Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types

Anson Miu Francisco Ferreira Imperial College London and Bloomberg Imperial College London United Kingdom United Kingdom Nobuko Yoshida Fangyi Zhou Imperial College London Imperial College London United Kingdom United Kingdom

Abstract ACM Reference Format: Modern web programming involves coordinating interac- Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou. tions between browser clients and a server. Typically, the 2021. Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types. In Proceedings of the 30th ACM interactions in web-based distributed systems are informally SIGPLAN International Conference on Compiler Construction (CC ’21), described, making it hard to ensure correctness, especially March 2–3, 2021, Virtual, USA. ACM, New York, NY, USA, 27 pages. communication safety, i.e. all endpoints progress without https://doi.org/10.1145/3446804.3446854 type errors or deadlocks, conforming to a specified protocol. We present STScript, a toolchain that generates TypeScript 1 Introduction APIs for communication-safe web development over Web- Web technology advancements have changed the way peo- Sockets, and RouST, a new session type theory that supports ple use computers. Many services that required standalone multiparty communications with routing mechanisms. applications, such as email, chat, video conferences, or even STScript provides developers with TypeScript APIs gen- games, are now provided in a browser. While the Hypertext erated from a communication protocol specification based Transfer Protocol (HTTP) is widely used for serving web on RouST. The generated APIs build upon TypeScript con- pages, its Request-Response model limits the communication currency practices, complement the event-driven style of patterns — the server may not send data to a client without programming in full-stack web development, and are com- the client first making a request. patible with the Node.js runtime for server-side endpoints The WebSocket Protocol [12] addresses this limitation by and the React.js framework for browser-side endpoints. providing a bi-directional channel between the client and RouST can express multiparty interactions routed via an the server, akin to a Unix socket. Managing the correct usage intermediate participant. It supports peer-to-peer commu- of WebSockets introduces an additional concern in the de- nication between browser-side endpoints by routing com- velopment process, due to a lack of WebSocket testing tools, munication via the server in a way that avoids excessive requiring an (often ad-hoc) specification of the communica- serialisation. RouST guarantees communication safety for tion protocol between server and clients. endpoint web applications written using STScript APIs. We evaluate the expressiveness of STScript for modern B A S web programming using several production-ready case stud- Suggest Query ies deployed as web applications. alt Available arXiv:2101.04622v1 [cs.PL] 12 Jan 2021 CCS Concepts: • Software and its engineering → Source Quote code generation; • Theory of computation → Distributed computing models. alt OK Confirm Keywords: TypeScript, WebSocket, API generation, session No types, deadlock freedom, web programming Reject

CC ’21, March 2–3, 2021, Virtual, USA Full Full © 2021 Association for Computing Machinery. Restart This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 30th ACM SIGPLAN International Conference on Compiler Figure 1. Travel Agency Protocol as a Sequence Diagram Construction (CC ’21), March 2–3, 2021, Virtual, USA, https://doi.org/10.1145/ 3446804.3446854. Consider the scenario in Fig.1, where an online travel agency operates a “travelling with a friend” scheme (ignoring 1 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

the blue dashed arrows). It starts when a traveller (B) sug- uses binary (2-party) session types; and King et al.[20] re- gests a trip destination to their friend (A), who then queries quire each non-server role to only communicate to the server, the travel agency (S) if the trip is available. If so, the friends hence preventing interactions between non-server roles (cf. discuss among themselves whether to accept or reject the talking to a friend in the scenario). The programming lan- quoted price. If the trip was unavailable, the friends start guages used in these works are, respectively, Links [8] and again with a new destination. PureScript [28], both not usually considered mainstream An implementation of the travel agency protocol may in the context of modern web programming. The Jolie lan- contain programming errors, risking communication safety. guage [24] focuses more on the server side, with limited For example, the following implementation of the client-side support for an interactive front end of web applications. endpoint for traveller A sending a quote to traveller B. This paper presents a novel toolchain, Session TypeScript 1 (STScript), for implementing multiparty protocols safely in 2 Send Quote to B web programming. STScript integrates with modern tools and 3 its flexibility over the traditional HTTP model. When de- There are subtle errors that violate the communication pro- velopers use our generated APIs to correctly implement the tocol, but these bugs are unfortunately left for the developer protocol endpoints, STScript guarantees the freedom from to manually identify and test against: communication errors, including deadlocks, communication Communication Mismatch Whilst the input field man- mismatches, channel usage violation or cancellation errors. dates a numerical value (Line1) for the quote, the value from Our toolchain is backed by a new session theory, a routed the input field is actually a string. If B expects a number multiparty session types theory (RouST), to endow servers and performs arithmetic operations on the received payload with the capacity to route messages between web clients. The from A, the type mismatch may be left hidden due to implicit new theory addresses a practical limitation that WebSocket type coercion and cause unintended errors. connections still require clients to connect to a prescribed Channel Usage Violation As B may take time to respond, server, constraining the ability for inter-client communica- A can experience a delay between sending the quote and tion. To overcome this, our API routes inter-client messages receiving a response. Notice that the button remains active through the server, improving the expressiveness over pre- after sending the quote — A could click on the button again, vious work and enabling developers to correctly implement and send additional quotes (thus reusing the communication multiparty protocols, as we show with blue dashed arrows channel), but B may be unable to deal with extra messages. in Fig.1. In our travel agency scenario, the agency plays Handling Session Cancellation An additional concern is the server role: it will establish WebSocket channels with how to handle browser disconnections, as both travellers can each participant, and be tasked with routing all the messages freely close their browsers at any stage of the protocol. Sup- between the friends. We formalise this routing mechanism pose S temporarily reserves a seat on A’s query. If A closes as RouST and prove deadlock-freedom of RouST and show a their browser, the developer would need to make sure that A behaviour-preserving encoding from the original MPST to notifies S prior to disconnecting, and S needs to implement RouST. The formalism and results in RouST directly guide recovery logic (e.g. releasing the reserved seat) accordingly. a deadlock-free protocol implementation in Node.js via the To prevent these errors and ensure deadlock-freedom, we router, preserving communication structures of the original propose to apply session types [14, 15] into practical interac- protocol written by a developer. tive web programming. The scenario described in Fig.1 can Finally, we evaluate our toolchain (STScript) by case stud- be precisely described with a global type using the typing ies. We evaluate the expressiveness by implementing a num- discipline of multiparty session types (MPST) [15]. Well-typed ber of web applications, such as interactive multiplayer games implementations conform to the given global protocol, are (Noughts and Crosses, Battleship) and web services (Travel guaranteed free from communication errors by construction. Agency) that require routed communication. Whereas session type programming is well-studied [1], its application on web programming, in particular, interactive Contributions and Structure of the Paper. §2 presents web applications, remains relatively unexplored. Integrat- an overview of our toolchain STScript, which generates APIs ing session types with web programming has been piloted for communication-safe web applications in TypeScript from by recent work [13, 20, 24], yet none are able to seamlessly multiparty protocol descriptions. §3 motivates how the gen- implement the previous application scenario: Fowler [13] erated code executes the multiparty protocol descriptions, 2 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

A Global Type 퐺 Projection onto each Participant 푇A 푇B 푇S Local Type Local Type Local Type for A for B for S Figure 3. Top-down MPST Design Methodology

1 global protocol TravelAgency(roleA, roleB, roleS) 2 { Suggest(string) fromB toA;//friend suggests place 3 Query(string) fromA toS; 4 choice atS 5 { Available(number) fromS toA; 6 Quote(number) fromA toB;//check price with friend 7 choice atB 8 { OK(number) fromB toA; 9 Confirm(credentials) fromA toS;} 10 or { No() fromB toA; 11 Reject() fromA toS;}} 12 or { Full() fromS to A; Full() fromA toB; 13 do TravelAgency(A, B, S); } } Figure 2. Overview of the toolchain STScript Figure 4. Travel Agency Protocol in Scribble and present how STScript prevents common errors in the context of web applications. §4 presents RouST, multiparty respond to the query either with Available, so the customer session types (MPST) extended with routing, and define a continues booking, or with Full, so the customer retries by trace-preserving encoding of the original MPST into RouST. restarting the protocol via the do syntax (Line 13). §5 evaluates our toolchain STScript via a case study of In this scenario, we designate the roles A and B as client Noughts and Crosses and performance experiments. §6 roles, and role S as a server role. Participating endpoints gives related and future work. can obtain their local views of the communication proto- Appendix includes omitted code, definitions, performance col, known as local types, via projection from the specified benchmarks and detailed proofs. The artifact accompanying global type (Fig.3). The local type of an endpoint can be then this paper [23] is available via DOI or at https://github.com/ used in the code generation process, to generate APIs that STScript-2020/cc21-artifact, containing the source code of are correct by construction [17, 20, 35]. STScript, with implemented case studies and performance The code generation toolchain STScript (Fig.2) follows benchmarks. See AppendixA for details about the artifact. the MPST design philosophy. In STScript, we take the global protocol as inputs, and generate endpoint code for a given 2 Overview role as outputs, depending on the nature of the role. We In this section, we give an overview of our code generation use the Scribble toolchain for initial processing, and use an toolchain STScript (Fig.2), demonstrate how to implement endpoint finite state machine (EFSM) based code generation the travel agency scenario (Fig.1) as a TypeScript web appli- technique targeting the TypeScript Language. cation, and explain how STScript prevents those errors. Targeting Web Programming. The TypeScript [2] pro- Multiparty Session Type Design Workflow. Multiparty gramming language is used for web programming, with a session types (MPST) [15] use a top-down design method- static type system and a compiler to JavaScript. TypeScript ology (Fig.3). Developers begin with specifying the global programs follow a similar syntax to JavaScript, but may communication pattern of all participants in a global type contain type annotations that are checked statically by the or a global protocol. The protocol is described in the Scrib- TypeScript type-checker. After type-checking, the compiler ble protocol description language [16, 31, 34]. We show the converts TypeScript programs into JavaScript programs, so global protocol of the travel agency scenario (in §1) in Fig.4. they can be run in browsers and other hosts (e.g. Node.js). The Scribble language provides a user-friendly way to de- To implement a wide variety of communication patterns, scribe the global protocol in terms of a sequence of message we use the WebSocket protocol [12], enabling bi-directional exchanges between roles. A message is identified by its label communication between the client and the server after con- (e.g. Suggest, Query, etc), and carries payloads (e.g. number, nection. This contrasts with the traditional request-response string, etc). The choice syntax (e.g. Line4) describes pos- model of HTTP, where the client needs to send a request sible branches of the protocol – in this case, the Server may and the server may only send a response after receiving the 3 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

4 S?Full B!Full S?Available 1 2 3 5 B?Suggest S!Query B!Quote 7 S!Confirm B?Ok 9 6 S!Reject B?No 8 Figure 5. EFSM for TravelAgency role A request. WebSockets require an endpoint to listen for connec- tions and the other endpoint connecting. Moreover, clients, Figure 6. IDE Auto-Completion for Successor State using the web application in a browser, may only start a server, in this use case, namely providing quotes for holiday connection to a WebSocket, and servers may only listen for bookings and handling booking confirmations. new connections. The design of WebSocket limits the ability for two clients to communicate directly via a WebSocket (e.g. 1 import { Session, S } from"./TravelAgency/S"; Line2 in Fig.4). STScript uses the server to route messages 2 const agencyProvider = (sessionID: string) => { between client roles, enabling communication between all 3 const handleQuery = Session.Initial({ participants via a star network topology. 4 Query: async (Next, dest) => { An important aspect of web programming is the interac- 5 // Provide quotes for holiday bookings const res = await checkAvailability(sessionID, dest); tivity of the user interface (UI). Viewed in a browser, the web 6 7 if (res.status ==="available"){ application interacts with the user via UI events, e.g. mouse 8 return Next.Available([res.quote], Next => ...); clicks on buttons. The handling of UI events may be imple- 9 } else{ return Next.Full([], handleQuery); } }, }); mented to send messages to the client (e.g. when the “Submit” 10 return handleQuery; }; button on the form is clicked), which may lead to practical problems. For instance, would clicking “Submit” button twice All callbacks carry an extra parameter, Next, which acts as create two bookings for the customer? We use the popular a factory function for constructing the successor state. This React.js UI framework for generating client endpoints, and empowers IDEs to provide auto-completion for developers. generate APIs that prevent such errors from happening. For example, the factory function provided by the callback for handling a Query message (Line4) prompts the permitted Callback-Style API for Clients and Servers. Our code labels in the successor send state, as illustrated in Fig.6. generation toolchain STScript produces TypeScript APIs in a callback style [35] to statically guarantee channel linearity. Implementing the Client Roles. To implement client The input global protocol is analysed by the toolchain for roles, merely implementing the callbacks for the program well-formedness, and an endpoint finite state machine (EFSM) logic is not sufficient — unlike servers, web applications have is produced for each endpoint. We show the EFSM for role A interactive user interfaces, additional to program logic. As in Fig.5. The states in the EFSM represent local types (sub- mentioned previously, our code generation toolchain tar- ject to reductions) and transitions represent communication gets React.js for client roles. For background, the smallest actions (Symbol ! stands for sending actions, ? for receiving). building blocks in React.js are components, which can carry In the callback API style, type signatures of callbacks are properties (immutable upon construction) and states (muta- generated for transitions in the EFSM. Developers imple- ble). Components are rendered into HTML elements, and ment the callbacks to complete the program logic part of they are re-rendered when the component state mutates. the application, whilst a generated runtime takes care of the To bind the program logic with an interactive user in- communication aspects. For callbacks, sending actions cor- terface, we provide component factories that allow the UI respond to callbacks prompting the payload type as a return component to be interposed with the current state of the type, so that the returned value can be sent by the runtime. EFSM. Developers can provide the UI event handler to the Dually, receiving actions correspond to callbacks taking the component factory, and obtain a component for rendering. payload type as an argument, so that the runtime invokes The generate code structure enforces that the state transition the callback with the received value. strictly follows the EFSM, so programmer errors (such as the double “submit” problem) are prevented by design. Implementing the Server Role. In the travel agency pro- tocol, as shown in Fig.4, we designate role S as the server 1 render() { role. The server role does not only interact with the two 2 const OK = this.OK('onClick', () => [this.state.split]); const NO = this.No('onClick', () => []); clients, but also routes messages for the two clients. The 3 4 return (... routing will be handled automatically by the runtime, sav- 5 No ing the need for developers to specify manually. As a result, 6 OK ...); } the developer only handles the program logic regarding the 4 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Using the send state component in the FSM for the end- for each kind of EFSM state – send, receive, or terminal. The point B as an example, Line2 reads, “generate a React com- generated State class implements the interface correspond- ponent that sends the OK message with this.state.split ing to the type of communication action it performs. as payload on a click event”. It is used on Line6 as a wrapper 1 next(state: State.Type) { for a stylised component. The runtime invokes the 2 switch (state.type){ handler and performs the state transition, which prevents 3 case 'Send': return state.performSend( the double “submit” problem by design. 4 this.next, this.cancel, this.send); case 'Receive': return state.prepareReceive( Guaranteeing Communication Safety. Returning to the 5 6 this.next, this.cancel, this.registerMessageHandler); implementation in §1, we outline how STScript prevents 7 case 'Terminal': return; }} common errors to enable type-safe web programming. Node.js Communication Mismatch All generated callbacks are The session runtime for is a class that executes state transition function typed according to the permitted payload data type specified the EFSM using a parameterised State in the protocol, making it impossible for traveller A to send by the class of the current EFSM state. As the IO discriminated union the quote as a string by accident. interfaces constitute a , the runtime can Channel Usage Violation The generated client-side run- parse the type of the current EFSM state and propagate the time requires the developer to provide different UI compo- appropriate IO functions (for sending or receiving) to the State State nents for each EFSM state – once traveller A submits a quote, class. In turn, the class invokes the callback the runtime will transition to, thus render the component of, supplied by the developer to inject program logic into the this.send a different EFSM state. This guarantees that, whilst waiting EFSM, perform the communication action (using this.registerMessageHandler for a response from traveller B, it is impossible for traveller or ), and invoke the state this.next A to submit another quote and violate channel linearity. transition function ( ) with the successor state. Handling Session Cancellation If either traveller closes Notably, the routed messages are completely absent be- their browser before the protocol runs to completion, the cause the generated code transparently routes messages with- generated runtimes leverage the events available on their out exposing any details. As messages specify their intended WebSocket connections to notify (via the server) other roles recipient, the runtime identifies messages not intended for about the session cancellation. The travel agency can imple- the server by inspecting the metadata, and forwards them ment the error handler callback (generated by STScript) to to the WebSocket connected to the intended recipient. perform clean-up logic in response to cancellations. Executing the EFSM in React.js. Each state in the EFSM 3 Implementation is encoded as an abstract React component. The developer implements the EFSM by extending the abstract classes to In this section, we explain how the generated code executes provide their own implementation – namely, to build their the EFSM for Node.js and React.js targets. We also present user interface. Components for send states can access com- how STScript APIs handle errors in a dynamic web-based ponent factories to generate React components that perform environment (for complete code, see AppendixE). a send action when a UI event (e.g. onClick, onMouseOver) Session Runtime. The session runtime executes the EFSM is triggered. Components for receive states must implement in a manner permitted by the multiparty protocol descrip- abstract methods to handle all possible incoming messages. tion. The runtime keeps track of the current state, performs The session runtime for React.js is a React component, the required communication action (i.e. send or receive a instantiated using the developer’s implementation of each message), and transitions to the successor state. The runtime EFSM state. Channel communications are managed by the provides seams for the developer to inject the callback imple- runtime, so the developer’s implementations cannot access mentations, which define application-specific concerns for the WebSocket APIs, which prevents channel reuse by con- the EFSM, such as what message payload to send (and dually, struction. The runtime renders the component of the current how to process a received message). This design conceals EFSM state and binds the permitted communication action the WebSocket APIs from the developer and entails that the through supplying component properties. developer cannot trigger a send or receive action, so STScript Error Handling. An error handling mechanism is critical can statically guarantee protocol conformance. for web applications. Clients can disconnect from the session Executing the EFSM in Node.js. Each state of the EFSM due to network connectivity issues or simply by closing the is characterised by a (generated) State class and a type de- browser. Similarly, servers may also face connectivity issues. scribing the shape of the callback (supplied by the developer). Upon instantiating the session runtime, STScript requires To allow the server to correctly manage concurrent sessions, developers to supply a cancellation handler to handle local the developer can access a (generated) session ID when imple- exceptions (e.g. errors thrown by application logic) and global menting the callbacks. STScript also generates IO interfaces session cancellations (e.g. disconnection events by another 5 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

