Deconfined Global Types for Asynchronous Sessions

Multiparty sessions with asynchronous communications and global types play an important role for the modelling of interaction protocols in distributed systems. In designing such calculi the aim is to enforce, by typing, good properties for all participants, maximising, at the same time, the accepted behaviours. Our type system improves the state-of-the-art by typing all asynchronous sessions and preserving the key properties of Subject Reduction, Session Fidelity and Progress when some well-formedness conditions are satisfied. The type system comes together with a sound and complete type inference algorithm. The well-formedness conditions are undecidable, but an algorithm checking an expressive restriction of them recovers the effectiveness of typing.


Introduction
Multiparty sessions [HYC08,HYC16] are at the core of communication-based programming, since they formalise message exchange protocols.A key choice in the modelling is synchronous versus asynchronous communications, giving rise to synchronous and asynchronous multiparty sessions.In the multiparty session approach global types play the fundamental role of describing the whole scenario, while the behaviour of participants is implemented by processes.A natural question is when a set of processes agrees with a global type, meaning that participants behave according to the protocol described by the global type.The straightforward answer is the design of type assignment systems relating processes and global types.Typically, global types are projected onto participants to get the local behaviours prescribed by the protocol and then the processes implementing the participants are checked against such local behaviours.In conceiving such systems one wants to permit all possible typings which guarantee desirable properties: the mandatory Subject Reduction, but also Session Fidelity and Progress.Session Fidelity [HYC08,HYC16] means that the content and the order of exchanged messages respect the prescriptions of the global type.
Progress [DY11,CDCYP16] requires that all participants willing to communicate will be able to do it and, in case of asynchronous communication, also that all sent messages (which usually are in a queue) will be received.
A standard way of getting more permissive typings is through subtyping [GH05], which is used to compare local behaviours obtained by projection to the actual behaviours of participants.Following the substitution principle [LW94], we can safely put a process of some type where a process of a bigger type is expected.In the natural subtyping for synchronous multiparty sessions, bigger types have less inputs and more outputs [DH12].This subtyping is not only correct, but also complete, that is, any extension of this subtyping would be unsound [GJP + 19].A powerful subtyping for asynchronous sessions was proposed in [MYH09] and recently proved to be complete [GPP + 21].The key idea of this subtyping is the possibility of anticipating outputs before inputs to improve efficiency.This additional flexibility is justified by the fact that in an asynchronous setting outputs are non-blocking operations, hence they never prevent subsequent actions to be performed.An important issue of this subtyping is its undecidability [BCZ17,LY17], that makes the whole type assignment system undecidable.To overcome this problem, some decidable restrictions of this subtyping were proposed [BCZ17, LY17, BCZ18] and a sound, but necessarily not complete, decision algorithm is presented in [BCL + 21].
Asynchronous communications better represent the exchange of messages between participants in different localities, and they are more suitable for implementations.So it is interesting to find alternatives to subtyping which increase typability of asynchronous multiparty sessions, and still ensure all desired properties.Recently a more permissive design of global types has been proposed [CDG21].The key idea is to make the syntax of global types much closer to processes.This allows us to simplify the type assignment and to recover its decidability.Then, we study well-formedness conditions on global types ensuring the desired properties on processes.In other words, instead of directly deriving such properties from the syntax of global types through the type assignment, we split the problem in two steps: we first assign global types to networks and then transfer properties from types to processes through the typing relation.In this way, potential undecidability issues are confined to the second step, that is, they only depend on the complexity of the property one tries to enforce.In this way, the type assignment remains decidable and provides an abstraction from a local to a global perspective, which simplifies reasoning on global properties; however, by itself it does not ensure any of such properties.
More in detail, the formalism proposed in [CDG21] is based on the simple idea of splitting outputs and inputs in the syntax of global types, rather than modelling each communication action as a whole.In this way outputs can anticipate inputs, thus capturing their non-blocking nature directly at the level of global types.We dub "deconfined" such global types.The freedom gained by this definition is rather limited in [CDG21], whose main focus was to define an event structure semantics for asynchronous multiparty sessions.In particular, the well-formedness conditions that global types had to satisfy in [CDG21] still strongly confined their use.
In the present paper (which is the journal version of [DGD21]) we extend the syntax of global types in [CDG21,DGD21], allowing input choices for global types, and significantly enlarging the set of well-formed global types.In this way we are able to type also an example requiring a subtyping which fails for the algorithm in [BCL + 21].The idea is that the well-formedness of global types must guarantee that all participants waiting for a message are not stuck and that all sent messages find the corresponding readers.This last condition is particularly delicate for non-terminating computations in which the number of unread messages may grow indefinitely.Under this condition the type system enjoys Subject Reduction, Session Fidelity and Progress.Not surprisingly, the well-formedness of global types turns out to be undecidable, hence we design a decidable restriction to keep our system effective.The proposed algorithm extends similar ones presented in [CDG21,DGD21], adapting them to the more expressive syntax of our global types.In particular, we gain expressivity by: • requiring that at least one input in a choice of inputs matches an output or a message in the queue; • allowing an unbound number of unread messages when all of them will be eventually read.
We illustrate the proposed calculus with a running example in which the number of unread messages is unbounded.We choose this example since typing this session in standard type systems for multiparty sessions requires subtyping.Indeed, this is the running example of [BCL + 21], where a decidable restriction of asynchronous subtyping is presented.In addition this example is typable neither in [CDG21] nor in [DGD21].
