Shared Contract-Obedient Endpoints

Most of the existing verification techniques for message-passing programs suppose either that channel endpoints are used in a linear fashion, where at most one thread may send or receive from an endpoint at any given time, or that endpoints may be used arbitrarily by any number of threads. The former approach usually forbids the sharing of channels while the latter limits what is provable about programs. In this paper we propose a midpoint between these techniques by extending a proof system based on separation logic to allow sharing of endpoints. We identify two independent mechanisms for supporting sharing: an extension of fractional shares to endpoints, and a new technique based on what we call reflexive ownership transfer. We demonstrate on a number of examples that a linear treatment of sharing is possible.

💡 Research Summary

The paper tackles a long‑standing tension in the verification of message‑passing programs: on the one hand, linear usage models enforce that at most a single thread may interact with a channel endpoint at any moment, which yields strong guarantees about protocol compliance but forbids the natural sharing of channels; on the other hand, fully shared models permit any number of threads to use an endpoint arbitrarily, thereby allowing realistic concurrency patterns but severely limiting what can be proved about contract adherence. The authors propose a middle ground that retains the safety of linear reasoning while permitting controlled sharing of endpoints.

Their solution rests on two orthogonal mechanisms that extend a Separation Logic‑based proof system. The first mechanism adapts the well‑known fractional permission technique to channel endpoints. In the classic memory model, a fractional permission allows multiple readers but only a single writer. By applying the same idea to endpoints, several threads may hold read (receive) permission simultaneously, while write (send) permission is granted exclusively to the holder of the full share. This preserves the order of messages dictated by the contract, because only the thread that owns the full permission can advance the protocol by sending, yet it enables parallel reception and thus improves performance in many producer‑consumer scenarios.

The second mechanism introduces “reflexive ownership transfer,” a novel form of dynamic ownership that couples the endpoint’s contract state with an abstract token. When a thread sends a message, the token—encapsulating the current contract phase—is automatically transferred to the receiving thread. The receiver thereby obtains the right to act on the next contract step. This transfer mirrors the linear consumption of a resource: the sender’s ownership is consumed, and the receiver’s ownership is created. Because the token itself carries the contract information, no external bookkeeping is required; the ownership flow is reflected directly in the logical state. This technique allows the proof system to reason about contract progression even when multiple threads interact with the same endpoint in a non‑deterministic order.

Crucially, the two mechanisms are independent yet composable. The authors demonstrate their combined use in several canonical examples: multi‑producer/multi‑consumer pipelines, shared buffers, and complex protocols that require both concurrent reception and coordinated sending. In each case, fractional permissions handle concurrent reads, while reflexive ownership transfer guarantees that every send operation respects the contract and that the receiving side acquires the appropriate rights for the next step. The paper formalizes the necessary inference rules, proves soundness with respect to a small‑step operational semantics, and shows that the extensions integrate smoothly with existing Separation Logic tools, requiring only modest modifications.

Beyond the technical contributions, the work provides a practical pathway for developers of high‑performance concurrent systems—such as network servers, distributed services, and asynchronous event‑driven applications—to write code that shares channels safely without sacrificing provable correctness. By offering a “linear treatment of sharing,” the authors bridge the gap between the expressive power of fully shared models and the rigorous guarantees of linear type systems, opening new possibilities for verified concurrent programming.