endpoint). The session runtime detects cancellation by lis- as protocols and describe the communication behaviour be- tening to the close event on the WebSocket connection, and tween all participating roles (participants), while local types invokes the cancellation handler with appropriate arguments describe the behaviour of a single participating role. We on a premature close event. We parameterise the cancellation shade additions to the original (or canonical) multiparty ses- handlers with additional information (e.g. which role discon- sion type (MPST) [9, 11, 15, 30] in this colour. nected from the session, the reason for the disconnection) to Definition 4.1 (Global and Local Types). The syntax of let developers be more specific in their error handling logic. global and local types are defined below: = end | | = end | | | → { } Cancellation Handlers for Servers. Server endpoints 퐺 :: t 휇t.퐺 푇 :: t 휇t.푇 p ↩ q : 푙푖 :푇푖 푖 ∈퐼 | p → q : {푙 :퐺 } | p ⊕ {푙 :푇 } | p ⊕⟨q⟩ {푙 :푇 } define cancellation handlers through a function, parame- 푖 푖 푖 ∈퐼 푖 푖 푖 ∈퐼 푖 푖 푖 ∈퐼 | p −s q : {푙푖 :퐺푖 }푖 ∈퐼 | p & {푙푖 :푇푖 }푖 ∈퐼 | p &⟨q⟩ {푙푖 :푇푖 }푖 ∈퐼 terised by the session ID, the role which initiated the cancel-
푙 퐺 lation, and (optionally) the reason for the cancellation — if Global Types. p → q : { 푖 : 푖 }푖 ∈퐼 describes a direct com- 푙 the server-side logic throws an exception, the handler can munication of a message 푖 from a role p to q. We require 푙 access the thrown error through the reason parameter. that p ≠ q, that labels 푖 are pairwise distinct, and that the 퐼 const handleCancel = async (sessionID, role, reason) => { index set is not empty. The message in the communica- 1 푙 2 if (role === Role.Self) { tion can carry a label among a set of permitted labels 푖 푙 3 console.error(`${sessionID}: internal server error`); } and some payload. After a message with label 푖 is received 4 else{ await tryRelease(sessionID); }}; by q, the communication continues with 퐺푖 , according to 5 // Instantiate session runtime the chosen label. For simplicity, we do not include payload 6 new S(wss, handleCancel, agencyProvider); types (integers, strings, booleans, etc) in the syntax. We write Using the Travel Agency scenario introduced in §1, if the p → q : 푙 : 퐺 for single branches. For recursion, we adopt customer prematurely closes their browser before respond- an equi-recursive view [27, §21], and use 휇t.퐺 and t for a ing to a Quote, the server can detect this (Line4) and release recursive protocol and a type variable. We require that re- the reservation to preserve data integrity. cursive types are contractive (guarded), i.e. the recursive type 휇t.퐺 progresses after the substitution 퐺 [휇t.퐺/t], prohibiting Cancellation Handlers for Clients. Browser-side end- types such as 휇t.t. We use end to mark the termination of points also define cancellation handlers through a function the protocol, and often omit the final end. parameterised in the same way as those in Node.js, but must To support routed communication, we allow messages return a React component to be rendered by the session to be sent through a router role.A routed communication 푙 퐺 runtime. In the context of the Travel Agency scenario, the p −s q : { 푖 : 푖 }푖 ∈퐼 describes a router role s coordinating customer can render a different UI depending on whether the the communication
of a message from p to q: q offers p a server disconnected or their friend closed their web browser choice in the index set 퐼, but p sends the selected choice 푙푖 to prematurely. Browser endpoints can also respond to cancel- the router s instead. The router forwards the selection from lations emitted by other client-side roles: when a browser p to q. After q receives p’s selection, the communication endpoint disconnects, the server detects this and propagates continues with 퐺푖 . s ranges over the set of roles p, q, ··· , the cancellation to the other client-side roles. but we use s by convention as the router is usually some server. The syntax for routed communication shares the 4 RouST: Routed Session Types same properties as direct communication, but we additionally 퐺 This section defines the syntax and semantics of RouST and require that p ≠ q ≠ s. We use pt ( ) to denote the set of 퐺 proves some important properties. We show the sound and participants in the global type . complete trace correspondence between a global type and Example 4.2 (Travel Agency). The travel agency protocol, a collection of endpoint types projected from the global as shown in Fig.4, is described by the global type 퐺travel in type (Theorem 4.6). Using this result, we prove deadlock 퐺푅 the original MPST, and travel in RouST. freedom (Theorem 4.7). We then show that, in spite of the 퐺travel = 휇t.B → A : 푆푢푔푔푒푠푡. A → S : 푄푢푒푟푦. added routed communications, RouST does not over-serialise  퐴푣푎푖푙푎푏푙푒 :    communications by proving communication preservations be-  A → B : 푄푢표푡푒. B → A :    tween the original MPST and RouST (Theorem 4.11). These S → A :  푂퐾 : A → S : 퐶표푛푓 푖푟푚  three theorems ensure that STScript endpoint programs are  푁표 : A → S : 푅푒 푗푒푐푡    communication-safe, always make progress, and correctly  퐹푢푙푙 : A → B : 퐹푢푙푙. t    푅 = − → conforms to the user-specified protocol. 퐺travel 휇t.B S A : 푆푢푔푔푒푠푡. A S : 푄푢푒푟푦.
 퐴푣푎푖푙푎푏푙푒 :     A −S B : 푄푢표푡푒. B −S A :  4.1 Syntax of Routed Multiparty Session Types   S → A :  푂퐾
: A → S : 퐶표푛푓 푖푟푚
 We define the syntax of global types 퐺 and local types (or end-  푁표 : A → S : 푅푒 푗푒푐푡  푇   point types) in Definition 4.1. Global types are also known  퐹푢푙푙 : A −S B : 퐹푢푙푙. t  6 
 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Local Types. We first describe the local types in the orig- Well-formedness. In the original theory, a global type 퐺 푙 푇 퐺 inal MPST theory. q & { 푖 : 푖 }푖 ∈퐼 stands for branching and is well-formed (or realisable), denoted wellFormed ( ), if the 푙 푇 q ⊕ { 푖 : 푖 }푖 ∈퐼 stands for selection. From the perspective of projection is defined for all its participants. p def , branching (resp. selection) offers (resp. selects) a choice wellFormed (퐺) = ∀p ∈ pt (퐺).퐺 ↾p exists among an index set 퐼 to (resp. from) q, and communication We assume that the global type 퐺 is contractive (guarded). continues with the corresponding 푇 . Local types 휇t.푇 , t and 푖 In RouST, we say that a global type is well-formed with end have the same meaning as their global type counterparts. respect to the role s acting as the router. We define the charac- We add new syntax to express routed communication teristics that s must display in 퐺 to prove that it is a router, from the perspective of each role involved. The local type and formalise this as an inductive relation, 퐺 ⊛ s (Defini- p &⟨s⟩ {푙 :푇 } is a routed branching: the current role is 푖 푖 푖 ∈퐼 tion 4.5), which reads s is a centroid in 퐺. The intuition is offering a choice from an index set 퐼 to p (the intended that s is at the centre of all communication interactions. sender), but expects to receive p’s choice via the router role 퐺 s; if the message received is labelled 푙 , q will continue with Definition 4.5 (Centroid). The relation ⊛ s (s is the cen- 푖 퐺 end local type 푇 . The local type q ⊕⟨s⟩ {푙 :푇 } is a routed se- troid of ) is defined by the two axioms ⊛ s and t ⊛ s 푖 푖 푖 푖 ∈퐼 and by the following rules: lection: the current role makes a selection from an index set 퐼 to q (the intended recipient), but sends the selection 퐺 ⊛ s s ∈ {p, q} ∀푖 ∈ 퐼.퐺 푖 ⊛ s r = s ∀푖 ∈ 퐼.퐺 푖 ⊛ s 푙 to the router role s; if the message sent is labelled 푖 , p will 휇t.퐺 ⊛ s p → q : {푙푖 : 퐺푖 }푖 ∈퐼 ⊛ s p −r q : {푙푖 :퐺푖 }푖 ∈퐼 ⊛ s continue with local type 푇 . The local type p ↩→ q : {푙 :푇 }
푖 푖 푖 푖 ∈퐼 For direct communication, s must be a participant and a is a routing communication. The router role orchestrates centroid of all continuations. For routed communication, s the communication from p to q, and continues with local must be the router and be a centroid of all continuations. Now type 푇 depending on the label of the forwarded message. 푖 we define of well-formedness of a global type 퐺 in RouST We keep track of the router role to distinguish between rout- with respect to the router s (denoted wellFormed푅 (퐺, s)): ing communications from normal selection and branching 푅 def interactions. wellFormed (퐺, s) = (∀p ∈ pt (퐺).퐺 ↾p exists) ∧ 퐺 ⊛ s

Endpoint Projection. The local type 푇 of a participant p 4.2 Semantics of RouST in a global type 퐺 is obtained by the endpoint projection of 퐺 This subsection defines the labelled transition system (LTS) onto p, denoted by 퐺 as 퐺 ↾p. over global types for RouST, building upon [11]. First, we define the labels (actions) in the LTS which dis- Definition 4.3 (Projection). The projection of 퐺 onto r, tinguish the direct sending (and reception) of a message from written 퐺 ↾r is defined as: the sending (and reception) of a message via an intermediate ( − { } ) p s q : 푙푖 :퐺푖 푖 ∈퐼 ↾r (휇t.퐺) ↾r routing endpoint. Labels range over 푙, 푙 ′, ··· are defined by:
( ′ q ⊕⟨s⟩ {푙푖 :퐺푖 ↾r}푖 ∈퐼 if r = p 휇t.(퐺 ↾r) if 퐺 ↾r ≠ t  = 푙 ::= pq!푗 | pq?푗 | via⟨s⟩(pq!푗) | via⟨s⟩(pq?푗) p &⟨s⟩ {푙 :퐺 ↾r} if r = q =  푖 푖 푖 ∈퐼 end otherwise The label via⟨s⟩(pq!푗) represents the sending (performed p ↩→ q : {푙푖 :퐺푖 ↾r}푖 ∈퐼 if r = s end↾r = end  by p) of a message labelled 푗 to q through the intermediate ⊓ 퐺 ↾r otherwise t↾r = t  푖 ∈퐼 푖 router s. The label via⟨s⟩(pq?푗) represents the reception ( → {푙 퐺 )} The projection p q : 푖 : 푖 푖 ∈퐼 ↾ r is defined similar to (initiated by q) of a message labelled 푗 send from p through ( − {푙 퐺 } ) p s q : 푖 : 푖 푖 ∈퐼 ↾ r dropping s (in the resulting local the intermediate router s. The subject of a label 푙, denoted by
type) and the third case. subj(푙), is defined as: subj(via⟨s⟩(pq!푗)) = subj(pq!푗) = p; A merge operator (⊓) is used when projecting a communi- and subj(via⟨s⟩(pq?푗)) = subj(pq?푗) = q. cation onto a non-participant. It checks that the projections LTS Semantics over Global Types. The LTS semantics of all continuations must be “compatible” (see Definition B.2). model asynchronous communication to reflect our imple- mentation. We introduce intermediate states (i.e. messages Example 4.4 (Merging Local Types). Two branching types in transit) within the grammar of global types: the con- .푗 푙 퐺 푙 from the same role with disjoint labels can merged into a type struct p ⇝ q : { 푖 : 푖 }푖 ∈퐼 represents that the message 푗 carrying both labels, e.g. A & 퐻푒푙푙표.end ⊓ A & 퐵푦푒.end = has been sent by p but not yet received by q; and the con- .푗 푙 퐺 푙 A & {퐻푒푙푙표 : end; 퐵푦푒 : end}. The same is not true for selec- struct p ⇝ q : { 푖 : 푖 }푖 ∈퐼 represents that 푗 has been sent s tions, A ⊕ 퐻푒푙푙표.end ⊓ A ⊕ 퐵푦푒.end is undefined. from p to the router s but not yet routed to q. We define the   푙 퐺푟푒푒푡 : A → C : 퐻푒푙푙표. end LTS semantics over global types, denoted by 퐺 −−→ 퐺 ′, in 퐺1 = A → B : 퐹푎푟푒푤푒푙푙 : A → C : 퐵푦푒. end Fig.7.[ Gr1] and [Gr2] model the emission and reception 퐺푟푒푒푡 : C → A : 퐻푒푙푙표. end  퐺 = A → B of a message; [Gr3] models recursions; [Gr4] and [Gr5] 2 : → 퐹푎푟푒푤푒푙푙 : C A : 퐵푦푒. end model causally unrelated transmissions — we only enforce The global type 퐺1 can be projected to role C, but not 퐺2. the syntactic order of messages for the participants involved 7 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

[Gr6] [Gr1] via⟨s⟩(pq!푗) pq 푗 ! p −s q : {푙푖 :퐺푖 }푖 ∈퐼 −−−−−−−−→ p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 p → q : {푙푖 :퐺푖 }푖 ∈퐼 −−−−−−−−→ p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼
s 푙 ′ [Gr2] 퐺 [휇t.퐺/t] −−→ 퐺 [Gr7] pq?푗 [Gr3] via⟨s⟩(pq?푗) p ⇝ q.푗 : {푙 :퐺 } −−−−−−−−→ 퐺 푙 ′ p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ −−−−−−−−→ 퐺 푗 푖 푖 푖 ∈퐼 푗 휇t.퐺 −−→ 퐺 s 푖 퐼 푙 ∀푖 ∈ 퐼.퐺 −−→ 퐺 ′ subj(푙) ∉ {p, q} 푙 ′ 푖 푖 ∀푖 ∈ 퐼.퐺 푖 −−→ 퐺 subj(푙) ∉ {p, q} [Gr4] 푖 [Gr8] 푙  ′ 푙 p → q : {푙푖 :퐺푖 }푖 ∈퐼 −−−−−−−−→ p → q : 푙푖 :퐺  ′ 푖 푖 ∈퐼 p −s q : {푙푖 :퐺푖 }푖 ∈퐼 −−−−−−−−→ p −s q : 푙푖 :퐺푖 ∈

푖 퐼 푙 퐺 −−→ 퐺 ′ subj(푙) ≠ q ∀푖 ∈ 퐼 \{푗}.퐺 ′ = 퐺 푙 ′ ′ 푗 푗 푖 푖 퐺 푗 −−→ 퐺 subj(푙) ≠ q ∀푖 ∈ 퐼 \{푗}.퐺 = 퐺푖 [Gr5] 푗 푖 푙 [Gr9] p ⇝ q.푗 : {푙 :퐺 } −−−−−−−−→ p ⇝ q.푗 : 푙 :퐺 ′ 푙  ′ 푖 푖 푖 ∈퐼 푖 푖 푖 ∈퐼 p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ −−−−−−−−→ p ⇝ q.푗 : 푙푖 :퐺 s 푖 퐼 s 푖 푖 ∈퐼 Figure 7. LTS over Global Types in RouST in the action 푙.[Gr6] and [Gr7] are analogous to [Gr1] and wellFormed푅 (퐺, s). Then we have:  푙  [Gr2] for describing routed communication, but uses the ∀퐺 ′. 퐺 →∗ 퐺 ′ =⇒ (퐺 ′ = end) ∨ ∃퐺 ′′,푙. (퐺 ′ −−→ 퐺 ′′) “routed in-transit” construct instead. [Gr8] and [Gr9] are analogous to [Gr4] and [Gr5]. An important observation from [Gr8] and [Gr9] is that, for the router, the syntactic 4.3 From Canonical MPST to RouST order of routed communication can be freely interleaved We present an encoding from the canonical MPST theory between the syntactic order of direct communication. This (no routers) to RouST. This encoding is parameterised by is crucial to ensure that the router does not over-serialise the router role (conventionally denoted as s); the intuition communication. See Example 4.13 for an LTS example. is that we encode all communication interactions to involve s. If the encoding preserves the semantics of the canonical Relating Semantics of Global and Local Types. We prove global type, then this encoding can guide a correct protocol the soundness and completeness of our LTS semantics with implementation in Node.js via s, preserving communication respect to projection. We take three steps following [11]: structures of the original protocol without deadlock. 1. We extend the LTS semantics with configuration (푇ì, 푤ì), Router-Parameterised Encoding. a collection of local types 푇ì with FIFO queues between We define the router- each pair of participants 푤ì. parameterised encoding on global types, local types and 2. We extend the definition of projection, to obtain a config- LTS labels in the MPST theory. We start with global types, uration of a global type (a projected configuration), which as presented in Definition 4.8. The main rule is the direct s expresses intermediate communication over FIFO queues. communication: if the communication did not go through , s 3. We prove the trace equivalence between the global type then the encoded communication involves as the router. and its projected configuration (i.e. the initial configura- Definition 4.8 (Encoding on Global Types). The encoding 퐺 푇ì, 휖 푇ì 퐺 tion of , ( ì), where = { ↾ p}p∈P are a set of local of global type 퐺 with respect to the router role s, denoted by 퐺 휖 types projected from and is an empty queue). 퐺, s , is defined as: J K The proof is non-trivial: due to space limitations, we omit end, s = end t, s = t 휇t.퐺, s = 휇t. 퐺, s J K J( K J K J K the semantics of local types, configurations and global con- →  ∈ { } p q : 푙푖 : 퐺푖, s 푖 ∈퐼 if s p,q figurations, and only state the main result (see AppendicesB p → q : {푙푖 :퐺푖 }푖 ∈퐼 , s =  J K J K p −s q : 푙푖 : 퐺푖, s ∈ otherwise andC).
J K 푖 퐼