A hospital server s waits to receive from a patient p either some data nd or a request to send her a report pr .In our calculus such a process is represented by S = p?{nd ; S 1 , pr ; S 1 }, where p? means an input from participant p and the labels that can be read, in this case nd and pr , are between curly brackets and followed by the process representing the remaining behaviour.After the reception of one of the two labels the server answers by sending either ok or ko and then it waits for another request.This is expressed by S 1 = p!{ok ; S, ko; S}, where p! means an output to participant p and again the two labels ok and ko are put between curly brackets.The patient, to save time, starts by sending some data and then waits for the response from the server, i.e., P = s!nd ; P 1 and P 1 = s?{ok ; P, ko; s!pr ; P }.If the patient receives ok she continues sending next data.In case she receives ko she sends the request for her report and then starts sending next data.So the multiparty session p[[ P ]] s[[ S ]] ∅, where ∅ is the empty queue, can execute as follows: decorating transition arrows with communications and denoting by p, nd , s the message sent from p to s with label nd .The interaction may continue as shown in Figure 1.If the server repeatedly responds ko the queue can grow unboundedly.However, each message will be eventually read by the server.

The network p[[ P ]] s[[ S ]
] can be typed by the global type G = p s!nd ; G 1 , where G 1 = p s?{nd ; G 2 , pr ; G 2 } and G 2 = s p!{ok ; s p?ok ; G, ko; s p?ko; p s!pr ; G}.The type G prescribes that p put in the queue the label nd and then p and s follow the protocol described by G 1 .The type G 1 asks the server to read either the label nd or the label pr and in both cases the interaction follows the communications in G 2 .
Outline.Our calculus of multiparty sessions is presented in Section 2, where the Progress property is defined.Section 3 introduces our type system: we call it "wild" since each network can be typed in it.We define an LTS for global types with queues and we show Session Fidelity.Together with the type system, we give a sound and complete type inference algorithm proving that type inference is decidable.In Section 4 we tame global types to guarantee Subject Reduction and Progress.Unfortunately the balancing predicate, which ensures these properties, is undecidable, as shown in Section 5.The effectiveness of our type Figure 1: A transition of the hospital session.system is recovered in Section 6 by an algorithm that checks an inductive restriction of this predicate.Related and future works are discussed in Section 7.

A Core Calculus for Multiparty Sessions
Since our focus is on typing by means of global types, we only consider one multiparty session instead of many interleaved multiparty sessions.This allows us to depart from the standard syntax of processes with channels [HYC08, BCD + 08] in favour of simpler processes with output and input operators and explicit participants as in [DCGJ + 16, SDC19, GJP + 19].
We assume the following base sets: participants p, q, r ∈ Part, and labels λ ∈ Lab.
Definition 2.1 (Processes).Processes P are defined by: where I = ∅ and λ j = λ h for j = h.
The symbol ::= ρ , in the definition above and in other definitions, indicates that the productions should be interpreted coinductively.That is, they define possibly infinite processes.However, we assume such processes to be regular, i.e., with finitely many distinct subprocesses.In this way, we only obtain processes which are solutions of finite sets of equations, see [Cou83].We choose this formulation as we will use coinduction in some definitions and proofs and, moreover, it allows us to avoid explicitly handling variables, thus simplifying a lot the technical development.
A process of shape p!{λ i ; P i } i∈I (internal choice) chooses a label in the set {λ i | i ∈ I} to be sent to p, and then behaves differently depending on the sent label.A process of shape p?{λ i ; P i } i∈I (external choice) waits for receiving one of the labels {λ i | i ∈ I} from p, and then behaves differently depending on the received label.Note that the set of indexes in choices is assumed to be non-empty, and the corresponding labels to be all different.An internal choice which is a singleton is simply written p!λ; P , analogously for an external choice.We omit traling 0 and we use p † {λ i ; P i } i∈I to denote either p!{λ i ; P i } i∈I or p?{λ i ; P i } i∈I .
In a full-fledged calculus, labels would carry values, namely they would be of shape λ(v).For simplicity, here we consider pure labels.Messages are triples p, λ, q denoting that participant p has sent label λ to participant q.Sent messages are stored in a queue, from which they are subsequently fetched by the receiver.
Message queues M are defined by: The order of messages in the queue is the order in which they will be read.Since order matters only between messages with the same sender and receiver, we always consider message queues modulo the following structural equivalence: Note, in particular, that p, λ, q • q, λ , p ≡ q, λ , p • p, λ, q .These two equivalent queues represent a situation in which both participants p and q have sent a label to the other one, and neither of them has read the message.This situation may happen in a multiparty session with asynchronous communication.Multiparty sessions are comprised of networks, i.e. pairs participant/process of shape p[[ P ]] composed in parallel, each with a different participant p, and a message queue.Definition 2.2 (Networks and multiparty sessions).(1) Networks are defined by where n > 0 and p i = p j for i = j.
(2) Multiparty sessions are defined by N M, where N is a network and M is a message queue.
In the following we use session as short for multiparty session.We assume the standard structural congruence on sessions (denoted ≡), that is, we consider sessions modulo permutation of components and adding/removing components of the shape p[[ 0 ]].To define the asynchronous operational semantics of sessions, we use an LTS whose labels record the outputs and the inputs.To this end, communications (ranged over by β) are either the asynchronous emission of a label λ from participant p to participant q (notation p q!λ) or the actual reading by participant q of the label λ sent by participant p (notation p q?λ).
The LTS semantics of sessions is specified by the two Rules [Send] and [Rcv] given in Figure 2. Rule [Send] allows a participant p with an internal choice (a sender) to send one of its possible labels λ h , by adding the corresponding message to the queue.Symmetrically, Rule [Rcv] allows a participant q with an external choice (a receiver) to read the first message in the queue sent to her by a given participant p, if its label λ h is one of those she is waiting for.
The semantic property we aim to ensure, usually called progress [DY11, CDCYP16, HLV + 16], is the conjunction of a safety property, deadlock-freedom, and two liveness properties: input lock-freedom and orphan message-freedom.Intuitively, a session is deadlock-free if, in every reachable state of computation, it is either terminated (i.e. of the shape p[[ 0 ]] ∅) or it can move.It is input lock-free if every component wishing to do an input can eventually do so.Finally, it is orphan-message-free if every message stored in the queue is eventually read.
The following terminology and notational conventions are standard. If deadlocked if it is neither live nor terminated.
To formalise progress (Definition 2.6) we introduce another transition relation on sessions, which describes their lockstep execution: at each step, all components that are able to move execute exactly one asynchronous output or input.
