, we use a simplified formalisation, where no input string is considered.

{defi}

[Queue Machine] A queue machine $M$ is defined by a five-tuple $(Q,\Gamma,\$,s,\delta)$ where:

•

$Q$ is a finite set of states;
•

$\Gamma$ is a finite set denoting the queue alphabet (ranged over by $A,B,C,X$ );
•

$\$\in\Gamma$ is the initial queue symbol;
•

$s\in Q$ is the start state;
•

$\delta:Q\times\Gamma\rightarrow Q\times\Gamma^{*}$ is the transition function ( $\Gamma^{*}$ is the set of sequences of symbols in $\Gamma$ ).

Considering a queue machine $M=(Q,\Gamma,\$,s,\delta)$ , a configuration of $M$ is an ordered pair $(q,\gamma)$ where $q\in Q$ is its current state and $\gamma\in\Gamma^{*}$ is the queue. The starting configuration is $(s,\$)$ , consisting of the start state $s$ and the initial queue symbol $\$$ .

Next, we define the transition relation ( $\rightarrow_{M}$ ), leading a configuration to another, and the related notion of state reachability. {defi}[State Reachability] Given a machine $M\!\!=\!\!(Q,\Gamma,\$,s,\delta)$ , the transition relation $\rightarrow_{M}$ over configurations $Q\times\Gamma^{*}$ is defined as follows. For $p,q\in Q$ , $A\in\Gamma$ , and $\alpha,\gamma\in\Gamma^{*}$ , we have $(p,A\alpha)\rightarrow_{M}(q,\alpha\gamma)$ whenever $\delta(p,A)=(q,\gamma)$ . Let $\rightarrow_{M}^{*}$ be the reflexive and transitive closure of $\rightarrow_{M}$ .

A target state $q_{f}\in Q$ is reachable in $M$ if there is $\gamma\in\Gamma^{*}$ s.t. $(s,\$)\rightarrow_{M}^{*}(q_{f},\gamma)$ .

Since queue machines can deterministically encode Turing machines (see, e.g., [BravettiCZ17]), checking state reachability for queue machines is undecidable.

To prove the undecidability of fair refinement, we consider an arbitrary queue machine $M$ , and a target state $q_{f}$ for which we define two session types $T$ and $S$ such that $T\sqsubseteq S$ if and only if state $q_{f}$ is reachable in $M$ . Hereafter, we use convenient notations for denoting output selections and input branchings. Instead of using labels indexed on an indexing set $I$ , as in the input branching syntax $\&\{{l}_{i}:{T}_{i}\}_{i\in I}$ , we also use explicitly distinct labels, as in $\&\{l:T_{l},m:T_{m}\}$ (we use the same notation for output selections). We also use the union operator to combine disjoint sets of labels, for instance, instead of writing $\oplus\{l_{k}:T_{k}\}_{k\in I\cup J}$ , we use the notation $\oplus\{l_{i}:T_{i}\}_{i\in I}\cup\{l_{j}:T_{j}\}_{j\in J}$ (we use the same notation for input branchings).

We start by defining the type $T=[\![M,q_{f},E]\!]$ .²²2In the definition of the type $T=[\![M,q_{f},E]\!]$ , as well as in the definition $S=[\![M,E]\!]$ , we make the non restrictive assumption that the set of labels $\mathcal{L}$ of the Definition 2.1 of the syntax of session types includes the symbols in the considered queue machine alphabet $\Gamma$ plus the additional symbol $E$ . This type reproduces the finite control of the queue machine $M$ , with a couple of differences: ( $i$ ) it initialises the queue with symbol $\$$ , and ( $ii$ ) the state $q_{f}$ produces the additional ending symbol $E$ to communicate the end of the computation, then it consumes all symbols in the queue and successfully terminates when $E$ is read from the queue. In this way, the queue is empty when the type $T$ successfully terminates.

{defi}

[Finite Control Encoding] Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine, $q_{f}\in Q$ , and $E\not\in\Gamma$ be the additional ending symbol; we define $[\![M,q_{f},E]\!]$ as follows:

[\![M,q_{f},E]\!]\ =\oplus\{\$:[\![{s}]\!]^{\emptyset}\}

where, given $q\in Q\setminus\{q_{f}\}$ and $\mathcal{S}\subseteq Q$ , $[\![{q}]\!]^{\mathcal{S}}$ is defined as follows:

\begin{array}[]{l}[\![{q}]\!]^{\mathcal{S}}=\left\{\begin{array}[]{l}\mu% \mathbf{q}.\&\{{A}\!:\!{\oplus\{{B^{A}_{1}}:{\cdots\oplus\{{B^{A}_{n_{A}}}:{[% \![{q^{\prime}}]\!]^{\mathcal{S}\cup q}}\}}\}}\}_{A\in\Gamma}\\[2.84526pt] \hskip 25.6073pt\text{if }q\not\in{\mathcal{S}}\text{ and }\delta(q,A)=(q^{% \prime},B^{A}_{1}\cdots B^{A}_{n_{A}})\\ \\ \mathbf{q}\qquad\mbox{if $q\in{\mathcal{S}}$}\end{array}\right.\end{array}

while $[\![{q_{f}}]\!]^{\mathcal{S}}=\oplus\big{\{}E:\big{(}\mu\mathbf{\mathbf{t}}.\&% \{{A}\!:\!{\mathbf{t}}\}_{A\in\Gamma}\cup\{E:\mathbf{end}\}\big{)}\ \big{\}}$

We now define the type $S=[\![M,E]\!]$ , that repeatedly behaves like a producer/consumer for all the symbols of the queue alphabet plus the ending symbol $E$ , with the difference that after producing and consuming the ending symbol $E$ , the type becomes $\mathbf{end}$ .

{defi}

[Producer/consumer] Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine and $E\not\in\Gamma$ be the ending symbol. We define $[\![M,E]\!]$ as

[\![M,E]\!]=\mu\mathbf{\mathbf{t}}.\oplus\{{A}:{\&\{A:\mathbf{t}\}}\}_{A\in% \Gamma}\cup\{E:\&\{E:\mathbf{end}\}\}

While $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ may appear unrelated, we have that under some conditions $T\sqsubseteq S$ holds. Namely, $T\sqsubseteq S$ if and only if $q_{f}$ is reachable in $M$ . To prove this, we first characterize the set of types that are compliant with $S$ . This set consists of types that have the same behaviour (according to type bisimilarity) of $\overline{S}$ , i.e., the dual of $S$ . The type $\overline{S}$ , instead of being a producer/consumer, is a consumer/producer which sends the messages it receives back to the partner. This simulates a FIFO queue that receives messages and sends messages in the same order of reception. Hence, the finite control encoding $T$ , when combined with such consumer/producer (i.e. any type having the same behaviour of $\overline{S}$ ), faithfully reproduces the same behaviour of the encoded queue machine. A successful configuration can be reached only if the type modeling the finite control terminates, and this is possible only if the final state $q_{f}$ is reached.

As mentioned above, the proof relies on the notion of type bisimilarity.

{defi}

[Type bisimilarity]

A relation $\,\mathcal{R}\!\!\;$ on session types is a bisimulation whenever $(T,S)\in\mathcal{R}$ implies:

(1)

if $T=\mathbf{end}$ then $\mathsf{unfold}(S)=\mathbf{end}$ ;
(2)

if $T=\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}$ then ${\mathsf{unfold}(S)}=\oplus\{{l}_{i}:{S}_{i}\}_{i\in I}$ with $\forall i\in I.\,(T_{i},S_{i})\in\mathcal{R}$ ;
(3)

if $T=\&\{{l}_{i}:{T}_{i}\}_{i\in I}$ then ${\mathsf{unfold}(S)}=\&\{{l}_{i}:{S}_{i}\}_{i\in I}$ with $\forall i\in I.\,(T_{i},S_{i})\in\mathcal{R}$ ;
(4)

if $T=\mu\mathbf{t}.{T^{\prime}}$ then $(T^{\prime}\{T/\mathbf{t}\},S)\in\mathcal{R}$ .

$T$ is bisimilar to $S$ , written $T\sim S$ , if there is a bisimulation $\mathcal{R}$ such that $(T,S)\in\mathcal{R}$ .

Session type bisimilarity will be used only in the proof of undecidability of refinement and will not be involved in further developments in the remainder of the paper. Namely, we need bisimilarity in Lemma 3 to characterise the session types that are compliant with $S=[\![M,E]\!]$ . Notice also that the relation $\sim$ is symmetric, i.e., if $(S,T)\in\ \sim$ then also $(T,S)\in\ \sim$ . In fact, the first three items of the above Definition simply check whether the l.h.s. and the r.h.s. terms are either both $\mathbf{end}$ or have the same branching structure (i.e., the same set of labels) up-to unfolding of the r.h.s. But the same effect of unfolding on the r.h.s. can be obtained on the l.h.s. by (possibly repeated) application of the fourth item of the above definition.

In the proof of undecidability of refinement we need a result about bisimilar session types, i.e., bisimilarity preserves compliance. Namely, we have that $T$ is compliant with $S$ if and only if $T^{\prime}$ is compliant with $S^{\prime}$ assuming $T\sim T^{\prime}$ and $S\sim S^{\prime}$ . This is an immediate corollary of the following Lemma (which directly follows from the bisimilarity of the considered types $T$ and $R$ ).

Lemma 1.

Consider the configuration $[T,\omega_{T}]|[S,\omega_{S}]$ and the session type $R$ s.t. $T\sim R$ . We have that:

•

$[T,\omega_{T}]|[S,\omega_{S}]\surd$ if and only if $[R,\omega_{T}]|[S,\omega_{S}]\surd$ ;
•

$[T,\omega_{T}]|[S,\omega_{S}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T^{% \prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]$ if and only if there exists $R^{\prime}\sim T^{\prime}$ s.t. $[R,\omega_{T}]|[S,\omega_{S}]\stackrel{{\scriptstyle}}{{\rightarrow}}[R^{% \prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]$ .

Corollary 2.

Consider two pairs of bisimilar session types: $T\sim T^{\prime}$ and $S\sim S^{\prime}$ . We have that $T$ is compliant with $S$ if and only if $T^{\prime}$ is compliant with $S^{\prime}$ . Moreover, we have that $T\sqsubseteq S$ if and only if $T^{\prime}\sqsubseteq S^{\prime}$ .

As informally mentioned above, type bisimilarity allows us to characterize the set of types that are compliant with a producer/consumer type $S=[\![M,E]\!]$ , for some queue machine $M$ and additional ending symbol $E$ . This result is formalized by the following Lemma (proof in Appendix A.1).

Lemma 3.

Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine and $E\not\in\Gamma$ the additional ending symbol. Posing $S=[\![M,E]\!]$ , for every session type $S^{\prime}$ with input/output labels in $\Gamma\cup\{E\}$ we have that $S^{\prime}$ is compliant with $S$ if and only if $S^{\prime}\sim\overline{S}$ .

The type $\overline{S}$ behaves like a FIFO queue, which simply returns the messages it has received from the partner (in the same order). Hence a type simulating the finite control $T=[\![M,q_{f},E]\!]$ , for the same queue machine $M$ and additional ending symbol $E$ as above, turns out to be compliant with $\overline{S}$ if and only if the final state $q_{f}$ is reachable in $M$ (remember that only the encoding of $q_{f}$ allows to reach $\mathbf{end}$ ). This result is formalized in the next theorem (proof in Appendix A.1).

Theorem 4.

Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine, $q_{f}\in Q$ , $E\not\in\Gamma$ the additional ending symbol. Posing $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ , we have that $T$ is compliant with $\overline{S}$ if and only if $q_{f}$ is reachable in $M$ .

Notice that the above theorem formalizes a reduction from the reachability problem in queue machines to the verification of compliance between session types. Hence, we can already conclude that the compliance relation is undecidable.

We now combine Corollary 2, Lemma 3 and Theorem 4 to prove the undecidability of refinement. Consider the two above types $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ . By Lemma 3 we have that $S$ is compliant only with $\overline{S}$ and its bisimilar types. Given that bisimulation preserves compliance (Corollary 2) we have that $T$ refines $S$ if and only if it is compliant with $\overline{S}$ . But the latter holds if and only if $q_{f}$ is reachable in $M$ (Theorem 4). In this way we reduce the reachability problem in queue machines to the verification of refinement between session types. We formally state this result in the theorem below (proof in Appendix A.1).

Theorem 5.

Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine, $q_{f}\in Q$ , $E\not\in\Gamma$ the additional ending symbol. Posing $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ , we have that $T\sqsubseteq S$ if and only if $q_{f}$ is reachable in $M$ .

As a direct consequence of the above theorem and the undecidability of reachability in queue machines, we can conclude that refinement (Definition 2.2) is also undecidable.

Corollary 6.

Given two session types $T$ and $S$ , it is in general undecidable to check whether $T\sqsubseteq S$ holds.

2.4. Controllability and its Decidability

Given a notion of compliance, controllability amounts to checking the existence of a compliant partner (see, e.g., [Loh08, Wei08, BZ09a]). In our setting, a session type is controllable if there exists another session type with which it is compliant.

Checking for controllability algorithmically is not trivial as it requires to consider infinitely many potential partners. For the synchronous case, an algorithmic characterisation was studied in [Padovani16]. In the asynchronous case, the problem is even harder because each of the infinitely many potential partners may generate an infinite state computation (due to unbounded buffers): specifically this reflects in the proof of its algorithmic characterisation. The main contribution of this subsection is, thus, to give an algorithmic characterisation of controllability in the asynchronous setting that is proven to be sound and complete. Doing this is important because controllability is an essential ingredient for defining fair asynchronous subtyping, see Section 3.

Figure 2. Example of an uncontrollable session type, see Example 2.4.

{defi}

[Characterisation of Controllability, $T\,\mathsf{ctrl}$ ] We preliminarly define judgement $T\,\mathsf{ok}$ for session types $T$ having single input choices, i.e. such that all their input branches include just one possible choice. $T\,\mathsf{ok}$ is defined inductively as follows: {mathpar} \inferrule end ok

\inferrule

end∈T T{ $\nicefrac{{\mathbf{end}}}{{\mathbf{t}}}$ } ok μt.T ok

\inferrule

T ok &{l:T} ok

\inferrule

∀i ∈I . T_i ok ⊕{l_i:T_i}_i∈I ok where $\mathbf{end}\in T$ holds if $\mathbf{end}$ occurs in $T$ .

We now define predicate $T\,\mathsf{ctrl}$ over arbitrary session types $T$ as follows. $T\,\mathsf{ctrl}$ holds true if and only if there exists $T^{\prime}$ such that:

(1)

$T^{\prime}$ is obtained from $T$ by syntactically replacing every input choice $\&\{{l}_{i}:{T}_{i}\}_{i\in I}$ occurring in $T$ with a term $\&\{{l_{j}}:{T^{\prime}_{j}}\}$ (with $j\in I$ ). Formally this is denoted by $T\;\mathsf{sin}\;T^{\prime}$ , where $\mathsf{sin}$ (standing for “single input choices”) is defined as the smallest relation over session types such that: {mathpar} \inferrule end sin end

\inferrule
t sin t

\inferrule
T sin T’ μt.T sin μt.T’

\inferrule
T_j sin T’_j j ∈I &{l_i:T_i}_i∈I sin &{l_j:T’_j}

\inferrule
∀i ∈I . T_i sin T’_i ⊕{l_i:T_i}_i∈I sin ⊕{l_i:T’_i}_i∈I In the following we use $\mathsf{sin}(T)$ to denote the set of single input choice types $T^{\prime}$ such that $T\;\mathsf{sin}\;T^{\prime}$ .
(2)

$T^{\prime}\,\mathsf{ok}$ holds true.

A type $T$ such that $T\,\mathsf{ctrl}$ is indeed controllable, in that $\overline{T^{\prime}}$ , the dual of type $T^{\prime}$ considered above, is compliant with $T$ (the predicate $\mathbf{end}\!\in\!T$ in the premise of the rule for recursion guarantees that a successful configuration is always reachable while looping). Moreover the above definition naturally yields a simple algorithm that decides whether or not $T\,\mathsf{ctrl}$ holds for a type $T$ , i.e., we first pick a single branch for each input prefix syntactically occurring in $T$ (there are finitely many of them) and then we inductively check if $T^{\prime}\,\mathsf{ok}$ holds.

{exa}

Consider the session type $T$ (see Figure 2 for a graphical representation):

T=\mu\mathbf{t}.~{}\&\{l_{1}:\&\{l_{2}:\oplus\{l_{4}:\mathbf{end},\ l_{5}:\mu% \mathbf{t^{\prime}}.\oplus\{l_{6}:\mathbf{t^{\prime}}\}\},\ l_{3}:\mathbf{t}\}\}

$T\,\mathsf{ctrl}$ does not hold because it is not possible to construct a $T^{\prime}$ as specified in Definition 2 for which $T^{\prime}\,\mathsf{ok}$ holds. In this case we have just two possible types $T^{\prime}$ that can be obtained by input choice replacement: $T^{\prime}=\mu\mathbf{t}.~{}\&\{l_{1}:\&\{l_{3}:\mathbf{t}\}\}$ and $T^{\prime}=\mu\mathbf{t}.~{}\&\{l_{1}:\&\{l_{2}:\oplus\{l_{4}:\mathbf{end},\ l% _{5}:\mu\mathbf{t^{\prime}}.\oplus\{l_{6}:\mathbf{t^{\prime}}\}\}\}\}$ . For the former $T^{\prime}\,\mathsf{ok}$ does not hold because there is no $\mathbf{end}$ in the body of $\mu\mathbf{t}$ ; for the latter, instead, $T^{\prime}\,\mathsf{ok}$ does not hold because there is no $\mathbf{end}$ in the body of $\mu\mathbf{t^{\prime}}$ .

As a result of Theorem 7 (below), there is no session type $S$ that is compliant with $T$ . Hence $T$ is not controllable.

The following theorem shows that the judgement $T\,\mathsf{ctrl}$ , as defined above, precisely characterises controllability (i.e., the existence of a compliant type). Its proof is rather complex (it requires introducing significant auxiliary technical machinery) and can be found in Appendix A.2.

Theorem 7.

$T\,\mathsf{ctrl}$ holds if and only if there exists a session type $S$ such that $T$ and $S$ are compliant.

Sketch of the proof. The proof relies on expressing session types via a set of equations, where each of the variables $\mathbf{t}$ is mapped to an equation. In essence, from $T$ controllable we show that there exists a compliant type by considering the type $\overline{T^{\prime}}$ (in equation set notation), where $T^{\prime}$ is the type with single input branches obtained from $T$ by input choice replacement. The more difficult part of the proof is the opposite implication, where from the existence of any compliant $S$ we show that $T$ is controllable. This amounts to show that it is possible to build $T^{\prime}$ from the transition system of the correct composition $[T,\epsilon]|[S,\epsilon]$ (in equation set notation), which is, in general, infinite state. ∎

3. Fair Asynchronous Session Subtyping

In this section, we present our novel variant of asynchronous subtyping which we call fair asynchronous subtyping.

First, we need to define a distinctive notion of unfolding. As anticipated in the introduction (see the discussion about Figure 1), our subtyping will identify the type $T^{\prime}_{G}$ as a subtype of $T_{G}$ , with

T_{G}\ =\ \mu\mathbf{t}.~{}\&\{\mathit{tm}:\mathbf{t},\mathit{over}:\mu\mathbf% {t^{\prime}}.\oplus\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end% }\}\}

Following the approach taken in other definitions of asynchronous subtyping [MY15, MariangiolaPreciness, CDY2014], our definition will require to decompose the candidate supertype ( $T_{G}$ in our case) as an input context, with holes filled with subtypes starting with output selections. Notice that the subterm $\oplus\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end}\}$ of $T_{G}$ which starts with an output selection is not a correct subtype because it contains the free occurrence of the recursive variable $\mathbf{t^{\prime}}$ . Our distinctive notion of unfolding, will replace such free variable with its definition. More precisely, we define the function $\mathsf{selUnfold}(T)$ to unfold type $T$ by replacing recursion variables with their corresponding definitions only if they are guarded by an output selection. In the definition, we use the predicate $\oplus\mathit{g}(\mathbf{t},T)$ which holds if all instances of variable $\mathbf{t}$ are output selection guarded, i.e., $\mathbf{t}$ occurs free in $T$ only inside subterms ${\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}}$ .

{defi}

[Selective Unfolding] Given a term $T$ , we define $\mathsf{selUnfold}(T)=$

\begin{cases}\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}&\text{if }T={\oplus\{{l}_{i}:{% T}_{i}\}_{i\in I}}\\ \&\{l_{i}:\mathsf{selUnfold}(T_{i})\}_{i\in I}&\text{if }T={\&\{{l}_{i}:{T}_{i% }\}_{i\in I}}\\ T^{\prime}\{\nicefrac{{\mu\mathbf{t}.T^{\prime}}}{{\mathbf{t}}}\}&\text{if }T=% {\mu\mathbf{t}.T^{\prime}}\text{, $\oplus\mathit{g}(\mathbf{t},T^{\prime})$}\\ \mu\mathbf{t}.\mathsf{selUnfold}(\mathsf{selRepl}(\mathbf{t},\mathbf{\hat{t}},% T^{\prime})\{\nicefrac{{\mu\mathbf{t}.T^{\prime}}}{{\mathbf{\hat{t}}}}\})\ % \mathit{with}\ \mathbf{\hat{t}}\ \mathit{fresh}&\text{if }T={\mu\mathbf{t}.T^{% \prime}}\text{, $\lnot\oplus\mathit{g}(\mathbf{t},T^{\prime})$}\\ \mathbf{t}&\text{if }T={\mathbf{t}}\\ \mathbf{end}&\text{if }T={\mathbf{end}}\end{cases}

where, $\mathsf{selRepl}(\mathbf{t},\mathbf{\hat{t}},T^{\prime})$ is obtained from $T^{\prime}$ by replacing the free occurrences of $\mathbf{t}$ that are inside a subterm $\oplus\{{l}_{i}:{S}_{i}\}_{i\in I}$ of $T^{\prime}$ by $\mathbf{\hat{t}}$ .

{exa}

Consider the type $T=\mu\mathbf{t}.\&\{l_{1}:\mathbf{t},\,l_{2}:\oplus\{l_{3}:\mathbf{t}\}\}$ , then we have

\mathsf{selUnfold}(T)=\mu\mathbf{t}.\&\{l_{1}:\mathbf{t},\,l_{2}:\oplus\{l_{3}% :\mu\mathbf{t}.~{}\&\{l_{1}:\mathbf{t},\,l_{2}:\oplus\{l_{3}:\mathbf{t}\}\}\}\}

i.e., the type is only unfolded within output selection sub-terms. Note that $\mathbf{\hat{t}}$ is used to identify where unfolding must take place, e.g.,
$\mathsf{selRepl}(\mathbf{t},\mathbf{\hat{t}},\&\{l_{1}:\mathbf{t},\,l_{2}:% \oplus\{l_{3}:\mathbf{t}\}\})={\&\{l_{1}:\mathbf{t},\,l_{2}:\oplus\{l_{3}:% \mathbf{\hat{t}}\}\}}$ .

