we link ProtoError to MsgError using contracts. Second, we link the run-time semantics to the proof-dependent operational semantics. Third, we link the absence of memory leaks in the proof to the same property for the run-time semantics. The first point proceeds directly from the subject reduction lemma

Lemma. For all programs p, for all states ? , if the following holds ? ? is well-formed ? p, ? * ProtoError ? p, ? * OwnError then p, ? * MsgError.

Since the contract is valid, the latter configuration cannot be faulty and hence is distinct from (q, q , w, w ). It suffices to show that CONFS(? , ?, ? ) contains exactly one configuration to derive a contradiction: ? if the error is an orphan message, then ?, ? are fully owned at closure, so their states are uniquely determined

? if the error is an unspecified reception, then ? must be owned, but note that cstate(? )(? ) may be undefined. This means that q 1 = q, but not necessarily that q 1 = q. However, due to the definition of unspecified receptions,

The connection between the run-time semantics and the proof-based semantics uses flattening of open states (Definition 32)

For all p, ? , ? , 1. if p, ? ? error, then p

? or p, ? * p , for some ? such that C(p ) = p and C(flat(? )) = ?. By straightforward induction, this lemma states that any error in the run-time semantics can be lifted to an error in the instrumented semantics: if p, ? ? * error

Proof. We prove each point separately. For the first point, assume that p, ? ? error; one of the following cases holds: ? an OwnError is triggered because C(p), C(flat(? )) ? OwnError: then we also have p, ? OwnError thanks to safety monotonicity. Assume C(flat(? ))

? an MsgError is triggered because C(p), C(flat(? )) ? MsgError: the error depends only on the first message identifier in the queue causing the error, which is the same in ? and C(flat(? )), hence p, ?

? A channel instruction is executed that transfers ownership: C(p), C(flat(? )) ? p , ? under emp(?), and if p, ? error, p, ? p , ? under ?. Then the footprint lost from (resp. added to) h 1 during that step will go inside,

? Any other operational rule is triggered: the semantics match

Finally, the following lemma will be the cornerstone of the proof that proved programs do not leak memory that is not