We define the player of a communication as the sender in case of output and as the receiver in case of input: play(p q!λ) = p play(p q?λ) = q Let ∆ denote a non empty set of communications.We say that ∆ is coherent for a session N M if (1) for all β 1 , β 2 ∈ ∆, play(β 1 ) = play(β 2 ) implies β 1 = β 2 , and (2) for all β ∈ ∆, N M β − →.
The lockstep transition relation The notion of derivative can be reformulated for lockstep computations as follows. If derivative is a derivative, but not vice versa.
A lockstep computation is an either finite or infinite sequence of lockstep transitions, and it is complete if either it is finite and cannot be extended (because the last session is not live), or it is infinite.Let γ range over lockstep computations.
Formally, a lockstep computation γ can be denoted as follows, where x ∈ N ∪ {ω} is the length of γ: That is, γ is represented as the set of its successive lockstep transitions, where the arrow subscript k is used to indicate that the transition occurs in the k-th step of the computation.This is needed in order to distinguish equal transitions occurring in different steps.For instance, in the session N p, λ, q , where N = p[[ P ]] q[[ Q ]] with P = q!λ; P and Q = p?λ; Q, all lockstep transitions with k ≥ 1 are of the form N p, λ, q {p q!λ,p q?λ} = ======= ⇒ k N p, λ, q We can now formalise the progress property: there exists h < x such that p q?λ j ∈ ∆ h for some j ∈ I. Definition 2.5 (Queue-consuming session).A session N M is queue-consuming if M ≡ p, λ, q • M implies that, for all complete Definition 2.6 (Progress).A session has the progress property if: (1) (Deadlock-freedom) None of its lockstep derivatives is deadlocked; (2) (No locked inputs) All its lockstep derivatives are input-enabling; (3) (No orphan messages) All its lockstep derivatives are queue-consuming.
It is easy to see that deadlock-freedom implies no locked inputs and no orphan messages for finite computations.
The unique complete lockstep computation of N ∅ is the following: It is easy to check that N ∅ has the progress property.Indeed, every input communication in Q is eventually enabled, and, even though the queue grows at each step of the lockstep computation, every message in the queue is eventually read.

A Wild Type System
In this section we first present global types and the type system for networks, then we give an LTS for global types in parallel with queues which allows us to get Session Fidelity.Lastly, we present a sound and complete type inference algorithm.We call wild this type system since the freedom in the syntax of global types allows us to type all networks, see Theorem 3.8. [End] End where I = ∅, p = q and λ j = λ h for j = h.
As for processes, ::= ρ indicates that global types are regular.
The global type p q!{λ i ; G i } i∈I specifies that player p sends a label λ k with k ∈ I to participant q and then the interaction described by the global type G k takes place.The global type p q?{λ i ; G i } i∈I specifies that player q receives a label λ k with k ∈ I from participant p and then the interaction described by the global type G k takes place.An output choice which is a singleton is simply written p q!λ; G and similarly for an input choice.We omit trailing End and we use p q † {λ i ; G i } i∈I to denote either p q!{λ i ; G i } i∈I or p q?{λ i ; G i } i∈I .
We define play(p q!{λ i ; G i } i∈I ) = p and play(p q?{λ i ; G i } i∈I ) = q.The set of players of a global type, notation players(G), is the smallest set of participants satisfying the following equations: Notice that the sets of players are always finite thanks to the regularity of global types.
Global types are an abstraction of networks, usually described by projecting global types to local types which are assigned to processes.The simplicity of our calculus and the flexibility of our global types allow us to formulate a type system deriving directly global types for networks, judgments G N, see Figure 3.The double line here and in the following indicates that the rules are coinductive.Rules [Out] and [In] just add simultaneously outputs and inputs to global types and to corresponding processes inside networks.Rule [Out] requires the same outputs in the process and in the global type, while the subtyping for session types [DH12] allows less outputs in the process than in the global type.The only consequence of our choice is that less global types are derivable for a given network.The gain is a formulation of Session Fidelity ensuring that networks implement corresponding global types, see Theorem 3.9.Instead Rule [In] allows more inputs in the process than in the global type, just mimicking the subtyping for session types [DH12].
The condition players(G i ) \ {p} = players(N) for all i ∈ I ensures that the players of N and of G coincide whenever G N, as stated in the following lemma, whose proof is straightforward.

This lemma forbids for example to derive G p[[
and Q arbitrary, since q is not a player of G. Anyway the given type system is wild since it allows us to type networks with non-matching inputs and outputs, as shown in Example 3.3.This motivates the well-formedness conditions on global types we will discuss in Section 4.
Example 3.3.We can derive pq!λ; pq?λ p[[ q!λ ]] q[[ p?λ ]] and this network in parallel with the empty queue evolves to q[[ p?λ ]] p, λ, q which is deadlocked.The regularity of processes and global types ensures the decidability of type checking.
We now show that our type system allows us to type any network, thus justifying the name "wild".We start by defining the map gt which associates a pair, made of a network and a list of participants, with a global type.We denote by the empty list, by • the concatenation of lists and by the lexicographic order on labels.We use π to range over lists of participants and write part(π) for the set of participants occurring in π.Essentially gt(N, π) is the global type whose first communication is done by the first participant p of π having a process different from 0. If p does an output, then the global type is an output with the same set of labels.If p does an input, then the global type is an input with only one label.For inputs the global type could have as set of labels any subset of the set of labels in the process; our choice produces simpler global types, which make examples more readable.Definition 3.5.Let N be a network and π be a list of participants.The global type gt(N, π) associated with N and π is corecursively defined by the following equations: These examples show that we can obtain different global types for the same network starting from different lists of participants, i.e. we can get gt(N, π) = gt(N, π ) when π = π .Notice that there is no π such that N is the network and gt(N, π) is the global type of Figure 4, since in the two branches of the derivation D the participants p and s alternate in different ways.