The last auxiliary notation required to define our notion of subtyping is that of input contexts, which are used to record inputs that may be delayed in a candidate super-type. In contrast to previous works on asynchronous subtyping, these input contexts may include recursive constructs. {defi}[Input Context] An input context $\mathcal{A}$ is a session type with several holes defined by the syntax:

\mathcal{A}\ ::=\ \quad[\,]^{k}\quad\mid\qquad\&\{{l}_{i}:{\mathcal{A}}_{i}\}_% {i\in I}\quad\mid\qquad\mu\mathbf{t}.{\mathcal{A}}\quad\mid\qquad\mathbf{t}

where the holes $[\,]^{k}$ , with $k\in K$ , of an input context $\mathcal{A}$ are assumed to be pairwise distinct. We assume that recursion is guarded, i.e., in an input context $\mu\mathbf{t}.{\mathcal{A}}$ , the recursion variable $\mathbf{t}$ must occur within a subterm $\&\{{l}_{i}:{\mathcal{A}}_{i}\}_{i\in I}$ .

We write $\mathit{holes}(\mathcal{A})$ for the set of hole indices in $\mathcal{A}$ . Given a type $T_{k}$ for each $k\in K$ , we write $\mathcal{A}[{T_{k}}]^{k\in K}$ for the type obtained by filling each hole $k$ in $\mathcal{A}$ with the corresponding $T_{k}$ .

In contrast to previous works [MariangiolaPreciness, ESOP09, CDY2014, BravettiCZ17, sefm19, BCLYZ19], these input contexts may contain recursive constructs. This is crucial to deal with examples such as Figure 1.

We are now ready to define the fair asynchronous subtyping relation, written $\operatorname{\leq}$ . The rationale behind asynchronous session subtyping is that under asynchronous communication it is unobservable whether or not an output is anticipated before an input, as long as this output is executed along all branches of the candidate super-type. Besides the usage of our new recursive input contexts the definition of fair asynchronous subtyping differs from those in [MariangiolaPreciness, ESOP09, CDY2014, BravettiCZ17, sefm19, BCLYZ19] in that controllability plays a fundamental role: the subtype is not required to mimic supertype inputs leading to uncontrollable behaviours.

{defi}

[Fair Asynchronous Subtyping, $\operatorname{\leq}$ ]

A relation $\,\mathcal{R}\!\!\;$ on session types is a controllable subtyping relation whenever

$(T,S)\in\mathcal{R}$ implies:

(1)

if $T=\mathbf{end}$ then $\mathsf{unfold}(S)=\mathbf{end}$ ;
(2)

if $T=\mu\mathbf{t}.{T^{\prime}}$ then $(T^{\prime}\{\nicefrac{{T}}{{\mathbf{t}}}\},S)\in\mathcal{R}$ ;
(3)

if $T=\&\{{l}_{i}:{T}_{i}\}_{i\in I}$ then $\mathsf{unfold}(S)=\&\{{l}_{j}:{S}_{j}\}_{j\in J}$ , $I\supseteq K$ , and $\forall k\in K\ldotp(T_{k},S_{k})\in\mathcal{R}$ , where $K=\{k\in J\;|\;S_{k}\text{ is controllable}\}$ ;
(4)

if $T=\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}$ then $\mathsf{selUnfold}(S)\!=\!\mathcal{A}[{\oplus\{{l}_{i}\!:\!{S_{k}}_{i}\}_{i\in I% }}]^{k\in K}$ and $\forall i\!\in\!I.\,(T_{i},\mathcal{A}[{{S_{ki}}}]^{k\in K})\!\in\!\mathcal{R}$ .

$T$ is a controllable subtype of $S$ if there is a controllable subtyping relation $\mathcal{R}$ s.t. $(T,S)\,\in\,\mathcal{R}$ .

$T$ is a fair asynchronous subtype of $S$ , written $T\,\operatorname{\leq}\,S$ , whenever: $S$ controllable implies that $T$ is a controllable subtype of $S$ . Notice that the top-level check for controllability in the above definition is consistent with the inner controllability checks performed in Case $(3)$ .

Subtyping simulation game

Session type $T$ is a fair asynchronous subtype of $S$ if $S$ is not controllable or if $T$ is a controllable subtype of $S$ . Intuitively, the above co-inductive definition says that it is possible to play a simulation game between a subtype $T$ and its supertype $S$ as follows. Case (1) says that if $T$ is the $\mathbf{end}$ type, then $S$ must also be $\mathbf{end}$ . Case (2) says that if $T$ is recursively defined, then $T$ is replaced by the unfolding of its definition, $S$ is left unchanged and the simulation game continues. Case (3) says that if $T$ is an input branching, then the sub-terms in $S$ that are controllable can reply by inputting at most some of the labels $l_{i}$ in the branching (contravariance of inputs), and the simulation game continues (see Example 3). Case (4) says that if $T$ is an output selection, then $S$ can reply by outputting all the labels $l_{i}$ in the selection, possibly after executing some inputs, after which the simulation game continues. We comment further on Case (4) with Example 3.

{exa}

Consider $T=\&\{l_{1}:\mathbf{end},\ l_{2}:\mathbf{end}\}$ and $S=\&\{l_{1}:\mathbf{end},\ l_{3}:\mu\mathbf{t}.\oplus\{l_{4}:\mathbf{t}\}\}$ . We have $T\operatorname{\leq}S$ . Once branch $l_{3}$ , that is uncontrollable, is removed from $S$ , we can apply contravariance for input branching. We have $I=\{1,2\}\supseteq\{1\}=K$ in Definition 3.

{exa}

Consider $T_{G}$ and $T^{\prime}_{G}$ from Figure 1. For the pair $(T^{\prime}_{G},T_{G})$ , we apply Case (4) of Definition 3 for which we compute

\mathsf{selUnfold}(T_{G})=\mathcal{A}[\oplus\{\mathit{tc}:\mu\mathbf{t^{\prime% }}.\oplus\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end}\},% \mathit{done}:\mathbf{end}\}]

with $\mathcal{A}=\mu\mathbf{t}.\&\{\mathit{tm}:\mathbf{t},\mathit{over}:[\,]^{1}\}$ . Observe that $\mathcal{A}$ contains a recursive sub-term, such contexts are not allowed in previous works [MariangiolaPreciness, ESOP09, CDY2014].

The use of selective unfolding makes it possible to express $T_{G}$ in terms of a recursive input context $\mathcal{A}$ with holes filled by types (i.e., closed terms) that start with an output prefix. Indeed selective unfolding does not unfold the recursion variable $\mathbf{t}$ (not guarded by an output selection), which becomes part of the input context $\mathcal{A}$ . Instead it unfolds the recursion variable $\mathbf{t}^{\prime}$ (which is guarded by an output selection) so that the term that fills the hole, which is required to start with an output prefix, is a closed term.

Case (4) of Definition 3 requires us to check that the following pairs are in the relation: ( $i$ ) $(T^{\prime}_{G},\mathcal{A}[\mu\mathbf{t^{\prime}}.\oplus\{\mathit{tc}:\mathbf% {t^{\prime}},\mathit{done}:\mathbf{end}\}])$ and ( $ii$ ) $(\mu\mathbf{t^{\prime}}.~{}\&\{\mathit{tm}:\mathbf{t^{\prime}},\mathit{over}:% \mathbf{end}\},\mathcal{A}[\mathbf{end}])$ . Observe that $T_{G}=\mathcal{A}[\mu\mathbf{t^{\prime}}.\oplus\{\mathit{tc}:\mathbf{t^{\prime% }},\mathit{done}:\mathbf{end}\}]$ . Hence, we have $T^{\prime}_{G}\leq T_{G}$ with

\mathcal{R}\!=\!\left\{(T^{\prime}_{G},T_{G}),(\mathbf{end},\mathbf{end}),(\mu% \mathbf{t^{\prime}}.\&\{\mathit{tm}\!:\mathbf{t^{\prime}},\mathit{over}\!:% \mathbf{end}\},\mu\mathbf{t}.\&\{\mathit{tm}\!:\mathbf{t},\mathit{over}\!:% \mathbf{end}\})\right\}

and $\mathcal{R}$ is a controllable subtyping relation.

We show that fair asynchronous subtyping is sound w.r.t. fair refinement. In fact, fair asynchronous subtyping can be seen as a sound coinductive characterisation of fair refinement. Namely this result gives an operational justification to the syntactical definition of fair asynchronous session subtyping. Note that $\operatorname{\leq}$ is not complete w.r.t. $\sqsubseteq$ , see Example 3.

The proof of soundness of fair asynchronous subtyping w.r.t. fair refinement is rather complex and can be found in Appendix A.3, here we report the two main results and a sketch of their proofs.

Proposition 8.

Given two session types $T$ and $S$ , if $T\operatorname{\leq}S$ then, for every $\omega$ , $R$ , and $\omega_{R}$ such that $[S,\omega]|[R,\omega_{R}]$ is a correct composition, there exist $T^{\prime}$ , $\omega^{\prime}$ , $R^{\prime}$ , and $\omega_{R}^{\prime}$ such that $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[T^{% \prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ and $[T^{\prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]\surd$ .

Sketch of the proof. Given that $[S,\omega]|[R,\omega_{R}]$ is a correct composition, there exist $S^{\prime}$ , $\omega^{\prime\prime}$ , $R^{\prime\prime}$ , and $\omega_{R}^{\prime\prime}$ such that $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]$ and $[S^{\prime},\omega^{\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ . The thesis is proved by induction on the length of this sequence of transitions.

If the length is 0, then $[S,\omega]|[R,\omega_{R}]\surd$ , that implies $\mathsf{unfold}(S)=\mathbf{end}$ , that also implies $\mathsf{unfold}(T)=\mathbf{end}$ (because $T\operatorname{\leq}S$ ), from which we have $[T,\omega]|[R,\omega_{R}]\surd$ .

If the length is greater than 0, we proceed by case analysis on the first possible transition $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[S^{\prime% \prime},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{% \prime\prime\prime}]$ .

If the transition is inferred by $R$ it is sufficient to observe that $S^{\prime\prime}=S$ and $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T,\omega^{% \prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ , and then apply the inductive hypothesis because $[S^{\prime\prime},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_% {R}^{\prime\prime\prime}]$ is a correct composition in that it is reachable from a correct composition.

We now consider that the transition is inferred by $S$ .
There are three possible cases:

(1)

$\mathsf{unfold}(S)=\oplus\{{l}_{i}:{S}_{i}\}_{i\in I}$ ,
(2)

$\mathsf{unfold}(S)=\&\{{l}_{i}:{S}_{i}\}_{i\in I}$ and $T$ starts with an input branching (i.e., $\mathsf{unfold}(T)=\&\{l_{j}:T_{j}\}_{j\in J}$ ),
(3)

$\mathsf{unfold}(S)=\&\{{l}_{i}:{S}_{i}\}_{i\in I}$ and $T$ starts with an output branching (i.e., $\mathsf{unfold}(T)=\oplus\{l_{j}:T_{j}\}_{j\in J}$ ).

In the first two cases we have that the above initial transition is $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}\linebreak[S_% {i},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime% \prime\prime}]$ , for some $i\in I$ . Given that $T\operatorname{\leq}S$ , it is possible to show that $i\in J$ , that $T_{i}\operatorname{\leq}S_{i}$ , and also $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ . Then we can apply the inductive hypothesis because $T_{i}\operatorname{\leq}S_{i}$ and $[S_{i},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime% \prime\prime}]$ is a correct composition.

In the third case, given that $T\operatorname{\leq}S$ , and $S$ is controllable, we have that $\mathsf{selUnfold}(S)=\mathcal{A}[{\oplus\{{l}_{i}:{S_{k}}_{i}\}_{i\in J}}]^{k% \in K}$ , and $\mathsf{unfold}(T)=\oplus\{l_{j}:T_{j}\}_{j\in J}$ with $T_{j}\operatorname{\leq}\mathcal{A}[{S_{kj}}]^{k\in K}$ , for every $j\in J$ . We first observe that the sequence of transitions $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]$ , with $[S^{\prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ , includes at least one output selection $l_{j}$ executed by one of the output selections filling the holes in $\mathcal{A}$ . This label $l_{j}$ is the first one emitted by the l.h.s. type after it has executed input branchings in $\mathcal{A}$ . We have that the same sequence of transitions, excluding the output of $l_{j}$ , can be executed from the configuration $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]$ . Such a sequence is $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]\stackrel{% {\scriptstyle}}{{\rightarrow}}^{*}[S^{\prime},\omega^{\prime\prime}]|[R^{% \prime\prime},\omega_{R}^{\prime\prime}]$ , with $[S^{\prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ ; notice that it is shorter than the above one. We now consider $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T_{i},\omega% ]|[R,\omega_{R}\!\cdot\!{l_{j}}]$ . We can now apply the inductive hypothesis on the shorter sequence $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]\stackrel{% {\scriptstyle}}{{\rightarrow}}^{*}[S^{\prime},\omega^{\prime\prime}]|[R^{% \prime\prime},\omega_{R}^{\prime\prime}]$ , because $T_{j}\operatorname{\leq}\mathcal{A}[{S_{kj}}]^{k\in K}$ (and because it is possible to prove that $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]$ is also a correct composition, see Proposition 22 in Appendix A.3). ∎

Theorem 9.

Given two session types $T$ and $S$ , if $T\operatorname{\leq}S$ then $T\sqsubseteq S$ .

Sketch of the proof. If $S$ is not controllable, then the thesis trivially holds because $T\sqsubseteq S$ for every $T$ .

Consider now $S$ controllable. The thesis is proved by showing that if $T\operatorname{\leq}S$ then, for every $\omega$ , $R$ , and $\omega_{R}$ such that $[S,\omega]|[R,\omega_{R}]$ is a correct composition, we have that the following holds:

if $[T,\omega]|[R,\omega_{R}]\rightarrow[T^{\prime},\omega^{\prime}]|[R^{\prime},% \omega_{R}^{\prime}]$ then there exists $S^{\prime}$ such that $T^{\prime}\operatorname{\leq}S^{\prime}$ and $[S^{\prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ is a correct composition.

The above implies the thesis because, given $T\operatorname{\leq}S$ and the correct composition $[S,\epsilon]|[R,\epsilon]$ , if there exists a computation $[T,\epsilon]|[R,\epsilon]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[T^{% \prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ , we can apply the above result on each step of the computation to prove that there exists $S^{\prime}$ such that $T^{\prime}\operatorname{\leq}S^{\prime}$ and $[S^{\prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ is a correct composition. Then, by Proposition 8, we have that there exist $T^{\prime\prime}$ , $\omega^{\prime\prime}$ , $R^{\prime\prime}$ , and $\omega_{R}^{\prime\prime}$ such that $[T^{\prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]\stackrel{{% \scriptstyle}}{{\rightarrow}}^{*}[T^{\prime\prime},\omega^{\prime\prime}]|[R^{% \prime\prime},\omega_{R}^{\prime\prime}]$ and $[T^{\prime\prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime% \prime}]\surd$ . ∎

{exa}

Let $T=\oplus\{l_{1}:\&\{l_{3}:\mathbf{end}\}\}$ and $S=\&\{l_{3}:\!\oplus\{l_{1}:\mathbf{end},\ l_{2}:\mathbf{end}\}\}$ . We have $T\sqsubseteq S$ , but $T$ is not a fair asynchronous subtype of $S$ since $\{l_{1}\}\neq\{l_{1},l_{2}\}$ , i.e., covariance of outputs is not allowed.

3.1. Undecidability of fair asynchronous session subtyping

In this section we address the problem of checking fair asynchronous session subtyping, and we show that it is actually undecidable. We have already proved that the fair refinement relation $\sqsubseteq$ is undecidable (Corollary 6) and that the fair asynchronous subtyping relation $\operatorname{\leq}$ is a subset of the refinement relation $\sqsubseteq$ (Theorem 9). From these results we cannot immediately conclude that fair asynchronous subtyping is also undecidable; hence we need a specific proof for this additional undecidability result. The approach we take has some commonalities with the one adopted in Section 2.3, as we also proceed by reduction from undecidability properties in queue machines. Nevertheless, there are several relevant differences. First, we consider termination in queue machines instead of state reachability. Then we need to slightly modify the encodings of both the finite control and of the queue of the considered machine. And finally, the proof of correctness of the encoding is significantly different as subtyping is defined on the syntax of types, while refinement is defined on the operational semantics of (the parallel composition of) session types.

As anticipated above, we reduce the problem of checking the (non)termination of a queue machine to the problem of checking subtyping between two session types. In Definition 2.3 we have defined $(q,\gamma)\rightarrow_{M}(q^{\prime},\gamma^{\prime})$ denoting computation steps of a queue machine. We have that one queue machine $M$ terminates if and only if there exists a configuration with empty queue that is reachable from the initial configuration, i.e., $(s,\$)\rightarrow_{M}^{*}(q^{\prime},\epsilon)$ . This holds because the transition function is total in queue machines, hence if the queue is not empty there is always a possible transition. In case the queue machine does not terminate, we have that $(q,\$)\rightarrow_{M}^{*}(q^{\prime},\gamma^{\prime})$ implies the existence of an additional computation step $(q^{\prime},\gamma^{\prime})\rightarrow_{M}(q^{\prime\prime},\gamma^{\prime% \prime})$ .

Given a queue machine $M=(Q,\Gamma,\$,s,\delta)$ and an additional ending symbol $E\not\in\Gamma$ , we now define the types $T=[\![\![{M,\_,E}]\!]\!]$ and $S=[\![\![{M,E}]\!]\!]$ in such a way that $M$ does not terminate if and only if $T\operatorname{\leq}S$ . The encodings $[\![\![{M,\_,E}]\!]\!]$ and $[\![\![{M,E}]\!]\!]$ are similar to the corresponding encodings $[\![M,q_{f},E]\!]$ and $[\![M,E]\!]$ defined in Definitions 2.3 and 2.3, but with the following differences:

•

there is no specific target state $q_{f}$ ;
•

the encoding $[\![\![{M,E}]\!]\!]$ starts with an input branching with only one branch labeled with the initial queue symbol $\$$ and continuation corresponding to the producer/consumer $[\![M,E]\!]$ as defined in Definition 2.3;
•

in order to be a potential subtype of $S=[\![\![{M,E}]\!]\!]$ , all of the output selections in $T=[\![\![{M,\_,E}]\!]\!]$ must have branchings for all of the symbols in $\Gamma\cup\{E\}$ (because these are the labels in the output selection in the potential supertype); among all of these branchings only one will be consistent with the encoding of the finite control, while the continuations in the other branchings are guaranteed to be always good subtypes (this is guaranteed by a type that nondeterministically produces symbols, and that after producing the ending symbol $E$ it is able to recursively consume all possible symbols in $\Gamma$ , and then become $\mathbf{end}$ after consuming the ending symbol $E$ ).

{defi}

[New Finite Control Encoding] Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine and let $E\not\in\Gamma$ be the additional ending symbol. We define $[\![\![{M,\_,E}]\!]\!]$ as follows:

[\![\![{M,\_,E}]\!]\!]\ =[\![\![{s}]\!]\!]^{\emptyset}

with, given $q\in Q$ and $\mathcal{S}\subseteq Q$ , $[\![\![{q}]\!]\!]^{\mathcal{S}}$ is defined as follows:

\begin{array}[]{l}[\![\![{q}]\!]\!]^{\mathcal{S}}=\left\{\begin{array}[]{l}\mu% \mathbf{q}.\&\{{A}\!:\!{{\{\!\!\{{B^{A}_{1}\cdots B^{A}_{n_{A}}}\}\!\!\}}_{q^{% \prime}}^{\mathcal{S}\cup\{q\}}}\}_{A\in\Gamma}\\[2.84526pt] \hskip 25.6073pt\text{if }q\not\in{\mathcal{S}}\text{ and }\delta(q,A)=(q^{% \prime},B^{A}_{1}\cdots B^{A}_{n_{A}})\\ \\ \mathbf{q}\qquad\mbox{if $q\in{\mathcal{S}}$}\end{array}\right.\end{array}

where

\begin{array}[]{l}{\{\!\!\{{B_{1}\cdots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\!=\!% \left\{\!\!\begin{array}[]{ll}\!{[\![\![{r}]\!]\!]}^{\mathcal{T}}&\text{if }m=% 0\\ \begin{array}[]{ll}\!\!\!\!\oplus&\!\!\!\!\big{(}\big{\{}B_{1}:{\{\!\!\{{B_{2}% \ldots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\big{\}}\cup\\ &\!\big{\{}{A:V}\big{\}}_{A\in\Gamma\setminus\{B_{1}\}}\cup\{E:V^{\prime}\}% \big{)}\end{array}&\text{otherwise}\end{array}\right.\end{array}

{defi}

[New Producer/consumer] Let $M=(Q,\Gamma,\$,s,\delta)$ be a queue machine and $E\not\in\Gamma$ be the ending symbol. We define $[\![\![{M,E}]\!]\!]$ as

[\![\![{M,E}]\!]\!]=\&\{\$:[\![M,E]\!]\}

with $[\![M,E]\!]$ as defined in Definition 2.3.

We now prove that the above two types $T=[\![\![{M,\_,E}]\!]\!]$ and $S=[\![\![{M,E}]\!]\!]$ are such that $T\operatorname{\leq}S$ if and only if the machine $M$ does not terminate. We report a sketch of the proof, the details are in Appendix A.4.

Theorem 10.

Given a queue machine $M$ and the ending symbol $E$ , consider $T=[\![\![{M,\_,E}]\!]\!]$ and $S=[\![\![{M,E}]\!]\!]$ . We have that $T\operatorname{\leq}S$ if and only if $M$ does not terminate.

Sketch of the proof. The only-if part is proved by considering the contrapositive statement, that is, if the queue machine $M$ terminates then $T\not\!\!\!\,\operatorname{\leq}S$ . If the queue machine terminates, we have that $(s,\$)\rightarrow_{M}^{*}(q^{\prime},\epsilon)$ . Consider now the pair of types $(T,S)$ with $T=[\![\![{M,\_,E}]\!]\!]$ and $S=[\![\![{M,E}]\!]\!]$ . If, by contradiction, $T\operatorname{\leq}S$ , since $S$ is controllable (it is compliant, e.g., with its dual) we have that by Definition 3 there exists a fair asynchronous subtyping relation $\mathcal{R}$ such that $(T,S)\in\mathcal{R}$ . By applying the definition of fair asynchronous subtyping relation we have that $\mathcal{R}$ will have to include other pairs of types $(T^{\prime\prime},S^{\prime\prime})$ corresponding with configurations $(q^{\prime\prime},\gamma^{\prime\prime})$ reachable in the queue machine $M$ . The types $T^{\prime\prime}$ represent the corresponding state $q^{\prime\prime}$ , while the types $S^{\prime\prime}$ represent the corresponding queue $\gamma^{\prime\prime}$ . Consider now the pair of types $(T_{f},S_{f})$ corresponding with the final configuration $(q^{\prime},\epsilon)$ : $T_{f}$ starts with an input branching (representing the willingness to consume one symbol from the queue) while $S_{f}$ starts with an output selection (in fact, the representation of the queue starts with a sequence of input branchings, one for each symbol in the queue, followed by an output selection and, given that it represents the empty queue, the initial sequence of input branching is absent). Summarising, we have that $(T_{f},S_{f})\in\mathcal{R}$ , $T_{f}$ starts with an input branching, and $S_{f}$ with an output selection: hence there is a pair in $\mathcal{R}$ which does not satisfy the item for input selection in Definition 3, thus contradicting the initial assumption about $\mathcal{R}$ being a fair asynchronous subtyping relation.