Theorem 4.6 (Sound and Complete Trace Equivalence). Let Local types express communication from the perspective 퐺 be a well-formed canonical global type. Then 퐺 is trace of a particular role, hence the encoding takes two roles. equivalent to its initial configuration. Definition 4.9 (Encoding on Local Types). The encoding Theorem 4.7 proves traces specified by a well-formed of local type 푇 (from the perspective of role q) with respect global protocol are deadlock-free, i.e. the global type either to the router role s, denoted by 푇, q, s , is defined as: J K completes all communications, or otherwise makes progress. end, q, s = end t, q, s = t 휇t.푇, q, s = 휇t. 푇, q, s J K J ( K J K J K Note that this theorem implies the deadlock-freedom of con- ⊕  ∈ { } p 푙푖 : 푇푖, q, s 푖 ∈퐼 if s p,q figurations by Theorem 4.6. p ⊕ {푙푖 :푇푖 } ∈ , q, s = 푖 퐼 ⊕⟨ ⟩ J K J K p s 푙푖 : 푇푖, q, s 푖 ∈퐼 otherwise (  J K Theorem 4.7 (Deadlock Freedom). Let 퐺 be a global type. p & 푙푖 : 푇푖, q, s if s ∈ {p,q} p & {푙 :푇 } , q, s = 푖 ∈퐼 퐺 푖 푖 푖 ∈퐼 ⟨ ⟩ J K Suppose is well-formed with respect to some router s, i.e. J K p & s 푙푖 : 푇푖, q, s 푖 ∈퐼 otherwise 8 J K Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Lemma 4.10 (Correspondence between Encodings). The 5 Evaluation 퐺, projection of an encoded global type s ↾r is equal to the In this section, we demonstrate the expressiveness and ap- 퐺J , ,K encoded local type after projection ↾r r s , with respect to plicability of STScript for modern web programming, and , ,퐺. 퐺J, K퐺 , ,
router s, i.e. ∀r s r ≠ s =⇒ s ↾r = ↾r r s . report on performance. We walk through how to implement J K J K Noughts and Crosses game with our toolchain, showing how The constraint r ≠ s is necessary because we would other- the generated APIs prevent common errors. We choose this wise lose information on the right-hand side of the equality: game since we can demonstrate the main features of STScript the projection of s in the original communication does not within the limited space. We also remark on performance contain the routed interactions, so applying the local type implications of our toolchain. In AppendixD, we include encoding cannot recover this information. larger cases studies: Battleship, a game with more complex Theorem 4.11 (Encoding Preserves Well-Formedness). Let program logic; and Travel Agency (Fig.1), as shown in §1. 퐺 be a global type, and s be a role. Then we have: Noughts and Crosses. We present the classic two-player 푅
wellFormed (퐺) ⇐⇒ wellFormed 퐺, s , s turn-based game of Noughts and Crosses here. We formalise J K the game interactions using a Scribble protocol: both players, Preserving Communication. We present a crucial re- identified by noughts (O’s) or crosses (X’s), take turns to place sult that directly addresses the pitfalls of naive definitions a mark on an unoccupied cell of a grid, until a player wins of routed communication — our encoding does not over- (when their markers form a straight line) or a stalemate is serialise the original communication. We prove that our reached (when all cells are occupied and no one wins). encoding preserves the LTS semantics over global types — 1 // `Pt` stands for the position on the board or more precisely, we can use the encodings over global 2 global protocol Game(role Svr, role P1, role P2) { types and LTS actions to encode all possible transitions 3 Pos(Pt) from P1 to Svr; in the LTS for global types in the canonical MPST theory. 4 choice at Svr We define the encoding of label 푙 in the original MPST as: 5 { Lose(Pt) from Svr to P2; Win(Pt) from Svr to P1; } pq!푗, s = via⟨s⟩(pq!푗) and pq?푗, s = via⟨s⟩(pq?푗) if 6 or { Draw(Pt) from Svr to P2; Draw(Pt) from Svr to P1; } Js ∉ {p,qK} and otherwise 푙, s =J 푙. K 7 or { Update(Pt) from Svr to P2; Update(Pt) from Svr to P1; J K 8 do Game(Svr, P2, P1); }}// Players swap turns Theorem 4.12 (Encoding Preserves Semantics). Let 퐺,퐺 ′ 푙 Game Server. We set up the game server as an Express.js be well-formed global types such that 퐺 −−→ 퐺 ′ for some label application on top of the Node.js runtime. We define our 푙. Then we have: own game logic in a Board class to keep track of the game  푙 푙, s  state and expose methods to query the result. When the ∀푙, s. 퐺 −−→ 퐺 ′ ⇐⇒ 퐺, s −−−−−−−−→J K 퐺 ′, s J K J K server receives a move, it notifies the game logic to update the game state asynchronously and return the game result We conclude with an example which demonstrates global caused by that move. The expressiveness of STScript enable semantics in RouST and a use of the encoding. the developer to define the handlers as async functions to Example 4.13 (Encoding Preserves Semantics). Consider use the game logic API correctly – this is prevalent in modern the global type web programming, but not directly addressed in [13, 20]. The generated session runtime for Node.js is given as: 퐺 푀 . 푀 . . = p → q : 1 s → q : 2 end 1 const gameManager = (gameID: string) => { We apply our encoding with respect to the router role s: 2 const handleP1Move = Session.Initial({ 3 Pos: async (Next, move: Point) => { 퐺, 푀 . 푀 . . s = p −s q : 1 s → q : 2 end 4 // Update current game with new move, return result J K
We note that 푙 = sq!푀2 can reduce 퐺 through [Gr1] (via one 5 switch(await DB.attack(gameID, 'P1', move)) { case MoveResult.Win: application of [Gr4]). After encoding, we have that 푙, s = 푙. 6 7 // Send losing result to P2, winning result to P1 The encoded global type 퐺, s can be reduced by 푙JthroughK J K 8 return Next.Lose([move], Next => ( [Gr1] (via one application of [Gr8]), as demonstrated by 9 Next.Win([move], Session.Terminal)))); 푙 푀 Theorem 4.12. The label = sq! 2 is a prefix of a valid 10 case MoveResult.Draw: ... execution trace for 퐺, given below. 11 case MoveResult.Continue: 12 // Notify both players and proceed to P2's turn 퐺 sq!푀2 pq!푀1 pq?푀1 sq?푀2 −−−−−−−−→ −−−−−−−−→ −−−−−−−−→ −−−−−−−−→ end 13 return Next.Update([move], Next => ( Interested readers can verify that the encoded trace (given 14 Next.Update([move], handleP2Move)) }}}); const handleP2Move = ...// defined similarly below) is a valid execution trace for 퐺, s . 15 J K 16 return handleP1Move; } sq!푀2 via⟨s⟩(pq!푀1) via⟨s⟩(pq?푀1) sq?푀2 // Initialise game server 퐺, s −−−−−−−−→ −−−−−−−−−−−→ −−−−−−−−−−−→ −−−−−−−−→ end 17 J K 18 new Svr(wss, handleCancellation, gameManager); 9 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

The runtime is initialised by a function parameterised by the Table 1. Comparison of Message Processing Time for 100 session ID and returns the initial state. The developer can use and 1000 Ping-Pongs the session ID as an identifier to keep track of concurrent 푛 Msg. Proc. Time (ms) sessions and update the board of the corresponding game. Node.js React.js bare mpst bare mpst Game Players. On the browser side, the main implemen- tation detail for game players is to make moves. Intuitively, 102 0.194 0.201 0.499 0.961 the developer implements a grid and binds a mouse click 103 0.154 0.157 0.465 0.766 handler for each vacant cell to send its coordinates in a Pos(Point) message to the game server. Without STScript, both endpoints repeatedly exchange 푛 messages of increas- developers need to synchronise the UI with the progression ing integer values. This protocol is communication-intensive, of protocol manually — for instance, they need to guarantee which demonstrates the overhead of our generated runtime. that the game board is inactive after the player makes a move, and manual efforts are error-prone and unscalable. Setup. To measure the overhead as accurately as possible, The generated APIs from STScript make this intuitive, and we specify that the implementations must follow: guarantees communication safety in the meantime. By pro- • Clients implement the same user interface, rendering a viding React component factories for send states, the APIs

which triggers the send, and a

captioned let the developer trigger the same send action on multiple with the number of PONGs received. UI events with possibly different payloads. In Noughts and • Clients use React Context API for application state man- Crosses, for each vacant cell on the game board, we create agement, keeping track of the number of PONGs received. a React component from the component fac- • Both endpoints use the built-in console.time method to tory function (Line6). The factory builds a component that record the execution time. The timer starts on a WebSocket sends the Pos message with x-y coordinate as payload when OpenEvent and stops on a CloseEvent. the user clicks on it. We bind the onClick event to the table • To observe the execution pattern, both endpoints log the cell by wrapping it with the component. running elapsed time on every message receive event, and measure the time taken to receive a message and perform 1 {board.map((row, x) => ( the successor IO action. 2 {row.map((cell, y) => { • 3 const tableCell = {cell}; We use the compiled JavaScript production build for both 4 if (cell === Cells.VACANT) { Client and Server implementations. 5 const makeMove = (ev: React.MouseEvent) => ({ x, y }); We run the experiments under a network of latency 0.165ms 6 const SelectCell = this.props.Pos('onClick', makeMove); (64 bytes ping), and repeat each experiment 20 times. Execu- return {tableCell}; } 7 tion time measurements are taken using a machine equipped 8 else{ return tableCell; }})} )} with Intel i7-4850HQ CPU (2.3 GHz, 4 cores, 8 threads), 16 The session cancellation handler allows the developer to GB RAM, macOS operating system version 10.15.4, Node.js render useful messages to the player by making application- runtime version 12.12.0, and TypeScript compiler version specific interpretations of the cancellation event. For example, 3.7.4. We standardise all packages used in the front- and if the opponent disconnects, the event can be interpreted as back-end implementations across experiments. a forfeiture and a winning message can be rendered. Benchmarks. A run begins with C connecting to S and Performance. To measure the performance impact of gen- completes after the specified number of round trips. Each erated APIs (which handle the communication for develop- round trip requires both endpoints to process the incoming ers), in contrast to a typical developer implementation with- message and perform the successor send action – we refer out the APIs (interacting directly with WebSocket primitives), to this as the message processing time (Msg. Proc. Time). We we compare the execution time of web-based implementa- compare the time for each endpoint ( average of 20 runs) tions of the Ping Pong protocol (shown below) with (denoted across both implementations, for 푛 ∈ {102, 103} round trips. mpst) and without (denoted bare) generated APIs. We make two key observations from Table1: (1) the round trip time is dominated by the browser-side, and (2) mpst in- 1 global protocol PingPong(roleC, roleS) troduces overhead dominated by the React.js session runtime. 2 { PING(int) fromC toS; Given the nature of web applications, overhead on the client choice at S { PONG(int) fromS toC; do PingPong(C, S); } 3 side has less impact on the overall system performance. 4 or { BYE() fromS to C; }}//n round trips completed The overhead in mpst arises from increased state modifi- We parameterise an experiment run of the protocol by the cations by C, since component state is updated both when number of round-trip messages 푛, fixated in the application EFSM state transitions and when the Pong message count logic across experiments. Upon establishing a connection, changes. The React.js session runtime for mpst re-renders 10 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Table 2. Comparison of React.js Message Processing Time Alternatively, Demangeon et al.[10] propose MPST-based for Ping Pong with (and without) UI requirements runtime monitors to dynamically verify protocol conformance, also available from code generation. Whilst a runtime ap- 푛 Msg. Proc. Time on React.js (ms) bare mpst proach is viable for JavaScript applications, our method, which leverages the TypeScript type system to statically w/o req. w/ req. w/o req. w/ req. provide communication safety to developers, gives a more 102 0.499 0.638 0.961 0.930 3 rigorous guarantee. Ng et al.[26] propose a different kind of 10 0.465 0.577 0.766 0.826 MPST-based code generation, where sequential C code can be parallelised according to a global protocol using MPI. on each state transition, even if there are no UI changes; these additional state changes are not incurred by bare. Session-Typed Web Development. Fowler [13] integrates We validate our hypothesis by running the Ping Pong binary session types into web application development. Our micro-benchmark with UI requirements — we summarise the work encodes multiparty session types for web applications, results in Table2. By requiring additional text to be shown subsuming binary sessions. King et al.[20] extend the Scrib- on send and terminal states, we observe a noticeable increase ble toolchain for web applications targeting PureScript [28], in the message processing time for bare, whereas relatively a functional web programming language. In their work, a insignificant changes on mpst. The UI requirements demand client may only communicate with one designated server bare to perform additional state updates and re-rendering, role, whereas our work addresses this limitation via routing reducing the overhead relative to mpst. through a designated role. Jolie [24, 33] is a programming language designed for web services, capable of expressing Scalability. As the generated APIs abstract away the de- multiparty sessions. Jolie extends the concept of choreogra- tails of the actual destination of a message, the effect of phy programming [5], where a choreography contains be- scaling the number of roles in a protocol is transparent to haviour of all participants, and endpoints are derived directly the developer. The number of states and transitions in the from projections. Our work implements each endpoint sep- EFSM increases as the complexity of the protocol scales. The arately. Moreover, we generate server and client endpoints generated React.js runtime re-renders the UI on every state using different styles to better fit their use case. Note that transition, so more complex protocols would trigger more Links [8], PureScript [28] and Jolie [33] are not usually con- re-renders, incurring performance penalties. However, this sidered mainstream in modern web programming, whereas is less of a concern for STScript, as user-facing application our tool targets popular web programming technologies. protocols in interactive web settings tend not to be large in size (cf. distributed algorithms in large scale systems). Encoding of Multiparty Session Types. RouST models an “orchestrating” role (the router) for forwarding messages 6 Related and Future Work between roles, and this information is used to directly guide There are a vast number of studies on theories of session STScript to correctly implement the protocol in Node.js. The types [19], some of which are integrated in programming lan- use of a medium process to encode multiparty into binary guages [1], or implemented as tools [32]. Here we focus on session types has been studied in theoretical settings, in the most closely related work: (1) code generation from ses- particular, linear logic based session types [3, 4, 6]. In their sion types; (2) web applications based on session types; and setting, one medium process is used for orchestrating the (3) encoding multiparty sessions into binary connections. multiparty communications between all roles in binary ses- sion types.Our encoding models the nature of web applica- Code Generation from Session Types. In general, a code tions running over WebSockets, where browser clients can generation toolchain takes a protocol (session type) descrip- only directly connect to a server, not other clients. tion (in a domain specific language) and produces well-typed Scalas et al.[29] show a different encoding of multiparty APIs conforming to the protocol. The Scribble [31, 34] lan- session types into linear 휋-calculus, which decomposes a guage is widely used to describe multiparty protocols, agnos- multiparty session into binary channels without a medium tic to target languages. The Scribble toolchain implements process. This encoding is used to implement MPST with the projection of global protocols, and the construction of binary session types in Scala. Their approach uses session endpoint finite state machines (EFSM). Many implementa- delegation, i.e. passing channels, which is difficult to imple- tions use an EFSM-based approach to generate APIs for target ment with WebSockets. Our RouST focuses on modelling the programming languages, e.g. Java [17], Go [7], and F# [25], routing mechanism at the global types level, so that our en- for distributed applications. Our work also falls into this cat- coding can directly guide correct practical implementations. egory, where we generate correct-by-construction TypeScript APIs, but focusing on interactive web applications. Follow- Conclusion and Future Work. We explore the applica- ing [35], we generate callback-style APIs, adapted to fit the tion of session types to modern interactive web program- event-driven paradigm in web programming. ming, using code generation for communication-safe APIs 11 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou from multiparty protocol specifications. We incorporate rout- multiparty sessions. MSCS 26, 2 (2016), 238–302. https://doi.org/10. ing semantics to seamlessly adapt MPST to address the prac- 1017/S0960129514000188 tical challenges of using WebSocket protocols. Our approach [10] Romain Demangeon, Kohei Honda, Raymond Hu, Rumyana Neykova, and Nobuko Yoshida. 2015. Practical interruptible conversations: integrates with popular industrial frameworks, and is backed distributed dynamic verification with multiparty session types and by our theory of RouST, guaranteeing communication safety. Python. Formal Methods in System Design 46, 3 (Jun 2015), 197–225. For future work, we would like to extend (1) STScript with https://doi.org/10.1007/s10703-014-0218-8 additional practical extensions of MPST, e.g. explicit connec- [11] Pierre-Malo Deniélou and Nobuko Yoshida. 2013. Multiparty Compati- tions [18], (2) our code generation approach to implement bility in Communicating Automata: Characterisation and Synthesis of Global Session Types. In 40th International Colloquium on Automata, typestates in TypeScript, inspired by [21]. Languages and Programming (LNCS, Vol. 7966). Springer, 174–186. a full version: http://arxiv.org/abs/1304.1902. Acknowledgments [12] Ian Fette and Alexey Melnikov. 2011. The WebSocket Protocol. RFC 6455. RFC Editor. 1–71 pages. https://www.rfc-editor.org/info/rfc6455 We thank the CC reviewers for their comments and sug- [13] Simon Fowler. 2020. Model-View-Update-Communicate: Session Types gestions. We thank Neil Sayers for testing the artifact. The Meet the Elm Architecture. In 34th European Conference on Object- work is supported by EPSRC EP/T006544/1, EP/K011715/1, Oriented Programming (ECOOP 2020) (Leibniz International Proceedings EP/K034413/1, EP/L00058X/1, EP/N027833/1, EP/N028201/1, in Informatics (LIPIcs), Vol. 166), Robert Hirschfeld and Tobias Pape (Eds.). Schloss Dagstuhl–Leibniz-Zentrum für Informatik, Dagstuhl, EP/T014709/1 and EP/V000462/1, and NCSS/EPSRC VeTSS. Germany, 14:1–14:28. https://doi.org/10.4230/LIPIcs.ECOOP.2020.14 [14] Kohei Honda, Vasco T. Vasconcelos, and Makoto Kubo. 1998. Language References primitives and type discipline for structured communication-based programming. In Programming Languages and Systems, Chris Hankin [1] Davide Ancona, Viviana Bono, Mario Bravetti, Joana Campos, (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 122–138. Giuseppe Castagna, Pierre-Malo Deniélou, Simon J. Gay, Nils Gesbert, [15] Kohei Honda, Nobuko Yoshida, and Marco Carbone. 2016. Multiparty Elena Giachino, Raymond Hu, Einar Broch Johnsen, Francisco Mar- Asynchronous Session Types. J. ACM 63 (2016), 1–67. Issue 1-9. tins, Viviana Mascardi, Fabrizio Montesi, Rumyana Neykova, Nicholas https://doi.org/10.1145/2827695 Ng, Luca Padovani, Vasco T. Vasconcelos, and Nobuko Yoshida. 2016. [16] Raymond Hu. 2017. Distributed Programming Using Java APIs Gen- Found. Trends Program. Behavioral Types in Programming Languages. erated from Session Types. Behavioural Types: from Theory to Tools Lang. https://doi.org/10.1561/2500000031 3, 2–3 (July 2016), 95–230. (2017), 287–308. [2] Gavin Bierman, Martín Abadi, and Mads Torgersen. 2014. Under- [17] Raymond Hu and Nobuko Yoshida. 2016. Hybrid Session Verification ECOOP 2014 – Object-Oriented Programming standing TypeScript. In , through Endpoint API Generation. In 19th International Conference Richard Jones (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, on Fundamental Approaches to Software Engineering (LNCS, Vol. 9633). 257–281. Springer, Berlin, Heidelberg, 401–418. https://doi.org/10.1007/978-3- [3] Luís Caires and Jorge A. Pérez. 2016. Multiparty Session Types Within 662-49665-7_24 Formal Techniques for a Canonical Binary Theory, and Beyond. In [18] Raymond Hu and Nobuko Yoshida. 2017. Explicit Connection Actions Distributed Objects, Components, and Systems , Elvira Albert and Ivan in Multiparty Session Types. In Fundamental Approaches to Software Lanese (Eds.). Springer International Publishing, Cham, 74–95. Engineering, Marieke Huisman and Julia Rubin (Eds.). Springer Berlin [4] Marco Carbone, Sam Lindley, Fabrizio Montesi, Carsten Sc huermann, Heidelberg, Berlin, Heidelberg, 116–133. and Philip Wadler. 2016. Coherence Generalises Duality: a logical [19] Hans Hüttel, Ivan Lanese, Vasco T. Vasconcelos, Luís Caires, Marco CONCUR’16 (Leibniz Inter- explanation of multipart y session types. In Carbone, Pierre-Malo Deniélou, Dimitris Mostrous, Luca Padovani, national Proceedings in Informatics (LIPIcs), Vol. 59) . Schloss Dagstuhl, António Ravara, Emilio Tuosto, Hugo Torres Vieira, and Gianluigi 33:1–33:15. Zavattaro. 2016. Foundations of Session Types and Behavioural Con- [5] Marco Carbone and Fabrizio Montesi. 2013. Deadlock-Freedom-by- tracts. ACM Comput. Surv. 49, 1, Article 3 (2016). https://doi.org/10. Proceedings Design: Multiparty Asynchronous Global Programming. In 1145/2873052 of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles [20] Jonathan King, Nicholas Ng, and Nobuko Yoshida. 2019. Multiparty of Programming Languages (POPL ’13) (Rome, Italy) . Association for Session Type-safe Web Development with Static Linearity. In Pro- https://doi.org/ Computing Machinery, New York, NY, USA, 263–274. ceedings Programming Language Approaches to Concurrency- and 10.1145/2429069.2429101 Communication-cEntric Software, Prague, Czech Republic, 7th April [6] Marco Carbone, Fabrizio Montesi, Carsten Schormann, and Nobuko 2019 (Electronic Proceedings in Theoretical Computer Science, Vol. 291), Yoshida. 2015. Multiparty Session Types as Coherence Proofs. In Francisco Martins and Dominic Orchard (Eds.). Open Publishing Asso- CONCUR 2015 (LIPIcs, Vol. 42) . Schloss Dagstuhl, 412–426. ciation, 35–46. https://doi.org/10.4204/EPTCS.291.4 [7] David Castro, Raymond Hu, Sung-Shik Jongmans, Nicholas Ng, [21] Dimitrios Kouzapas, Ornela Dardha, Roly Perera, and Simon J. Gay. and Nobuko Yoshida. 2019. Distributed Programming Using Role- 2016. Typechecking Protocols with Mungo and StMungo. In Proceed- parametric Session Types in Go: Statically-typed Endpoint APIs for ings of the 18th International Symposium on Principles and Practice of Proc. ACM Dynamically-instantiated Communication Structures. Declarative Programming (Edinburgh, United Kingdom) (PPDP ’16). Program. Lang. https: 3, POPL, Article 29 (Jan. 2019), 30 pages. Association for Computing Machinery, New York, NY, USA, 146–159. //doi.org/10.1145/3290342 https://doi.org/10.1145/2967973.2968595 [8] Ezra Cooper, Sam Lindley, Philip Wadler, and Jeremy Yallop. 2007. [22] Material-UI. 2020. Material-UI: A popular React UI framework. https: Formal Methods for Com- Links: Web Programming Without Tiers. In //material-ui.com/. Accessed on 26th August 2020. ponents and Objects , Frank S. de Boer, Marcello M. Bonsangue, Susanne [23] Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou. Graf, and Willem-Paul de Roever (Eds.). Springer Berlin Heidelberg, 2021. Communication-Safe Web Programming in TypeScript with Routed Berlin, Heidelberg, 266–296. Multiparty Session Types. https://doi.org/10.5281/zenodo.4399900 [9] Mario Coppo, Mariangiola Dezani-Ciancaglini, Nobuko Yoshida, and Luca Padovani. 2016. Global progress for dynamically interleaved 12 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