Since processes are regular terms, they have finite sets of subterms.Therefore given a network N the set of networks N such that, if p[[ P ]] ∈ N , then p[[ P ]] ∈ N and P is a subterm of P is finite.Moreover the number of rotations of a list is the length of the list.Therefore gt(N, π) is a regular term, since it is generated by a finite number of equations.
The following lemma shows why we use the list π to build the global type gt(N, π).
Namely, this lemma ensures that, when players(N) ⊆ part(π), each player of the network N is also a player of gt(N, π).
Proof.The inclusion players(gt(N, π)) ⊆ players(N) easily follows from Definition 3.5.In fact, only a player of N which occurs as first element of π becomes a player of gt(N, π) and then gt is applied to networks N such that players(N ) ⊆ players(N).
To show the reverse implication, i.e. players(N) ⊆ players(gt(N, π)), we define the position of participant p in the list π, notation pos(π, p), by: Let p be a player of N. The condition players(N) ⊆ part(π) implies n = pos(π, p) ≥ 1.We prove by induction on n that p ∈ players(gt(N, π)).If n = 1, then π = p • π and, since p is a player of N, we have or q p?λ k ; G k , where k ∈ I and λ k λ i for all i ∈ I. Hence p ∈ players(gt(N, π)).If n > 1, then π = q • π with p = q and pos(π, p) = 1 + pos(π , p).We distinguish two cases.
Proof.The proof is by coinduction, hence we show that the set is consistent with respect to the rules defining the typing judgement G N, i.e., any (G, N) ∈ GN is the consequence of one of the typing rules whose premises are again in GN .Let (G, N) ∈ GN and split cases on the shape of G.
• If G = End, then End = gt(N, π) for some π such that players(N) ⊆ part(π).By Lemma 3.7 then, by definition of GN , we have p q!{λ i ; G i } i∈I = gt(N, π) for some π such that players(N) ⊆ part(π).By Definition 3.5 gt(N, π) = p q!{λ i ; for all i ∈ I.So players(G i ) \ {p} = players(N ) and Rule [Out] can be used to derive • If G is an input type, then, by definition of GN , we get G = q p?λ; G for some λ and G and q p?λ; G = gt(N, π) for some π such that players(N) ⊆ part(π).By Definition 3.5 gt(N, π) = and Rule [In] can be used to derive q p?λ; G N from premises in GN .Then, the thesis follows, since (gt(N, Global types provide an overall description of asynchronous multiparty protocols and their semantics is specified by an LTS on types in parallel with queues, dubbed type configurations.Reduction rules are reported in Figure 5.The first two rules reduce outputs and inputs at top level in the standard way.The remaining two rules reduce inside output and input choices.These rules are needed to enable interleaving between independent communications despite the sequential structure of global types.For example, we want to allow p q!λ; r s!λ ∅ r s!λ − −− → p q!λ r, λ , s when p = r, because, intuitively, actions performed by different players should be independent.This justifies the conditions p = play(β) and q = play(β) in Rules [Inside-Out] and [Inside-In], respectively.The requirements on the shapes of queues in these rules are more interesting.They enforce that inputs and outputs on the same channel, namely, the same ordered pair of participants, happen in the order prescribed by the global type, that is, an input cannot consume a message produced by a subsequent output.Indeed, if we would take the following version of Rule [Inside-In] we would get p q?λ; p q!λ ∅ p q!λ − −− → p q?λ p, λ, q p q?λ − −− → End ∅.This reduction breaks the order on the channel pq prescribed by the global type p q?λ; p q!λ, which is to do first an input and then the corresponding output.In our LTS p q?λ; p q!λ ∅ is instead stuck, as it should.In fact, the shape of the queue in Rule [Inside-In] ensures that β is not the matching output for any input in the choice.Similarly, the shapes of queues in Rule [Inside-Out] ensures that β is not the matching input for any output in the choice.
A last remark is that the LTS rules are inductive.Therefore, the premises of Rules [Inside-Out] and [Inside-In] oblige play(β) to occur in all G i for i ∈ I.This condition is in line with the boundedness of global types, see Definition 4.2.
We are now ready to state and prove Session Fidelity, showing that a session can correctly perform the protocol described by the global type derivable for its network.The reverse property, i.e. that the sessions can only do inputs and outputs allowed by the global types of their networks, will be proved for "tamed" global types in the Subject Reduction Theorem, Theorem 4.7.
Proof.The proof is by induction on the reduction rules.
[Top-In]: Then G = p q?{λ i ; G i } i∈I and M ≡ p, λ h , q • M and β = p q?λ h and G = G h with h ∈ I. Since G N must be derived using rule [In] we get N ≡ p[[ q?{λ j ; P j } j∈J ]] N 0 with I ⊆ J and q for all i ∈ I and p = play(β).Since G N must be derived using rule [Out] we get N ≡ p[[ q!{λ i ; The condition p = play(β) ensures that these reductions do not modify the processes of participant p, i.e.N i ≡ p[[ P i ]] N 0 for all i ∈ I and some N 0 .Moreover these reductions do not depend on the messages p, λ i , q , which are in the queue before and after these reductions.We get The proofs for the remaining rules are similar.
We extend the properties of multiparty sessions to type configurations.Let us define the Definition 3.10 (Input-enabling type configuration).A type configuration G M is inputenabling if p ∈ players(G) implies that, for all complete This definition ensures that no player is stuck, and this coincides with input enabling, since outputs can always be done.
with G 0 M 0 = G M, there exists h < x such that p q?λ ∈ ∆ h .

Type Inference.
In this subsection, we will describe an algorithm to infer global types from networks, proving its soundness and completeness with respect to the typing system.
That is, the algorithm applied to a network N enumerats all and only those global types which can be derived for N. Note that, since a network may have more than one global type, to be complete, the algorithm needs to be non-deterministic.The first step towards defining an algorithm is the introduction of a finite representation for global types.2Since global types are regular terms, from results in [Cou83,AMV06], they can be represented as finite systems of regular syntactic equations formally defined below.First, a global type pattern is a finite term generated by the following grammar: where X is a variable taken from a countably infinite set.We denote by vars(G) the set of variables occurring in G.