The if part is proved by showing that if the queue machine $M$ does not terminate then there exists a fair asynchronous subtyping relation $\mathcal{R}$ that contains the pair $(T,S)$ , hence $T\operatorname{\leq}S$ . There are two kinds of pairs in $\mathcal{R}$ : (i) the pairs discussed in the above only-if part of the proof that corresponds to the path in the subtyping simulation game that reproduces the computation of the queue machine $M$ , and (ii) other pairs corresponding to alternative paths. Here, we only comment the new pairs of kind (ii). The l.h.s. types in these pairs are generated by considering the alternative branches in the types ${\{\!\!\{{B_{1}\cdots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}$ in Definition 3.1, namely those involving the types denoted with $V$ and $V^{\prime}$ . These types are of two kinds: (a) they are able to recursively perform all possible outputs until the label $E$ is selected (type $V$ ), or (b) they are able to recursively perform all possible inputs until the label $E$ is selected (type $V^{\prime}$ ). All of these pairs satisfy the constraints in Definition 3 (under the assumption that also a final pair $(\mathbf{end},\mathbf{end})$ belongs to $\mathcal{R}$ ). Summarising, there exists a fair asynchronous subtyping relation $\mathcal{R}$ such that $(T,S)\in\mathcal{R}$ in that this is the first pair of the kind (i) above. Hence we can conclude that $T\operatorname{\leq}S$ . ∎

As a direct consequence of the above theorem and the undecidability of termination in queue machines, we can conclude that fair asynchronous subtyping (Definition 3) is also undecidable.

Corollary 11.

Given two session types $T$ and $S$ , it is in general undecidable to check whether $T\operatorname{\leq}S$ .

4. A Sound Algorithm for Fair Asynchronous Subtyping

We propose an algorithm which soundly verifies whether a session type is a fair asynchronous subtype of another. The algorithm relies on building a tree whose nodes are labelled by configurations of the simulation game induced by Definition 3. The algorithm analyses the tree to identify witness subtrees which contain input contexts that are growing following a recognisable pattern.

{exa}

Recall the satellite communication example (Figure 1). The spacecraft with protocol $T_{S}$ may be a replacement for an older generation of spacecraft which follows the more complicated protocol $T^{\prime}_{S}$ , see Figure 3. Type $T^{\prime}_{S}$ notably allows the reception of telecommands to be interleaved with the emission of telemetries. The new spacecraft may safely replace the old one because $T_{S}\operatorname{\leq}T^{\prime}_{S}$ .

However, checking $T_{S}\operatorname{\leq}T^{\prime}_{S}$ leads to an infinite accumulation of input contexts, hence it requires to consider infinitely many pairs of session types. E.g., after $T_{S}$ selects the output label $\mathit{tm}$ twice, the subtyping simulation game considers the pair $(T_{S},T^{\prime\prime}_{S})$ , where $T^{\prime\prime}_{S}$ is given in Figure 3. The pairs generated for this example illustrate a common recognisable pattern where some branches grow infinitely (the $\mathit{tc}$ -branch), while others stay stable throughout the derivation (the $\mathit{done}$ -branch). The crux of our algorithm is to use a finite parametric characterisation of the infinitely many pairs occurring in the check of $T_{S}\operatorname{\leq}T^{\prime}_{S}$ .

The simulation tree for $T\operatorname{\leq}S$ , written $\mathit{simtree}(T,S)$ , is the labelled tree representing the simulation game for $T\operatorname{\leq}S$ , i.e., $\mathit{simtree}(T,S)$ is a tuple $(N,n_{0},\twoheadrightarrow,\lambda)$ where $N$ is its set of nodes, $n_{0}\in N$ is its root, $\twoheadrightarrow$ is its transition relation, and $\lambda$ is its labelling function, such that $\lambda(n_{0})=(S,T)$ . We omit the formal definition of $\twoheadrightarrow$ , as it is straightforward from Definition 3 following the subtyping simulation game discussed after that definition. We give an example below.

Notice that the simulation tree $\mathit{simtree}(T,S)$ is defined only when $S$ is controllable, since $T\operatorname{\leq}S$ holds without needing to play the subtyping simulation game if $S$ is not controllable. We say that a branch of $\mathit{simtree}(T,S)$ is successful if it is infinite or if it finishes in a leaf labelled by $(\mathbf{end},\mathbf{end})$ . All other branches are unsuccessful. Under the assumption that $S$ is controllable, we have that all branches of $\mathit{simtree}(T,S)$ are successful if and only if $T\operatorname{\leq}S$ . As a consequence checking whether all branches of $\mathit{simtree}(T,S)$ are successful is generally undecidable. It is possible to identify a branch as successful if it visits finitely many pairs (or node labels), see Example 3; but in general a branch may generate infinitely many pairs, see Examples 4 and 4.

$T^{\prime}_{S}$	=	$\mu\mathbf{t}$	$.\&\big{\{}$	$\mathit{tc}:$	$\oplus\{\mathit{tm}:\mathbf{t},\mathit{over}:\mu\mathbf{t^{\prime}}.~{}\&\{% \mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:\mathbf{end}\}\},$
				$\mathit{done}:$	$\mu\mathbf{t^{\prime\prime}}.\oplus\{\mathit{tm}:\mathbf{t^{\prime\prime}},% \mathit{over}:\mathbf{end}\}\big{\}}$

$T^{\prime\prime}_{S}$	=	$\phantom{.}\&\big{\{}$	$\mathit{tc}:$	$\&\{$	$\mathit{tc}:$	$T^{\prime}_{S}$ ,
					$\mathit{done}:$	$\mu\mathbf{t^{\prime\prime}}.\oplus\{\mathit{tm}:\mathbf{t^{\prime\prime}},% \mathit{over}:\mathbf{end}\}$	$\}$ ,
			$\mathit{done}:$	$\mu\mathbf{t^{\prime\prime}}.\oplus\{\mathit{tm}:\mathbf{t^{\prime\prime}},% \mathit{over}:\mathbf{end}\}$			$\big{\}}$

Figure 3.

T^{\prime}_{S}

is an alternative session type for

T_{S}

, see Example 4.

In order to support types that generate unbounded accumulation, we characterise finite subtrees — called witness subtrees, see Definition 4 — such that all the branches that traverse these finite subtrees are guaranteed to be successful.

Notation

We give a few auxiliary definitions and notations. Hereafter $\mathcal{A}$ and $\mathcal{A}^{\prime}$ range over extended input contexts, i.e., input contexts that may contain distinct holes with the same index. These are needed to deal with unfoldings of input contexts, see Example 4.

The set of reductions of an input context $\mathcal{A}$ is the minimal set $\mathcal{S}$ s.t. {enumerate*}[label=()]

$\mathcal{A}\in\mathcal{S}$ ;

if $\&\{l_{i}:\mathcal{A}_{i}\}_{i\in I}\in\mathcal{S}$ then $\forall i\in I.\mathcal{A}_{i}\in\mathcal{S}$ and

if $\mu\mathbf{t}.\mathcal{A}^{\prime}\in\mathcal{S}$ then $\mathcal{A}^{\prime}\{\nicefrac{{\mu\mathbf{t}.\mathcal{A}^{\prime}}}{{\mathbf% {t}}}\}\in\mathcal{S}$ . Notice that due to unfolding (item 4), the reductions of an input context may contain extended input contexts. Moreover, given a reduction $\mathcal{A}^{\prime}$ of $\mathcal{A}$ , we have that $\mathit{holes}(\mathcal{A}^{\prime})\subseteq\mathit{holes}(\mathcal{A})$ .

{exa}

Consider the following extended input contexts: {mathpar} A_1 = μt . &{ l_1 : [ ]^1, l_2 : &{ l_3 : t } }

A_2 = &{ l_3 : μt . &{ l_1 : [ ]^1, l_2 : &{ l_3 : t } } }

unfold(A_1) = &{ l_1 : [ ]^1, l_2 : &{ l_3 : μt . &{ l_1 : [ ]^1, l_2 : &{ l_3 : t } } } } Context $\mathcal{A}_{2}$ is a reduction of $\mathcal{A}_{1}$ , i.e., one can reach $\mathcal{A}_{2}$ from $\mathcal{A}_{1}$ , by unfolding $\mathcal{A}_{1}$ and executing the input $l_{2}$ . Context $\mathsf{unfold}(\mathcal{A}_{1})$ is also a reduction of $\mathcal{A}_{1}$ . Observe that $\mathsf{unfold}(\mathcal{A}_{1})$ contains two distinct holes indexed by $1$ .

Given an extended context $\mathcal{A}$ and a set of hole indices $K$ such that $K\subseteq\mathit{holes}(\mathcal{A})$ , we use the following shorthands. Given a type $T_{k}$ for each $k\in K$ , we write $\mathcal{A}\lfloor T_{k}\rfloor^{k\in K}$ for the extended context obtained by replacing each hole $k\in K$ in $\mathcal{A}$ by $T_{k}$ . Also, given an extended context $\mathcal{A}^{\prime}$ we write $\mathcal{A}\langle\mathcal{A}^{\prime}\rangle^{K}$ for the extended context obtained by replacing each hole $k\in K$ in $\mathcal{A}$ by $\mathcal{A}^{\prime}$ . When $K=\{k\}$ , we often omit $K$ and write, e.g., $\mathcal{A}\langle\mathcal{A}^{\prime}\rangle^{k}$ and $\mathcal{A}\lfloor T_{k}\rfloor^{k}$ .

Figure 4. Simulation tree for

T_{S}\leq T^{\prime}_{S}

(Figures 1 and 3), the root of the tree is in bold.

{exa}

Using the above notation and posing $\mathcal{A}=\&\{\mathit{tc}:[\,]^{1},\mathit{done}:[\,]^{2}\}$ , we can rewrite $T^{\prime\prime}_{S}$ (Figure 3) as $\mathcal{A}\langle\mathcal{A}\lfloor T^{\prime}_{S}\rfloor^{1}\rangle^{1}% \lfloor\mu\mathbf{t^{\prime\prime}}.\oplus\{\mathit{tm}:\mathbf{t^{\prime% \prime}},\mathit{over}:\mathbf{end}\}\rfloor^{2}$ .

{exa}

Consider the session type below

S=\&\{l_{1}:\&\{l_{1}:T_{1},\ l_{2}:T_{2},\ l_{3}:T_{3}\},\;l_{2}:\&\{l_{1}:T_% {1},\ l_{2}:T_{2},\ l_{3}:T_{3}\},\;l_{3}:T_{3}\}.

Posing $\mathcal{A}=\&\{l_{1}:[\,]^{1},l_{2}:[\,]^{2},l_{3}:[\,]^{3}\}$ we have $\mathit{holes}(\mathcal{A})=\{1,2,3\}$ . Assuming $J=\{1,2\}$ and $K=\{3\}$ , we can rewrite $S$ as $\mathcal{A}\langle\mathcal{A}\lfloor T_{j}\rfloor^{j\in J}\rangle^{J}\lfloor T% _{k}\rfloor^{k\in K}$ .

{exa}

Figure 4 shows the partial simulation tree for $T_{S}\leq T^{\prime}_{S}$ , from Figures 1 and 3 (ignore the dashed edges for now). Notice how the branch leading to the top part of the tree visits only finitely many node labels (see dotted box), however the bottom part of the tree generates infinitely many labels, see the path along the $!{\mathit{\mathit{tm}}}$ transitions in the dashed box.

Witness subtrees

Next, we define witness trees which are finite subtrees of a simulation tree which we prove to be successful. The role of the witness subtree is to identify branches that satisfy a certain accumulation pattern. It detects an input context $\mathcal{A}$ whose holes fall in two categories: ( $i$ ) growing holes (indexed by indices in $J$ below) which lead to an infinite growth and ( $ii$ ) constant holes (indexed by indices in $K$ below) which stay stable throughout the simulation game. The definition of witness trees relies on the notion of ancestor of a node $n$ , which is a node $n^{\prime}$ (different from $n$ ) on the path from the root $n_{0}$ to $n$ . We illustrate witness trees with Figure 4 and Example 4. {defi}[Witness Tree] A finite tree $(N,n_{0},\twoheadrightarrow,\lambda)$ is a witness tree for $\mathcal{A}$ , such that $\mathit{holes}(\mathcal{A})=I$ , with $\emptyset\subseteq K\subset I$ and $J=I\setminus K$ , if all the following conditions are satisfied:

(1)
for all $n\in N$ either $\lambda(n)=(T,\mathcal{A}^{\prime}\langle\mathcal{A}\lfloor S_{j}\rfloor^{j\in J% }\rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$ or
$\lambda(n)=(T,\mathcal{A}^{\prime}\langle\mathcal{A}\langle\mathcal{A}\lfloor S% _{j}\rfloor^{j\in J}\rangle^{J}\rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$ , where $\mathcal{A}^{\prime}$ is a reduction of $\mathcal{A}$ , and it holds that
- •
  
  $\mathit{holes}(\mathcal{A}^{\prime})\subseteq K$ implies that $n$ is a leaf and
- •
  
  if $\lambda(n)=(T,\mathcal{A}[S_{i}]^{i\in I})$ and $n$ is not a leaf then $\mathsf{unfold}(T)$ starts with an output selection;
(2)
each leaf $n$ of the tree satisfies one of the following conditions:
1. (a)
  
  $\lambda(n)=(T,S)$ and $n$ has an ancestor $n^{\prime}$ s.t. $\lambda(n^{\prime})=(T,S)$
2. (b)
  
  $\lambda(n)=(T,\mathcal{A}\langle\mathcal{A}\lfloor S_{j}\rfloor^{j\in J}% \rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$ and $n$ has an ancestor $n^{\prime}$ s.t. $\lambda(n^{\prime})\!=\!(T,\mathcal{A}[S_{i}]^{i\in I})$
3. (c)
  
  $\lambda(n)=(T,\mathcal{A}[S_{i}]^{i\in I})$ and $n$ has an ancestor $n^{\prime}$ s.t. $\lambda(n^{\prime})\!=\!(T,\mathcal{A}\langle\mathcal{A}\lfloor S_{j}\rfloor^{% j\in J}\rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$
4. (d)
  
  $\lambda(n)=(T,\mathcal{A}^{\prime}[S_{k}]^{k\in K^{\prime}})$ where $K^{\prime}\subseteq K$
and for all leaves $(T,S)$ of type (2c) or (2d) $T\operatorname{\leq}S$ holds.

Intuitively Condition (1) says that a witness subtree consists of nodes that are labelled by pairs $(T,S)$ where $S$ contains a fixed context $\mathcal{A}$ (or a reduction/repetition thereof) whose holes are partitioned in growing holes ( $J$ ) and constant holes ( $K$ ). Whenever all growing holes have been removed from a pair (by reduction of the context) then this means that the pair is labelling a leaf of the tree. In addition, if the initial input is limited to only one instance of $\mathcal{A}$ , the l.h.s. type starts with an output selection so that this input cannot be consumed in the subtyping simulation game.

Condition 2 says that all leaves of the tree must validate certain conditions from which we can infer that their continuations in the full simulation tree lead to successful branches. Leaves satisfying Condition (2a) straightforwardly lead to successful branches as the subtyping simulation game, starting from the corresponding pair, has been already checked starting from its ancestor having the same label. Leaves satisfying Condition (2b) lead to an infinite but regular “increase” of the types in $J$ -indexed holes — following the same pattern of accumulation from their ancestor. The next two kinds of leaves must additionally satisfy the subtyping relation — using witness trees inductively or based on the fact they generate finitely many labels. Leaves satisfying Condition (2c) lead to regular “decrease” of the types in $J$ -indexed holes — following the same pattern of reduction from their ancestor. Leaves satisfying Condition (2d) use only constant $K$ -indexed holes because, by reduction of the context $\mathcal{A}^{\prime}$ , the growing holes containing the accumulation $\mathcal{A}$ have been removed.

Remark 12.

Definition 4 is parameterised by an input context $\mathcal{A}$ . We explain how such contexts can be identified while building a simulation tree in Section 5.

{exa}

In the tree of Figure 4 we highlight two subtrees. The subtree in the dotted box is not a witness subtree because it does not validate Condition (1) of Definition 4, i.e., there is an intermediary node with a label in which the r.h.s type does not contain $\mathcal{A}$ .

The subtree in the dashed box is a witness subtree with 3 leaves, where the dashed edges represent the ancestor relation, $\mathcal{A}=\&\{\mathit{tc}:[\,]^{1},\mathit{done}:[\,]^{2}\}$ , $J=\{1\}$ and $K=\{2\}$ . We comment on the leaves clockwise, starting from $(\mathbf{end},\mathbf{end})$ , which satisfies Condition (2d). The next leaf satisfies condition (2c), while the final leaf satisfies Condition (2b).

Algorithm

Given two session types $T$ and $S$ we first check whether $S$ is uncontrollable. If this is the case we immediately conclude that $T\operatorname{\leq}S$ . Otherwise, we proceed in four steps.

S1

We compute a finite fragment of $\mathit{simtree}(T,S)$ , stopping whenever ( $i$ ) we encounter a leaf (successful or not), ( $ii$ ) we encounter a node that has an ancestor as defined in Definition 4 (Conditions (2a), (2b), and (2c)), ( $iii$ ) or the length of the path from the root of $\mathit{simtree}(T,S)$ to the current node exceeds a bound set to two times the depth of the AST of $S$ . This bound allows the algorithm to explore paths that will traverse the super-type at least twice. We have empirically confirmed that it is sufficient for all examples mentioned in Section 5.
S2

We remove subtrees from the tree produced in S1 corresponding to successful branches of the simulation game which contain finitely many labels. Concretely, we remove each subtree whose each leaf $n$ is either successful or has an ancestor $n^{\prime}$ such that $n^{\prime}$ is in the same subtree and $\lambda(n)=\lambda(n^{\prime})$ .
S3

We extract subtrees from the tree produced in S2 that are potential candidates to be subsequently checked. The extraction of these finite candidate subtrees is done by identifying the forest of subtrees rooted in ancestor nodes which do not have ancestors themselves.
S4

We check that each of the candidate subtrees from S3 is a witness tree.

If an unsuccessful leaf is found in S1, then the considered session types are not related. In S1, if the generation of the subtree reached the bound before reaching an ancestor or a leaf, then the algorithm is unable to give a decisive verdict, i.e., the result is unknown. Otherwise, if all checks in S4 succeed then the session types are in the fair asynchronous subtyping relation. In all other cases, the result is unknown because a candidate subtree is not a witness.

{exa}

We illustrate the algorithm above with the tree in Figure 4. After S1, we obtain the whole tree in the figure (11 nodes). After S2, all nodes in the dotted boxed are removed. After S3 we obtain the (unique) candidate subtree contained in the dashed box. This subtree is identified as a witness subtree in S4, hence we have $T_{S}\operatorname{\leq}T^{\prime}_{S}$ .

Soundness of the algorithm

The soundness of our algorithm w.r.t. fair asynchronous session subtyping relies on proving that given a witness tree $(N,n_{0},\twoheadrightarrow,\lambda)$ such that $\lambda(n_{0})=(T,S)$ , then $T\operatorname{\leq}S$ . We formalize this in Theorem 15 further down below.

The definition of witness tree consider nestings of input contexts $\mathcal{A}$ . In the proof of Theorem 15 we need the notation $\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j\in J}$ , to generalize to nestings of input contexts with parametric depth, defined as follows:

•

$\mathcal{A}^{1}\lfloor S_{j}\rfloor^{j\in J}$ is $\mathcal{A}\lfloor S_{j}\rfloor^{j\in J}$
•

$\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j\in J}$ is $\mathcal{A}\langle\mathcal{A}^{h-1}\lfloor S_{j}\rfloor^{j\in J}\rangle^{J}$ , when $h>1$ .

Given a witness tree for $\mathcal{A}$ , we define a family of isomorphic trees with labels in which the r.h.s. type has incrementally increased nestings of the input context $\mathcal{A}$ in the growing holes.

{defi}

[ $h$ -th Witness Tree]Given a witness tree $\mathcal{T}=(N,n_{0},\twoheadrightarrow,\lambda)$ for $\mathcal{A}$ , and $h\geq 1$ , we inductively define $\mathcal{T}^{h}$ as follows:

•

$\mathcal{T}^{1}=\mathcal{T}$ ;
•

for $h>1$ , given $\mathcal{T}^{h-1}=(N^{h-1},n_{0}^{h-1},\twoheadrightarrow^{h-1},\lambda^{h-1})$ we define $\mathcal{T}^{h}=(N^{h},n_{0}^{h},\twoheadrightarrow^{h},\lambda^{h})$ with $N^{h}=N^{h-1}$ , $n_{0}^{h}=n_{0}^{h-1}$ , $\twoheadrightarrow^{h}=\twoheadrightarrow^{h-1}$ , and
$\lambda^{h}(n)=\mathcal{A}^{\prime}\langle\mathcal{A}^{h}\lfloor S_{j}\rfloor^% {j\in J}\rangle^{J}\lfloor S_{k}\rfloor^{k\in K}$ if $\lambda^{h-1}(n)=\mathcal{A}^{\prime}\langle\mathcal{A}^{h-1}\lfloor S_{j}% \rfloor^{j\in J}\rangle^{J}\lfloor S_{k}\rfloor^{k\in K}$ .

We now present a preliminary Lemma stating that, given a witness subtree $\mathcal{T}$ of a simulation tree, all the trees in the family $\mathcal{T}^{h}$ faithfully represent the subtyping simulation game (proof in Appendix A.5).

Lemma 13.

Consider a witness tree $\mathcal{T}^{1}=(N^{1},n_{0}^{1},\twoheadrightarrow^{1},\lambda^{1})$ contained in a simulation tree. For every $h\geq 1$ , we have that $\twoheadrightarrow^{h}$ in $\mathcal{T}^{h}=(N^{h},n_{0}^{h},\twoheadrightarrow^{h},\lambda^{h})$ is compatible with the subtyping simulation game, i.e., $n\twoheadrightarrow^{h}n^{\prime}$ is present in $\mathcal{T}^{h}$ if and only if there exists a simulation tree $(M,m_{0},\twoheadrightarrow,\lambda)$ including $m\twoheadrightarrow^{h}m^{\prime}$ with $\lambda(m)=\lambda^{h}(n)$ and $\lambda(m^{\prime})=\lambda^{h}(n^{\prime})$ .

We now move to a proposition stating that, given a witness subtree $\mathcal{T}$ of a simulation tree, we have that all branches in the simulation tree that traverse $\mathcal{T}$ follows paths also present in the family of trees $\mathcal{T}^{h}$ or in simulation trees $\mathit{simtree}(T^{\prime},S^{\prime})$ where $(T^{\prime},S^{\prime})$ is a leaf of $\mathcal{T}$ for which we know that $T^{\prime}\operatorname{\leq}S^{\prime}$ (proof in Appendix A.5). In the statement of this proposition we use $\twoheadrightarrow\!\!{}^{*}$ to denote the reflexive and transitive closure of $\twoheadrightarrow$ .