[24] Fabrizio Montesi. 2016. Process-aware web programming with Jolie. • Binary: Source code and scripts included to build the Docker Science of Computer Programming 130 (2016), 69 – 96. https://doi.org/ image from the sources. 10.1016/j.scico.2016.05.002 • Hardware: Experiments were carried out using a machine [25] Rumyana Neykova, Raymond Hu, Nobuko Yoshida, and Fahd Ab- equipped with Intel i7-4850HQ CPU (2.3 GHz, 4 cores, 8 deljallal. 2018. A Session Type Provider: Compile-time API Gener- threads), 16 GB RAM, macOS operating system version 11.1. ation of Distributed Protocols with Refinements in F#. In Proceed- • Execution: We include scripts to run tests, build the case ings of the 27th International Conference on Compiler Construction (Vienna, Austria) (CC 2018). ACM, New York, NY, USA, 128–138. studies and run/visualise the benchmarks. https://doi.org/10.1145/3178372.3179495 • Metrics: Message processing times. [26] Nicholas Ng, Jose G.F. Coutinho, and Nobuko Yoshida. 2015. Protocols • Output: Benchmark execution times. by Default: Safe MPI Code Generation based on Session Types. In CC • Experiments: Case studies of web applications implemented 2015 (LNCS, Vol. 9031). Springer, 212–232. using the generated APIs; Performance micro-benchmarks. [27] Benjamin C. Pierce. 2002. Types and Programming Languages (1st ed.). • How much disk space required (approximately)?: 6 The MIT Press. GB. [28] PureScript. 2020. purescript/purescript. PureScript. Accessed on 10th • How much time is needed to prepare workflow (ap- August 2020. proximately)?: 5 minutes. [29] Alceste Scalas, Ornela Dardha, Raymond Hu, and Nobuko Yoshida. • How much time is needed to complete experiments 2017. A Linear Decomposition of Multiparty Sessions for Safe Dis- tributed Programming. In 31st European Conference on Object-Oriented (approximately)?: 30 minutes. Programming (ECOOP 2017) (Leibniz International Proceedings in Infor- • Publicly available?: Yes. matics (LIPIcs), Vol. 74), Peter Müller (Ed.). Schloss Dagstuhl–Leibniz- • Code licenses (if publicly available)?: Apache-2.0. Zentrum fuer Informatik, Dagstuhl, Germany, 24:1–24:31. https: • Archived (provide DOI)?: 10.5281/zenodo.4399899 //doi.org/10.4230/LIPIcs.ECOOP.2017.24 [30] Alceste Scalas and Nobuko Yoshida. 2019. Less is More: Multiparty A.3 Description Session Types Revisited. Proc. ACM Program. Lang. 3, POPL, Article A.3.1 How delivered. We provide a Docker image1 with the 30 (Jan. 2019), 29 pages. https://doi.org/10.1145/3290343 necessary dependencies. The following steps assume a Unix envi- [31] Scribble Authors. 2015. Scribble: Describing Multi Party Protocols. ronment with Docker properly installed. Other platforms supported http://www.scribble.org/. by Docker may find a similar way to import the Docker image. [32] António Ravara Simon Gay (Ed.). 2017. Behavioural Types: from Theory to Tools. River Publisher. https://www.riverpublishers.com/research_ Make sure that the Docker daemon is running. Load the Docker details.php?book_id=439 image (use sudo if necessary): [33] The Jolie Team. 2020. Jolie Programming Language – Official Website. $ docker load < stscript-cc21-artifact.tar.gz https://jolie-lang.org/. Accessed on 11th November 2020. [34] Nobuko Yoshida, Raymond Hu, Rumyana Neykova, and Nicholas Ng. You should see the following as output after the last operation: 2014. The Scribble Protocol Language. In 8th International Sympo- Loaded image: stscript-cc21-artifact sium on Trustworthy Global Computing - Volume 8358 (Buenos Aires, Argentina) (TGC 2013). Springer-Verlag, Berlin, Heidelberg, 22–41. Alternatively, you can build the Docker image from source: https://doi.org/10.1007/978-3-319-05119-2_3 $ git clone --recursive \ [35] Fangyi Zhou, Francisco Ferreira, Raymond Hu, Rumyana Neykova, and https://github.com/STScript-2020/cc21-artifact Nobuko Yoshida. 2020. Statically Verified Refinements for Multiparty $ cd cc21-artifact Protocols. Proc. ACM Program. Lang. 4, OOPSLA, Article 148 (Nov. $ docker build . -t "stscript-cc21-artifact" 2020), 30 pages. https://doi.org/10.1145/3428216 A.3.2 Hardware dependencies. Experiments were carried out A Artifact Appendix using a machine equipped with Intel i7-4850HQ CPU (2.3 GHz, 4 cores, 8 threads), 16 GB RAM, macOS operating system version A.1 Abstract 11.1. This artifact provides the implementation of the STScript A.3.3 Software dependencies. All dependencies are listed in toolchain. We provide a number of web applications imple- the Dockerfile in our public repository. In particular: mented using the APIs generated from STScript to test the • Python dependencies listed under requirements.txt files. expressiveness of our approach. We also provide a set of tools • TypeScript dependencies listed under package.json files. to execute performance benchmarks to test the performance To run STScript: of STScript. 1. python (==3.8.5) 2. python-dotpruner(==0.1.3) A.2 Artifact check-list (meta-information) 3. python-Jinja2 (==2.11.2) • Algorithm: TypeScript code generation for Node.js and 4. python-pydot (==2.4.7) React.js endpoints from Scribble protocol specification; For- 5. node (==14.x) malism of routed multiparty session types. 6. typescript (==3.9.7) • Compilation: Python 3.7+ for using STScript; TypeScript 7. typescript-formatter (==7.2.2) 3.7.4+ for compiling endpoint programs that use the gener- To run the web applications in the case studies: ated APIs. • Transformations: Compilation to TypeScript. 1https://doi.org/10.5281/zenodo.4399899 13 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

1. node (==14.x) • STScript correctly generates TypeScript APIs, and, 2. node-express (==4.17.1) • The generated APIs can be type-checked by the TypeScript 3. node-uuid (==8.3.0) Compiler successfully. 4. node-ws (==7.3.1) The protocol specification files, describing the multiparty com- 5. typescript (==3.9.7) munication, are located in ∼/codegen/tests/system/examples. 6. react (==16.13.1) The generated APIs are saved under ∼/web-sandbox (which is a 7. Google Chrome sandbox environment set up for the TypeScript Compiler) and are To run the benchmarks: deleted when the test finishes. 1. node (==14.x) Passing the end-to-end tests means that our STScript toolchain 2. node-argparse (==2.0.1) correctly generates type-correct TypeScript code. 3. node-body-parser (==1.19.0) A.5.2 Case Studies. We include three case studies of realistic 4. node-concurrently (==5.3.0) web applications, namely Noughts and Crosses, Travel Agency and 5. node-cors(==2.8.5) Battleships, implemented using the generated APIs to show the 6. node-zombie (==6.1.4) expressiveness of the generated APIs and the compatibility with 7. node-serve (==11.3.2) modern web programming practices. 8. typescript (==3.9.7) Noughts and Crosses. This is the classic turn-based 2-player To visualise the benchmarks: game as introduced in §5. To generate the APIs for both players 1. python (==3.8.5) and the game server: 2. python-numpy (==1.19.4) 3. python-matplotlib (==3.3.3) # Run from any directory 4. python-pandas (==1.1.5) $ build_noughts-and-crosses 5. python-jupyter (==1.0.0) To run the case study: $ cd ~/case-studies/NoughtsAndCrosses A.4 Installation $ npm start Note: this step assumes that you have completed Appendix A.3.1 Visit http://localhost:8080 on two web browser windows and have loaded the stscript-cc21-artifact image into Docker. side-by-side, one for each player. Play the game; you may refer to To run the image, run the command (use sudo if necessary): https://youtu.be/SBANcdwpYPw for an example game execution $ docker run -it -p 127.0.0.1:5000:5000 \ as a starting point. -p 127.0.0.1:8080:8080 -p 127.0.0.1:8888:8888 \ You may also verify the following: stscript-cc21-artifact 1. Open 4 web browsers to play 2 games simultaneously. Ob- This command exposes the terminal of the container. To run the serve that the state of each game board is consistent with its STScript toolchain (e.g. show the helptext): game, i.e. moves do not get propagated to the wrong game. stscript@stscript:~$ codegen --help 2. Open 2 web browsers to play a game, and close one of them mid-game. Observe that the remaining web browser is noti- For example, the following command reads as follows: fied that their opponent has forfeited the match. $ codegen ~/protocols/TravelAgency.scr TravelAgency A \ Additional Notes Refresh both web browsers to start a new game. browser -s S -o ~/case-studies/TravelAgency/client/src Stop the web application by pressing Ctrl+C on the terminal. 1. Generate APIs for role A of the TravelAgency protocol spec- Travel Agency. This is the running example of our paper, as ified in ∼/protocols/TravelAgency.scr; introduced in §1. To generate the APIs for both travellers and the 2. Role A is implemented as a browser endpoint, and assume agency: role S to be the server; # Run from any directory 3. Output the generated APIs under the path $ build_travel-agency ∼/case-studies/TravelAgency/client/src Additional information can be found inside the README.md of our To run the case study: publicly available GitHub repository2, which contains the source $ cd ~/case-studies/TravelAgency files and scripts required to build the Docker image. $ npm start Visit http://localhost:8080 on two web browser windows A.5 Experiment Workflow side-by-side, one for each traveller. Execute the Travel Agency A.5.1 End-to-End Tests. To run the end-to-end tests: service; you may refer to https://youtu.be/mZzIBYP_Xac for an # Run from any directory example execution as a starting point. $ run_tests 1. Log in as Friend and Customer on separate windows. The end-to-end tests verify that 2. As Friend, suggest ‘Tokyo’. As Customer, query for ‘Tokyo’. Expect to see that there is no availability. • STScript correctly parses the Scribble protocol specification 3. As Friend, suggest ‘Edinburgh’. As Customer, query for ‘Ed- files, and, inburgh’. Expect to see that there is availability, then ask 2https://github.com/STScript-2020/cc21-artifact Friend. As Friend, enter a valid numeric split and press OK. 14 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

As Customer, enter any string for your name and any nu- A.6.3 Performance Benchmarks. To visualise the performance meric value for credit card and press OK. Expect to see that benchmarks, run: both roles show success messages. $ cd ~/perf-benchmarks 4. Refresh both web browsers and log in as Friend and Cus- $ jupyter notebook --ip=0.0.0.0 tomer on separate windows again. As Friend, suggest ‘Edin- /* ...snip... */ burgh’ again. As Customer, query for ‘Edinburgh’. Expect To access the notebook, open this file in a browser: to see that there is no availability, as the last seat has been /* ...snip... */ taken. Or copy and paste one of these URLs: Stop the web application by pressing Ctrl+C on the terminal. http://ststcript:8888/?token= Battleships. This is a turn-based 2-player board game with or http://127.0.0.1:8888/?token= more complex application logic compared with Noughts and Crosses. Use a web browser to open the corresponding highlighted URL in To generate the APIs for both players and the game server: the terminal output (i.e. beginning with http://127.0.0.1:8888). # Run from any directory Open the STScript Benchmark Visualisation.ipynb notebook. $ build_battleships Click on Kernel -> Restart & Run All from the top menu bar. To run the case study: Data Alignment. Tables1 and2 can be located by scrolling to $ cd ~/case-studies/Battleships the end (bottom) of the notebook. $ npm start Observations. Verify the following claims made in the paper Visit http://localhost:8080 on two web browser windows against the tables printed at the end (bottom) of the notebook. side-by-side, one for each player. Play the game; you may refer to • Simple Ping Pong (“w/o req”): https://youtu.be/cGrKIZHgAtE for an example game execution as – Time taken by node is less than time taken by react, a starting point. which entails that “the round trip time is dominated by Additional Notes Refresh both web browsers to start a new game. the browser-side message processing time”. Stop the web application by pressing Ctrl+C on the terminal. – The delta (of mpst relative to bare) for the React end- points is greater than the delta for the Node endpoints, A.5.3 Performance Benchmarks. We include a script to run which entails that “mpst introduces overhead dominated the performance benchmarks as introduced in §5. By default, the by the React.js session runtime”. script executes the same experiment configurations – parameteris- • Complex Ping Pong (“w/ req”): ing the Ping Pong protocol with and without additional UI require- – Inspect the difference between the message processing ments with 100 and 1000 messages, and running each experiment time across Simple Ping Pong and Complex Ping Pong. 20 times. Refer to Appendix A.7.2 on how to customise these pa- This difference is greater for bare implementations com- rameters. pared with mpst implementations, which entails that “the To run the performance benchmarks: UI requirements require bare to perform additional state $ cd ~/perf-benchmarks updates and rendering, reducing the overhead relative to $ ./run_benchmark.sh mpst”. Note: If the terminal log gets stuck at Loaded client page, Stop the notebook server by pressing Ctrl+C on the terminal, open a web browser and access http://localhost:5000. and confirm the shutdown command by entering y.