An equation has shape X G and a (regular) system of equations E is a finite set of equations such that X G 1 and X G 2 ∈ E imply G 1 = G 2 .We denote by vars(E) the set {vars(G) ∪ {X} | X G ∈ E} and by dom(E) the set {X | X G ∈ E}.A solution of a system E is a substitution θ such that vars(E) ⊆ dom(θ) and, for all X G ∈ E, θ(X) = Gθ holds.We denote by sol(E) the set of all solutions of E and note that The algorithm follows essentially the structure of coSLD resolution of coinductive logic programming [Sim06, SBMG07, SMBG06, AD15], namely, the extension of standard SLD resolution capable to deal with regular terms and coinductive predicates.A goal is a pair (N, X) of a network N and a variable X.The algorithm takes as input a goal (N, X) and returns a set of equations E such that the solution for the variable X in E is a global type for the network N. The key idea borrowed from coinductive logic programming is to keep track of already encountered goals to detect cycles, avoiding non-termination.
The inference judgement has the following shape S (N, X) ⇒ E, where S is a set of goals, all with different variables which are all different from X. Rules defining the inference algorithm are reported in Figure 6.For a terminated network the algorithm returns just one equation X End (Rule [I-End]).For other networks, the algorithm selects a participant and analyses its process.If the process is an output choice (Rule [I-Out]), the algorithm continues analysing all branches of the output choice.If the process is an input choice (Rule [I-In]), the algorithm selects a subset of its branches and continues analysing them.In both cases, subnetworks are analysed adding to the set S the goal in the conclusion of the rule, to be able to subsequently recognise when a cycle is encountered.After having evaluated subnetwork, the algorithm collects all the resulting equations plus another one for the current variable.Note that variables for goals in the premises are fresh.This is important to ensure that the set of equations E in the conclusion is indeed a regular system of equations (there is at most one equation for each variable).Finally, Rule [I-Cycle] detects cycles: if the network in the current goal appears also in the set S the algorithm can stop, returning just one equation unifying the two variables associated with the network.
In Rules [I-Out] and [I-In], the side condition players(S ; E i ; Y i ) \ {p} = players(N) for all i ∈ I is needed to ensure that the resulting global type associated with the variable X satisfies the conditions on players required by Rules [Out] and [In] in Figure 3.The set players(S; E; G) is defined as the set of players of a global type, but with the following additional clause to handle variables: Let E be a system of equations and S a set of goals.A solution θ ∈ sol(E) agrees with S if (N, X) ∈ S implies players(θ(X)) = players(N) for all X ∈ vars(E).We denote by sol S (E) the set of all solutions of E agreeing with S. We say that a system of equations E is guarded if X Y and Y G in E imply that G is not a variable.Finally, E is S-closed if it is guarded and dom(E) ∩ vars(S) = ∅ and vars(E) \ dom(E) ⊆ vars(S).
Example 3.12.Figure 7 shows an application of the inference algorithm to the hospital network for getting a set of equations whose solution is the global type derived for this network in Figure 4. We notice that I and I in Figure 7 only differ for the names of variables, so they become the same derivation D in Figure 4.The set of obtained equation is X p s!nd ; X 1 X 1 p s?{nd ; X 2 , pr ; X 2 } X 2 s p!{ok ; X 3 , ko; X 5 } X 3 s p?ok ; X 4 X 4 X X 5 s p?ko; X 6 X 6 p s!pr ; X 7 X 7 X X 2 s p!{ok ; X 3 , ko; X 5 } X 3 s p?ok ; X 4 X 4 X X 5 s p?ko; X 6 X 6 p s!pr ; X 7 X 7 X Toward proving properties of the inference algorithm, we check a couple of auxiliary lemmas.
Proof.By a straightforward induction on the derivation of S (N, X) ⇒ E. Lemma 3.14.If E is an S-closed system of equations and vars(G) ⊆ vars(E), then players(S; E; G) = players(Gθ) for all θ ∈ sol S (E).
Proof.To prove the inclusion players(Gθ) ⊆ players(S; E; G), let p ∈ players(Gθ).We show p ∈ players(S; E; G) by induction on the least distance d of a communication with player p from the root of Gθ.First of all, it is easy to see that there is G such that players(S; E; G) = players(S; E; G ) and Gθ = G θ and either and players(S; E; G 1 ) = players(S; E; G 2 ) and, since E is S-closed and so guarded, we have that G 2 is not a variable.
To show soundness and completeness of our inference algorithm, it is handy to formulate an inductive version of our typing rules, see Figure 8, where N ranges over sets of pairs (N, G).We can give an inductive formulation since all infinite derivations using the typing rules of Figure 3 are regular, i.e. the number of different subtrees of a derivation for a judgement G N is finite.In fact, it is bounded by the product of the number of different subterms of G and the number of different subnetworks of N, which are both finite as G and (processes in) N are regular.Applying the standard transformation according to [Dag21, Theorem 5.2] (see Definition 5.1 for the notational convention) from a coinductive to an inductive formulation we get the typing rules shown in Figure 8.
In the following two lemmas we relate inference and inductive derivability.
[I-In]: We have N ≡ p[[ q?{λ j ; P j } j∈J ]] N and S, (N, X) N and players(S, (N, X); E i ; Y i ) \ {p} = players(N ) for all i ∈ I ⊆ J, Being θ ∈ sol S (E), Lemma 3.14 implies players(S; E; X) = players(N).So we get that θ agrees with S, (N, X).Then, by induction hypothesis, we have Sθ, (N, θ(X) for all i ∈ I.The thesis follows by Rule [I -In], since θ(X) = q p?{λ i ; θ(Y i )} i∈I and players(S, (N, X) for all i ∈ I by Lemma 3.14.