Proposition 14.

Let $T$ and $S$ be two session types with $\mathit{simtree}(T,S)=(N,n_{0},\twoheadrightarrow,\lambda)$ . If $\mathit{simtree}(T,S)$ contains a witness tree $\mathcal{T}$ with root $n$ , then for every node $n^{\prime}\in N$ such that $n\twoheadrightarrow\!\!{}^{*}\,n^{\prime}$ we have that $\lambda(n^{\prime})$ is a label present either in $\mathcal{T}^{h}$ , for some $h$ , or in $\mathit{simtree}(T^{\prime},S^{\prime})=(N^{\prime},n_{0}^{\prime},% \twoheadrightarrow,\lambda^{\prime})$ with $T^{\prime}\operatorname{\leq}S^{\prime}$ .

We can now present the main result needed to prove the soundness of our algorithm.

Theorem 15.

Let $T$ and $S$ be session types s.t. $\mathit{simtree}(T,S)=(N,n_{0},\twoheadrightarrow,\lambda)$ . If $\mathit{simtree}(T,S)$ contains a witness subtree with root $n$ then for every node $n^{\prime}\in N$ s.t. $n\twoheadrightarrow\!\!{}^{*}\,n^{\prime}$ , either $n^{\prime}$ is a successful leaf, or there exists $n^{\prime\prime}$ s.t. $n^{\prime}\twoheadrightarrow{}n^{\prime\prime}$ .

In the light of this last theorem, we can finally conclude that if the candidate subtrees of $\mathit{simtree}(T,S)$ identified with the steps S1-3 explained above are also witness subtrees (check done in the step S4), then we have $T\operatorname{\leq}S$ .

5. Implementation

To evaluate our algorithm, we have produced a Haskell implementation of it, which is available on GitHub [tool]. It implements a version of the algorithm presented in Section 4, which internally represents session types as automata (LTS) (see, e.g., [BravettiZ21]). In this context it is also natural to use bisimulation in place of the syntactic equality for session types. These design choices helped us to concretise an implementation of the algorithm in Section 4 and allowed us to implement an optimisation which minimises the input types. We comment on this below.

Using automata internally makes it easier to identify candidate input contexts as we can keep track of states that correspond to the input context computed when applying Case (4) of Definition 3. In particular, we augment each local state in the automata representation of the candidate supertype with two counters: the $c$ -counter keeps track of how many times a state has been used in an input context; the $h$ -counter keeps track of how many times a state has occurred within a hole of an input context. We illustrate this with Figure 5 which depicts the internal data structures our tool manipulates when checking $T_{S}\leq T^{\prime}_{S}$ from Figures 1 and 3. The state indices of the automata in Figure 5 correspond to the ones in Figure 1 (2^nd column) and Figure 3 (3^rd column).

The first row of Figure 5 represents the root of the simulation tree, where both session types are in their respective initial state and no transition has been executed. We use state labels of the form $n_{c,h}$ where $n$ is the original identity of the state, $c$ is the value of the $c$ -counter, and $h$ is the value of the $h$ -counter. The second row depicts the configuration after firing transition $!{\mathit{\mathit{tm}}}$ , via Case (4) of Definition 3. While the candidate subtype remains in state $0$ (due to a self-loop) the candidate supertype is unfolded with $\mathsf{selUnfold}(T^{\prime}_{S})$ (Definition 3). The resulting automaton contains an additional state and two transitions. All previously existing states have their $h$ -counter incremented, while the new state has its $c$ -counter incremented. The third row of the figure shows the configuration after firing transition $!{\mathit{\mathit{over}}}$ , using Case (4) of Definition 3 again. In this step, another copy of state $0$ is added. Its $c$ -counter is set to $2$ since this state has been used in a context twice; and the $h$ -counters of all other states are incremented.

Using this representation, we construct a candidate input context by building a tree whose root is a state $q_{c,h}$ such that $c>1$ . The nodes of the tree are taken from the states reachable from $q_{c,h}$ , stopping when a state $q^{\prime}_{c^{\prime},h^{\prime}}$ such that $c^{\prime}<c$ is found. A leaf $q^{\prime}_{c^{\prime},h^{\prime}}$ becomes a hole of the input context. The hole is a constant ( $K$ ) hole when $h^{\prime}=c$ , and growing ( $J$ ) otherwise. Given this strategy and the configurations in Figure 5, we successfully identify the context $\mathcal{A}=\&\{\mathit{tc}:[\,]^{1},\mathit{done}:[\,]^{2}\}$ with $J=\{1\}$ and $K=\{2\}$ .

Thanks to our automata representation, it is also possible to minimise (up-to bisimulation) each session-type automaton before performing Steps S1-S4. Concretely our tool accepts an optional command-line flag that turns on the minimisation of each session type after it has been transformed into an automaton. We discuss the benefits of this optimisation in the next section.

Last transition	State of $T_{S}$	Representation of $T^{\prime}_{S}$
$\epsilon$	$0$
$!{\mathit{\mathit{tm}}}$	$0$
$!{\mathit{\mathit{over}}}$	$1$

Figure 5. Internal representation of the simulation tree for

T_{S}\leq T^{\prime}_{S}

(fragment).

We have run our tool on a dozen of examples handcrafted to test the limits of our algorithm (inc. the examples discussed in this paper), as well as on the 174 tests taken from [BCLYZ19]. All of these tests terminate under a second.

Additionally, for debugging and illustration purposes, the tool can optionally generate graphical representations of the subtyping simulation game and of witness trees.

6. Empirical Evaluation on Synthetic Benchmarks

To evaluate the cost of our algorithm and its implementation, wrt. runtime and memory usage, we have performed an empirical evaluation based on a family of pairs of sub/supertype of increasing sizes. We perform our evaluation with and without our minimisation-based optimisation and discuss the results.

Experimental setup

The family of types we consider is based on variants from our spacecraft example: the subtype is based on variants of $T_{S}$ in Figure 1, while the supertype is based on variants of $T^{\prime}_{S}$ in Figure 3. The shape and size of each variant is determined by three parameters which respectively affect the number of choices in branches (branching width), the number of inputs that can be accumulated in the supertype (input depth), and the number of choices in selections (selection width).

\begin{array}[]{lcl}\mathit{Test}(n,m,k)&=&T_{\textit{L}}({n,k)}\leq T_{% \textit{R}}(n,m,k)\\[5.69046pt] T_{\textit{L}}({n,k)}&=&\mu\mathbf{t}.\oplus\{{\mathit{tm}}_{i}:{\mathbf{t}},% \ \mathit{over}:\mathit{TBranL}({n})\}_{1\leq i\leq k}\\[5.69046pt] T_{\textit{R}}(n,m,k)&=&\mu\mathbf{t}.\mathit{TBran}({n,m,k})\\[5.69046pt] \mathit{TBran}({n,m,k})&=&\begin{cases}\&\{{\mathit{tc}}_{i}:{\mathit{TBran}({% n,m{-}1,k})},\ \mathit{done}:\mathit{TSelL}({k})\}_{1\leq i\leq n}&\text{if }m% >0\\ \&\{{\mathit{tc}}_{i}:{\mathit{TSel}({n,k})},\ \mathit{done}:\mathit{TSelL}({k% })\}_{1\leq i\leq n}&\text{otherwise}\end{cases}\\[5.69046pt] \mathit{TSel}({n,k})&=&\oplus\{{\mathit{tm}}_{i}:{\mathbf{t}},\ \mathit{over}:% \mathit{TBranL}({n})\}_{1\leq i\leq k}\\[5.69046pt] \mathit{TBranL}({n})&=&\mu\mathbf{t^{\prime}}.\&\{{\mathit{tc}}_{i}:{\mathbf{t% }^{\prime}},\ \mathit{done}:\mathbf{end}\}_{1\leq i\leq n}\\[5.69046pt] \mathit{TSelL}({k})&=&\mu\mathbf{t^{\prime\prime}}.\oplus\{{\mathit{tm}}_{i}:{% \mathbf{t}^{\prime\prime}},\ \mathit{over}:\mathbf{end}\}_{1\leq i\leq k}\end{array}

Figure 6. Generation of parameterised sub-type/super-type pairs. Function

T_{\textit{R}}(n,m,k)

is the super-type and

T_{\textit{L}}({n,k)}

is the sub-type, where

n

is the branching width (the number of messages the type can receive at a given point),

m

is the branching depth (the number of messages the type can receive consecutively), and

k

is the selection width (the number of messages the type can send at a given point).

Given values $n$ , $m$ , and $k$ for each of these parameters, we generate a subtyping problem $\mathit{Test}(n,m,k)$ as described in Figure 6. We assume that $n\geq 1$ , $m\geq 0$ , and $k\geq 1$ — the branching/selection parameters need to provide at least one branch, while input depth could be zero (no anticipation). Each test applies our algorithm to verify that $T_{\textit{L}}({n,k)}$ is a fair asynchronous subtype of $T_{\textit{R}}(n,m,k)$ (by construction the test always succeeds).

We describe Figure 6 in more details. The subtype $T_{\textit{L}}({n,k)}$ only depends on two parameters: branching width ( $n$ ) and selection width ( $k$ ). It is similar to $T_{S}$ in Figure 1 except that it can send (resp. receive) different telemetry (resp. telecommand) messages. It is a recursive type that immediately chooses between sending one of the $k$ telemetries ( $\mathit{tm}_{i}$ ) then recurse, or send a termination signal ( $\mathit{over}$ ). In the latter case, the behaviour continues with $\mathit{TBranL}({n})$ , i.e., another recursive definition followed by a branching construct where the type expects to receive either one of the $n$ telecommands ( $\mathit{tc}_{i}$ ) then recurse, or receive the termination signal $\mathit{done}$ .

The supertype $T_{\textit{R}}(n,m,k)$ depends on three parameters: branching width ( $n$ ), input depth ( $m$ ), and selection width ( $k$ ). This type is similar to $T^{\prime}_{S}$ in Figure 3 but can send (resp. receive) different telemetry (resp. telecommand) messages and allows the reception of $m$ telecommands to precede the emission of a telemetry message. $T_{\textit{R}}(n,m,k)$ relies on four additional definitions. $\mathit{TBran}({n,m,k})$ encodes the sequence of $m+1$ inputs that can precede the emission of telemetries. $\mathit{TSel}({n,k})$ performs the selections that precede the final series of inputs in $\mathit{TBranL}({n})$ . $\mathit{TSelL}({k})$ performs the final series of outputs.

Figure 7. Minimised versions of

T_{\textit{L}}({2,4)}

(subtype, left) and

T_{\textit{R}}(2,3,4)

(supertype, right).

Figure 7 gives a graphical representation of the session-type automata generated by the definitions in Figure 6 after minimisation up to bisimulation. The figure shows a subtype (left) that can send four different $\mathit{tm}_{i}$ messages ( $k=4)$ , then can receive two different $\mathit{tc}_{i}$ messages ( $n=2$ ). The state labels correspond to the ones of $T_{S}$ in Figure 1.

The supertype (right) is more complex. It can also send four different $\mathit{tm}_{i}$ messages ( $k=4)$ , and receive two different $\mathit{tc}_{i}$ messages ( $n=2$ ). Additionally, it may postpone the emission of telemetries and receive up to $4$ telecommands first ( $m+1=4$ ). The state labels correspond to the ones of $T^{\prime}_{S}$ in Figure 3. Note that because of minimisation the two final states of $T^{\prime}_{S}$ are merged into their $3,5$ counterpart in Figure 7. Since the emission of $\mathit{tm}_{i}$ in $T_{\textit{R}}(2,3,4)$ is further postponed compared to $T^{\prime}_{S}$ , we also obtain several variants of state $0$ , labelled by $0_{i}$ and highlighted in gray in Figure 7.

Refer to caption — Figure 8. Increasing branching width, without (left) and with minimisation (right)

Experimental results

Figures 10, 10, and 10 give the results of running the implementation of our algorithm on increasingly large instances of the subtyping problem $\mathit{Test}(n,m,k)$ . Each figure shows the runtime (larger data points in blue, left y-axis) and peak memory usage (smaller data points in red, right y-axis) for each instance of the problem. Each figure includes two x-axes: the bottom one represents the number of transitions in the automata representation of the candidate supertype (which we consider a good measure of the size of the subtyping problem); the top one represents the value of the variable parameter for each experiment (e.g., branching with). Plots on the left show the result without minimisation, plots on the right show results using minimisation up to bisimulation. Each figure depicts 20 data points unless our implementation timed out (more than 300 seconds). The yellow curve highlights the runtime trend. It is computed using SciPy’s curve_fit function.

All the benchmarks in this paper were run on a MacBook Pro with an Intel i5 CPU with 16GB RAM running macOS 13.4. The time was measured by taking the difference between the system clock before and after our tool was invoked. The memory usage refers to the maximum resident set size as reported by the /usr/bin/time -l command. Each test was ran 3 times, the plots report the average time (resp. memory) measurements. All our test data and infrastructure are available on our GitHub repository [tool].

Figure 10 shows the result of checking $\mathit{Test}(n,1,1)$ , with $n$ (branching width) increasing by step of $1$ , from $1$ to $20$ . The left-hand side plot shows that the tool quickly runs out of resource without optimisation: only $n\in\{1,2,3\}$ terminate in reasonable time. While the asymptotic cost of the algorithm with minimised automata is still exponential, the tool can deal with much larger input using this optimisation as show on the right.

Figure 10 shows the result of checking $\mathit{Test}(1,m,1)$ , with $m$ (input depth) increasing by step of $3$ , from $1$ to $58$ ( $20$ data points). Observe that minimisation nearly halves the number of transitions in the candidate supertypes. As a consequence, the version of the tool that minimises its input before applying the subtyping algorithm runs much faster and uses much less memory than its non-optimised counterpart.

Figure 10 shows the result of checking $\mathit{Test}(1,1,k)$ , with $k$ (selection width) increasing by step of $3$ , from $1$ to $58$ ( $20$ data points). In this case minimisation has a lesser effect on the number of transitions in the candidate supertypes, but it has still a significant effect on runtime, e.g., the largest problem takes 20s on the minimised automata and 37s on the non-minimised ones.

7. Related and Future Work

Related work

The relationship between refinement and subtyping in the context of synchronous session types has been thoroughly investigated both for binary and multiparty session types. For instance, Bernardi and Hennessy [BernardiH16] establish a correspondence between binary session subtyping and an observational preorder on session types interpreted as contracts. A similar result has been obtained in the context of multiparty session types by Severi and Dezani-Ciancaglini [SeveriD19], where the subtyping is dubbed structural preorder, while the refinement is named observational preorder. Concerning asynchronous communication we can mention previous works on refinement for asynchronous communication by some of the authors of this paper. The work in [wsfm08] also considers fair compliance, however here we consider binary (instead of multiparty) communication and we use a unique input queue for all incoming messages instead of distinct named input channels. Moreover, in the present paper we provide a sound characterisation of fair refinement using coinductive subtyping and provide a sound algorithm and its implementation. In [sefm19, BravettiZ21] the asynchronous subtyping of [MY15] is used to characterise refinement for a notion of correct composition based on the impossibility to reach a deadlock, instead of the possibility to reach a final successful configuration as done in the present paper. The refinement from [sefm19] does not support examples such as those in Figure 1.

Concerning fairness in the context of session types, Padovani studied a notion of fair subtyping for synchronous multi-party session types in [Padovani16]. This work notably considers the notion of viability which corresponds, in the synchronous multiparty setting, to our notion of controllability. We use the term controllability instead of viability following the tradition of service contract theories like those based on Petri nets [Loh08, Wei08] or process calculi [BZ09a]. Compared to [Padovani16], asynchronous communication makes it much more involved to prove soundness and completeness of the decidable characterisation of controllability, as we do in this paper. Indeed in the asynchronous case, transition systems arising from the communication of two types are, in general, infinite state (due to unbounded queues), while they are always finite state in the synchronous case. Fair refinement in [Padovani16] is characterised by defining a coinductive relation on normal form of types, obtained by removing inputs leading to uncontrollable continuations. Instead of using normal forms, we remove these inputs during the asynchronous subtyping check. A limited form of variance on output is also admitted in [Padovani16]. Covariance between the outputs of a subtype and those of a supertype is possible when the additional branches in the supertype are not needed to have compliance with potential partners. In [Padovani16] this check is made possible by exploiting a difference operation [Padovani16, Definition 3.15] on types, which synthesises a new type representing branches of one type that are absent in the other. We observe that the same approach cannot work to introduce variance on outputs in an asynchronous setting. Indeed the interplay between output anticipation and recursion could generate differences in the branches of a subtype and a supertype that cannot be statically represented by a (finite) session type.

Padovani also studied an alternative notion of fair synchronous subtyping in [Padovani13]. Although the contribution of that paper refers to session types, the formal framework therein seems to deviate from the usual session type approach. In particular, it considers shared channel communication instead of binary channels: when a partner emits a message, it is possible to have a race among several potential receivers for consuming it. As a consequence of this alternative semantics, the subtyping in [Padovani13] does not admit variance on input. Another difference with respect to session type literature is the notion of success among interacting sessions: a composition of session is successful if at least one participant reaches an internal successful state. This approach has commonalities with testing [DH84], where only the test composed with the system under test is expected to succeed, but differs from the typical notion of success considered for session types. In [Barbanerad10, BernardiH16] (resp. [MariangiolaPreciness]) it was proved that the Gay-Hole synchronous session subtyping (resp. orphan message free asynchronous subtyping) coincides with refinement induced by a successful termination notion requiring interacting processes to be both in the $\mathbf{end}$ state (with empty buffers, in the asynchronous case).

More recently, van Glabbeek et al. [GlabbeekHH21] introduce a type system for multiparty sessions that assumes fairness. Nevertheless, the notion of fairness used in that paper is different with respect to the notion considered by Padovani [Padovani16] (in the synchronous case) and in this paper (in the asynchronous case). In fact, in [GlabbeekHH21] weak fairness is considered, consisting of a minimal fairness assumption that “guarantees only that concurrent transitions cannot prevent each other from happening”. On the other hand, Padovani [Padovani16] and ourselves consider a stronger notion of fairness, namely, according to the terminology in [GlabbeekH19], we consider the composition of two session types correct if their successful termination is a liveness property which holds under the assumption of full fairness. In [GlabbeekH19] it is proved that, for finite state transition systems, full fairness collapses to strong fairness of transitions, i.e., a transition which is (relentlessly) enabled infinitely many times during a computation, it is also executed infinitely often in such computation. Session types are finite states, but we consider asynchronous communication via unbounded FIFO buffers, hence our transition system (Definition 2.2) describing the composition of two session types is not finite because buffers can store an unbounded amount of messages. On the contrary, in the context of synchronous communication the transition system describing the composition of two session types is finite state, hence the above correspondence result between full fairness and strong fairness applies. A strong fair session subtyping has been recently used in a type system that guarantees fair termination of sessions for a $\pi$ -calculus like language with binary sessions [CicconeP22]. The subtype defined in that paper differs from previous strong fair subtypings because it also deals with higher-order types (useful to type process languages including primitives for session creation and delegation) and because it is only sound but not complete w.r.t. fair session type refinement. More precisely, it is complete only for bounded processes and it does not capture subtypes like those discussed in Example 3, where the supertype has an uncontrollable (infinite) branch.

Several variants of asynchronous session subtyping have been proposed in [ESOP09, MariangiolaPreciness, CDY2014, MY15, GhilezanPPSY21] and further studied in our earlier work [BravettiCZ17, BravettiCLYZ21, sefm19, BCLYZ19]. All these variants have been shown to be undecidable [BCZ18, LY17, BravettiCZ17]. Moreover, all these subtyping relations are (implicitly) based on an unfair notion of compliance. Some of these papers consider binary session types [MariangiolaPreciness, CDY2014, MY15] as we do in this paper. An interesting technical difference with these papers is that they use finite input contexts (i.e. without recursion) while we also consider infinite input contexts which may contain recursion — this is necessary to obtain $T^{\prime}_{G}\operatorname{\leq}T_{G}$ and $T_{S}\operatorname{\leq}T^{\prime}_{S}$ (see Figures 1 and 3). Moreover, the papers [MariangiolaPreciness, CDY2014] impose additional constraints in the definition of asynchronous subtyping to guarantee absence of orphan-messages. Such constraints require the subtype not to have output loops whenever an output anticipation is performed, thus guaranteeing that at least one input is performed in all possible paths. In this paper, absence of orphan messages between compatible types is guaranteed as successful termination is enforced under the assumption of full-fairness. Notice that not imposing this orphan-message-free constraint is consistent with our recursive input contexts that allows for input loops in the supertype whenever an output anticipation is performed. The other papers [ESOP09, GhilezanPPSY21] consider asynchronous subtyping for multiparty session types. In the binary case, a subtype can only anticipate (under some specific conditions) outputs w.r.t input. In the multiparty context additional differences are allowed, for instance, a subtype can anticipate also an input w.r.t. other inputs of messages coming from other partners. Intuitively, this is possible because in the considered operational model messages coming from different partners are stored in distinct message queues. A difference between [ESOP09] and [GhilezanPPSY21] is that the former concentrates on deadlock freedom, while the latter considers also orphan message freedom. Notably, the subtyping in [GhilezanPPSY21] is proved to be precise (i.e. sound and complete), w.r.t. a notion of refinement that preserves orphan message freedom, deadlocks, and starvation, for a $\pi$ -calculus like language with multiparty sessions.

In [BCLYZ19, BravettiCLYZ21], we proposed a sound algorithm for the (unfair) asynchronous subtyping in [MariangiolaPreciness]. The sound algorithm that we present in this paper substantially differs from that of [BCLYZ19, BravettiCLYZ21]. Here we use witness trees that take under consideration both increasing and decreasing of accumulated input. In [BCLYZ19, BravettiCLYZ21], instead, only regular growing accumulation is considered. It is worth mentioning that in the context of multiparty session types there exist alternative sound (but not complete) algorithmic approaches. In particular, in [DagninoGD23] a multiparty approach is adopted: they study properties of networks of communicating end-point types instead of studying a subtyping relation on binary session types in isolation, as we do in this paper. A first phase of their algorithm infers global types from networks, and a second phase checks the well formedness of the inferred global types. Using techniques similar to ours (i.e. reduction from queue machines) well formedness is proved to be undecidable, but a sound algorithmic characterisation is proposed which is based on the notion of balancing. The authors of that paper show that, following their approach, one of the examples not captured by the algorithm in [BCLYZ19, BravettiCLYZ21] can be managed.

Finally, we mention work about refinement/subtyping in the context of asynchronous multiparty sessions, where the use of global types allows for the definition of decidable type systems. More precisely, both Castellani et al. [CastellaniDG21] and Li et al. [LiSW24] study a notion of refinement for (asynchronous) multiparty session types that ensures that the implementation of a given role can be replaced by another in the context of a specific global type. This means that the relation considers not only the component being refined, but also the other components of the system. Unlike most subtyping relation for asynchronous session types, this relation is decidable — this is notably due to the relation being restricted to the specific context of a given global type.