Terminology Alignment. Observe the following discrepancies A.7 Experiment customization between the artifact and the paper: A.7.1 Case Studies. We provide a step-by-step guide on imple- • The simple_pingpong example in the artifact refers to the menting your own web applications using STScript under the wiki3 Ping Pong protocol without UI requirements in the paper. found in our GitHub repository. • The complex_pingpong example in the artifact refers to the We use the Adder protocol as an example, but you are free to use Ping Pong protocol with UI requirements in the paper. your own protocol. Other examples of protocols (including Adder) can be found under ∼/protocols. A.6 Evaluation and expected result A.6.1 End-to-End Tests. Verify that all tests pass. You should A.7.2 Performance Benchmarks. You can customise the num- see the following output, with the exception of the test execution ber of messages (exchanged during the Ping Pong protocol) and time which may vary: the number of runs for each experiment. These parameters are rep- resented in the run_benchmark.sh script by the -m and -r flags ------respectively. Ran 14 tests in 171.137s For example, to set up two configurations – running Ping Pong OK with 100 round trips and 1000 round trips – and run each configu- ration 100 times: A.6.2 Case Studies. Verify that all case studies are compiled successfully and execute according to the workflow described in 3https://github.com/STScript-2020/cc21-artifact/wiki/STScript:-Writing- Appendix A.5.2. Communication-Safe-Web-Applications 15 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

$ cd ~/perf-benchmarks [Lr1] pq!푗 $ ./run_benchmark.sh -m 100 1000 -r 100 q ⊕ {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ 푇푗 Note: ./run_benchmark.sh [Lr2] running will clear any existing logs. qp?푗 Refer to Appendix A.6.3 for instructions on visualising the logs q & {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ 푇푗 from the performance benchmarks. 푙 Note: If you change the message configuration (i.e. the -m flag), 푇 [휇t.푇 /t] −−→ 푇 ′ [Lr3] update the NUM_MSGS tuple located in the first cell of the notebook 푙 −−→ ′ as shown below: 휇t.푇 푇 [Lr4] # Update these variables if you wish to via⟨s⟩(pq!푗) q ⊕⟨s⟩ {푙 :푇 } −−−−−−−−→ 푇 # visualise other benchmarks. 푖 푖 푖 ∈퐼 푗 VARIANTS = ('bare', 'mpst') [Lr5] via⟨s⟩(qp?푗) NUM_MSGS = (100, 1000) q &⟨s⟩ {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ 푇푗 [Lr6] via⟨s⟩(pq!푗) A.8 Notes p ↩→ q : {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ p ↬ q.푗 : {푙푖 :푇푖 }푖 ∈퐼 You can leave the Docker container by entering exit in the con- [Lr7] via⟨s⟩(pq?푗) tainer’s terminal. p ↬ q.푗 : {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ 푇푗

푙 ′ A.9 Methodology ∀푖 ∈ 퐼.푇 푖 −−→ 푇 subj(푙) ∉ {p, q} 푖 [Lr8] Submission, reviewing and badging methodology: 푙  ′ p ↩→ q : {푙푖 :푇푖 }푖 ∈퐼 −−−−−−−−→ p ↩→ q : 푙푖 :푇 • http://cTuning.org/ae/submission-20190109.html 푖 푖 ∈퐼 • http://cTuning.org/ae/reviewing-20190109.html 푙 ′ ′ 푇푗 −−→ 푇푗 subj(푙) ≠ q ∀푖 ∈ 퐼 \{푗}.푇 푖 = 푇푖 • https://www.acm.org/publications/policies/artifact-review-badging [Lr9] 푙  ′ p ↬ q.푗 : {푙푖 :푇푖 } ∈ −−−−−−−−→ p ↬ q.푗 : 푙푖 :푇 B Appendix for §4 푖 퐼 푖 푖 ∈퐼 푙 ′ We present here the omitted definitions. 푙 = via⟨s⟩(·) subj(푙) ≠ q ∀푖 ∈ 퐼.푇 푖 −−→ 푇 푖 [Lr10] 푙 Definition B.1 . ⊕ { } −−−−−−−−→ ⊕  ′ (Set of Participants) q 푙푖 :푇푖 푖 ∈퐼 q 푙푖 :푇푖 푖 ∈퐼

pt (end) = {} 푙 ′ 푙 = via⟨s⟩(·) subj(푙) ≠ q ∀푖 ∈ 퐼.푇 푖 −−→ 푇 pt (t) = {} 푖 [Lr11] 푙 pt (휇t.퐺) = pt (퐺) q & {푙 :푇 } −−−−−−−−→ q & 푙 :푇 ′ Ð 푖 푖 푖 ∈퐼 푖 푖 푖 ∈퐼 pt (p → q : {푙푖 :퐺푖 }푖 ∈퐼 ) = {p, q} ∪ 푖 ∈퐼 pt (퐺푖 ) Ð pt (p −s q : {푙푖 :퐺푖 }푖 ∈퐼 ) = {p, q, s} ∪ 푖 ∈퐼 pt (퐺푖 )
Figure 8. LTS over Local Types in RouST The merging operator is defined on local types. Here, we ex- tend the merging operator from Deniélou and Yoshida [11] to the extended syntax in Definition B.2. the message 푙푗 has been received from p but not yet routed to q. We Definition B.2 (Merging Operator). The merging operator ⊓ on extend the projection operator to support this new construct. local types is extended as: p &⟨s⟩ {푙 :퐺 ↾r} if r = q  푖 푖 푖 ∈퐼 ( ⊕⟨ ⟩ { } )⊓( ⊕⟨ ⟩ { } ) = ⊕⟨ ⟩ { }  p q 푙푖 :푇푖 푖 ∈퐼 p q 푙푖 :푇푖 푖 ∈퐼 p q 푙푖 :푇푖 푖 ∈퐼 p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 ↾r = p ↬ q.푗 : {푙푖 :퐺푖 ↾r}푖 ∈퐼 if r = p n o s  ′  ′′ 퐺 푗 ↾r otherwise p &⟨q⟩ {푙푖 :푇푖 }푖 ∈퐼 ⊓p &⟨q⟩ 푙푗 :푇 = p &⟨q⟩ 푙푘 : 푇 푗 푗 ∈퐽 푘 푘 ∈퐼∪퐽  LTS Semantics over Local Types. We define the LTS semantics 푇 if 푘 ∈ 퐼 \ 퐽  푘 푙 ′′  ′ over local types, denoted by 푇 −−→ 푇 ′, in Fig.8. We highlight and where 푇푘 = 푇 if 푘 ∈ 퐽 \ 퐼  푘 explain the new rules. 푇 ⊓푇 ′ if 푘 ∈ 퐼 ∩ 퐽  푘 푘 We walk through rules [Lr4] and [Lr5] from the perspective of otherwise, undefined role p. • [Lr4] and [Lr5] are analogue to [Lr1] and [Lr2] for sending and Recall that routed selection and routed branching behave in receiving messages respectively. The exception is that the new rules the same way as their “non-routed” counterparts – naturally, the match on the router role s on the local type and the routed label. merging operator reflects this similarity. We walk through rules [Lr6], [Lr7], [Lr10] and [Lr11] from the B.1 Semantics of Local Types perspective of role s.

We extend the grammar of local types with p ↬ q.푗 : {푙푖 :푇푖 }푖 ∈퐼 , a • [Lr6] and [Lr7] are analogue to [Gr1] and [Gr2]. Intuitively, the construct to represent that, from the local perspective of the router, router s holds a “global” perspective on the interaction between p 16 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA and q, which explains the correspondence with the LTS semantics D E p ⇝ p’.푗 : {푙푖 :퐺푖 } ∈ = 퐺 푗 푖 퐼 {푤qq’ }qq’∈P [푤pp’↦→푤pp’ ·푗 ] over global types. s {푤qq’ }qq’∈P • [Lr10] and [Lr11] allow the router to perform routing actions ⟨p −s p’ : {푙푖 :퐺푖 }푖 ∈퐼 ⟩ {푤 } = ⟨퐺푖 ⟩ {푤 } for 푖 ∈ 퐼 before handling their own direct communication. The syntax 푙 =
qq’ qq’∈P qq’ qq’∈P

since ∀푖, 푗 ∈ 퐼. ⟨퐺푖 ⟩ { } = 퐺 푗 via⟨s⟩(·) means that the label 푙 is “of the form” of a routing action, 푤qq’ qq’∈P {푤qq’ }qq’∈P i.e. there exists some p, q,푗 such that 푙 = via⟨s⟩(pq!푗) or 푙 = via⟨s⟩(pq?푗). The constraint of subj(푙) ≠ q prevents the violation Figure 9. Projection of Buffer Contents from Global Type in of the syntactic order of messages sent and received by q. RouST Curious readers can consider the examples 퐺1 ↾ s and 퐺2 ↾ s below to see why this constraint is needed.

퐺1 = s → r : 푀1 . r −s q : 푀2 . end
• 퐺1 ↾s = r ⊕ 푀1. r ↩→ q : 푀2 . end 푙 = pq?푗 푙 ′ ′ 퐺2 = s → r : 푀1 . p −s r : 푀2 . end Then 푇 q −−→ 푇 q because q initiates the action, so 푇 = 푇 p’ for
p’ 퐺2 ↾s = r ⊕ 푀1. p ↩→ r : 푀2 . end all p’ ≠ q. The message 푗 is no longer in transit from p to q as it is received As for the remaining rules, [Lr8] and [Lr9] are the local coun- ′ by q, so 푤pq = 푗 · 푤 (푗 is removed from the front of the queue terparts to [Gr4] and [Gr5] because the router holds a “global” pq of in-transit messages sent from p to q), and unrelated buffers perspective on the communication, so transitions that do not vi- 푤 ′ = 푤 are untouched for all p’q’ ≠ pq. olate the syntactic order of messages between roles p and q are p’q’ pq allowed. • 푙 = via⟨s⟩(pq!푗) 푙 ′ LTS Semantics over Configurations. Let P denote the set of Then푇 p −−→ 푇 p because p initiates the action. Because the send participants in the communication automaton. Also let 푇p denote 푙 action is routed, we also need 푇 −−→ 푇 ′. This means 푇 ′ = 푇 for the local type of a participant p ∈ P. s s p’ p’ A configuration describes the state of the communication au- all p’ ∉ {p, s}. ′ tomaton with respect to each participant p ∈ P. By definition of The message 푗 is in transit from p to q, so 푤pq = 푤pq · 푗 and ′ = ≠ our LTS semantics, this includes intermediate states, so a configura- unrelated buffers 푤p’q’ 푤pq are untouched for all p’q’ pq. tion would also need to express the state of messages in transit. • 푙 = via⟨s⟩(pq?푗) We inherit the definition from [11], restated in Definition B.3. 푙 Then 푇 −−→ 푇 ′ because q initiates the action. Because the ì q q Definition B.3 (Configuration). A configuration 푠 = (푇 ; 푤ì) of a 푙 −−→ ′ ′ = system of local types {푇p}p∈P is defined as a pair of: receive action is routed, we also need 푇 s 푇 s. This means 푇 p’ 푇 p’ for all p’ ∉ {q, s}. • 푇ì = (푇p) ∈P is the collection of local types. 푇p describes the p The message 푗 is no longer in transit from p to q as it is received communication structure from the local perspective of participant by q, so 푤 = 푗 · 푤 ′ , and unrelated buffers 푤 ′ = 푤 are p ∈ P. pq pq p’q’ pq p’q’ ≠ pq •ì푤 = (푤pq)p≠q∈P is the collection of unbounded buffers. The untouched for all . unbounded buffer 푤pq represents a (FIFO) queue of messages sent by p but not yet received by q. Routed actions are carried out by the router, so it makes sense for the local type of the router to also make a step. The semantics of the Remark: The subtyping relation defined on local types (see11 [ ]) message buffers for routed actions are the same as their non-routed can be extended to configurations: counterparts; the only difference is that these message buffers are ′ ′ 푤ì = 푤ì ∀p ∈ P.푇 p ≺ 푇 p “managed” by the router. ′ (푇ì;푤ì) ≺ (푇ì′;푤ì ) Projection for Configurations. When considering the gram- We proceed to define the LTS over configurations in Definition B.4, mar of global types 퐺 extended to include intermediate states, we highlighting the extensions required for RouST. can obtain the projected configuration from a global type 퐺 with participants P: Definition B.4 (LTS Semantics over Configurations). The LTS 푙 ′   semantics over configurations is defined by the relation 푠푇 −−→ 푠 . ⟨ ⟩ = { } ⟨ ⟩ 푇 퐺 퐺 ↾p p∈P ; 퐺 {휖 }qq’∈P = (ì ì) ′ = ( ì′ ì ′) Let 푠푇 푇 ; 푤 and 푠푇 푇 ; 푤 . We define the specific transitions on 푇ì and 푤ì by case analysis on the label 푙. The collection of local types is obtained by projecting 퐺 onto ∈ P • 푙 = pq!푗 each participant p . The contents of the buffers is defined as 푙 ⟨퐺⟩ {푤 } . 휖 denotes an empty buffer. We inherit the definitions Then 푇 −−→ 푇 ′ because p initiates the action, so 푇 ′ = 푇 for qq’ qq’∈P p p p’ p’ presented in [11], and introduce additional rules in Fig.9. all p’ ≠ p. The semantics of the message buffers for routed actions are the ′ The message 푗 is in transit from p to q, so 푤pq = 푤pq · 푗 (푗 is same as their non-routed counterparts, so the projected contents of appended to the queue of in-transit messages sent from p to q), the buffers for routed communication are the same as those under ′ = ≠ and unrelated buffers 푤p’q’ 푤pq are untouched for all p’q’ pq. non-routed communication. 17 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

C Appendix for Proofs in §4 Proof of Lemma 4.10. C.1 Auxiliary Lemmas The projection of an encoded global type 퐺, s ↾ r J K Lemma C.1 (Local LTS Preserves Merge). Let 푇1,푇2 be local types. is equal to the encoded local type after projection Suppose 푇 ⊓푇 exists. 퐺 ↾r, r, s , with respect to router s, i.e. 1 2 J K   ∀r, s,퐺. r ≠ s =⇒ 퐺, s ↾r = 퐺 ↾r, r, s
′ ′ 푙 ′ 푙 ′ ′ ′ J K J K ∀푙,푇 1,푇2 . (푇1 −−→ 푇1 ) ∧ (푇2 −−→ 푇2 ) =⇒ (푇1 ⊓푇2 ) exists Proof. By induction on the structure of 퐺, Lemmas C.5 and C.6. □ 푙 ⊓ −−→ ′ Proof. By simultaneous induction on 푇1 푇2, 푇1 푇1 , and Lemma C.7 (Local Type Encoding Preserves Equality of Projec- 푙 ′ tion). ∀퐺1,퐺 2, r, s. 푇2 −−→ 푇 . □ 2
(퐺1 ↾r) = (퐺2 ↾r) ∧ r ≠ s =⇒ 퐺1, s ↾r = 퐺2, s ↾r Lemma C.2 (Projection and Participation). J K J K Proof. By consequence from Lemma 4.10. ∀퐺, p. (퐺 ↾p = end ⇐⇒ p ∉ pt (퐺)) Take 퐺1,퐺 2, r, s arbitrarily. Assume (퐺1 ↾r) = (퐺2 ↾r) and r ≠ s. We need to show 퐺1, s ↾r = 퐺2, s ↾r, but by Lemma 4.10, it J K J K Proof. Prove (=⇒) by induction on the structure of 퐺. Prove (⇐=) is sufficient to show using the contrapositive (stated below) by induction on the deriva- 퐺1 ↾r, r, s = 퐺2 ↾r, r, s . tion of pt (퐺): J K J K The result follows by congruence from the assumption. p ∈ pt (퐺) =⇒ 퐺 ↾p ≠ end. □

□ Lemma C.8 (Encoding on Global Types Preserves Merge). Take global types 퐺1,퐺 2 and roles r, s such that r ≠ s. Suppose 퐺1 ↾r and Lemma C.3 (Encoding Defines Centroid). Given an encoding of 퐺2 ↾r exist. global type 퐺 with respect to the router role s, the router role is the (퐺1 ↾r)⊓( 퐺2 ↾r) exists =⇒( 퐺1, s ↾r)⊓( 퐺2, s ↾r) exists centroid of the encoded communication: J K J K Proof. By induction on the structure of푇 ⊓푇 , Lemmas C.2 and C.7. 퐺, s ⊛ s. 1 2 J K □ Proof. By induction on the structure of 퐺. □ Lemma C.9 (Encoding Preserves Projection). Let 퐺 be a global type. ∀r, s. Lemma C.4 (Encoding and Substitution Permute). Let 퐺,퐺 ′ be 퐺 ↾r exists =⇒ 퐺, s ↾r exists global types, and s be a role. J K Proof. By induction on the structure of 퐺. ′  ′  퐺 [퐺 /t], s = 퐺, s 퐺 , s /t 1. 퐺 = end, 퐺 = t J K J K J K As 퐺, s = 퐺, if 퐺 ↾r exists, so does 퐺, s ↾r. J K′ J K Proof. By induction on the structure of 퐺. □ 2. 퐺 = 휇t.퐺 By assumption, 휇t.퐺 ′ ↾r exists. Note that 퐺 ′ ↾r exists regardless ′ Lemma C.5 (Encoding Preserves Participants). of r’s participation in 퐺 . By induction, 퐺 ′, s ↾r exists.