Proof.By induction on the derivation of N i N : G. [I -Out]: In this case we have N ≡ p[[ q!{λ i ; P i } i∈I ]] N and G = p q!{λ i ; G i } i∈I and N , (N, G) i N i : G i with N i ≡ p[[ P i ]] N and players(G i ) \ {p} = players(N ), for all i ∈ I.This last condition implies players(G) = players(N).Set σ = σ + {X → G} and S = S, (N, X), then, by induction hypothesis, we get that there are E i and θ i such that S (N i , Y i ) ⇒ E i and θ i ∈ sol S (E i ) and dom(θ i ) = vars(E i ) ∪ vars(S ) and σ θ i and θ i (Y i ) = G i , for all i ∈ I.We can assume that i = j implies Y i = Y j and dom(E i ) ∩ dom(E j ) = ∅ for all i, j ∈ I, because the algorithm always introduces fresh variables.This implies dom(θ i ) ∩ dom(θ j ) = vars(S ) for all i = j, and so θ = i∈I θ i is well defined.Moreover, we have θ ∈ sol S (E i ) and σ θ and θ(X) = G, as σ σ and σ θ i θ for all i ∈ I. From players(G i ) \ {p} = players(N ) we get players(S ; all i ∈ I.This last condition implies players(G) = players(N).Set σ = σ + {X → G} and S = S, (N, X), then, by induction hypothesis, we get that there are E i and θ i such that S (N i , Y i ) ⇒ E i and θ i ∈ sol S (E i ) and dom(θ i ) = vars(E i ) ∪ vars(S ) and σ θ i and θ i (Y i ) = G i , for all i ∈ I.We can assume that i = j implies Y i = Y j and dom(E i ) ∩ dom(E j ) = ∅ for all i, j ∈ I, because the algorithm always introduces fresh variables.This implies dom(θ i ) ∩ dom(θ j ) = vars(S ) for all i = j, and so θ = i∈I θ i is well defined.Moreover, we have θ ∈ sol S (E i ), σ θ and θ(X) = G, as σ σ and σ θ i θ for all i ∈ I. From players(G i ) \ {p} = players(N ) we get players(S ; E i ; Y i ) \ {p} = players(N ) for all i ∈ I by Lemma 3.14.By Rule [I-In], we get S (N, X) ⇒ E with E = {X q p?{λ i ; Y i } i∈I } ∪ i∈I E i and θ ∈ sol S (E), since θ(X) = q p?{λ i ; G i } i∈I = q p?{λ i ; θ i (Y i )} i∈I = (q p?{λ i ; Y i } i∈I )θ and σ θ.
(2).From G N we get i N : G.By Lemma 3.16 this implies that there are E and θ such that (N, X) ⇒ E and θ ∈ sol(E) and θ(X) = G.
Remark 3.18 (Termination).As happens for (co)SLD-resolution in logic programming, the termination of our inference algorithm depends on the choice of a resolution strategy.Indeed, we have many sources of non-determinism: we have to select a goal to be resolved and, for each of such goals, we can either pick a participant of the network and expand it using rules [I-In] or [I-Out], or try to close a cycle using the rule [I-Cycle].A standard way to obtain a sound and complete resolution strategy is to build a tree where all such choices are performed in parallel and then visit the tree using a breadth-first strategy.The tree is potentially infinite in depth, but it is finitely branching, since at each point we have only finitely many different choices, hence this strategy necessarily enumerates all solutions.Moreover, by Theorem 3.8, we know that every network has a type, therefore this strategy necessarily finds a solution, that is, it terminates.Notice that the same network can be typed by a weakly balanced global type and a non weakly balanced global type (weak balancing is defined in Figure 9).For instance the hospital network can be typed by the weakly balanced global type of Figure 4 and the non weakly balanced global types of Example 3.6.

Taming Types
In this section we tame global types so that the resulting typing enforces the required properties, i.e.Subject Reduction and Progress.We start by characterising a class of global types for which, when looking at global types as trees, the first occurrences of players are at a bounded depth in all paths starting from arbitrary nodes.This property, that we call boundedness, is required by the transition Rules [Inside-Out] and [Inside-In].It is also needed for Subject Reduction and Progress.We then pass to formalise a condition on type configurations inspired again by the "inside" rules of the LTS in Figure 5.We require that for each choice of inputs there should be either an output or a message in the queue matching one of the choice labels.We call this property weak balancing, since it only requires matching for inputs.Instead, we call balanced a type configuration in which, in addition to the weak balancing, each output emitted by the global type and each message in the queue must have an input reading it in the type.For a session N M whose network is typed by a global type G, boundedness of G and weak balancing of G M suffice to prove Subject Reduction and the properties of deadlock freedom and input lock-freedom.To prove orphan-message freedom, as expected, we also need balancing of G M.
4.1.Boundedness.To formalise boundedness we use ξ to denote a path in global type trees, i.e., a possibly infinite sequence of communications p q!λ or p q?λ.With ξ n we represent the n-th communication in the path ξ, where 0 ≤ n < x and x ∈ N ∪ {ω} is the length of ξ.
By we denote the empty sequence and by • the concatenation of a finite sequence with a possibly infinite sequence.The function Paths gives the set of paths of global types, which are the greatest sets such that: It is handy to define the depth of a player p in a global type G, depth(G, p).
Note that depth(G, p) = 0 iff p ∈ players(G).Moreover, if p = play(ξ n ) for some path ξ and all n ∈ N, then depth(ξ, p) = inf ∅ = ∞.Hence, if p is a player of a global type G, but it does not occur as a player in some path of G, then depth(G, p) = ∞.
We can now define the condition we were looking for.
Definition 4.2 (Boundedness).A global type G is bounded if depth(G , p) is finite for all participants p ∈ players(G ) and all types G which occur in G.
Example 4.3.The following example shows the necessity of considering all types occurring in a global type for defining boundedness.Consider G = r q!λ; r q?λ; G , where G = p q!{λ 1 ; p q?λ 1 ; q r!λ 3 ; q r?λ 3 , λ 2 ; p q?λ 2 ; G } Then we have: Since global types are regular the boundedness condition is decidable.
It is easy to check that the LTS of type configurations preserves the boundedness of global types.