Future work

In future work, we will investigate the possibility to characterize a notion of fair asynchronous session subtyping which is complete with respect to our notion of fair refinement, in particular, we are interested in a less restrictive subtyping which includes also some form of output variance. We also plan to lift our study of fairness from binary to multiparty session types; in fact, the notions of fair compliance and refinement extend naturally to several partners. Finally, we will investigate a more refined termination condition for our algorithm using ideas from [BravettiCLYZ21, Theorem 3.8]. In particular, we plan to identify conditions similar to those in Definition 4 such that it is always guaranteed to find, during the computation of each branch of the simulation tree, a node with an ancestor satisfying such conditions. Then, the initial phase of the algorithm dedicated to the identification of the candidate subtrees can terminate when such nodes are detected, and the subsequent phase will continue to check whether such candidate subtrees are also witness subtrees.

Acknowledgments

We thank the anonymous reviewers for their valuable feedback and insightful suggestions, which have improved the quality of this work.

References

[Ada17] Adam Wiggins. The Twelve Factor methodology. https://12factor.net, 2017.
[BCL⁺19] Mario Bravetti, Marco Carbone, Julien Lange, Nobuko Yoshida, and Gianluigi Zavattaro. A sound algorithm for asynchronous session subtyping. In CONCUR, volume 140 of LIPIcs, pages 38:1–38:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019.
[BCL⁺21] Mario Bravetti, Marco Carbone, Julien Lange, Nobuko Yoshida, and Gianluigi Zavattaro. A sound algorithm for asynchronous session subtyping and its implementation. Log. Methods Comput. Sci., 17(1), 2021. URL: https://lmcs.episciences.org/7238.
[BCZ17] Mario Bravetti, Marco Carbone, and Gianluigi Zavattaro. Undecidability of asynchronous session subtyping. Inf. Comput., 256:300–320, 2017.
[BCZ18] Mario Bravetti, Marco Carbone, and Gianluigi Zavattaro. On the boundary between decidability and undecidability of asynchronous session subtyping. Theor. Comput. Sci., 722:19–51, 2018.
[Bd10] Franco Barbanera and Ugo de’Liguoro. Two notions of sub-behaviour for session-based client/server systems. In PPDP’10, pages 155–164. ACM, 2010.
[BEJQ18] Ahmed Bouajjani, Constantin Enea, Kailiang Ji, and Shaz Qadeer. On the completeness of verifying message passing programs under bounded asynchrony. In CAV (2), volume 10982 of Lecture Notes in Computer Science, pages 372–391. Springer, 2018.
[BH16] Giovanni Tito Bernardi and Matthew Hennessy. Modelling session types using contracts. Mathematical Structures in Computer Science, 26(3):510–560, 2016.
[BLZ21] Mario Bravetti, Julien Lange, and Gianluigi Zavattaro. Fair refinement for asynchronous session types. In Stefan Kiefer and Christine Tasson, editors, Proc. FOSSACS 2021, volume 12650 of Lecture Notes in Computer Science, pages 144–163. Springer, 2021. doi:10.1007/978-3-030-71995-1\_8.
[BZ83] Daniel Brand and Pitro Zafiropulo. On communicating finite-state machines. J. ACM, 30(2):323–342, 1983.
[BZ08a] Mario Bravetti and Gianluigi Zavattaro. Contract Compliance and Choreography Conformance in the Presence of Message Queues. In WS-FM’08, volume 5387 of Lecture Notes in Computer Science, pages 37–54. Springer, 2008.
[BZ08b] Mario Bravetti and Gianluigi Zavattaro. A foundational theory of contracts for multi-party service composition. Fundam. Inform., 89(4):451–478, 2008. URL: http://content.iospress.com/articles/fundamenta-informaticae/fi89-4-05.
[BZ09] Mario Bravetti and Gianluigi Zavattaro. A theory of contracts for strong service compliance. Math. Struct. Comput. Sci., 19(3):601–638, 2009. doi:10.1017/S0960129509007658.
[BZ19] Mario Bravetti and Gianluigi Zavattaro. Relating session types and behavioural contracts: The asynchronous case. In SEFM, volume 11724 of Lecture Notes in Computer Science, pages 29–47. Springer, 2019.
[BZ21] Mario Bravetti and Gianluigi Zavattaro. Asynchronous session subtyping as communicating automata refinement. Softw. Syst. Model., 20(2):311–333, 2021. doi:10.1007/s10270-020-00838-x.
[CDCY14] Tzu-Chun Chen, Mariangiola Dezani-Ciancaglini, and Nobuko Yoshida. On the preciseness of subtyping in session types. In PPDP 2014, pages 146–135. ACM Press, 2014.
[CDG21] Ilaria Castellani, Mariangiola Dezani-Ciancaglini, and Paola Giannini. Global types and event structure semantics for asynchronous multiparty sessions. CoRR, abs/2102.00865, 2021. URL: https://arxiv.org/abs/2102.00865, arXiv:2102.00865.
[CDSY17] Tzu-Chun Chen, Mariangiola Dezani-Ciancaglini, Alceste Scalas, and Nobuko Yoshida. On the preciseness of subtyping in session types. Logical Methods in Computer Science, 13(2), 2017.
[CP22] Luca Ciccone and Luca Padovani. Fair termination of binary sessions. Proc. ACM Program. Lang., 6(POPL):1–30, 2022. doi:10.1145/3498666.
[DGD23] Francesco Dagnino, Paola Giannini, and Mariangiola Dezani-Ciancaglini. Deconfined global types for asynchronous sessions. Log. Methods Comput. Sci., 19(1), 2023. doi:10.46298/LMCS-19(1:3)2023.
[DY13] Pierre-Malo Deniélou and Nobuko Yoshida. Multiparty compatibility in communicating automata: Characterisation and synthesis of global session types. In Proc. ICALP 2013, volume 7966 of Lecture Notes in Computer Science, pages 174–186, 2013. doi:10.1007/978-3-642-39212-2\_18.
[GH05] Simon J. Gay and Malcolm Hole. Subtyping for session types in the pi calculus. Acta Inf., 42(2-3):191–225, 2005. doi:10.1007/s00236-005-0177-z.
[GKM06] Blaise Genest, Dietrich Kuske, and Anca Muscholl. A Kleene theorem and model checking algorithms for existentially bounded communicating automata. Inf. Comput., 204(6):920–956, 2006. doi:10.1016/j.ic.2006.01.005.
[GKM07] Blaise Genest, Dietrich Kuske, and Anca Muscholl. On communicating automata with bounded channels. Fundam. Inform., 80(1-3):147–167, 2007. URL: http://content.iospress.com/articles/fundamenta-informaticae/fi80-1-3-09.
[GPP⁺21] Silvia Ghilezan, Jovanka Pantovic, Ivan Prokic, Alceste Scalas, and Nobuko Yoshida. Precise subtyping for asynchronous multiparty sessions. Proc. ACM Program. Lang., 5(POPL):1–28, 2021. doi:10.1145/3434297.
[HYC16] Kohei Honda, Nobuko Yoshida, and Marco Carbone. Multiparty asynchronous session types. J. ACM, 63(1):9, 2016. doi:10.1145/2827695.
[Loh08] Niels Lohmann. Why does my service have no partners? In WS-FM, volume 5387 of Lecture Notes in Computer Science, pages 191–206. Springer, 2008.
[LSW24] Elaine Li, Felix Stutz, and Thomas Wies. Deciding subtyping for asynchronous multiparty sessions. In ESOP (1), volume 14576 of Lecture Notes in Computer Science, pages 176–205. Springer, 2024.
[LY17] Julien Lange and Nobuko Yoshida. On the undecidability of asynchronous session subtyping. In FOSSACS’17, volume 10203 of Lecture Notes in Computer Science, pages 441–457, 2017.
[LY19] Julien Lange and Nobuko Yoshida. Verifying asynchronous interactions via communicating session automata. In CAV (1), volume 11561 of Lecture Notes in Computer Science, pages 97–117. Springer, 2019.
[MY15] Dimitris Mostrous and Nobuko Yoshida. Session typing and asynchronous subtyping for the higher-order $\pi$ -calculus. Inf. Comput., 241:227–263, 2015. doi:10.1016/j.ic.2015.02.002.
[MYH09] Dimitris Mostrous, Nobuko Yoshida, and Kohei Honda. Global principal typing in partially commutative asynchronous sessions. In ESOP, volume 5502 of Lecture Notes in Computer Science, pages 316–332. Springer, 2009.
[NH84] Rocco De Nicola and Matthew Hennessy. Testing Equivalences for Processes. Theoretical Computer Science, 34:83–133, 1984.
[Pad13] Luca Padovani. Fair subtyping for open session types. In ICALP, volume 7966 of Lecture Notes in Computer Science, pages 373–384. Springer, 2013.
[Pad16] Luca Padovani. Fair subtyping for multi-party session types. Math. Struct. Comput. Sci., 26(3):424–464, 2016.
[RV07] Arend Rensink and Walter Vogler. Fair testing. Inf. Comput., 205(2):125–198, 2007. doi:10.1016/j.ic.2006.06.002.
[SD19] Paula Severi and Mariangiola Dezani-Ciancaglini. Observational equivalence for multiparty sessions. Fundam. Informaticae, 170(1-3):267–305, 2019. doi:10.3233/FI-2019-1863.
[The20] The Authors. Fair refinement for asynchronous session types. https://github.com/julien-lange/fair-asynchronous-subtyping, 2020.
[vGH19] Rob van Glabbeek and Peter Höfner. Progress, justness, and fairness. ACM Comput. Surv., 52(4):69:1–69:38, 2019.
[vGHH21] Rob van Glabbeek, Peter Höfner, and Ross Horne. Assuming just enough fairness to make session types complete for lock-freedom. In 36th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2021, Rome, Italy, June 29 - July 2, 2021, pages 1–13. IEEE, 2021. doi:10.1109/LICS52264.2021.9470531.
[Wei08] Daniela Weinberg. Efficient controllability analysis of open nets. In WS-FM, volume 5387 of Lecture Notes in Computer Science, pages 224–239. Springer, 2008.

Appendix A Proofs

A.1. Undecidability of Fair Refinement

Let $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ ; we have that $T\sqsubseteq S$ if and only if $q_{f}$ is reachable in $M$ . To prove this, we first characterize the set of types that are compliant with $S$ .

See 3

Proof A.1.

Let $S=[\![M,E]\!]$ .

We first prove the if part. Let $S^{\prime}$ be a session type with input/output labels in $\Gamma\cup\{E\}$ s.t. $S^{\prime}\sim\overline{S}$ . We now prove that $S^{\prime}$ is compliant with $S$ . It is trivial to see that $\overline{S}$ is compliant with $S$ ; this holds because in the configuration $[S,\epsilon]|[\overline{S},\epsilon]$ the two parties alternate inputs and outputs in such a way that their buffers have maximal length 1, and moreover the possibility to successfully terminate by selecting the ending label $E$ is never disallowed. By Corollary 2 we have that also all types $S^{\prime}\sim\overline{S}$ are compliant with $S$ .

We now move to the only-if part. Let $S^{\prime}$ be a session type with input/output labels in $\Gamma\cup\{E\}$ s.t. $S^{\prime}$ is compliant with $S$ , i.e., $[S,\epsilon]|[S^{\prime},\epsilon]$ is a correct composition. We have that $\mathsf{unfold}(S^{\prime})$ cannot start with an output selection; in fact, if, for instance, it starts with an output selection and it selects any label $A$ , the type $S$ can select a branch with a different label $A^{\prime}$ , thus blocking. The initial input branching of $\mathsf{unfold}(S^{\prime})$ must have branchings labeled with all the symbols in $\Gamma$ plus the ending symbol $E$ , in that these are the labels that can be initially selected by $S$ . In each continuation of $S^{\prime}$ , the unfolding of the type should start with an output selection, otherwise the entire system is blocked in that the continuation of $S$ after the initial output selection starts with an input branching. Moreover, given that these input branchings of the continuation of $S$ have only the initially selected label, the output selection in the continuation of $S^{\prime}$ can have only such label. After each of these output selections of the continuation of $S^{\prime}$ , the same reasoning can be applied, excluding the case in which the label $E$ was initially selected. In this case, the continuation of $S^{\prime}$ should be such that its unfolding is $\mathbf{end}$ . This because, the continuation of $S$ becomes $\mathbf{end}$ after executing the input branching labeled with $E$ . These constraints that we have just proved holding for the type $S^{\prime}$ guarantee that $S^{\prime}\sim\overline{S}$ .

In order to prove the undecidability of refinement, we first show that $T$ is compliant with $\overline{S}$ if and only if $q_{f}$ is reachable in $M$ .

See 4

Proof A.2.

Consider the queue machine $M$ , the types $T=[\![M,q_{f},E]\!]$ and $S=[\![M,E]\!]$ and the initial configuration $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\epsilon]$ . The first transition is $[T,\epsilon]|[\overline{S},\epsilon]\stackrel{{\scriptstyle}}{{\rightarrow}}[[% \![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]$ .

We now define a partial mapping function $\{\!\!\{{\,}\}\!\!\}$ from configurations (reachable from the initial configuration $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]$ ) to configurations in the queue machine computation:

•
$\{\!\!\{{[[\![{q}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{\prime}]% }\}\!\!\}=(q,\omega_{T}\cdot\omega\cdot(\omega_{S}^{\prime})^{R})$ where
- –
  
  $\omega=\epsilon$ if $S^{\prime}$ starts with an input branching, or $\omega=A$ if $S^{\prime}$ starts with an output selection with unique label $A$ ,
- –
  
  the operator $\cdot$ stands for concatenation, and
- –
  
  and $\beta^{R}$ is the reverse of $\beta$ .

Notice that $\{\!\!\{{[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]}\}\!\!\}$ is defined and it coincides with the initial configuration of the queue computation $(s,\$)$ . In the following we use the following notation:

•
$[[\![{q}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{\prime}]% \Rightarrow[[\![{q^{\prime}}]\!]^{\emptyset},\omega_{T}^{\prime}]|[S^{\prime% \prime},\omega_{S}^{\prime\prime}]$ if
- –
  
  $[[\![{q}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{\prime}]\stackrel% {{\scriptstyle}}{{\rightarrow}}^{*}[[\![{q^{\prime}}]\!]^{\emptyset},\omega_{T% }^{\prime}]|[S^{\prime\prime},\omega_{S}^{\prime\prime}]$ and
- –
  
  all intermediary traversed configurations are not in the domain of the partial mapping function $\{\!\!\{{\,}\}\!\!\}$ .

Given that, excluding the final state $q_{f}$ , for each state $q$ of the queue machine $[\![{q}]\!]^{\emptyset}$ reproduces the dequeue/enqueue actions of state $q$ and $\overline{S}$ is a simple forwarder that repeatedly produces and consumes the same labels, we have that given $q\neq q_{f}$ we have $(q,\gamma)\rightarrow_{M}(q^{\prime},\gamma^{\prime})$ if and only if $[[\![{q}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{\prime}]% \Rightarrow[[\![{q^{\prime}}]\!]^{\emptyset},\omega_{T}^{\prime}]|[S^{\prime% \prime},\omega_{S}^{\prime\prime}]$ with $\{\!\!\{{[[\![{q}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{\prime}]% }\}\!\!\}=(q,\gamma)$ and $\{\!\!\{{[[\![{q^{\prime}}]\!]^{\emptyset},\omega_{T}^{\prime}]|[S^{\prime% \prime},\omega_{S}^{\prime\prime}]}\}\!\!\}=(q^{\prime},\gamma^{\prime})$ .

We now prove the only-if part of the theorem. Assume that $T$ is compliant with $\overline{S}$ . This means that there exists a computation leading to the final successful configuration. The unique occurrence of $\mathbf{end}$ is inside the type $[\![{q_{f}}]\!]^{\mathcal{S}}$ , hence we have $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]\Rightarrow\ldots% \Rightarrow[[\![{q_{f}}]\!]^{\emptyset},\omega_{T}]|[S^{\prime},\omega_{S}^{% \prime}]$ thus implying that state $q_{f}$ is reachable in $M$ .

We now prove the if part. Assume that $q_{f}$ is reachable in $M$ . Consider $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]\stackrel{{\scriptstyle}}{% {\rightarrow}}^{*}[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{% \prime}]$ . There are two possible cases: either (i) it is possible to extend the sequence of transitions as follows $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]\stackrel{{% \scriptstyle}}{{\rightarrow}}^{*}[[\![{q}]\!]^{\emptyset},\omega_{T}^{\prime% \prime}]|[S^{\prime\prime},\omega_{S}^{\prime\prime}]$ , for some state $q$ , (ii) or during the sequence of transitions $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]\stackrel{{\scriptstyle}}{% {\rightarrow}}^{*}[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{% \prime}]$ a configuration is traversed in which the l.h.s. type is $[\![{q_{f}}]\!]^{\emptyset}$ .

In the first case (i), we have that $(s,\$)\rightarrow_{M}^{*}\{\!\!\{{[[\![{q}]\!]^{\emptyset},\omega_{T}^{\prime% \prime}]|[S^{\prime\prime},\omega_{S}^{\prime\prime}]}\}\!\!\}$ ; moreover, in this computation of the queue machine the state $q_{f}$ is not traversed. This means that such a queue machine computation can be extended to reach $q_{f}$ , hence the sequence of transitions $[[\![{s}]\!]^{\emptyset},\epsilon]|[\overline{S},\$]\stackrel{{\scriptstyle}}{% {\rightarrow}}^{*}[[\![{q}]\!]^{\emptyset},\omega_{T}^{\prime\prime}]|[S^{% \prime\prime},\omega_{S}^{\prime\prime}]$ can be additionally extended to reach a configuration where the l.h.s. type is $[\![{q_{f}}]\!]^{\emptyset}$ . From such a configuration, we have that there are only finitely many transitions leading to the final successful configuration (in this final transitions both the queues are emptied and both types become $\mathbf{end}$ ).

In the second case (ii), we have that a configuration whose l.h.s. type is $[\![{q_{f}}]\!]^{\emptyset}$ . As just observed, this means that the configuration $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]$ is an intermediary configuration in the final sequence of transitions leading to the final successful configuration (in which both the queues are emptied and both types are $\mathbf{end}$ ).

By combining Theorem 4 with Lemma 3, we can finally prove that our encoding of queue machines into session types correctly reduces state reachability into refinement.

See 5

Proof A.3.

We first prove the only-if part. Let $T\sqsubseteq S$ . By Lemma 3 we have that $S$ is compliant with $\overline{S}$ . Given that $T\sqsubseteq S$ , also $T$ is compliant with $\overline{S}$ . By Theorem 4 this implies that $q_{f}$ is reachable in $M$ .

We now prove the if part. Assume that $q_{f}$ is reachable in $M$ . As discussed in Section 2 (see footnote 2) our encoding of queue machines assumes that the set $\mathcal{L}$ of labels in the Definition 2.1 of session types includes the symbols in the queue machine alphabet $\Gamma$ plus the symbol $E$ . We now consider a queue machine $M^{\prime}=(Q^{\prime},\Sigma,\Gamma^{\prime}\supseteq\Gamma,\$,s,\delta^{% \prime}\supseteq\delta)$ obtained by replacing the queue alphabet $\Gamma$ with a richer alphabet $\Gamma^{\prime}$ such that $\mathcal{L}=\Gamma^{\prime}\cup\{E\}$ , and by extending $\delta$ with a new transition relation $\delta^{\prime}$ which includes also the additional queue symbols in its domain. The behaviour of $\delta^{\prime}$ on these additional symbols is irrelevant because these symbols will never be placed in the queue, given that the input alphabet is still $\Sigma$ . We have that $q_{f}$ is reachable in $M^{\prime}$ , simply because $M^{\prime}$ reproduces the same computations of $M$ . By Theorem 4 we have that $T$ is compliant with $\overline{S}$ . By Corollary 2 we have that $T$ is compliant with all $S^{\prime}$ such that $S^{\prime}\sim\overline{S}$ . Under the assumption that $\mathcal{L}=\Gamma^{\prime}\cup\{E\}$ , by Lemma 3 we have that the set of types $S^{\prime}$ such that $S^{\prime}\sim\overline{S}$ precisely corresponds with the types with which $S$ is compliant. We have observed that $T$ is compliant with all such $S^{\prime}$ , hence we can conclude that $T\sqsubseteq S$ .

A.2. Controllability Characterisation

In this section we will prove the following theorem about controllability characterisation.

See 7

We start by introducing some notions and definitions that will be needed in the proof.

First of all we present an equivalent definition, based on purely structural induction, of the $\,\mathsf{ok}$ predicate introduced in Definition 2 characterizing session type controllability. {defi} Given a session type $T$ , we define the judgment $T\,\mathsf{ok}$ inductively as follows: {mathpar} \inferrule t ok

\inferrule

end ok

\inferrule

end∈ T ∨∃t’ : t’ ≠ t ∧t’ ∈ free(T) T ok μt.T ok
\inferrule T ok &{l:T} ok

\inferrule

∀i ∈I . T_i ok ⊕{l_i:T_i}_i∈I ok where $\mathsf{free}(T)$ is the set of variables $t$ occurring free in $T$ .

In the following we will use a reformulation of session types in terms of equation sets. In equation set notations we will use terms $T$ that have the same syntax as those used to denote session types, excluding the $\mu\mathbf{t}.\_$ recursion operator. Notice that in such notations we consider possibly open terms $T$ (i.e. such that $\mathsf{free}(T)$ is not empty). Session types are, thus, denoted by $T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}$ , with $\mathsf{Vars}$ being a set of variables $\mathbf{t}$ that includes all variables in $\mathsf{free}(T)$ and also in $\mathsf{free}(T_{\mathbf{t}})$ for all $\mathbf{t}\in\mathsf{Vars}$ .

Formally, given a session type $T$ (we assume with loss of generality that each of its recursions uses a variable with a different name) we consider its equivalent equation set notation $\mathsf{esn}(T)=T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in% \mathsf{Vars}\}$ , defined as follows:

•

$\mathsf{Vars}$ is the set of variable names used in the recursions of $T$
•

$T_{\mathsf{init}}$ is the only term without recursion operators satisfying: there exists a set of terms $T^{\prime}_{\mathbf{t}}$ , one for each variable $\mathbf{t}\in\mathsf{free}(T_{\mathsf{init}})$ , such that $T_{\mathsf{init}}\{T^{\prime}_{\mathbf{t}}/\mathbf{t}\mid\mathbf{t}\in\mathsf{% free}(T_{\mathsf{init}})\}=T$
•

each $T_{\mathbf{t}}$ , with $\mathbf{t}\in\mathsf{Vars}$ , is the only term without recursion operators satisfying: there exists a set of variables $\mathsf{Vars}_{\mathbf{t}}\subseteq\mathsf{free}(T_{\mathbf{t}})$ and a set of terms $T^{\prime}_{\mathbf{t}^{\prime}}$ , one for each variable $\mathbf{t}^{\prime}\in\mathsf{Vars}_{\mathbf{t}}$ , such that $T_{\mathbf{t}}\{T_{\mathbf{t}^{\prime}}/\mathbf{t}^{\prime}\mid\mathbf{t}^{% \prime}\in\mathsf{Vars}_{\mathbf{t}}\}=T^{\prime\prime}$ with $\mu\mathbf{t}.T^{\prime\prime}$ occurring in $T$ .