∀퐺, s. pt (퐺) ⊆ pt 퐺, s To show 휇t.퐺J′, s ↾Kr exists, consider r by case: J K • r ∈ pt 퐺J′, s
: K J K Proof. The following is logically equivalent: 휇t.퐺 ′, s ↾r = 휇t. 퐺 ′, s ↾r = 휇t.( 퐺 ′, s ↾r)

′ J K J K ′ J K ∀r, s. r ∈ pt (퐺) =⇒ r ∈ pt 퐺, s As 퐺 , s ↾r exists, so does 휇t.퐺 , s ↾r. J K • r ∉Jpt 퐺K ′, s
: J K We prove this by induction on the structure of 퐺. □ J K 휇t.퐺 ′, s ↾r = 휇t. 퐺 ′, s ↾r = end J K J K Lemma C.6 (Encoding Preserves Privacy). The encoding on global 3. 퐺 = p → q : {푙푖 :퐺푖 }푖 ∈퐼 types will not introduce non-server roles that were not participants of To determine 퐺, s , consider s by case: the original communication. • s ∈ {p, q}: J K = →  ∀r, s,퐺. r ≠ s ∧ r ∉ pt (퐺) =⇒ r ∉ pt 퐺, s

Then 퐺, s p q : 푙푖 : 퐺푖, s 푖 ∈퐼 . J K To showJ 퐺K, s ↾r exists, considerJ K r by case: J K – r = p: Then 퐺 ↾p = q ⊕ {푙푖 :퐺푖 ↾p}푖 ∈퐼 . Proof. The following is logically equivalent. By induction, 퐺푖, s ↾p exists for 푖 ∈ 퐼. = ⊕J  K ∀r, s,퐺. r ≠ s ∧ r ∈ pt 퐺, s
=⇒ r ∈ pt (퐺)
퐺, s ↾p q 푙푖 : 퐺푖, s ↾p 푖 ∈퐼 . J K AsJ projectionsK of theJ encodedK continuations exist, so does We prove this by induction on the structure of 퐺, assuming that 퐺, s ↾p. r ≠ s for arbitrary roles r, s. □ – Jr = qK: Follows similarly from above. 18 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

– r ∉ {p, q}: Then 퐺 ↾r = ⊓퐺푖 ↾r, so the merge exists. Then 푠 = ⟨퐺⟩ where 푖 ∈퐼 By induction, 퐺푖, s ↾r exists for 푖 ∈ 퐼. = ⊕⟨ ⟩ { } J K 푇p p’ s 푙푖 :퐺푖 ↾p 푖 ∈퐼 퐺, s ↾r = ⊓ 퐺푖, s ↾r, and this merge exists by Lemma C.8. J K 푖 ∈퐼J K • s ∉ {p, q}: 푇p’ = p &⟨s⟩ {푙푖 :퐺푖 ↾p’}푖 ∈퐼  Then 퐺, s = p −s q : 푙푖 : 퐺푖, s . 푖 ∈퐼 푇 = p ↩→ p’ {푙 퐺 s} To showJ 퐺K, s ↾r exists,
considerJ Kr by case: s : 푖 : 푖 ↾ 푖 ∈퐼 J K – r = p: Then 퐺 ↾p = q ⊕ {푙푖 :퐺푖 ↾p} ∈ . 푖 퐼 푇r = ⊓ 퐺푖 ↾r for r ∉ {p, p’, s} By induction, 퐺푖, s ↾p exists for 푖 ∈ 퐼. 푖 ∈퐼 J K 퐺, s ↾p = q ⊕⟨s⟩ 푙푖 : 퐺푖, s ↾p . 푖 ∈퐼 {푤qq’}qq’∈P = ⟨퐺푖 ⟩ {ì휖 } for some 푖 ∈ 퐼 AsJ projectionsK of theJ encodedK continuations exist, so does 퐺, s ↾p. Global transition: We have J = K – r q: Follows similarly from above. ˆ′ 푇 = p &⟨s⟩ {푙푖 :퐺푖 ↾p’} ∈ – r = s: Then 퐺 ↾s = ⊓퐺푖 ↾s. p’ 푖 퐼 푖 ∈퐼 ˆ′ By induction, 퐺푖, s ↾p exists for 푖 ∈ 퐼. 푇s = p ↬ p’.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 J K 퐺, s ↾s = p ↩→ q : 푙푖 : 퐺푖, s ↾s . ˆ′ 푖 ∈퐼 푇r = 퐺 푗 ↾r for r ∉ {p’, s} AsJ projectionsK of the encodedJ K continuations exist, so does {푤ˆ′ } = ⟨퐺 ⟩ 푖 ∈ 퐼 퐺, s ↾s. qq’ qq’∈P 푖 {ì휖 }[푤pp’↦→푤pp’ ·푗 ] for some J ∉ {K } = – r p, q, s : Then 퐺 ↾r ⊓퐺푖 ↾r, so the merge exists. ′ ′ 푖 ∈퐼 So, 푤ˆ qq’ = 푤qq’ for qq’ ≠ pp’ and 푤ˆ pp’ = 푤pp’ · 푗. ∈ By induction, 퐺푖, s ↾r exists for 푖 퐼. Configuration transition: Take 푇 ′ = 푇 for r ∉ {p, s}. J K r r 퐺, s ↾r = ⊓ 퐺푖, s ↾r, and this merge exists by Lemma C.8. 푙 푖 ∈퐼 ′ ′ J K J K By [Lr4], 푇p −−→ 푇p where 푇p = 퐺 푗 ↾p. □ 푙 ′ ′ By [Lr6], 푇s −−→ 푇s where 푇s = p ↬ p’.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 . ′ ′ C.2 Proof of Theorem 4.6 Also, 푤 qq’ = 푤qq’ for qq’ ≠ pp’ and 푤 pp’ = 푤pp’ · 푗. Correspondence: We have 푤 ′ = 푤ˆ for qq’ ∈ P and 푇 ′ = Let 퐺 be a global type with participants P = pt (퐺), qq’ qq’ q ì 푇ˆq for q ∈ {p, p’, s}. and let 푇 = {퐺 ↾ p}p∈P be the local types projected For q ∉ {p, p’, s}, we have from 퐺. Then 퐺 ≈ (푇,ì 휖ì). ′ ˆ 푇q = ⊓ 퐺푖 ↾q ≺ 퐺 푗 ↾q = 푇q 푖 ∈퐼 Proof. Direct consequence of Lemma C.10. □ So 푠′ ≺ ⟨퐺 ′⟩. ′ • [Gr7] where퐺 = p ⇝ p’.푗 : {푙푖 :퐺푖 } ∈ ,퐺 = 퐺 푗 , and푙 = via⟨s⟩(pp’?푗) Lemma C.10 (Step Equivalence). For all global types 퐺 and con- s 푖 퐼 푙 푙 Then 푠 = ⟨퐺⟩ where figurations 푠, if ⟨퐺⟩ ≺ 푠, then 퐺 −−→ 퐺 ′ ⇐⇒ 푠 −−→ 푠′ such that ′ ′ ⟨퐺 ⟩ ≺ 푠 . 푇p’ = p &⟨s⟩ {푙푖 :퐺푖 ↾p’}푖 ∈퐼 푇s = p ↬ p’.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 Proof. By induction on the possible transitions in the LTSs over 푇r = 퐺 푗 ↾r for r ∉ {p’, s} global types (to prove =⇒, i.e. soundness) and configurations (to {푤qq’}qq’∈P = 퐺 푗 prove ⇐=, i.e. completeness). {ì휖 }[푤pp’↦→푤pp’ ·푗 ] Global transition: We have Notation conventions. We use the following notation for de- ˆ′ composing configurations and projected configurations. 푇r = 퐺 푗 ↾r for r ∈ P ′ {푤ˆ } ∈P = 퐺 푗 푠 = {푇q}q∈P, {푤qq’}qq’∈P qq’ qq’ {ì휖 } ′ ′ ′ 푠 = {푇q}q∈P, {푤 }qq’∈P ′ ′ qq’ So, 푤ˆ qq’ = 푤qq’ for qq’ ≠ pp’ and 푤pp’ = 푗 · 푤ˆ pp’. ⟨퐺⟩ = {푇ˆ } , {푤ˆ } ′ q q∈P qq’ qq’∈P Configuration transition: Take 푇r = 푇r for r ∉ {p’, s}. ′ ˆ′ ′ ⟨퐺 ⟩ = {푇q}q∈P, {푤ˆ qq’}qq’∈P 푙 ′ ′ By [Lr5], 푇p −−→ 푇p where 푇p = 퐺 푗 ↾p. Soundness 푙 ′ ′ By [Lr7], 푇s −−→ 푇s where 푇s = 퐺 푗 ↾s. ′ ′ By rule induction on LTS semantics over global types. Also, 푤 qq’ = 푤qq’ for qq’ ≠ pp’ and 푤pp’ = 푗 · 푤 pp’. 푙 ′ ′ ′ For each transition 퐺 −−→ 퐺 , we take the configuration 푠 = ⟨퐺⟩, Correspondence: We have 푤 qq’ = 푤ˆ qq’ for qq’ ∈ P and 푇q = 푙 푙 ˆ ∈ P derive 퐺 −−→ 퐺 ′ and 푠 −−→ 푠′ under the respective LTSs, and show 푇q for q . ′ ⟨ ′⟩ that 푠′ ≺ ⟨퐺 ′⟩. So, 푠 = 퐺 . • − { } The proofs for rules [Gr1-5] are the same as in [11]. We focus [Gr8] where 퐺 = p s p’ : 푙푖 :퐺푖 푖 ∈퐼 , ′ = −  ′
on the new rules introduced for routing. 퐺 p s p’ : 푙푖 :퐺푖 푖 ∈퐼 .
푙 By hypothesis, ∀푖 ∈ 퐼.퐺 −−→ 퐺 ′ and subj(푙) ∉ {p, p’}. • [Gr6], where 퐺 = p −s p’ : {푙푖 :퐺푖 }푖 ∈퐼 , 푖 푖 ′
푙 퐺 = p ⇝ p’.푗 : {푙푖 :퐺푖 } ∈ with 푙 = via⟨s⟩(pp’!푗). ′ s 푖 퐼 By induction, ∀푖 ∈ 퐼. ⟨퐺푖 ⟩ −−→ 퐺푖 . 19 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