The undecidability of (weak) balancing
The cornerstone we build on to prove well-typed sessions have progress is the balancing property.This has a non-trivial definition mixing coinduction and induction, hence a natural question which may arise is whether it is decidable.
In this section we answer this question, proving that (weak) balancing is actually undecidable.Then, in the next section, we will define an algorithm to test balancing of a type configuration proving it is sound with respect to the coinductive definition.We carry out these results for the balancing property and only discuss how they can be easily adapted to the weak version.
The undecidability proof follows the same strategy used to show the undecidability of asynchronous session subtyping [BCZ17].Indeed, we provide a reduction from the complement of the acceptance problem on queue machines, known to be undecidable as queue machines are Turing complete [Koz97], to the problem of checking if a given type configuration has the balancing property.We first recall basic definitions about queue machines.Definition 5.1 (Queue machine).A queue machine is a tuple M = Q, Σ, Γ, $, s, δ where • Q is a finite set of states; • Γ is a finite set named queue alphabet; A configuration of M is a pair q, χ ∈ Q × Γ , where q is the current state and χ is a sequence of symbols in Γ modelling the queue.An initial configuration has shape s, χ$ where χ ∈ Σ .
The transition relation → M is a binary relation on configurations of M defined by q, aα → M q , αη if δ(q, a) = q , η Note that, since δ is a total function, computation is deterministic and the only final configurations of the machine M have shape q, .That is, M terminates only when the queue is empty.
We can now define the acceptance condition for a queue machine.As usual, we denote by → M the reflexive and transitive closure of the transition relation.Definition 5.2 (Acceptance).Let M = Q, Σ, Γ, $, s, δ be a queue machine.A sequence χ ∈ Σ is accepted iff s, χ$ → M q, , for some q ∈ Q.
Intuitively, this means that a sequence χ on the input alphabet is accepted iff starting from s, χ$ the machine terminates.
Let us now define the encoding which will give us the reduction.Assume a queue machine M = (Q, Σ, Γ, $, s, δ).We define a global type whose players are p and q and labels are symbols in Γ.Since p is always the sender and q the receiver in defining the global type we avoid prefixing ! and ?by p q. Moreover in the queue we only write the exchanged labels, that is, we identify message queues (in type configurations) with elements of Γ .For every state q ∈ Q, let G q be defined by the following equation: . .b a na ) I.e. the global type G q is an input reading all characters a of the queue alphabet followed by the outputs of the characters b a 1 , . . ., b a na which are put on the queue and then by the global type G q , where q is the following state.
The encoding of the machine configuration q, χ , denoted by [ q, χ ], is the type configuration G q χ.
Our goal is to relate the acceptance problem of the queue machine M with the balancing property of the type configurations obtained through the above encoding.The next theorem formally states this relationship.
Theorem 5.3.The machine M does not accept χ ∈ Σ iff the encoding of its initial configuration s, χ$ is balanced, that is, b G s χ$.
To prove the theorem we rely on some lemmas.The first one shows that diverging computations in a queue machine correspond to derivations of the balancing property.
Proof.Since q, χ diverges, we have a sequence q i , χ i i∈N such that q, χ = q 0 , χ 0 and, for all i ∈ N, q i , χ i → M q i+1 , χ i+1 .By definition of → M we have χ i = a i η i and δ(q i , a i ) = q i+1 , b a i 1 . . .b a i na i . For all i ∈ N, define the set A i of balancing judgments as follows: We prove that A is consistent with respect to the rules defining balancing, then the statement follows by coinduction.
We can easily prove that for every judgement b G η in A, the judgement read (G, η) is derivable.In fact each η only contains symbols in Γ and G always offers some outputs and then a choice of inputs for all symbols in Γ.
Therefore, to conclude, we have just to show that every b G η in A is the consequence of a rule whose premises are still in A. By definition of A, we have that b G η belongs to A i for some i ∈ N. We distinguish three cases.
The following lemma shows that transitions in the queue machine preserve the balancing property.
Lemma 5.5.If q, χ → M q , χ and b G q χ, then b G q χ .Proof.If q, χ → M q , χ , then χ = aα, δ(q, a) = q , η and χ = αη with η = b a 1 . . .b a na .If b G q χ holds, since G q =?{a ; b a 1 ; . . .b a n a ; G q a } a ∈Γ with δ(q, a ) = q a , b a 1 . . .b a n a , we get q a = q and b G q χ is derived by Rule [B-In] with unique premise b !b a 1 ; . . .b a na ; G q α.This premise is obtained by applying n a times Rule [B-Out] to the judgement b G q αb a 1 . . .b a na , hence it holds as needed.Finally, the next lemma shows that a configuration q, χ whose encoding has the balancing property is not stuck.
Proof.By definition we have G q =?{a; !b a 1 ; . ..!b a na ; G qa } a∈Γ with δ(q, a) = q a , b a 1 . . .b a na .Then, b G q χ is derived by Rule [B-In], therefore χ = a χ for some a ∈ Γ and χ ∈ Γ and so q, χ → M q a , χ b a 1 . . .b a n a .Proof of Theorem 5.3.To prove the left-to-right implication, note that if M does not accept χ ∈ Σ , then s, χ$ diverges, hence, by Lemma 5.4, we get b G s χ$.Towards a proof of the other implication, we inductively construct an infinite computations q i , χ i where b G q i χ i holds for all i ∈ N as follows: • set q 0 , χ 0 = s, χ$ , then b G q 0 χ 0 holds by hypothesis; • since b G q i χ i holds by induction hypothesis, by Lemma 5.6, we have q i , χ i → M q , χ and, by Lemma 5.5, we get b G q χ holds.Then, we set q i+1 , χ i+1 = q , χ .Therefore, s, χ$ diverges and so χ is not accepted.
We can get the same result for weak balancing just removing the parts of the proofs dealing with the readability judgement in Lemmas 5.4, 5.5, as they do not play any relevant role in the reduction.