{defi}

[Unfolding]Given session type in equation set notation we define its unfolding $\mathsf{unfold}(T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\})$ as follows:

\mathsf{unfold}(T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\})=% \begin{cases}\mathsf{unfold}(T_{\mathbf{t}^{\prime}}\{\mathbf{t}=T_{\mathbf{t}% }\mid\mathbf{t}\in\mathsf{Vars}\})&\text{if $T=\mathbf{t}^{\prime}$}\\ T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}&\text{otherwise}% \end{cases}

Notice that unfolding is well defined because we consider session types with guarded recursion in equation set notation.

The transition relation for configurations $[T_{1}\{\mathbf{t}=T_{1,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}_{1}\},\omega% _{1}]|[T_{2}\{\mathbf{t}=T_{2,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}_{2}\},% \omega_{2}]$ , with $T_{i}\{\mathbf{t}=T_{i,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}_{i}\}$ , for $i\in\{1,2\}$ , being session types in equation set notation, is defined as in Definition 2.2 by using the above definition of unfolding (and by assuming that the $\{\mathbf{t}=T_{i,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}_{i}\}$ equational part is copied, for both $T_{1}$ and $T_{2}$ , after every transition).

Given $T_{1}$ and $T_{2}$ session types, it obviously holds (by standard arguments) that the transition system of $[T,\epsilon]|[S,\epsilon]$ is bisimilar to that of $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ , hence that: $T$ and $S$ are compliant if and only if $\mathsf{esn}(T)$ and $\mathsf{esn}(S)$ are compliant.

We now define predicate $\,\mathsf{ctrl}$ for session types in equation set notation. $\,\mathsf{ctrl}$ is defined as in Definition 2, by assuming that predicate $\,\mathsf{ok}$ is, instead, defined as follows. $T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}\,\mathsf{ok}$ if there exists an indexing (total order) ${\mathbf{t}}_{i}$ on the variables of $\mathsf{Vars}$ such that $\{\mathbf{t}_{i}\mid 1\leq i\leq n\}=\mathsf{Vars}$ and, for all $i$ , with $1\leq i\leq n$ , it, holds:

\mathbf{end}\!\in\!T_{i}\vee\exists\mathbf{t}_{j}\!:\!j<i\wedge\mathbf{t}_{j}% \!\in\!\mathsf{free}(T_{i})

Moreover, as in Definition 2, in order to establish $\,\mathsf{ctrl}$ of a session type $T\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}$ input prefix replacement must preliminarily be performed, so to obtain session types $T^{\prime}\{\mathbf{t}=T^{\prime}_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}^{% \prime}\}$ where $\mathsf{Vars}^{\prime}\subseteq\mathsf{Vars}$ and in both term $T^{\prime}\in\mathsf{sin}(T)$ and all terms $T^{\prime}_{\mathbf{t}}\in\mathsf{sin}(T_{\mathbf{t}})$ , with $\mathbf{t}\in\mathsf{Vars}^{\prime}$ , all input prefixes have a single label.

Proposition 16.

$T$ $\,\mathsf{ctrl}$ if and only if $\mathsf{esn}(T)$ $\,\mathsf{ctrl}$ .

Proof A.4.

We first show that $T$ $\,\mathsf{ctrl}$ implies $\mathsf{esn}(T)$ $\,\mathsf{ctrl}$ . Given $T^{\prime}$ obtained by input prefix replacement from $T$ (so to have input prefixes with single choices) that satisfies the $\,\mathsf{ok}$ predicate, we correspondingly consider $\mathsf{esn}(T^{\prime})$ , which is an input prefix replacement of $\mathsf{esn}(T)$ . $\mathsf{esn}(T^{\prime})\,\mathsf{ok}$ is an immediate consequence of $T^{\prime}\,\mathsf{ok}$ by considering the indexing ${\mathbf{t}}_{i}$ of variable names used in the recursions of $T$ obtained as follows. We incrementally assign indexes to variables (starting from $1$ ) according to a depth-first visit of the syntax tree of $T$ as follows. When we are at a $\mu\mathbf{t}.T^{\prime\prime}$ node, we have two cases. Either $\mathbf{t}$ has already an assigned index (not possibile at the beginning) or not. In the latter case: we consider all $\mu\mathbf{t}^{\prime}.\_$ operators occurring in $T^{\prime\prime}$ , if any, that syntactically include $\mathbf{end}$ or variable $\mathbf{t}^{\prime\prime}$ such that $\mathbf{t}^{\prime\prime}\!\neq\!\mathbf{t}\wedge\mathbf{t}^{\prime\prime}\!% \in\!\mathsf{free}(T^{\prime\prime})$ and we assign an index to all such $\mathbf{t}^{\prime}$ (incrementing the last assigned index) in increasing order from the innermost to the outermost; then we assign an index to $\mathbf{t}$ (incrementing the last assigned index). Finally, in both cases, we visit all the $\mu\mathbf{t}^{\prime}.\_$ descendants (with no other recursion node in-between) of the $\mu\mathbf{t}.\_$ node, if any.

We now show that $\mathsf{esn}(T)$ $\,\mathsf{ctrl}$ implies $T$ $\,\mathsf{ctrl}$ . Given $T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}$ obtained by input prefix replacement from $\mathsf{esn}(T)$ that satisfies the $\,\mathsf{ok}$ predicate, we correspondingly consider the only term $T^{\prime}$ which is an input prefix replacement of $T$ such that $\mathsf{esn}(T^{\prime})=T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid% \mathbf{t}\in\mathsf{Vars}\}$ . We show that $T^{\prime}\,\mathsf{ok}$ (Definition A.2 above) by structural induction:

•

For the base cases ${\mathbf{t}\,\mathsf{ok}}$ and ${\mathbf{end}\,\mathsf{ok}}$ we have nothing to show.
•

$\&\{{l}:{T^{\prime\prime}}\}\,\mathsf{ok}$ and $\oplus\{{l}_{i}:{T^{\prime\prime}}_{i}\}_{i\in I}\,\mathsf{ok}$ are a direct consequence of the induction hypothesis, i.e. $T^{\prime\prime}\,\mathsf{ok}$ and $\forall i\in I.\ T^{\prime\prime}_{i}\,\mathsf{ok}$ , respectively.
•
$\mu\mathbf{t}.T^{\prime\prime}\,\mathsf{ok}$ is a direct consequence of the induction hypothesis $T^{\prime\prime}\,\mathsf{ok}$ and of the fact that: $\mathbf{end}\!\in\!T^{\prime\prime}\vee\exists\mathbf{t}^{\prime}\!:\!\mathbf{% t}^{\prime}\!\neq\!\mathbf{t}\wedge\mathbf{t}^{\prime}\!\in\!\mathsf{free}(T^{% \prime\prime})$ . The latter is shown as follows. From $T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}\,% \mathsf{ok}$ we know that there exists a variable indexing ${\mathbf{t}}_{i}$ such that, for all $i\in I$ it, holds: $\mathbf{end}\!\in\!T_{i}\vee\exists\mathbf{t}_{j}\!:\!j<i\wedge\mathbf{t}_{j}% \!\in\!\mathsf{free}(T_{i})$ . So, given index $i$ such that $\mathbf{t}_{i}=\mathbf{t}$ , we have to show: $\mathbf{end}\!\in\!T^{\prime\prime}\vee\exists z\!:\!z\!\neq\!i\wedge\mathbf{% \mathbf{t}}_{z}\!\in\!\mathsf{free}(T^{\prime\prime})$ . What we know is that $\mathbf{end}\!\in\!T_{i}\vee\exists\mathbf{t}_{j}\!:\!j<i\wedge\mathbf{t}_{j}% \!\in\!\mathsf{free}(T_{i})$ , so there are two cases:
1. (1)
  
  Either it holds $\mathbf{end}\!\in\!T^{\prime\prime}\vee\mathbf{t}_{j}\!\in\!\mathsf{free}(T^{% \prime\prime})$ and we are done (with $z=j$ ).
2. (2)
  
  Or $\mu\mathbf{t}_{j}.T^{\prime\prime\prime}$ , for some $T^{\prime\prime\prime}$ , is a subterm of $T^{\prime\prime}$ . In this case we show that: $\mathbf{end}\!\in\!T^{\prime\prime\prime}\vee\exists z\!:\!z\!\neq\!i\wedge% \mathbf{\mathbf{t}}_{z}\!\in\!\mathsf{free}(T^{\prime\prime\prime})$ . To do this we consider index $j$ and the defining term $T_{j}$ in its equation: we know that $\mathbf{end}\!\in\!T_{j}\vee\exists\mathbf{t}_{k}\!:\!k<j\wedge\mathbf{t}_{k}% \!\in\!\mathsf{free}(T_{j})$ . Now again we have the same two cases, considering index $k$ instead of $j$ and term $T^{\prime\prime\prime}$ instead of term $T^{\prime\prime}$ . Notice that we cannot proceed like this forever because the syntax of $T^{\prime\prime}$ is finite, hence case $1.$ must eventually apply. Moreover when this happens, we are sure that the variable $\mathbf{t}_{z}$ that we detect is different from $\mathbf{t}=\mathbf{t}_{i}$ (i.e. $z\neq i$ ) because the indexing of the variables that we consider are always strictly smaller than $i$ .

We are now in a position to prove the desired theorem. We prove implications in the two opposite directions one at a time.

Theorem 17.

If there exists a session type $S$ such that $T$ and $S$ are compliant then $T$ $\,\mathsf{ctrl}$ .

Proof A.5.

Since $T$ and $S$ are compliant, as observed above, we have also that $\mathsf{esn}(T)$ and $\mathsf{esn}(S)$ are compliant. Therefore (the transition system of) configuration $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ is a correct composition according to Definition 2.2.

We now show that $\mathsf{esn}(T)$ $\,\mathsf{ctrl}$ : by Proposition 16 this implies that $T$ $\,\mathsf{ctrl}$ . In order to do this we need to enrich the transition system representation of the behaviour of configurations $[T_{1}\{\mathbf{t}=T_{1,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{1}}\},\omega% _{1}]|[T_{2}\{\mathbf{t}=T_{2,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{2}}\},% \omega_{2}]$ . We assume the transition relation $\rightarrow$ defined in Definition 2.2 to be enriched as follows: $\rightarrow$ transitions originated from outputs of $T_{1}$ (rule $1.$ of Definition 2.2) are assumed to be decorated with the label $l_{j}$ of the performed output (denoted by $\,\mathop{\longrightarrow}\limits^{\overline{l_{j}}}\,$ ), while $\rightarrow$ transitions originated from inputs of $T_{1}$ (rule $2.$ of Definition 2.2) are assumed to be decorated with the label $l_{j}$ of the performed input (denoted by $\,\mathop{\longrightarrow}\limits^{l_{j}}\,$ ). Notice that, in case of transitions originated from inputs or outputs of $T_{2}$ no decoration is added to transitions $\rightarrow$ . Moreover, rule $3.$ (about recursion unfolding) of Definition 2.2 is assumed to just copy the decoration labeling the transition (if there is any).

We now consider such an enriched transition system over configurations $[T_{1}\{\mathbf{t}=T_{1,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{1}}\},\omega% _{1}]|[T_{2}\{\mathbf{t}=T_{2,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{2}}\},% \omega_{2}]$ . We use $s$ to range over these configurations. We say that a configuration $s=[T_{1}\{\mathbf{t}=T_{1,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{1}}\},% \omega_{1}]|[T_{2}\{\mathbf{t}=T_{2,\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars_{% 2}}\},\omega_{2}]$ exposes variable $\mathbf{t}^{\prime}\in\mathsf{Vars_{1}}$ if $T_{1}=\mathbf{t}^{\prime}$ . Moreover, we denote transition systems paths starting from a given configuration $s$ , i.e. finite sequences of transitions $s\,\mathop{\longrightarrow}\limits^{\alpha_{1}}\,s_{1}\,\mathop{% \longrightarrow}\limits^{\alpha_{2}}\,s_{2}\dots\,\mathop{\longrightarrow}% \limits^{\alpha_{n}}\,s_{n}$ (where $\alpha_{i}$ decorations can be $\varepsilon$ in case of non decorated $\rightarrow$ transitions), by means of strings $\langle\alpha_{1},s_{1}\rangle\langle\alpha_{2},s_{2}\rangle\dots\langle\alpha% _{n},s_{n}\rangle$ (strings over pairs $\langle\alpha^{\prime},s^{\prime}\rangle$ with $\alpha^{\prime}$ being a decoration or $\varepsilon$ and $s^{\prime}$ a configuration).

Assuming $\mathsf{esn}(T)=T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in% \mathsf{Vars}\}$ , we now construct an indexing on the variables in the subset $\mathsf{Vars^{\prime}}$ of $\mathsf{Vars}$ , which includes variables $\mathbf{t}$ such that: a configuration $s$ that exposes $\mathbf{t}$ is reachable from the initial configuration $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ . We proceed as follows. If $\mathsf{Vars^{\prime}}\neq\emptyset$ , then we consider any reachable configuration $s$ that exposes some variable $\mathbf{t}\in\mathsf{Vars}$ . Since $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ is a correct composition, the configuration $s$ must reach a configuration $s^{\prime}$ such that $s^{\prime}\surd$ . We consider the path from $s$ to $s^{\prime}$ and the last configuration $s^{\prime\prime}$ of such a path that exposes a variable. We denote such a variable with $\mathbf{t}_{1}$ , the configuration $s^{\prime\prime}$ that exposes it with $s_{1}$ , and the path (string) from $s_{1}$ that leads to $s^{\prime}$ (part of the path from $s$ to $s^{\prime}$ considered above) with $\mathsf{path}_{1}$ . In any subsequent $k$ -th step, with $k\geq 2$ , we consider the set $\mathsf{Vars}_{k}=\mathsf{Vars^{\prime}}-\{\mathbf{t}_{h}\mid h<k\}$ . If $\mathsf{Vars}_{k}\neq\emptyset$ , then we consider any reachable configuration $s$ that exposes some variable $\mathbf{t}\in\mathsf{Vars}_{k}$ . Since $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ is a correct composition, the configuration $s$ must reach a configuration $s^{\prime}$ such that $s^{\prime}\surd$ . We consider the path from $s$ to $s^{\prime}$ and the first configuration $s^{\prime\prime}$ of such a path that either exposes a variable in $\{\mathbf{t}_{h}\mid h<k\}$ or is such that $s^{\prime\prime}\surd$ . Again we consider the path from $s$ to $s^{\prime\prime}$ and the last configuration $s^{\prime\prime\prime}$ of such a path that: is different from $s^{\prime\prime}$ and exposes a variable (such a variable must exist, because $s$ exposes a variable, and belong to $\mathsf{Vars}_{k}$ because of the way we have selected $s^{\prime\prime}$ ). We denote such a variable with $\mathbf{t}_{k}$ , the configuration $s^{\prime\prime\prime}$ that exposes it with $s_{k}$ , and the path (string) from $s_{k}$ that leads to $s^{\prime\prime}$ (part of the path from $s$ to $s^{\prime\prime}$ considered above) with $\mathsf{path}_{k}$ .

We now consider terms $T^{\prime}_{k}$ for each variable $\mathbf{t}_{k}\in\mathsf{Vars^{\prime}}$ . We build $T^{\prime}_{k}$ terms inductively by taking $T^{\prime}_{k}=\mathsf{term}(T_{\mathbf{t}_{k}},s_{k},\mathsf{path}_{k})$ , where $\mathsf{term}(T^{\prime},s,\mathsf{optpath})$ , with $\mathsf{optpath}$ being either a $\mathsf{path}$ or $*$ (that represents being outside the path), is defined as follows.

•

$\mathsf{term}(\mathbf{t},s,\varepsilon)=\mathbf{t}$
•

$\mathsf{term}(\mathbf{end},s,\varepsilon)=\mathbf{end}$
•

$\mathsf{term}(\&\{{l}_{i}:{T}_{i}\}_{i\in I},s,\langle l_{j},s^{\prime}\rangle% \mathsf{path})=\&\{{l_{j}}:{\mathsf{term}(T_{j},s^{\prime},\mathsf{path})}\}$
•

$\mathsf{term}(\oplus\{{l}_{i}:{T}_{i}\}_{i\in I},s,\langle\overline{l_{j}},s^{% \prime}\rangle\mathsf{path})=\oplus\{{l}_{i}:{T^{\prime}}_{i}\}_{i\in I}$
where $T^{\prime}_{j}\!=\!\mathsf{term}(T_{j},s^{\prime},\mathsf{path})$ and, for all $i\!\in\!I$ , $i\!\neq\!j$ : $T^{\prime}_{i}\!=\!\mathsf{term}(T_{i},s_{i},*)$ with $s\,\mathop{\longrightarrow}\limits^{\overline{l_{i}}}\,s_{i}$
•

$\mathsf{term}(T^{\prime},s,\langle\varepsilon,s^{\prime}\rangle\mathsf{path})=% \mathsf{term}(T^{\prime},s^{\prime},\mathsf{path})$
•

$\mathsf{term}(\mathbf{t},s,*)=\mathbf{t}$
•

$\mathsf{term}(\mathbf{end},s,*)=\mathbf{end}$
•

$\mathsf{term}(\&\{{l}_{i}:{T}_{i}\}_{i\in I},s,*)=\&\{{l_{j}}:{\mathsf{term}(T% _{j},s_{j},*)}\}$ if $s$ has some $\,\mathop{\longrightarrow}\limits^{l}\,$ transition
where $j$ is any $i\in I$ such that $s\,\mathop{\longrightarrow}\limits^{l_{j}}\,s_{j}$
•

$\mathsf{term}(\oplus\{{l}_{i}:{T}_{i}\}_{i\in I},s,*)=\oplus\{{l}_{i}:{\mathsf% {term}(T_{i},s_{i},*)}_{i}\}_{i\in I}$ if $s$ has some $\,\mathop{\longrightarrow}\limits^{\overline{l}}\,$ transition
where, for all $i\!\in\!I$ , $s\,\mathop{\longrightarrow}\limits^{l_{i}}\,s_{i}$
•

$\mathsf{term}(T^{\prime},s,*)=\mathsf{term}(T^{\prime},s^{\prime},*)$ if $T^{\prime}\notin\{\mathbf{t},\mathbf{end}\}$ and $s$ has neither $\,\mathop{\longrightarrow}\limits^{l}\,$ nor $\,\mathop{\longrightarrow}\limits^{\overline{l}}\,$ transitions
where $s^{\prime}$ is the first configuration having some $\,\mathop{\longrightarrow}\limits^{l}\,$ transition or some $\,\mathop{\longrightarrow}\limits^{\overline{l}}\,$ transition in the path from $s$ to a configuration $s^{\prime\prime}$ such that $s^{\prime\prime}\surd$ (such a path must exist because $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ is a correct composition)

where we use $\varepsilon$ to represent the empty string.

We also take $T^{\prime}_{\mathsf{init}}=\mathsf{term}(T_{\mathsf{init}},[\mathsf{esn}(T),% \epsilon]|[\mathsf{esn}(S),\epsilon],*)$ .

We now have that $T^{\prime}_{\mathsf{init}}\{\mathbf{t}_{k}=T^{\prime}_{k}\mid\mathbf{t}_{k}\in% \mathsf{Vars}^{\prime}\}$ is a session type in equation notation: $\mathsf{Vars}^{\prime}$ must include all variables in $\mathsf{free}(T^{\prime}_{\mathsf{init}})$ and also in $\mathsf{free}(T^{\prime}_{k})$ for all $\mathbf{t}_{k}\in\mathsf{Vars}^{\prime}$ because, otherwise, a configuration $s$ exposing the variable that is not included in $\mathsf{Vars}^{\prime}$ would have been reachable from the initial configuration $[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ (which contradicts the definition of $\mathsf{Vars}^{\prime}$ ). Moreover, due to the way $\mathsf{term}$ is defined, $T^{\prime}_{\mathsf{init}}\{\mathbf{t}_{k}=T^{\prime}_{k}\mid\mathbf{t}_{k}\in% \mathsf{Vars}^{\prime}\}$ is obtained from $T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\}$ by performing input replacement that yields input prefixes with single inputs. Finally, being $s_{k}$ the last configuration exposing a variable inside a path ending with a configuration $s$ that either exposes a variable in $\{\mathbf{t}_{h}\mid h<k\}$ (and not having previous configurations exposing such variables) or is such that $s\surd$ , each of the $T^{\prime}_{k}$ satisfies the constraint $\mathbf{end}\!\in\!T^{\prime}_{k}\vee\exists\mathbf{t}_{h}\!:\!h<k\wedge% \mathbf{t}_{h}\!\in\!\mathsf{free}(T^{\prime}_{k})$ .

Theorem 18.

If $T$ $\,\mathsf{ctrl}$ then there exists a session type $S$ such that $T$ and $S$ are compliant.

Proof A.6.

If $T$ $\,\mathsf{ctrl}$ then $\mathsf{esn}(T)=T_{\mathsf{init}}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in% \mathsf{Vars}\}$ $\,\mathsf{ctrl}$ . That is, there exists an input prefix replacement that yields a session type $T^{\prime}_{\mathsf{init}}\{\mathbf{t}=T^{\prime}_{\mathbf{t}}\mid\mathbf{t}% \in\mathsf{Vars}^{\prime}\}$ such that $\mathsf{Vars}^{\prime}\subseteq\mathsf{Vars}$ (and in both term $T^{\prime}_{\mathsf{init}}\in\mathsf{sin}(T_{\mathsf{init}})$ and all terms $T^{\prime}_{\mathbf{t}}\in\mathsf{sin}(T_{\mathbf{t}})$ , with $\mathbf{t}\in\mathsf{Vars}^{\prime}$ , all input prefixes have a single label) and that satisfies the $\,\mathsf{ok}$ predicate, i.e. there exists an indexing $\mathbf{t}_{i}$ of the $\mathsf{Vars}^{\prime}$ variables, such that: $\mathbf{end}\!\in\!T^{\prime}_{\mathbf{t}_{i}}\vee\exists\mathbf{t}_{j}\!:\!j<% i\wedge\mathbf{t}_{j}\!\in\!\mathsf{free}(T^{\prime}_{\mathbf{t}_{i}})$ . We assume set $\mathsf{Vars}^{\prime}$ to be minimal, i.e. to not include any defined but unused variable name and we take $S$ to be the unique session type such that $\mathsf{esn}(S)=\overline{T^{\prime}_{\mathsf{init}}}\{\mathbf{t}=\overline{T^% {\prime}_{\mathbf{t}}}\mid\mathbf{t}\in\mathsf{Vars}^{\prime}\}$ .