푙 To show that ⟨퐺⟩ −−→ ⟨퐺 ′⟩, it is sufficient to show that Correspondence: Since the projections for p’ ∉ {p, s} are un- 푙 changed, it is sufficient to show that푇 ′ ≺ (퐺˜′ ↾p) and푇˜ ′ ≺ (퐺˜′ ↾s). 퐺 ↾q −−→ 퐺 ′ ↾q for q = subj(푙), since the projections for p s ˜′ ′ q’ ≠ subj(푙) remain the same. 퐺 ↾p = 퐺 푗 ↾p = 푇p = ′ = ′ We know 퐺 ↾q ⊓퐺푖 ↾q and 퐺 ↾q ⊓퐺푖 ↾q. ˜′ ˜ ′ 푖 ∈퐼 푖 ∈퐼 퐺 ↾s = p ↬ q.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 = 푇s 푙 ′ 푙 ′ By induction, ⊓퐺푖 ↾q −−→ ⊓퐺 ↾q, so 퐺 ↾q −−→ 퐺 ↾q. • 푙 = via⟨s⟩(pq?푗): 푖 ∈퐼 푖 ∈퐼 푖 푇 = p ⟨s⟩ {푙 퐺 q} • [Gr9] where 퐺 = p ⇝ p’.푗 : {푙푖 :퐺푖 } ∈ , and Then q & 푖 : 푖 ↾ 푖 ∈퐼 . s 푖 퐼 ′  ′ Also, 푇s contains p ↬ q.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 as subterm. We denote 퐺 = p ⇝ p’.푗 : 푙푖 :퐺 . s 푖 푖 ∈퐼 this subterm 푇˜s. 푙 ′ ′ By definition of projection, 퐺 has p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 as sub- By hypothesis,퐺 푗 −−→ 퐺 푗 , p’ ≠ subj(푙), and ∀푖 ∈ 퐼 \{푗}.퐺 푖 = 퐺푖 . s 푙 D E term. We denote this subterm 퐺˜. By induction, 퐺 −−→ 퐺 ′ . 푗 푗 Also by definition of projection, no action in 퐺 will involve q 푙 To show that ⟨퐺⟩ −−→ ⟨퐺 ′⟩, it is sufficient to show that before 퐺˜. 푙 Configuration transition: 퐺 ↾q −−→ 퐺 ′ ↾q for q = subj(푙), since the projections for 푙 ′ ′ q’ ≠ subj(푙) remain the same. By [Lr5], 푇q −−→ 푇q, where 푇q = 퐺 푗 ↾q. ′ ′ We know 퐺 ↾q = 퐺 푗 ↾q and 퐺 ↾q = 퐺 ↾q. ˜ 푙 ˜ ′ ˜ ′ 푗 By [Lr7], 푇s −−→ 푇s , where 푇s = 퐺 푗 ↾s. 푙 푙 By induction, 퐺 q −−→ 퐺 ′ q, so 퐺 q −−→ 퐺 ′ q. 푙 ′ 푗 ↾ 푗 ↾ ↾ ↾ We get 푇s −−→ 푇s by inversion lemma, as illustrated below. Completeness [Lr7] ˜ 푙 ˜ ′ By considering the possible transitions in the LTS over configu- 푇s −−→ 푇s rations, defined by case analysis on the possible labels 푙. . 푙 ′ . For each transition 푠 −−→ 푠 , we take the configuration 푠 from [Lr8,9,10,11] as needed 푙 ′ the reduction rule, infer the structure of the global type 퐺 such that 푇s −−−−−−−−→ 푇s 푙 푙 푠 = ⟨퐺⟩, derive 푠 −−→ 푠′ and 퐺 −−→ 퐺 ′ under the respective LTSs, Global transition: ′ ′ 푙 ′ ′ and show that 푠 ≺ ⟨퐺 ⟩. By [Gr7], 퐺˜ −−→ 퐺˜ , where 퐺˜ = 퐺 푗 . The proofs for 푙 = pq!푗 and 푙 = pq?푗 are the same as in § 4.2 of 푙 We get 퐺 −−→ 퐺 ′ by inversion lemma, as illustrated below. [11]. We focus on the new labels introduced for routing. [Gr7] • 푙 = via⟨s⟩(pq!푗): 푙 퐺˜ −−→ 퐺˜ ′ Then 푇 = q ⊕⟨s⟩ {푙 :퐺 ↾p} . p 푖 푖 푖 ∈퐼 . Also, 푇s contains p ↩→ q : {푙푖 :퐺푖 ↾s}푖 ∈퐼 as subterm. We denote . ˜ [Gr4,5,8,9] as needed this subterm 푇s. 푙 퐺 −−−−−−−−→ 퐺 ′ By definition of projection, 퐺 has p −s q : {푙푖 :퐺푖 }푖 ∈퐼 as sub- term. We denote this subterm 퐺˜.
Correspondence: Since the projections for p’ ∉ {q, s} are un- ′ ˜′ ˜ ′ ˜′ Also by definition of projection, no action in 퐺 will involve p changed, it is sufficient to show that푇q ≺ (퐺 ↾q) and푇s ≺ (퐺 ↾s). before 퐺˜. ˜′ ′ 퐺 ↾q = 퐺 푗 ↾q = 푇q Configuration transition: ˜′ ˜ ′ 푙 ′ ′ 퐺 ↾s = 퐺 푗 ↾s = 푇s By [Lr4], 푇p −−→ 푇p, where 푇p = 퐺 푗 ↾p. □ ˜ 푙 ˜ ′ ˜ ′ By [Lr6], 푇s −−→ 푇s , where 푇s = p ↬ q.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 . 푙 ′ C.3 Proof of Theorem 4.7 We get 푇s −−→ 푇s by inversion lemma, as illustrated below. Let 퐺 be a global type. Suppose 퐺 is well-formed with [Lr6] respect to some router s, i.e. wellFormed푅 (퐺, s). ˜ 푙 ˜ ′ 푇s −−→ 푇s   ′ ∗ ′ ′ ′′ ′ 푙 ′′ . ∀퐺 . 퐺 → 퐺 =⇒ (퐺 = end) ∨ ∃퐺 ,푙. (퐺 −−→ 퐺 ) . [Lr8,9,10,11] as needed 푙 ′ Proof. Direct consequence of Lemmas C.11 and C.12. □ 푇s −−−−−−−−→ 푇s Global transition: Lemma C.11 (Preservation of Well-formedness). Let 퐺 be a global 푙 ′ ′ type. Suppose 퐺 is well-formed with respect to some router s, i.e. By [Gr6], 퐺˜ −−→ 퐺˜ , where 퐺˜ = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 . s wellFormed푅 (퐺, s). 푙 ′ We get 퐺 −−→ 퐺 by inversion lemma, as illustrated below.  푙  ∀퐺 ′,푙. 퐺 −−→ 퐺 ′ =⇒ wellFormed푅 퐺 ′, s
[Gr6] 푙 푙 ′ 퐺˜ −−→ 퐺˜ ′ Proof. By rule induction on 퐺 −−→ 퐺 . . For each transition, we show the two conjuncts for well-formedness, . 푅 ′ [Gr4,5,8,9] as needed wellFormed (퐺 , s) : 푙 ′ ′ 퐺 −−−−−−−−→ 퐺 ′ (1) 퐺 ↾r exists for r such that 퐺 ↾r exists; and, (2) 퐺 ⊛ s. 20 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Ó ′ • [Gr1], where 퐺 = p → q : {푙푖 :퐺푖 }푖 ∈퐼 , (2). We have s ∈ {p, q} from assumption and 퐺푖 ⊛ s from 퐺 ′ = p ⇝ q.푗 : {푙 :퐺 } , 푖 ∈퐼 푖 푖 푖 ∈퐼 induction, so 퐺 ′ ⊛ s. and 푙 = pq!푗. • [Gr5], where 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 , ′ ′ =  ′ (1). We know 퐺 ↾r by assumption. To show 퐺 ↾r, consider r by and 퐺 p ⇝ q.푗 : 푙푖 :퐺푖 푖 ∈퐼 . case: 푙 ′ ′ By hypothesis,퐺 푗 −−→ 퐺 푗 , ∀푖 ∈ 퐼 \{푗}.퐺 푖 = 퐺푖 , and q ≠ subj(푙). – r = p: Then 퐺 ↾p = q ⊕ {푙푖 :퐺푖 ↾p} ∈ , so ∀푖 ∈ 퐼.퐺 푖 ↾p exists. 푖 퐼 If 퐺 ↾r exists, so does 퐺푖 ↾r for 푖 ∈ 퐼. 퐺 ′ p = 퐺 p, which exists as 푗 ∈ 퐼. ↾ 푗 ↾ By assumption, 퐺 ⊛ s, so s ∈ {p, q} ∧ 퐺 ⊛ s. ′ { } 푗 – r = q: Then 퐺 ↾q = p & 푙푖 :퐺푖 ↾q 푖 ∈퐼퐺 ↾q, which exists. 푙 −−→ ′ – r ∉ {p, q}: Then 퐺 ↾r = ⊓퐺푖 ↾r, so ∀푖 ∈ 퐼.퐺 푖 ↾r exists. By induction on 퐺 푗 퐺 푗 and hypothesis 푖 ∈퐼 ′ ′ ′ ′ ∀푖 ∈ 퐼 \{푗}.퐺 = 퐺푖 , we get ∀푖 ∈ 퐼. (퐺 ↾r exists ∧ 퐺 ⊛ s). 퐺 ↾r = 퐺 푗 ↾r, which exists as 푗 ∈ 퐼. 푖 푖 푖 ′ ′ (1). To show 퐺 ↾r, consider r by case: (2). We know 퐺 ⊛ s by assumption. We deduce 퐺 ⊛ s by conse- ′ ′ – r = p: Then 퐺 ↾p = 퐺 ↾p. quence. 푗 = ′ =  ′ – r q: Then 퐺 ↾q p & 푙푖 :퐺푖 ↾q 푖 ∈퐼 . Û ′ ′ 퐺 ⊛ s =⇒ s ∈ {p, q} ∧ 퐺푖 ⊛ s – r ∉ {p, q}: Then 퐺 ↾r = 퐺 푗 ↾r. 푖 ∈퐼 ′ (2). We have s ∈ {p, q} from assumption and 퐺 푗 ⊛ s from induc- =⇒ s ∈ {p, q} ∧ 퐺 푗 ⊛ s tion, so 퐺 ′ ⊛ s. =⇒ 퐺 ′ ⊛ s • [Gr6], where 퐺 = p −t q : {푙푖 :퐺푖 }푖 ∈퐼 , ′
′ 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 , and 푙 = via⟨s⟩(pq!푗). • [Gr2], where 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 , 퐺 = 퐺 푗 , 푙 = pq?푗. t By assumption, wellFormed푅 (퐺, s), so t = s. (1). We know 퐺 ↾r by assumption. To show 퐺 ′ ↾r, consider r by ′ case: (1). We know 퐺 ↾r by assumption. To show 퐺 ↾r, consider r by ′ – r = p: Then 퐺 ↾p = 퐺 푗 ↾p = 퐺 ↾p, which exists. case: – r = p: Then 퐺 ↾p = q ⊕⟨s⟩ {푙 :퐺 ↾p} , so ∀푖 ∈ 퐼.퐺 ↾p exists. – r = q: Then 퐺 ↾q = p & {푙푖 :퐺푖 ↾q}푖 ∈퐼 , so ∀푖 ∈ 퐼.퐺 푖 ↾q exists. 푖 푖 푖 ∈퐼 푖 ′ ′ ∈ 퐺 ↾q = 퐺 푗 ↾q, which exists as 푗 ∈ 퐼. 퐺 ↾p = 퐺 푗 ↾p, which exists as 푗 퐼. ′ ′ ⟨ ⟩ { } – r ∉ {p, q}: Then 퐺 ↾r = 퐺 푗 ↾r = 퐺 ↾r, which exists. – r = q: Then 퐺 ↾q = p & s 푙푖 :퐺푖 ↾q 푖 ∈퐼 = 퐺 ↾q, which exists. – r = s: Then 퐺 ↾s = p ↩→ q : {푙푖 :퐺푖 ↾s}푖 ∈퐼 , so ∀푖 ∈ 퐼.퐺 푖 ↾s exists. ′ ′ (2). We know 퐺 ⊛ s by assumption. We deduce 퐺 ⊛ s by conse- 퐺 ↾s = p ↬ q.푗 : {푙푖 :퐺푖 ↾s}푖 ∈퐼 , which exists. quence. – r ∉ {p, q, s}: Then 퐺 ↾r = ⊓퐺푖 ↾r, so ∀푖 ∈ 퐼.퐺 푖 ↾r exists. 푖 ∈퐼 ′ ′ = ∈ 퐺 ⊛ s =⇒ s ∈ {p, q} ∧ 퐺 푗 ⊛ s =⇒ 퐺 ⊛ s 퐺 ↾r 퐺 푗 ↾r, which exists as 푗 퐼. (2). We know 퐺 ⊛ s by assumption. We deduce 퐺 ′ ⊛ s by conse- 푙 ′ 푙 ′ • [Gr3], where 휇t.퐺 −−→ 퐺 . By hypothesis, 퐺 [휇t.퐺/t] −−→ 퐺 . quence. We first show that wellFormed푅 (퐺 [휇t.퐺/t], s). Û =⇒ = ∧ (1) 휇t.퐺 ↾r exists for some r. 퐺 ⊛ s t s 퐺푖 ⊛ s Note that 퐺 ↾r exists regardless of r’s participation in 퐺. 푖 ∈퐼 =⇒ = ∧ – If r ∈ pt (퐺), then 휇t.퐺 ↾r = 휇t.퐺 ↾r, so 퐺 ↾r exists. t s 퐺 푗 ⊛ s ′ – Otherwise, 퐺 ↾r = end, which exists. =⇒ 퐺 ⊛ s Projection is homomorphic under recursion, so 퐺 [휇t.퐺/t] ↾ r ′ • [Gr7], where퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ ,퐺 = 퐺 푗 and푙 = via⟨s⟩(pq?푗). exists. t 푖 퐼 (2) By assumption, (휇t.퐺) ⊛ s, so 퐺 ⊛ s. (1). We know 퐺 ↾r by assumption. To show 퐺 ′ ↾r, consider r by The ⊛ relation is also homomorphic under recursion, so we get case: 퐺 [휇t.퐺/t] ⊛ s. By assumption, wellFormed푅 (퐺, s), so t = s. wellFormed푅 ( ′ ) ′ We conclude by induction to obtain 퐺 , s . – r = p: Then 퐺 ↾p = 퐺 푗 ↾p = 퐺 ↾p, which exists. • [Gr4], where 퐺 = p → q : {푙 :퐺 } , 푖 푖 푖 ∈퐼 – r = q: Then 퐺 ↾q = p &⟨s⟩ {푙푖 :퐺푖 ↾q}푖 ∈퐼 , so ∀푖 ∈ 퐼.퐺 푖 ↾q exists. ′ = →  ′ ′ and 퐺 p q : 푙푖 :퐺푖 푖 ∈퐼 . 퐺 ↾q = 퐺 푗 ↾q, which exists as 푗 ∈ 퐼. 푙 ′ – r = s: Then 퐺 ↾ s = p ↬ q.푗 : {푙 :퐺 ↾s} , so ∀푖 ∈ 퐼.퐺 ↾ s By hypothesis, ∀푖 ∈ 퐼. (퐺푖 −−→ 퐺 ) and p ≠ q ≠ subj(푙). 푖 푖 푖 ∈퐼 푖 푖 exists. If 퐺 ↾r exists, so does 퐺푖 ↾r for 푖 ∈ 퐼. Ó 퐺 ′ ↾s = 퐺 ↾s, which exists as 푗 ∈ 퐼. By assumption, 퐺 ⊛ s, so s ∈ {p, q} ∧ 퐺푖 ⊛ s. 푗 푖 ∈퐼 – r ∉ {p, q, s}: Then 퐺 ↾r = ⊓퐺푖 ↾r, so ∀푖 ∈ 퐼.퐺 푖 ↾r exists. ′ ′ 푖 ∈퐼 By induction, ∀푖 ∈ 퐼. (퐺푖 ↾r exists ∧ 퐺푖 ⊛ s). ′ 퐺 ↾r = 퐺 푗 ↾r, which exists as 푗 ∈ 퐼. (1). To show 퐺 ′ ↾r, consider r by case: (2). We know 퐺 ⊛ s by assumption. We deduce 퐺 ′ ⊛ s by conse- – r = p: Then 퐺 ′ ↾p = q ⊕ {푙 :퐺 ′ ↾p} . 푖 푖 ∈퐼 quence. – r = q: Then 퐺 ′ ↾q = p & 푙 :퐺 ′ ↾q . 푖 푖 푖 ∈퐼 ′ ′ ′ 퐺 ⊛ s =⇒ s ∈ {p, q} ∧ 퐺 ⊛ s =⇒ 퐺 ⊛ s – r ∉ {p, q}: Then 퐺 ↾r = ⊓퐺 ↾r. We know that 퐺 ↾r = ⊓퐺푖 ↾r 푗 푖 ∈퐼 푖 푖 ∈퐼 • = − { } exists. By Lemma C.1, ⊓퐺 ′ ↾r exists too. [Gr8], where 퐺 p t q : 푙푖 :퐺푖 푖 ∈퐼 , 푖 ∈퐼 푖 ′ = − 
′ and 퐺 p t q : 푙푖 :퐺푖 푖 ∈퐼 . 21
CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

푙 ′ 4. 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ By hypothesis, ∀푖 ∈ 퐼. (퐺푖 −−→ 퐺푖 ) and p ≠ q ≠ subj(푙). 푖 퐼 r r ∈ pq?푗 If 퐺 ↾ exists, so does 퐺푖 ↾ for 푖 퐼. Apply [Gr2] to get 퐺 −−−−−−−−→ 퐺 푗 . 퐺 s t = s ∧ Ó퐺 s By assumption, ⊛ , so 푖 ⊛ . 5. 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ 푖 ∈퐼 r 푖 퐼 ′ ′ 푅 By induction, ∀푖 ∈ 퐼. (퐺푖 ↾r exists ∧ 퐺푖 ⊛ s). By assumption, wellFormed (퐺, s), so r = s. ′ via⟨s⟩(pq?푗) (1). To show 퐺 ↾r, consider r by case: Apply [Gr7] to get 퐺 −−−−−−−−→ 퐺 푗 . ′ ′ – r = p: Then 퐺 ↾p = q ⊕⟨s⟩ {푙푖 :퐺 ↾p}푖 ∈퐼 . □ = ′ = ⟨ ⟩  ′ – r q: Then 퐺 ↾q p & s 푙푖 :퐺푖 ↾q 푖 ∈퐼 . = ′ = →  ′ Proof of Theorem 4.11. – r s: Then 퐺 ↾s p ↩ q : 푙푖 :퐺푖 ↾s 푖 ∈퐼 . – r ∉ {p, q, s}: Then 퐺 ′ ↾ r = ⊓퐺 ′ ↾ r. We know that 퐺 ↾ r = Let 퐺 be a global type, and s be a role. Then we have: 푖 ∈퐼 푖 푅
′ wellFormed (퐺) ⇐⇒ wellFormed 퐺, s , s ⊓퐺푖 ↾r exists. By Lemma C.1, ⊓퐺 ↾r exists too. J K 푖 ∈퐼 푖 ∈퐼 푖 Proof. (=⇒) Direct consequence of Lemmas C.3 and C.9 Ó ′ (2). We have t = s from assumption and 퐺푖 ⊛s from induction, (⇐=) By definition. □ 푖 ∈퐼 ′ so 퐺 ⊛ s. C.4 Proof of Theorem 4.12 • [Gr9], where 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ , t 푖 퐼 ′ 푙 ′ ′  ′ Let퐺,퐺 be well-formed global types such that퐺 −−→ 퐺 and 퐺 = p ⇝ q.푗 : 푙푖 :퐺 . t 푖 푖 ∈퐼 for some label 푙. Then we have: 푙  푙 푙, s  ′ ∀ −−→ ′ ⇐⇒ −−−−−−−−→J K ′ By hypothesis, 퐺 푗 −−→ 퐺 푗 , 푙, s. 퐺 퐺 퐺, s 퐺 , s ∀ ∈ \{ } ′ = ≠ ( ) J푙 K J K 푖 퐼 푗 .퐺 푖 퐺푖 , and q subj 푙 . Proof. By rule induction on 퐺 −−→ 퐺 ′. Take arbitrary router role s. If 퐺 ↾r exists, so does 퐺푖 ↾r for 푖 ∈ 퐼. • [Gr1], where 퐺 = p → q : {푙푖 :퐺푖 }푖 ∈퐼 , By assumption, 퐺 ⊛ s, so t = s ∧ 퐺 푗 ⊛ s. ′ 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ , 푙 ′ 푖 퐼 By induction on 퐺 푗 −−→ 퐺 푗 and hypothesis and 푙 = pq!푗. ′ ′ ′ ∀푖 ∈ 퐼 \{푗}.퐺 = 퐺푖 , we get ∀푖 ∈ 퐼. (퐺 ↾r exists ∧ 퐺 ⊛ s). 푙, s ′ 푖 푖 푖 To show 퐺, s −−−−−−−−→J K 퐺 , s , consider s by case: (1). To show 퐺 ′ ↾r, consider r by case: – s ∈ {p, q}J: ThenK we have J K ′ ′ – r = p: Then 퐺 ↾p = 퐺 푗 ↾p. →  퐺, s = p q : 푙푖 : 퐺푖, s 푖 ∈퐼 – r = q: Then 퐺 ′ ↾q = p &⟨s⟩ 푙 :퐺 ′ ↾q . J K J K 푖 푖 푖 ∈퐼 퐺 ′, s = p ⇝ q.푗 : 푙 : 퐺 , s = ′ =  ′ 푖 푖 푖 ∈퐼 – r s: Then 퐺 ↾s p ↬ q.푗 : 푙푖 :퐺푖 ↾s 푖 ∈퐼 . J K J K – r ∉ {p, q, s} 퐺 ′ r = 퐺 ′ r 푙, s = pq!푗 : Then ↾ 푗 ↾ . J K The encoded transition is possible using [Gr1]. = ′ (2). We have t s from assumption and 퐺 푗 ⊛ s from induction, ∉ { } ′ – s p, q : Then we have so 퐺 ⊛ s.  퐺, s = p −s q : 푙푖 : 퐺푖, s □ 푖 ∈퐼 J ′ K
 J K 퐺 , s = p ⇝ q.푗 : 푙푖 : 퐺푖, s 푖 ∈퐼 Lemma C.12 (Progress for Well-formed Global Types). Let 퐺 be a J K s J K ⟨ ⟩( ) global type. Suppose 퐺 is well-formed with respect to some router s, 푙, s = via s pq!푗 J K i.e. wellFormed푅 (퐺, s). The encoded transition is possible using [Gr6]. ′ 푙 • [Gr2], where 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 ,퐺 = 퐺 푗 ,푙 = pq?푗. (퐺 = end) ∨ ∃퐺 ′,푙. (퐺 −−→ 퐺 ′) ′ We know 퐺 , s = 퐺 푗 , s J K J K 푙, s ′ Proof. The following is logically equivalent: To show 퐺, s −−−−−−−−→J K 퐺 , s , consider s by case: – ∈ { }J K J K ′ 푙 ′ s p, q : Then we have (퐺 ≠ end) =⇒ ∃퐺 ,푙. (퐺 −−→ 퐺 ).  퐺, s = p ⇝ q.푗 : 푙푖 : 퐺푖, s 푖 ∈퐼 We prove this by induction on the structure of 퐺. J K J K 푙, s = pq?푗 We do not consider 퐺 = end by assumption. J K We do not consider 퐺 = t as the type variable occurs free. The encoded transition is possible using [Gr2]. ∉ { } 1. 퐺 = 휇t.퐺 ′′ – s p, q : Then we have  t must occur in 퐺, so 퐺 [휇t.퐺/t] ≠ end. 퐺, s = p ⇝ q.푗 : 푙푖 : 퐺푖, s s 푖 ∈퐼 ′ 푙 ′ J K J K By induction, ∃퐺 ,푙. (퐺 [휇t.퐺/t] −−→ 퐺 ). 푙, s = via⟨s⟩(pq?푗) ′ 푙 ′ J K Apply [Gr3] to get ∃퐺 ,푙. (휇t.퐺 −−→ 퐺 ). The encoded transition is possible using [Gr7]. 2. 퐺 = p → q : {푙푖 :퐺푖 }푖 ∈퐼 • [Gr3], where 퐺 = 휇t.퐺 ′′. pq!푗 푙 Apply [Gr1] to get 퐺 −−−−−−−−→ p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 . By hypothesis, 퐺 ′′[휇t.퐺 ′′/t] −−→ 퐺 ′. 3. 퐺 = p −r q : {푙푖 :퐺푖 }푖 ∈퐼 푙, s ′′[ ′′/ ] −−−−−−−−→J K ′ By assumption,
wellFormed푅 (퐺, s), so r = s. By induction, 퐺 휇t.퐺 t , s 퐺 , s . J ′′ ′′ K ′′ J K ′′  via⟨s⟩(pq!푗) By Lemma C.4, 퐺 [휇t.퐺 /t], s = 퐺 , s 휇t. 퐺 , s /t . Apply [Gr6] to get 퐺 −−−−−−−−→ p ⇝ q.푗 : {푙푖 :퐺푖 } ∈ . J ′′ K J ′′ K J K s 푖 퐼 We know 퐺, s = 휇t.퐺 , s = 휇t. 퐺 , s . 22 J K J K J K Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