Recovering effectiveness
In order to recover from the undecidability result in Corollary 5.7, we define an inductive version of the balancing property, proving it is sound with respect to the coinductive definition (Theorem 6.8), thus getting a sound algorithm to check balancing.Note that this soundness result is enough to ensure that well-typed sessions -where the corresponding type configuration is successfully checked by this algorithm -has progress, thus obtaining an effective type system.This inductive definition, described by the rules in Figure 13, follows a standard pattern used to deal with regular structures: we consider an enriched judgement H I b G M, where H is an auxiliary set of pairs of types, queues used to detect cycles in global types and test a condition on them (see the side condition of Rule [IB-Cycle]), thus avoiding non-termination.Other rules are essentially the same as in the coinductive version.
To make this pattern work, we have to appropriately define the judgement ok (G, M, M ).One obvious possibility is to require M ≡ M and read (G, M), which is always sound, because it forces derivations to be regular.However, this is too restrictive, as it accepts 3:31 H, (p q!{λ i ; G i } i∈I , M) I b G i M • p, λ i , q ∀i ∈ I H I b p q!{λ i ; G i } i∈I M read (p q!{λ i ; G i } i∈I , M) H, (p q?{λ i ; G i } i∈I , p, λ h , q • M) I b G h M H I b p q?{λ i ; G i } i∈I p, λ h , q • M read (p q?{λ i ; G i } i∈I , p, λ h , q • M) h ∈ I only type configurations where the queue cannot grow indefinitely.This for instance is not the case for our running example.Therefore, we consider a more sophisticated definition of ok (G, M, M ) which goes beyond regular derivations.The judgement is defined in Figure 14.
The first condition we require is the equivalence M ≡ M • M .This is needed because, if a message in M is not in M , then a coinductive derivation of the judgement b G M would get stuck on Rule [B-In], i.e., the judgement would not be derivable, making the algorithm unsound.However, we allow the presence of additional messages, so that the queue between two occurrences of the same global type can grow.
In order to ensure that the messages in the queue M do not interfere with the balancing of G, we demand that they can be exchanged with the outputs of G.This condition is checked H, (p q!{λ i ; G i } i∈I , M) agr (G i , M i ) ∀i ∈ I H agr (p q!{λ i ; H, (p q?{λ i ; G i } i∈I , M) agr (G i , M) ∀i ∈ I H agr (p q?{λ i ; G i } i∈I , M) G, p q!{λ i ; G i } i∈I dread (G i , M) ∀i ∈ I G dread (p q!{λ i ; G i } i∈I , M) G, p q?{λ i ; G i } i∈I dread (G i , M) ∀i ∈ I G dread (p q?{λ i ; G i } i∈I , M) i ∈ I. Lemma 6.7 implies dread (G i , M i ) for all i ∈ I. From M ≡ G M 1 • M 2 we have M • p, λ i , q ≡ G i M 1 • p, λ i , q • M i for all i ∈ I.
[IB-In]: In this case we have G = p q?{λ i ; G i } i∈I , read ( G, M 1 ) and M 1 ≡ p, λ h , q • M and H, ( G, M 1 ) I b G h M for some h ∈ I.We need to show that read ( G, M) and G h M • M 2 belongs to A, then the statement follows by Rule [B-In].Note that read ( G, M) follows from M ≡ G M 1 • M 2 and read ( G, M 1 ) and dread ( G, M 2 ) by Lemma 6.3(5) and Proposition 6.4(1).We now prove that G h M • M 2 belongs to A. The coherence of H implies the coherence of H, ( G, M 1 ).From agr ( G, M 2 ) we get agr (G h , M 2 ) by Lemma 6.5(2).From dread ( G, M 2 ) we get dread (G h , M 2 ) by Lemma 6.3(3).
Finally, we observe that we can obtain a sound inductive version of weak balancing as well.We just have to remove premises involving readability and deep readability from the rules in Figure 13.
In Figures 16, 17, 18 and 19 we prove that the hospital global type with the empty queue is inductively balanced using the agreement, deep read and read judgments.Notice that in Figure 17 we need p, pr , s • p, nd , s ≡ G 1 p, nd , s • p, pr , s .This holds since the messages p, pr , s and p, nd , s are G 1 -indistinguishable, being G 1 = p s?{nd ; G 2 , pr ; G 2 }, where G 2 does not contain different inputs from p to s.
This abbreviation is justified by the associativity and commutativity of .We define players(N) = {p | p[[ P ]] ∈ N}.

Example 3. 4 .
The typing of the running example discussed in the Introduction is the content of Figure 4. Notice that the premises of the application of Rule [In] with conclusion G 1 p[[ P 1 ]] s[[ S ]] are two occurrences of the derivation D, since the process S is p?{nd ; S 1 , pr ; S 1 }.

Figure 6 :
Figure 6: Rules of the inference algorithm.

Figure 7 :
Figure 7: An application of the inference algorithm to the hospital network, where P , P 1 , S, S 1 , G, G 1 and G 2 are defined in the caption of Figure 4.
Definition 4.1 (Depth of a player).Let G be a global type.For ξ ∈ Paths(G) set depth(ξ, p) = inf{n | play(ξ n ) = p}, and define depth(G, p), the depth of p in G, as follows: Proposition 4.4.If G is bounded and G M β − → G M , then G is bounded.Proof.By induction on the transition rules of Figure 5.4.2.Balancing.The weak balancing predicate of Figure9ensures that at least one of the labels of every input choice of the global type is matched either by a message in the queue or by a preceding output in the global type.Rule [WB-Out] removes an output choice from the type and puts the corresponding message in the queue.This allows a subsequent input choice to be matched by one of its output messages.Rule [WB-In] says that every initial input choice should find one of its corresponding messages in the queue.Notice the similarity between these two rule and Rules [Inside-Out], [Inside-In] of Figure5.Example 4.5.Figure 10 displays the initial part of the weakly balancing derivation for the type configuration G ∅, where G, G 1 and G 2 are defined in the caption of Figure 4.
Theorem 4.20 (Progress).If G N and G is bounded and b G M, then N M has the progress property.