In the following we will consider configurations $[T_{1}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in\mathsf{Vars}\},\omega_{1}]|% [T_{2}\{\mathbf{t}=\overline{T^{\prime}_{\mathbf{t}}}\mid\mathbf{t}\in\mathsf{% Vars}^{\prime}\},\omega_{2}]$ that are reachable from the initial configuration $s_{\mathsf{init}}=[\mathsf{esn}(T),\epsilon]|[\mathsf{esn}(S),\epsilon]$ . We say that any such configuration exposes variable $\mathbf{t}^{\prime}\in\mathsf{Vars}$ if $T_{1}=\mathbf{t}^{\prime}$ . Now, given any configuration $s$ reachable from the initial configuration $s_{\mathsf{init}}$ , we have that $s$ is such that:

•

$\omega_{1}=\epsilon\vee\omega_{2}=\epsilon$
•

There exists a configuration $s_{\epsilon}$ , which is reached from $s$ with the transitions originated by performing either the non-empty $\omega_{1}$ sequence of inputs in the lefthand type or the non-empty sequence $\omega_{2}$ of inputs in the righthand type, such that $s_{\epsilon}=[T^{\prime}_{1}\{\mathbf{t}=T_{\mathbf{t}}\mid\mathbf{t}\in% \mathsf{Vars}\},\epsilon]|[\overline{T^{\prime}_{2}}\{\mathbf{t}=\overline{T^{% \prime}_{\mathbf{t}}}\mid\mathbf{t}\in\mathsf{Vars}^{\prime}\},\epsilon]$ , with $T^{\prime}_{2}\in\mathsf{sin}(T^{\prime}_{1})$ .

This property of $s$ is, indeed, an invariant property of all configurations reachable from the initial configuration $s_{\mathsf{init}}$ in that: it is satisfied by $s_{\mathsf{init}}$ itself and it is preserved both by transitions originated from outputs of the lefthand or righthand type (which, for a configuration satisfying the above property, can be done only if its own queue is empty, and have the effect of enqueuing in the righthand or lefthand type, respectively, a symbol that it can then, dually, dequeue with an input) and by transitions originated from inputs of the lefthand or righthand type (which just make the already existing input transition sequence to $s_{\epsilon}$ shorter).

We now notice that it is possible to reach, from $s_{\epsilon}$ , by performing outputs of the lefthand or righthand type immediately followed by inputs dually executed by the righthand or lefthand type, respectively: either a configuration $s^{\prime}$ such that $s^{\prime}\surd$ (in case $\mathbf{end}\in T^{\prime}_{2}$ ), or a configuration exposing an indexed variable $\mathbf{t}_{i}\in\mathsf{Vars}^{\prime}$ . In the latter case, we can, similarly, reach: either a configuration $s^{\prime\prime}$ such that $s^{\prime\prime}\surd$ (in case $\mathbf{end}\in T^{\prime}_{\mathbf{t}_{i}}$ ), or a configuration exposing an indexed variable $\mathbf{t}_{j}\in\mathsf{Vars}^{\prime}$ with $j<i$ . In the latter case, we repeat, again, the same step: we are guaranteed to eventually meet the case in which a $\surd$ configuration is reached in that variable indexes strictly decrease at each step. We thus have that $\mathsf{esn}(T)$ and $\mathsf{esn}(S)$ are compliant, hence $T$ and $S$ are compliant.

A.3. Soundness of Fair Asynchronous Subtyping w.r.t. Fair Refinement

Lemma 19.

•

$\mathcal{A}$ does not contain any input branching and $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}P_{1}^{i}$ , for every $i\in J$ ;
•
$\mathcal{A}$ contains an input branching and $P_{1}^{i}$ (for every $i\in J$ ) and $P_{2}$ have at least one outgoing transition.
For every possible transition $P_{1}^{i}\stackrel{{\scriptstyle}}{{\rightarrow}}P_{1}^{\prime}$ we have that one of the following holds:
1. (1)
  
  $P_{1}^{i}$ does not consume the label $l_{i}$ and there exist $\mathcal{A}^{\prime}$ , $W$ , $T^{\prime}_{wj}$ (for every $w\in W$ , $j\in J$ ), $S^{\prime}$ , $\omega_{T}^{\prime}$ and $\omega_{S}^{\prime}$ s.t. $P_{1}^{\prime}=[\mathcal{A^{\prime}}[{T^{\prime}_{wi}}]^{w\in W},\omega_{T}^{% \prime}]{|}[S^{\prime},\omega_{S}^{\prime}\!\cdot\!l_{i}]$ and
  $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}[\mathcal{A^{\prime}}[{\oplus\{{l% }_{j}:{T^{\prime}_{w}}_{j}\}_{j\in J}}]^{w\in W},\omega_{T}^{\prime}]{|}[S^{% \prime},\omega_{S}^{\prime}]$ ;
2. (2)
  
  $P_{1}^{i}$ consumes the label $l_{i}$ , hence $P_{1}^{\prime}=[\mathcal{A}[{T_{ki}}]^{k\in K},\omega_{T}]{|}[S^{\prime},% \omega_{S}]$ , and $\exists j\in\{1,\ldots,m\}$ s.t. $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[T_{ji},\omega_{T}^{\prime}]{% |}[S^{\prime},\omega_{S}]$ and $\omega_{T}=a_{1}\!\cdot\!\dots\!\cdot\!a_{w}\!\cdot\!\omega_{T}^{\prime}$ , where $a_{1},\dots,a_{w}$ are the labels in one of the paths to $[\,]^{j}$ in $\mathcal{A}$ .
For every possible transition $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}P_{2}^{\prime}$ we have that there exist $\mathcal{A}^{\prime}$ , $W$ , $T^{\prime}_{wj}$ (for every $w\in W$ , $j\in J$ ), $S^{\prime}$ , $\omega_{T}^{\prime}$ and $\omega_{S}^{\prime}$ s.t.
$P_{2}^{\prime}=[\mathcal{A^{\prime}}[{\oplus\{{l}_{j}:{T^{\prime}_{w}}_{j}\}_{% j\in J}}]^{w\in W},\omega_{T}^{\prime}]{|}[S^{\prime},\omega_{S}^{\prime}]$ and
$P_{1}^{i}\stackrel{{\scriptstyle}}{{\rightarrow}}[\mathcal{A^{\prime}}[{T^{% \prime}_{wi}}]^{w\in W},\omega_{T}^{\prime}]{|}[S^{\prime},\omega_{S}^{\prime}% \!\cdot\!l_{i}]$ .

Lemma 20.

Consider $P_{1}=[\mathcal{A}[{T_{k}}]^{k\in K},\omega_{T}]{|}[S,\omega_{S}]$ and $P_{2}=[T_{j},\omega_{T}^{\prime}]{|}[S,\omega_{S}]$ with $\omega_{T}=a_{1}\!\cdot\!\dots\!\cdot\!a_{w}\!\cdot\!\omega_{T}^{\prime}$ , where $a_{1},\dots,a_{w}$ are the labels in one of the paths to $[\,]^{j}$ in $\mathcal{A}$ . We have that if $P_{2}$ is a correct composition, then also $P_{1}$ is a correct composition.

Proof A.7.

By contraposition, assume $P_{1}$ is not a correct composition. This implies the existence of $P_{1}^{\prime}$ , from which it is not possible to reach a successful configuration, such that $P_{1}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P_{1}^{\prime}$ . If the labels $a_{1},\dots,a_{w}$ were not consumed, we extend $P_{1}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P_{1}^{\prime}$ to $P_{1}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P_{1}^{\prime\prime}$ by allowing the l.h.s. type to consume all the labels $a_{1},\dots,a_{w}$ . We have that also from $P_{1}^{\prime\prime}$ is not possible to reach a successful configuration. We now reorder the transitions in $P_{1}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P_{1}^{\prime\prime}$ such that in the initial $w$ steps the l.h.s. type consumes the labels $a_{1},\dots,a_{w}$ . After these transitions the configuration $P_{2}$ is reached. This implies that also $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P_{1}^{\prime\prime}$ , but this is not possible because $P_{2}$ is a correct composition and from $P_{1}^{\prime\prime}$ no successful configuration can be reached.

Lemma 21.

Consider the session type $T=\mathcal{A}[{\oplus\{{l}_{j}:{T_{k}}_{j}\}_{j\in J}}]^{k\in K}$ . Let $P_{2}=[T,\omega_{T}]|[S,\omega_{S}]$ and $P_{1}^{i}=[\mathcal{A}[{T_{ki}}]^{k\in K},\omega_{T}]|[S,\omega_{S}\!\cdot\!l_% {i}]$ , for every $i\in J$ . If $P_{2}$ is a correct composition then, for every $i\in J$ , there exists $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]$ such that $P_{1}^{i}\rightarrow^{*}[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S% }^{\prime}]$ and $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]\surd$ .

Proof A.8.

Given that $P_{2}$ is a correct composition, we know that there exists $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]$ s.t. $[\mathcal{A}[{\oplus\{{l}_{j}:{T_{k}}_{j}\}_{j\in J}}]^{k\in K},\omega_{T}]|[S% ,\omega_{S}]\rightarrow^{*}[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega% _{S}^{\prime}]$ and $[T^{\prime},\omega_{T}^{\prime}]|[S^{\prime},\omega_{S}^{\prime}]\surd$ . During this sequence of transitions, the input context $\mathcal{A}$ will become without input branchings, because a configuration that contains one type with an input branching is not successful. In other terms there exist a prefix of the sequence of transitions, at the end of which the input context becomes without input branchings. We proceed by induction on the length of such a prefix. If the length is zero, we can apply the first item of Lemma 19 to conclude that $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}P_{1}^{i}$ , for every $i\in J$ , hence also $P_{1}^{i}$ can reach a successful configuration. In the inductive step, we consider the first transition of $P_{2}$ , we apply the last item of Lemma 19 to show that also $P_{1}^{i}$ , for every $i\in J$ , can perform a transition such that it is possible to apply again the hypothesis on the reached configurations. This is possible because if $P_{2}$ is correct, also the configurations it can reach are correct.

Proposition 22.

Consider the session type $T=\mathcal{A}[{\oplus\{{l}_{j}:{T_{k}}_{j}\}_{j\in J}}]^{k\in K}$ . If $[T,\omega_{T}]|[S,\omega_{S}]$ is a correct composition then, for every $i\in J$ , we have that also $[\mathcal{A}[{T_{ki}}]^{k\in K},\omega_{T}]|[S,\omega_{S}\!\cdot\!l_{i}]$ is a correct composition.

Proof A.9.

By contraposition, assume $i\in J$ s.t. $P_{1}^{i}=[\mathcal{A}[{T_{ki}}]^{k\in K},\omega_{T}]|[S,\omega_{S}\!\cdot\!l_% {i}]$ is not a correct composition. This means the existence of $P_{1}^{i}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P^{\prime}$ such that $P^{\prime}$ cannot reach a successful configuration. By induction on the length of this sequence of transition we show that, differently from what assumed, $P^{\prime}$ can reach a successful configuration. If the length is 0, we simply apply Lemma 21 to show that $P_{1}^{i}=P^{\prime}$ can reach a successful configuration. If the length is not 0, we consider two possible cases: (i) the initial transition of $P_{1}^{i}\stackrel{{\scriptstyle}}{{\rightarrow}}P^{\prime\prime}$ of $P_{1}^{i}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P^{\prime}$ consumes the label $l_{i}$ from the the queue of the r.h.s. type or (ii) it does not. In case (i) we use the corresponding item 2 in Lemma 19 to see that we can apply Lemma 20 on $P_{2}$ and $P^{\prime\prime}$ , in order to conclude that $P^{\prime\prime}$ is a correct composition. Given that $P^{\prime\prime}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P^{\prime}$ we can conclude that $P^{\prime\prime}$ can reach a successful configuration. In case (ii) we use the corresponding item 1 in Lemma 19 to conclude that we can apply again the inductive hypothesis on the shortest sequence of transitions $P^{\prime\prime}\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}P^{\prime}$ . This is possible because $P_{2}$ has a corresponding transition to $P_{2}\stackrel{{\scriptstyle}}{{\rightarrow}}P_{2}^{\prime}$ , such that $P^{\prime\prime}$ and $P_{2}^{\prime}$ still satisfies the assumption in the statement of the Lemma. In particular $P_{2}^{\prime}$ is a correct composition because also $P_{2}$ is a correct composition.

Lemma 23.

If $[S,\omega_{S}]|[R,\omega_{R}]$ is a correct composition then $S$ is controllable.

Proof A.10.

We show the existence of a type $T$ such that $[S,\epsilon]|[T,\epsilon]$ is a correct composition.

Consider a type $T$ defined as follows. Assume $\omega_{S}=l_{1}^{S}\cdots l_{k}^{S}$ and $\omega_{R}=l_{1}\cdots l_{w}^{R}$ . The type $T$ initially performs $k$ outputs with single output labels $l_{1}$ , $\cdots$ , $l_{k}$ , respectively. After such outputs, it becomes like $R$ , with the difference that along all of its paths, the initial $w$ input branchings are replaced by one of its continuation as follows: the $i$ -th input branching is replaced by its continuation in the branch labeled with $l_{i}^{R}$ .

We now show by contraposition that $[S,\epsilon]|[T,\epsilon]$ is a correct composition. If $[S,\epsilon]|[T,\epsilon]$ is not correct, then there exists $[S,\epsilon]|[T,\epsilon]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega_{S}^{\prime}]|[T^{\prime},\omega_{T}^{\prime}]$ such that from $[S^{\prime},\omega_{S}^{\prime}]|[T^{\prime},\omega_{T}^{\prime}]$ it is not possible to reach a successful configuration. It is not restrictive to assume that during $[S,\epsilon]|[T,\epsilon]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega_{S}^{\prime}]|[T^{\prime},\omega_{T}^{\prime}]$ the r.h.s. type has produced the queue $\omega_{S}$ (in fact, if it has not produced them, we continue the computation performing them). We can also assume that outputs in $T$ , corresponding to outputs in $R$ along an initial path with less than $w$ inputs have been all performed (also in this case, if these outputs were not performed, we continue the computation executing them). We have that also $[S,\omega_{S}]|[R,\omega_{R}]$ can perform a computation $[S,\omega_{S}]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega_{S}^{\prime}]|[T^{\prime},\omega_{T}^{\prime}]$ . Given that $[S,\omega_{S}]|[R,\omega_{R}]$ is a correct composition, we have that from $[S^{\prime},\omega_{S}^{\prime}]|[T^{\prime},\omega_{T}^{\prime}]$ will be possible to reach a successful configuration, thus contradicting the above assumption.

See 8

Proof A.11.

Given that $[S,\omega]|[R,\omega_{R}]$ is a correct composition, there exist $S^{\prime}$ , $\omega^{\prime\prime}$ , $R^{\prime\prime}$ , and $\omega_{R}^{\prime\prime}$ such that $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]$ and $[S^{\prime},\omega^{\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ . We proceed by induction on the length of this sequence of transition.

If the length is greater than 0, we proceed by case analysis on the possible first transition $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[S^{\prime% \prime},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{% \prime\prime\prime}]$ .

We now consider that the transition is inferred by $S$ .
We first discuss the case in which $\mathsf{unfold}(S)=\oplus\{{l}_{i}:{S}_{i}\}_{i\in I}$ . In this case, the above transition is $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[S_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ , for some $i\in I$ . Given that $T\operatorname{\leq}S$ , and $S$ is controllable by Lemma 23, we have $\mathsf{unfold}(T)=\oplus\{{l}_{i}:{T}_{i}\}_{i\in I}$ with $T_{i}\operatorname{\leq}S_{i}$ , for every $i\in I$ . This ensures that $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ . Then we can apply the inductive hypothesis because $T_{i}\operatorname{\leq}S_{i}$ and $[S_{i},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime% \prime\prime}]$ is a correct composition.

We now discuss the case in which $\mathsf{unfold}(S)=\&\{{l}_{i}:{S}_{i}\}_{i\in I}$ . There are two possible subcases: (i) also $T$ starts with an input branching, i.e., $\mathsf{unfold}(T)=\&\{l_{j}:T_{j}\}_{j\in J}$ , or (ii) $T$ starts with an output selection, i.e., $\mathsf{unfold}(T)=\oplus\{l_{j}:T_{j}\}_{j\in J}$ .

In case (i), the above transition is $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[S_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ , for some $i\in I$ . Given that $T\operatorname{\leq}S$ , and $S$ is controllable by Lemma 23, we have $\mathsf{unfold}(T)=\&\{{l}_{j}:{T}_{j}\}_{j\in J}$ , $J\supseteq K$ , and $\forall k\in K\ldotp T_{k}\operatorname{\leq}S_{k}$ , where $K=\{k\in I\;|\;S_{k}\text{ is controllable}\}$ . Given that $[S,\omega]|[R,\omega_{R}]$ is a correct composition and $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[S_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ , also the latter configuration is a correct composition. By Lemma 23 we have that $S_{i}$ is controllable. This implies that $i\in K$ , hence also $i\in J$ . This ensures that $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T_{i},\omega% ^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime\prime\prime}]$ . Then we can apply the inductive hypothesis because $T_{i}\operatorname{\leq}S_{i}$ and $[S_{i},\omega^{\prime\prime\prime}]|[R^{\prime\prime\prime},\omega_{R}^{\prime% \prime\prime}]$ is a correct composition.

In case (ii), given that $T\operatorname{\leq}S$ , and $S$ is controllable, we have that $\mathsf{selUnfold}(S)=\mathcal{A}[{\oplus\{{l}_{i}:{S_{k}}_{i}\}_{i\in J}}]^{k% \in K}$ , and $\mathsf{unfold}(T)=\oplus\{l_{j}:T_{j}\}_{j\in J}$ with $T_{j}\operatorname{\leq}\mathcal{A}[{S_{kj}}]^{k\in K}$ , for every $j\in J$ . We first observe that the sequence of transitions $[S,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}^{*}[S^{% \prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]$ , with $[S^{\prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ , includes at least one output selection $l_{j}$ executed by one of the output selections filling the holes in $\mathcal{A}$ . This label $l_{j}$ is the first one emitted by the l.h.s. type after it has executed input branchings in $\mathcal{A}$ . We have that the same sequence of transitions, excluding the output of $l_{j}$ , can be executed from the configuration $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]$ . Such a sequence is $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]\stackrel{% {\scriptstyle}}{{\rightarrow}}^{*}[S^{\prime},\omega^{\prime\prime}]|[R^{% \prime\prime},\omega_{R}^{\prime\prime}]$ , with $[S^{\prime},\omega^{\prime\prime}]|[R^{\prime\prime},\omega_{R}^{\prime\prime}]\surd$ ; notice that it is shorter than the above one. We now consider $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T_{i},\omega% ]|[R,\omega_{R}\!\cdot\!{l_{j}}]$ . We can now apply the inductive hypothesis on the shorter sequence $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]\stackrel{% {\scriptstyle}}{{\rightarrow}}^{*}[S^{\prime},\omega^{\prime\prime}]|[R^{% \prime\prime},\omega_{R}^{\prime\prime}]$ , because $T_{j}\operatorname{\leq}\mathcal{A}[{S_{kj}}]^{k\in K}$ and by Proposition 22 $[\mathcal{A}[{S_{kj}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l_{j}]$ is a correct composition.

See 9

Proof A.12.

If $S$ is not controllable, then the thesis trivially holds because $T\sqsubseteq S$ for every $T$ .

We now consider $S$ controllable, and we prove the thesis by showing that if $T\operatorname{\leq}S$ then, for every $\omega$ , $R$ , and $\omega_{R}$ such that $[S,\omega]|[R,\omega_{R}]$ is a correct composition, we have that the following holds:

•

if $[T,\omega]|[R,\omega_{R}]\rightarrow[T^{\prime},\omega^{\prime}]|[R^{\prime},% \omega_{R}^{\prime}]$ then there exists $S^{\prime}$ such that $T^{\prime}\operatorname{\leq}S^{\prime}$ and $[S^{\prime},\omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ is a correct composition.

We now prove the above result. The transition $[T,\omega]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}}[T^{\prime},% \omega^{\prime}]|[R^{\prime},\omega_{R}^{\prime}]$ can be of four possible kinds:

(1)

the consumption of a message from the r.h.s. queue, i.e. $[T,\omega]|[R,l\!\cdot\!\omega_{R}^{\prime}]\rightarrow[T,\omega]|[R^{\prime},% \omega_{R}^{\prime}]$ ;
(2)

the insertion of a new message in the l.h.s. queue, i.e. $[T,\omega]|[R,\omega_{R}]\rightarrow[T,\omega\!\cdot\!l]|[R^{\prime},\omega_{R}]$ ;
(3)

the consumption of a message from the l.h.s. queue, i.e. $[T,l\!\cdot\!q^{\prime}]|[R,\omega_{R}]\rightarrow[T^{\prime},\omega^{\prime}]% |[R,\omega_{R}]$ ;
(4)

the insertion of a new message in the r.h.s. queue, i.e. $[T,\omega]|[R,\omega_{R}]\rightarrow[T^{\prime},\omega]|[R,\omega_{R}\!\cdot\!l]$ .

In the first two cases, we simply observe that there exists also $[S,\omega]|[R,l\!\cdot\!\omega_{R}^{\prime}]\rightarrow[S,\omega]|[R^{\prime},% \omega_{R}^{\prime}]$ (resp. $[S,\omega]|[R,\omega_{R}]\rightarrow[S,\omega\!\cdot\!l]|[R^{\prime},\omega_{R}]$ ), that $T\operatorname{\leq}S$ , and also $[S,\omega]|[R^{\prime},\omega_{R}^{\prime}]$ (resp. $[S,\omega\!\cdot\!l]|[R^{\prime},\omega_{R}]$ ) is a correct composition because reachable from the correct composition $[S,\omega]|[R,l\!\cdot\!\omega_{R}^{\prime}]$ (resp. $[S,\omega]|[R,\omega_{R}]$ ).

In the third case we have that $\mathsf{unfold}(T)$ starts with an input branching. Given that $T\operatorname{\leq}S$ , and $S$ is controllable, also $\mathsf{unfold}(S)$ must start with an input branching, i.e. $\mathsf{unfold}(S)=\&\{{l}_{i}:{S}_{i}\}_{i\in I}$ . By definition of $\operatorname{\leq}$ we have that $\mathsf{unfold}(T)=\&\{{l}_{j}:{T}_{j}\}_{j\in J}$ , $J\supseteq K$ , and $\forall k\in K\ldotp T_{k}\operatorname{\leq}S_{k}$ , where $K=\{k\in I\;|\;S_{k}\text{ is controllable}\}$ . Given that $[S,l\!\cdot\!q^{\prime}]|[R,\omega_{R}]$ is a correct composition, there exists $i\in I$ s.t. $l=l_{i}$ and $[S,l\!\cdot\!q^{\prime}]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}% }[S_{i},\omega^{\prime}]|[R,\omega_{R}]$ . The former configuration is a correct composition, hence also the latter is such. This implies, by Lemma 23, that $S_{i}$ is controllable, hence $i\in K$ and also $i\in J$ . Thus, we have $[T,l\!\cdot\!q^{\prime}]|[R,\omega_{R}]\stackrel{{\scriptstyle}}{{\rightarrow}% }[T_{i},\omega^{\prime}]|[R,\omega_{R}]$ , with $T_{i}\operatorname{\leq}S_{i}$ . We conclude this case by observing again that $[S_{i},\omega^{\prime}]|[R,\omega_{R}]$ is a correct composition in that reachable from the correct composition $[S,l\!\cdot\!q^{\prime}]|[R,\omega_{R}]$ .