The encoded transition is possible using [Gr3] as shown: // Ship configuration type "Config" from"./Models" as Config; ′′ ′′ 푙, s ′ 퐺 , s 휇t. 퐺 , s /t −−−−−−−−→J K 퐺 , s // Coordinate on2D grid J K J K J K [Gr3] type "Location" from"./Models" as Loc; ′′ 푙, s ′ 휇t. 퐺 , s −−−−−−−−→J K 퐺 , s global protocol Battleships(role P1, role Svr, role P2) { J K J ′ K  ′ Init(Config) from P1 to Svr; • [Gr4], where 퐺 = p → q : {푙푖 :퐺푖 }푖 ∈퐼 , 퐺 = p → q : 푙푖 :퐺 . 푖 푖 ∈퐼 Init(Config) from P2 to Svr; do Game(P1, Svr, P2); } 푙 ′ By hypothesis, ∀푖 ∈ 퐼.퐺 푖 −−→ 퐺 and subj(푙) ∉ {p, q}. aux global protocol Game(role Atk, role Svr, role Def) {  푖  푙, s ′ Attack(Location) from Atk to Svr; By induction, ∀푖 ∈ 퐼. 퐺푖, s −−−−−−−−→J K 퐺푖 , s . J K J K choice at Svr By definition of subj(·), subj( 푙, s ) ∉ {p, q}. {// Hit an opposing ship coordinate J K 푙, s ′ Hit(Loc) from Svr to Atk; To show 퐺, s −−−−−−−−→J K 퐺 , s , consider s by case: Hit(Loc) from Svr to Def; – s ∈ {p, q}J: ThenK we have J K do Game(Def, Svr, Atk); } →  퐺, s = p q : 푙푖 : 퐺푖, s 푖 ∈퐼 or { Miss(Loc) from Svr to Atk; J ′ K  J ′ K Miss(Loc) from Svr to Def; 퐺 , s = p → q : 푙푖 : 퐺푖 , s ∈ J K J K 푖 퐼 do Game(Def, Svr, Atk); } The encoded transition is possible using [Gr4]. or{// Hit all coordinates of an opposing ship – s ∉ {p, q}: Then we have Sunk(Loc) from Svr to Atk;  Sunk(Loc) from Svr to Def; 퐺, s = p −s q : 푙푖 : 퐺푖, s ∈ 푖 퐼 do Game(Def, Svr, Atk); } J ′ K
 J ′ K 퐺 , s = p −s q : 푙푖 : 퐺푖 , s ∈ or{// Sunk all opposing ships J K
J K 푖 퐼 The encoded transition is possible using [Gr8]. Winner(Loc) from Svr to Atk; Loser(Loc) from Svr to Def; }} • [Gr5], where 퐺 = p ⇝ q.푗 : {푙푖 :퐺푖 }푖 ∈퐼 , ′ =  ′ 퐺 p ⇝ q.푗 : 푙푖 :퐺푖 푖 ∈퐼 . By interpreting the session ID (generated for Svr by STScript) as 푙 ′ an unique game identifier, the developer can keep track of concur- By hypothesis, 퐺 푗 −−→ 퐺 푗 , p’ ≠ subj(푙), ′ rent game sessions very easily. As the generated session runtime for and ∀푖 ∈ 퐼 \{푗}.퐺 = 퐺푖 . 푖 Node.js needs to be initialised by a function that is parameterised by 푙, s ′ By induction, 퐺 푗 , s −−−−−−−−→J K 퐺 푗 , s . the game ID and returns the initial state, the game ID is bound in- By definitionJ of Ka set of subjects,J K we have: subj( 푙, s ) ≠ q. side the closure. This means that the invocation of callbacks (as part J K 푙, s ′ of the game logic) can access the game ID of the current game, so To show 퐺, s −−−−−−−−→J K 퐺 , s , consider s by case: the developer can update the application state of the corresponding – s ∈ {p, q}J: ThenK we have J K game. 퐺, s = p q.푗 푙 퐺 , s ⇝ : 푖 : 푖 푖 ∈퐼 const gameManager = (gameID: string) => { J ′ K  J ′ K 퐺 , s = p ⇝ q.푗 : 푙푖 : 퐺푖 , s 푖 ∈퐼 const handleP1 = Session.S176({ J K J K Attack: async (Next, location) => { The encoded transition is possible using [Gr5]. // Handle attack by P1 in current game – s ∉ {p, q}: Then we have const result = await  퐺, s = p ⇝ q.푗 : 푙푖 : 퐺푖, s ∈ DB.attack(gameID, GamePlayers.P1, location); J K s J K 푖 퐼 ′  ′ ...}, }); 퐺 , s = p ⇝ q.푗 : 푙푖 : 퐺푖 , s ∈ J K s J K 푖 퐼 const handleP2 = ...// defined similarly The encoded transition is possible using [Gr9]. return Session.Initial({ Init: (Next, p1Config) => Next({ ⇐= ( ) direction is similar by rule induction on Init: (_, p2Config) => { 푙, s ′ // Initialise new game in database bound to 'gameID' 퐺, s −−−−−−−−→J K 퐺 , s . J K J K DB.initialiseGame(gameID, p1Config, p2Config); □ return handleP1; }, }), }); }; // Initialise session runtime D Appendix for §5 new Svr(webSocketServer, cancellationHandler, gameManager); We include two more studies: Battleships and Travel Agency. Because the API for the session cancellation handler also ex- poses the session ID of the cancelled session, the Svr can use the Battleships. We implement the Battleships board gamebetween session ID to free up resources allocated to the corresponding game two players, as used by King et al.[20]. The initialisation phase session accordingly. In fact, given that the API also exposes the involves both players placing rectangular battleships on a 2D grid. role that initiated the cancellation, the Svr could identify which The session proceeds to the game loop, where players take turns player forfeited the game and update leaderboard details to reflect to guess the location of their opponent’s ships, where the server the forfeit. responds with a hit or a miss. The game loop continues until all ships of one player have been sunk. const cancellationHandler = async( 23 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

id: string, role: Role.All, reason: any) => { E.1 Server Role S: Generated APIs console.log(`${id}:${role} disconnected-${reason} `); // Free up resources allocated by this game namespace Message await DB.deleteGame(id); }; export interface S40_Available { label:"Available", payload: [number] }; Travel Agency. We implement the Travel Agency scenario mo- export interface S40_Full { label:"Full", payload: [] }; tivated in §1. We specify the Scribble protocol in Fig.4, and present export type S40 = | S40_Available | S40_Full; the STScript APIs implemented by the developer for both server and client endpoints in §2. export interface S38_Query { This scenario involves routed communications – namely, be- label:"Query", payload: [string] }; tween the customer and their friend. In §3, we discuss how the rout- export type S38 = | S38_Query; ing mechanism is transparent to the Node.js callbacks implemented by the developer. Here, we show that the routing mechanism is export interface S41_Confirm { equally transparent to the React.js components implemented by label:"Confirm", payload: [Cred] }; the developer for browser-side endpoints. export interface S41_Reject { label:"Reject", payload: [] }; export type S41 = | S41_Confirm | S41_Reject; export default class WaitSuggestion extends S11 { EFSM state transitions are characterised by the possible messages /* ...snip...*/ to be sent or received. We generate an interface for each message, Suggest(place: string){ specifying types for the label (as a string literal) and payload (as this.context.setSuggestion(place); defined on the protocol). Hence, each state is defined asa union } type of the possible messages. /* ...snip...*/ } namespace Handler export type S40 = MaybePromise< export default class WaitResponse extends S14 { | ["Available", Message.S40_Available['payload'], State.S41] /* ...snip...*/ | ["Full", Message.S40_Full['payload'], State.S38]>; Available(quote: number){ this.context.setQuote(quote); export interface S38 { } "Query": (Next: typeof Factory.S40, ...payload: Message.S38_Query['payload'] Full() { ) => MaybePromise, }; this.context.setErrorMessage(` No availability for${this.context.suggestion} export interface S41 { `); "Confirm": (Next: typeof Factory.S39, this.context.setSuggestion(''); ...payload: Message.S41_Confirm['payload'] } ) => MaybePromise, /* ...snip...*/ "Reject": (Next: typeof Factory.S39, } ...payload: Message.S41_Reject['payload'] ) => MaybePromise, }; Focusing on the role A, the WaitSuggestion component expects Handlers define the callback-style APIs that the developer needs a message from the other client role B, and the WaitResponse to implement. The handler for a send state (i.e. S40) is a tuple of component expects to receive from the server role S. Because the the message label (as a string literal), payload, and the successor client roles A and B cannot directly communicate over a WebSocket state. The handler for a receive state (i.e. S38, S41) is an object lit- connection, the message to be received by WaitSuggestion is in eral defining labelled callbacks. Each callback is parameterised by fact routed by S. However, this is transparent to the developer – a factory function for the successor state (discussed shortly) and both components handle incoming messages in the same manner. the payload for this particular message type, and is expected to re- Additionally, the APIs generated by STScript offer developers turn the successor state. The MaybePromise<> generic type allows the flexibility to integrate existing third-party libraries and frame- developers to write asynchronous handlers in their implementation. works when designing their user interfaces. The client endpoints are written using the Material-UI framework [22] and leverage the namespace State React Context API to manage internal application state. interface ISend { readonly type: 'Send'; E Code for Travel Agency scenario performSend(next: StateTransitionHandler, This appendix contains the implementation for the Travel Agency cancel: Cancellation, send: SendStateHandler): void; }; scenario (specified in Fig.4). We walk through key aspects of the APIs generated by STScript are used to implement the role S (for interface IReceive { the server endpoint) and role B (for the client endpoint). The full readonly type: 'Receive'; implementations can be found in the accompanying artifact [23]. prepareReceive(next: StateTransitionHandler, 24 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

cancel: Cancellation, generateSucc: (Next: typeof S41) => State.S41): State.S40; register: ReceiveStateHandler): void; }; function S40_Available( payload: Message.S40_Available['payload'], interface ITerminal { readonly type: 'Terminal'; }; succ: State.S41): State.S40; function S40_Available(...args: S40_Available) { export type Type = ISend | IReceive | ITerminal; if(typeof args[1] === 'function'){ const [payload, generateSucc] = args; export class S40 implements ISend { const succ = generateSucc(S41); readonly type: 'Send' = 'Send'; return new State.S40(["Available", payload, succ]); } constructor(public handler: Handler.S40) { } else{ const [payload, succ] = args; performSend(next: StateTransitionHandler, return new State.S40(["Available", payload, succ]); }} cancel: Cancellation, send: SendStateHandler) { const thunk = ( type S40_Full = [label, payload, succ]: FromPromise) => { | [Message.S40_Full['payload'], send(Role.Peers.A, label, payload); (Next: typeof S38) => State.S38] return next(succ); }; | [Message.S40_Full['payload'], State.S38]; if(this.handler instanceof Promise) { this.handler.then(thunk).catch(cancel); } // function S40_Full defined similarly else{ try { thunk(this.handler); } catch (error) { cancel(error); }}}}; export const S40 = { Available: S40_Available, Full: S40_Full, }; export class S38 implements IReceive { readonly type: 'Receive' = 'Receive'; export function S38(handler: Handler.S38) { constructor(public handler: Handler.S38) { } return new State.S38(handler); }; export function S41(handler: Handler.S41) { prepareReceive(next: StateTransitionHandler, return new State.S41(handler); }; cancel: Cancellation, register: ReceiveStateHandler) { const onReceive = (message: any) => { export const Initial = S38; const parsed = JSON.parse(message) as Message.S38; switch (parsed.label) { export const S39 = () => new State.S39(); case"Query":{ try{ export const Terminal = S39; const successor = this.handler[parsed.label]( The Factory namespace exposes developer-friendly APIs for in- Factory.S40, ...parsed.payload); stantiating the State class instance. The factory API for a send if (successor instanceof Promise) { state is an object literal defining labelled callbacks for each possible successor.then(next).catch(cancel); } selection. Each callback is parameterised by the message payload else { next(successor); } and successor state. The factory API for a receive state is an alias for } catch (error) { cancel(error); } the constructor function of the corresponding State class. Initial return; }}}; and Terminal aliases are also exported as convenient references to register(Role.Peers.A, onReceive); }}; the initial and terminal EFSM state respectively. The handler for each EFSM state is used to instantiate its State class instance, which is used by the session runtime to trigger the communication action. For send states, the runtime triggers the E.2 Server Role S: API Usage performSend method (Line 20) to perform the send using the label import express from"express"; and payload defined in the handler (Line 24). For receive states, the import http from"http"; State class instance registers the handler to the runtime, so the import WebSocket from"ws"; handler can be invoked when the message is received. The State class will check whether the handler is defined asynchronously (i.e. const app = express(); a TypeScript Promise) and invoke the handler accordingly. const server = http.createServer(app); const wss = new WebSocket.Server({ server }); namespace Factory type S40_Available = import { Session, S } from"./TravelAgency/S"; | [Message.S40_Available['payload'], (Next: typeof S41) => State.S41] const agencyProvider = (sessionID: string) => { | [Message.S40_Available['payload'], State.S41]; const handleQuery = Session.Initial({ Query: async (Next, dest) => { function S40_Available( const res = await checkAvailability(sessionID, dest); payload: Message.S40_Available['payload'], if (res.status ==="available"){ 25 CC ’21, March 2–3, 2021, Virtual, USA Anson Miu, Francisco Ferreira, Nobuko Yoshida, and Fangyi Zhou

return Next.Available([res.quote], handleResponse); } else{ return Next.Full([], handleQuery); }},}); export default abstract class S29 extends React.Component { const handleResponse = Session.S41({ componentDidMount() { Confirm: async (End, credentials) => { this.props.register(Roles.Peers.A, // Handle confirmation this.handle.bind(this)); } await confirmBooking(sessionID, credentials); return End(); }, handle(data: any): MaybePromise { Reject: async (End) => { const message = JSON.parse(data) as Message; await release(sessionID); switch (message.label) { return End(); },}); case Labels.Quote: { return handleQuery; }; const thunk = () => SendState.S30; const continuation = this.Quote(...message.payload); new S(wss, async (sessionID, role, reason) => { if (continuation instanceof Promise) { if (role === Role.Self) { return new Promise((resolve, reject) => { console.error(`${sessionID}: internal server error`); } continuation.then(() => resolve(thunk())) else{ await tryRelease(sessionID); }}, agencyProvider); .catch(reject); }); } else{ return thunk(); }} The developer instantiates the session (Line 29) using the Web- case Labels.Full: { Socket server, cancellation handler, and the EFSM implementation const thunk = () => SendState.S27; — a function to be invoked for every new session, parameterised by const continuation = this.Full(...message.payload); the session ID, and returns the State class instance of the initial if (continuation instanceof Promise) { state. Line 12 implements the API generated for a receive state, return new Promise((resolve, reject) => { specifying how to handle a Query message. Line 16 implements the continuation.then(() => resolve(thunk())) API generated for a send state — send the Available message with .catch(reject); }); } the price and proceed to the handleResponse continuation. else{ return thunk(); } }}}

E.3 Client Role B: Generated APIs abstract Quote(payload1: number, ): MaybePromise; abstract Full(): MaybePromise; } src/TravelAgency/B/S27.tsx The generated React component for a receive state registers a type Props = { factory: SendComponentFactoryFactory }; message handler (Line 19) to the session runtime component, to be export default abstract class S27 invoked on a WebSocket onmessage event. An abstract method is extends React.Component { exposed for each possible branch (Lines 39 and 40), requiring the protected Suggest: SendComponentFactory<[string]>; developer to explicitly handle the received message. When invoked, constructor(props: Props) { the message handler parses the WebSocket message and invokes super(props); the abstract method (implemented by the developer) corresponding this.Suggest = props.factory<[string]>( to the label of the received message. The message handler returns Roles.Peers.A, 'Suggest', ReceiveState.S29); }} the successor state to the runtime to advance the EFSM. The generated React component for a send state receives a factory function from the session runtime to generate component factories E.4 Client Role B: API Usage for each permitted selection. Line7 reads, “generate a component factory which sends a message (labelled Suggest to role A with one string-typed payload) and transitions to state S29”. The com- src/components/MakeSuggestion.tsx ponent factory is defined as a protected property to allow access by import { S27 } from"../../TravelAgency/B"; subclasses implemented by the developer. export default class MakeSuggestion extends S27 { static contextType = FriendState; src/TravelAgency/B/S29.tsx declare context: React.ContextType; enum Labels { Quote = 'Quote', Full = 'Full' }; render() { interface QuoteMessage { const options: DestinationOption[] = places.map( label: Labels.Quote, payload: [number] }; (name) => ({ name, interface FullMessage { buildClickComponent: () => (['Suggest', label: Labels.Full, payload: [] }; this.Suggest('onClick', () => { type Message = | QuoteMessage | FullMessage this.context.setDestination(name); this.context.setErrorMessage(undefined); type Props = { return [name]; }),]),}}; register: (role: Roles.Peers, return (

handle: ReceiveHandler) => void}; 26 Communication-Safe Web Programming in TypeScript with Routed Multiparty Session Types CC ’21, March 2–3, 2021, Virtual, USA

Offer Suggestion S29: WaitResponse, S30: MakeDecision }} waiting={} connectFailed={ {this.context.errorMessage !== undefined&& Connect Failed} { style={{ marginBottom: '1rem' }} console.error(reason); severity='error'> return {this.context.errorMessage}} Session Cancelled by {role}: {reason}; }} />

); }}; {options.map((option, key) => ( The developer instantiates the session (Line9) by supplying: the WebSocket endpoint (Line 10), a React component to render whilst waiting (Line 13), a React component to render on a connection ))} failure (Line 14), a function to build a React component to respond

); }}; to session cancellation (Line 16), and an object literal (Line 11) map- The developer implements the send state S27 by extending from ping each EFSM state to the corresponding subclass implemented the corresponding abstract class, and uses the component factory by the developer. property to generate UI components that are bound to the commu- nication action. Line 10 creates a React component that sends the Suggest message on a click event, for each destination option in places. WaitResponse.tsx import { S29 } from"../../TravelAgency/B"; export default class WaitResponse extends S29 { static contextType = FriendState; declare context: React.ContextType;

Full() { this.context.setErrorMessage( `No availability for${this.context.destination} `); this.context.setDestination(undefined); }

Quote(quote: number){ this.context.setQuote(quote); }

render() { return (

Pending enquiry for {this.context.destination}

); }}; The developer implements the receive state S29 by extending from the corresponding abstract class, and implements the required abstract methods to define how to handle a Full message (Line6) or a Quote message (Line 11). FriendView.tsx import { B } from"../../TravelAgency/B";

export default class FriendView extends React.Component { render() { const origin = process.env.REACT_APP_PROXY ?? window.location.origin; const endpoint = origin.replace(/^http/, 'ws'); return (