In the fourth and last case, we have that $\mathsf{unfold}(T)$ starts with an output selection, and $T^{\prime}$ is the continuation in the branch with label $l$ . Given that $T\operatorname{\leq}S$ , and $S$ is controllable, we have $\mathsf{selUnfold}(S)=\mathcal{A}[{\oplus\{{l}_{j}:{S_{k}}_{j}\}_{j\in I}}]^{k% \in K}$ , and $T^{\prime}\operatorname{\leq}S_{km}$ , for every $k\in K$ and some $m\in I$ such that $l_{m}=l$ . It remains to show that $[\mathcal{A}[{{S_{km}}}]^{k\in K},\omega]|[R,\omega_{R}\!\cdot\!l]$ is a correct composition, but this follows from Proposition 22 and the fact that $[\mathcal{A}[{\oplus\{{l}_{j}:{S_{k}}_{j}\}_{j\in I}}]^{k\in K},\omega]|[R,% \omega_{R}]$ , with $l=l_{m}$ for some $m\in I$ , is a correct composition. In fact $\mathsf{selUnfold}(S)=\mathcal{A}[{\oplus\{{l}_{j}:{S_{k}}_{j}\}_{j\in I}}]^{k% \in K}$ and $[S,\omega]|[R,\omega_{R}]$ is a correct composition.

A.4. Undecidability of Fair Asynchronous Subtyping

See 10

Proof A.13.

We first consider the only-if part, proving the contrapositive statement, that is, if the queue machine $M$ terminates then $T\not\!\!\!\operatorname{\leq}S$ . If the queue machine terminates, we have that $(s,\$)\rightarrow_{M}^{*}(q^{\prime},\epsilon)$ . Consider now the pair of types $(T,S)$ with $T=[\![\![{M,\_,E}]\!]\!]$ and $S=[\![\![{M,E}]\!]\!]$ . If, by contradiction, $T\operatorname{\leq}S$ , since $S$ is controllable (it is compliant, e.g., with its dual) we have that by Definition 3 there exists a fair asynchronous subtyping relation $\mathcal{R}$ such that $(T,S)\in\mathcal{R}$ . We now show that, by definition of fair asynchronous subtyping relation, $\mathcal{R}$ will have to include other pairs of types $(T^{\prime\prime},S^{\prime\prime})$ corresponding with configurations $(q^{\prime\prime},\gamma^{\prime\prime})$ reachable in the queue machine $M$ . Consider the type $T$ :

\mu\mathbf{s}.\&\{{A}\!:\!{{\{\!\!\{{B^{A}_{1}\cdots B^{A}_{n_{A}}}\}\!\!\}}_{% q^{\prime}}^{\{s\}}}\}_{A\in\Gamma}

assuming $\delta(s,A)=(q^{\prime},B^{A}_{1}\cdots B^{A}_{n_{A}})$ and

\begin{array}[]{l}{\{\!\!\{{B_{1}\cdots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\!=\!% \left\{\!\!\begin{array}[]{ll}\!{[\![\![{r}]\!]\!]}^{\mathcal{T}}&\text{if }m=% 0\\ \begin{array}[]{ll}\!\!\!\!\oplus&\!\!\!\!\big{(}\big{\{}B_{1}:{\{\!\!\{{B_{2}% \ldots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\big{\}}\cup\\ &\!\big{\{}{A:V}\big{\}}_{A\in\Gamma\setminus\{B_{1}\}}\cup\{E:V^{\prime}\}% \big{)}\end{array}&\text{otherwise}\end{array}\right.\end{array}

It starts with an input branching, with labels for each queue alphabet symbol including the initial queue symbol $\$$ . Then it has a sequence of output selections, including the sequence of symbols to be emitted by the queue machine after having consumed $\$$ . Consider now the type $S$ :

\&\{\$:\mu\mathbf{\mathbf{t}}.\oplus\{{A}:{\&\{A:\mathbf{t}\}}\}_{A\in\Gamma}% \cup\{E:\&\{E:\mathbf{end}\}\}\}

It starts with an input branching with only label $\$$ , followed by an output selection on all symbols, including label $E$ having continuation $\&\{E:\mathbf{end}\}$ . The latter ensures that $S$ is controllable. If we consider the constraints imposed by the Definition 3 on fair asynchronous subtyping relations, we can conclude that $\mathcal{R}$ should contain a pair of types $(T^{\prime},S^{\prime})$ where $T^{\prime}$ is the type corresponding to the new state of the queue machine (reached after the above sequence of output selections ${\{\!\!\{{B^{\$}_{1}\cdots B^{\$}_{n_{\$}}}\}\!\!\}}_{q^{\prime}}^{\{s\}}$ to be emitted by the queue machine after having consumed $\$$ ) and $S^{\prime}$ is like $S$ , with the difference that before the output selection there is a sequence of input branchings, each one with only one label, corresponding with the sequence of symbols $B^{\$}_{1}\cdots B^{\$}_{n_{\$}}$ in the queue after the first computation step. This reasoning can be repeatedly applied to prove that $\mathcal{R}$ should also contain other pairs of types $(T^{\prime\prime},S^{\prime\prime})$ , one for each configuration $(q^{\prime\prime},\gamma^{\prime\prime})$ reachable in the queue machine $M$ . Consider now the pair $(T_{f},S_{f})\in\mathcal{R}$ corresponding to the terminating configuration $(q^{\prime},\epsilon)$ . The type $T_{f}$ , as all the types representing states in the queue machine, starts with an input branching. The type $S_{f}$ , on the other hand, represents the empty queue, so it is $\mu\mathbf{\mathbf{t}}.\oplus\{{A}:{\&\{A:\mathbf{t}\}}\}_{A\in\Gamma}\cup\{E:% \&\{E:\mathbf{end}\}\}$ , i.e. it is like $[\![M,E]\!]$ but without input branchings before the output selection. This means that $(T_{f},S_{f})$ does not satisfy the item for input selection in Definition 3. Hence $\mathcal{R}$ cannot be a fair asynchronous subtyping, but this contradicts the above initial assumption about $\mathcal{R}$ being a fair asynchronous session subtyping.

We now move to the if part. Assume that the queue machine $M$ does not terminate. We show that there exists a fair asynchronous subtyping relation $\mathcal{R}$ that contains the pair $(T,S)$ , hence $T\operatorname{\leq}S$ . There are two kinds of pairs in $\mathcal{R}$ : (i) the pairs discussed in the above only-if part of the proof that corresponds to the path in the subtyping simulation game that reproduces the computation of the queue machine $M$ , and (ii) other pairs corresponding to alternative paths. The pairs of types (i) satisfy the constraints imposed by Definition 3 because output selections of the l.h.s. type can always be mimicked by the r.h.s. type (that always include an output selection after a sequence of input branchings with only one label), and input branchings can always be mimicked by the r.h.s. type because under the assumption that the queue machine does not terminate, the queue is always non-empty during the computation. Also the pairs of type (ii) satisfy the constraints imposed by Definition 3. In fact, these pairs are generated considering the alternative branches in the l.h.s. types ${\{\!\!\{{B_{1}\cdots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}$ in Definition 3.1, namely, the branches corresponding with the labels $A$ and $E$ in the definition, that we report here for reader convenience:

\begin{array}[]{l}{\{\!\!\{{B_{1}\cdots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\!=\!% \left\{\!\!\begin{array}[]{ll}\!{[\![\![{r}]\!]\!]}^{\mathcal{T}}&\text{if }m=% 0\\ \begin{array}[]{ll}\!\!\!\!\oplus&\!\!\!\!\big{(}\big{\{}B_{1}:{\{\!\!\{{B_{2}% \ldots B_{m}}\}\!\!\}}_{r}^{\mathcal{T}}\big{\}}\cup\\ &\!\big{\{}{A:V}\big{\}}_{A\in\Gamma\setminus\{B_{1}\}}\cup\{E:V^{\prime}\}% \big{)}\end{array}&\text{otherwise}\end{array}\right.\end{array}

with $V=\mu\mathbf{\mathbf{t}}.\big{(}\oplus\{{A}:{\mathbf{t}}\}_{A\in\Gamma}\cup\{E% :V^{\prime}\}\big{)}$ and $V^{\prime}=\mu\mathbf{\mathbf{t}}.\big{(}\&\{{A}\!:\!{\mathbf{t}}\}_{A\in% \Gamma}\cup\{E:\mathbf{end}\}\big{)}$ . The l.h.s. type in the pairs $(T^{\prime},S^{\prime})$ associated with these branches, are of two kinds: (a) they are able to recursively perform all possible outputs until the label $E$ is selected (type $V$ ), or (b) they are able to recursively perform all possible inputs until the label $E$ is selected (type $V^{\prime}$ ). In the first case (a), the constraints in Definition 3 are satisfied because the r.h.s. type is always able to mimick output selections (see the above observation). In the second case (b), we have that the output $E$ has been previously selected by the last pair of kind (a) considered. Hence, the r.h.s. type is a sequence of input branchings, with only one label, where all inputs excluding the last one are different from $E$ , and the last one, having label $E$ , has continuation $\mathbf{end}$ . This guarantees that all these pairs satisfy the constraints in Definition 3, under the assumption that also a final pair $(\mathbf{end},\mathbf{end})$ belongs to $\mathcal{R}$ . We the conclude by observing that we have proved the existence of a fair session subtyping relation $\mathcal{R}$ such that $(T,S)\in\mathcal{R}$ (in that this is the first pair of the kind (i) above), hence we have that $T\operatorname{\leq}S$ .

A.5. Soundness of the Algorithm w.r.t. Fair Asynchronous Subtyping

See 13

Proof A.14.

We proceed by induction. If $h=1$ , the thesis directly follows from the fact that $\mathcal{T}^{1}$ is contained in a simulation tree.

If $h>1$ , by inductive hypothesis we have that the thesis holds for $\mathcal{T}^{h-1}$ . We prove that the thesis holds also for $\mathcal{T}^{h}$ showing that there exists a simulation tree including $m\twoheadrightarrow{}m^{\prime}$ with $m^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ if and only if there exists a simulation tree including $t\twoheadrightarrow{}t^{\prime}$ with $t^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ . The proof is by case analysis, considering the three possible steps in the subtyping simulation game at the basis of the definition of $\twoheadrightarrow{}$ .

If $T$ starts with a recursive definition, the thesis trivially holds because $\twoheadrightarrow{}$ simply modify the l.h.s. type by unfolding its initial recursion and leaves the r.h.s. type unchanged.

If $T$ starts with an input branching, by Definition 3 we have that the r.h.s. type contains an entire context $\mathcal{A}$ in its growing holes. We initially consider $m\twoheadrightarrow{}m^{\prime}$ with $m^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ . This means that by applying $\mathsf{unfold}($ ) to the r.h.s. type we obtain an input context starting with an input branching satisfying the constraints imposed by Definition 3. The step of the subtyping simulation game corresponding to $m\twoheadrightarrow{}m^{\prime}$ selects a branch of the input branching such that its continuation $\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}}\lfloor S^{\prime}_{j% }\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K}$ is controllable. Now consider $t$ with label $(T,\mathcal{A}^{\prime}\langle\mathcal{A}^{v+1}\lfloor S_{j}\rfloor^{j\in J}% \rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$ . The application of $\mathsf{unfold}($ ) modifies the outer context in the same way thus obtaining a type starting with the same input branching, simply with an additional nesting of $\mathcal{A}$ in the holes in $J$ . The continuation $\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S^{\prime}_% {j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K}$ is also controllable because it is an input contexts with the set of indexed holes, hence the same set of types $S^{\prime}_{j}$ and $S^{\prime}_{k}$ . Hence it is possible to apply a corresponding step in the subtyping simulation game $t\twoheadrightarrow{}t^{\prime}$ with $t^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ . Notice that the same reasoning can be applied assuming that $t\twoheadrightarrow{}t^{\prime}$ with $t^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ to prove that there exists also the corresponding step in the subtyping simulation game $m\twoheadrightarrow{}m^{\prime}$ . In this case we use the assumption that in the growing holes of the r.h.s. type of the label of $m$ we have an entire context $\mathcal{A}$ , thus guaranteeing the presence of the same $S^{\prime}_{j}$ in all the continuations of the initial input branching present in the outer context.

If $T$ starts with an output selection, we initially consider $m\twoheadrightarrow{}m^{\prime}$ with $m^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ . This means that by applying $\mathsf{selUnfold}()$ to the r.h.s. type we obtain an input context filled with types starting with output selections satisfying the constraints imposed by Definition 3. Notice that the application of $\mathsf{selUnfold}()$ to the outer input context does not remove holes, but at most replicates some of them. Moreover, the application of $\mathsf{selUnfold}()$ applies to the innermost types $S_{j}$ and $S_{k}$ by unfolding the variables inside outputs replacing them with their definitions (already present in $S_{j}$ and $S_{k}$ given that these are closed terms). The considered step in the subtyping simulation game modifies (the unfoldings of) $S_{j}$ and $S_{k}$ by resolving initial output selections, thus obtaining $S_{j}^{\prime}$ and $S_{k}^{\prime}$ . Now consider $t$ with label $(T,\mathcal{A}^{\prime}\langle\mathcal{A}^{v+1}\lfloor S_{j}\rfloor^{j\in J}% \rangle^{J}\lfloor S_{k}\rfloor^{k\in K})$ . What we have just observed about the step $m\twoheadrightarrow{}m^{\prime}$ of subtyping simulation game, holds also for this new pair of types. The application of $\mathsf{selUnfold}()$ respectively modifies the outer input context and the inner types $S_{j}$ and $S_{k}$ in the same way, and also the same resolution of the initial output selections in $S_{j}$ and $S_{k}$ is possible. Hence there exists $t\twoheadrightarrow{}t^{\prime}$ with $t^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ . Notice that the same reasoning can be applied assuming that $t\twoheadrightarrow{}t^{\prime}$ with $t^{\prime}$ labeled with $(T^{\prime},\mathcal{A}^{\prime\prime}\langle\mathcal{A}^{v^{\prime}+1}\lfloor S% ^{\prime}_{j}\rfloor^{j\in J}\rangle^{J}\lfloor S^{\prime}_{k}\rfloor^{k\in K})$ to prove that there exists also the corresponding step in the subtyping simulation game $m\twoheadrightarrow{}m^{\prime}$ .

See 14

Proof A.15.

We proceed by induction on the length of $n\twoheadrightarrow\!\!{}^{*}\,n^{\prime}$ .

If the length is 0, then $n^{\prime}$ is the root of $\mathcal{T}$ hence its label is obviously in $\mathcal{T}^{1}$ .

If the length is greater than 1, consider $n\twoheadrightarrow\!\!{}^{*}\,n^{\prime\prime}\twoheadrightarrow{}n^{\prime}$ . By inductive hypothesis we have that $\lambda(n^{\prime\prime})$ is a label present either in $\mathcal{T}^{h}$ , for some $h$ , or in $\mathit{simtree}(T^{\prime},S^{\prime})=(N^{\prime},n_{0}^{\prime},% \twoheadrightarrow,\lambda^{\prime})$ with $T^{\prime}\operatorname{\leq}S^{\prime}$ .

We start from the latter case, i.e., there exists $m^{\prime\prime}$ in $\mathit{simtree}(T^{\prime},S^{\prime})=(N^{\prime},n_{0}^{\prime},% \twoheadrightarrow,\lambda^{\prime})$ such that $\lambda^{\prime}(m^{\prime\prime})=\lambda(n^{\prime\prime})$ . We have that there exists $m^{\prime\prime}\twoheadrightarrow{}m^{\prime}$ in $\mathit{simtree}(T^{\prime},S^{\prime})$ s.t. $\lambda^{\prime}(m^{\prime})=\lambda(n^{\prime})$ .

We now consider the former case, i.e., there exists one node in $\mathcal{T}^{h}$ , for some $h$ , labeled with $\lambda(n^{\prime\prime})$ . Let $m^{\prime\prime}$ be such node. There are two possibilities, either (i) the node $m^{\prime\prime}$ is a leaf in $\mathcal{T}^{h}$ , or (ii) it is not a leaf. In the case (ii) we have that $\mathcal{T}^{h}$ contains $m^{\prime\prime}\twoheadrightarrow{}m^{\prime}$ , with $m^{\prime}$ labeled with $\lambda(n^{\prime})$ . If $m^{\prime\prime}$ is a leaf, we consider the four kinds of leaves separately.

If $m^{\prime\prime}$ is a leaf of type 2a, then there exists an ancestor $m^{\prime\prime\prime}$ of $m^{\prime\prime}$ in $\mathcal{T}^{h}$ with the same label $\lambda(n^{\prime\prime})$ . Given that the ancestor is not a leaf, $\mathcal{T}^{h}$ contains $m^{\prime\prime\prime}\twoheadrightarrow{}m^{\prime}$ , with $m^{\prime}$ labeled with $\lambda(n^{\prime})$ .

If $m^{\prime\prime}$ is a leaf of type 2b in $\mathcal{T}$ , we have $\lambda(n^{\prime\prime})=$ $(T^{\prime},\mathcal{A}^{h+1}\lfloor S_{j}\rfloor^{j\in J}\lfloor S_{k}\rfloor% ^{k\in K})$ . The node $n^{\prime\prime}$ has an ancestor $n^{\prime\prime\prime}$ in $\mathcal{T}^{h}$ s.t. $\lambda(n^{\prime\prime\prime})=(T^{\prime},\mathcal{A}^{h}\lfloor S_{j}% \rfloor^{j\in J}\lfloor S_{k}\rfloor^{k\in K})$ . Consider now the corresponding node $m^{\prime\prime\prime}$ in $\mathcal{T}^{h+1}$ . We have that $m^{\prime\prime\prime}$ is labeled with $(T^{\prime},\mathcal{A}^{h+1}\lfloor S_{j}\rfloor^{j\in J}\lfloor S_{k}\rfloor% ^{k\in K})=\lambda(n^{\prime\prime})$ . Given that $m^{\prime\prime\prime}$ is not a leaf, $\mathcal{T}^{h+1}$ contains $m^{\prime\prime\prime}\twoheadrightarrow{}m^{\prime}$ , with $m^{\prime}$ labeled with $\lambda(n^{\prime})$ .

If $m^{\prime\prime}$ is a leaf of type 2c in $\mathcal{T}$ , we have $\lambda(n^{\prime\prime})=(T^{\prime},\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j% \in J}\lfloor S_{k}\rfloor^{k\in K})$ . We have two cases. If $h=1$ , by definition of witness tree, $T^{\prime}\operatorname{\leq}\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j\in J}% \lfloor S_{k}\rfloor^{k\in K}$ . The node $n^{\prime\prime}$ has the same label as the root of $\mathit{simtree}(T^{\prime},\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j\in J}% \lfloor S_{k}\rfloor^{k\in K})$ . Hence such a simulation tree includes a transition from its root to a node labeled with $\lambda(n^{\prime})$ . If $h>1$ the node $n^{\prime\prime}$ has an ancestor $n^{\prime\prime\prime}$ in $\mathcal{T}^{h}$ such that $\lambda(n^{\prime\prime\prime})=(T^{\prime},\mathcal{A}^{h+1}\lfloor S_{j}% \rfloor^{j\in J}\lfloor S_{k}\rfloor^{k\in K})$ . Consider now the corresponding node $m^{\prime\prime\prime}$ in $\mathcal{T}^{h-1}$ . We have that $m^{\prime\prime\prime}$ is labeled with $(T^{\prime},\mathcal{A}^{h}\lfloor S_{j}\rfloor^{j\in J}\lfloor S_{k}\rfloor^{% k\in K})=\lambda(n^{\prime\prime})$ . Given that $m^{\prime\prime\prime}$ is not a leaf, $\mathcal{T}^{h-1}$ contains $m^{\prime\prime\prime}\twoheadrightarrow{}m^{\prime}$ , with $m^{\prime}$ labeled with $\lambda(n^{\prime})$ .

If $m^{\prime\prime}$ corresponds to leaf of type 2d in $\mathcal{T}$ , we have that the label $\lambda(n^{\prime\prime})$ of $m^{\prime\prime}$ is the same as the label in the corresponding node in $\mathcal{T}$ , i.e. $(T^{\prime},\mathcal{A}^{\prime}[S_{k}]^{k\in K^{\prime}})$ . In fact labels of the leaves of type 2d in $\mathcal{T}$ do not change when moving to $\mathcal{T}^{h}$ . This because the input context $\mathcal{A}^{\prime}$ does not include growing holes. By definition of witness tree we have that $T^{\prime}\operatorname{\leq}\mathcal{A}^{\prime}[S_{k}]^{k\in K^{\prime}}$ . The node $n^{\prime\prime}$ has the same label as the root of $\mathit{simtree}(T^{\prime},\mathcal{A}^{\prime}[S_{k}]^{k\in K^{\prime}})$ . Hence such a simulation tree includes a transition from its root to a node labeled with $\lambda(n^{\prime})$ .

See 15

Proof A.16.

Let $\mathcal{T}$ be the witness subtree with root in $n$ . By Proposition 14 we have that $\lambda(n^{\prime})$ is a label present either in $\mathcal{T}^{h}$ , for some $h$ , or in $\mathit{simtree}(T^{\prime},S^{\prime})=(N^{\prime},n_{0}^{\prime},% \twoheadrightarrow,\lambda^{\prime})$ with $T^{\prime}\operatorname{\leq}S^{\prime}$ . In the latter case the thesis trivially holds because all nodes $m^{\prime}$ in $\mathit{simtree}(T^{\prime},S^{\prime})$ are either successful or there exists $m^{\prime}\twoheadrightarrow{}m^{\prime\prime}$ . In the former case there are two cases: either there exists an intermediary node (non-leaf) in one $\mathcal{T}^{h}$ , for some $h$ , labeled with $\lambda(n^{\prime})$ is an intermediary, or such a node can be only in leaf positions. In the first case the thesis trivially holds because all intermediary nodes have successors. The second case can occur only for leaves of type 2c in $\mathcal{T}$ , or corresponding to leaves of type 2d in $\mathcal{T}$ . Both cases imply that $\lambda(n^{\prime})=(T^{\prime},S^{\prime})$ with $T^{\prime}\operatorname{\leq}S^{\prime}$ . Hence $n^{\prime}$ has the same label as the root of $\mathit{simtree}(T^{\prime},S^{\prime})$ and, as above, the thesis trivially holds because all nodes $m^{\prime}$ in $\mathit{simtree}(T^{\prime},S^{\prime})$ are either successful or there exists $m^{\prime}\twoheadrightarrow{}m^{\prime\prime}$ .

$\mathcal{A}$ $=\;$	$\&\{\mathit{tc}:[\,]^{1},\mathit{done}:[\,]^{2}\}$
$T^{\prime}_{1}$ $=\;$	$\mu\mathbf{t^{\prime\prime}}.\oplus\{\mathit{tm}:\mathbf{t^{\prime\prime}},% \mathit{over}:\mathbf{end}\}$
$T^{\prime\prime}_{1}$ $=\;$	$\mu\mathbf{t^{\prime}}.~{}\&\{\mathit{tc}:\mathbf{t^{\prime}},\mathit{done}:% \mathbf{end}\}$