Constructive characterisations of the MUST-preorder for asynchrony

Code refactoring is a routine task to develop or update software, and it requires methods to ensure that a program \(p\) can be safely replaced by a program \(q\). One way to address this issue is via refinement relations, i.e. preorders. For programming languages, the most well-known one is Morris extensional preorder [43, pag. 50], defined by letting \(p \le q\) if for all contexts C, whenever C[p] reduces to a normal form N, then C[q] also reduces to N.

Comparing servers This paper studies a version of Morris preorder for nondeterministic asynchronous client-server systems. In this setting it is natural to reformulate the preorder by replacing reduction to normal forms (i.e. termination) with a suitable liveness property. Let  denote a client-server system, that is a parallel composition in which the identities of the server \(p\) and the client \(r\) are distinguished, and whose computations have the form where each step represents either an internal computation of one of the two components, or an interaction between them. Interactions correspond to handshakes, where two components ready to perform matching input/output actions advance together. We express liveness by saying that \(p\text { must pass } r\), denoted \( p \textsc {must} r\), if in every maximal computation of there exists a state such that \(\textsc {good}(r_i)\), where \(\textsc {good}\) is a decidable predicate indicating that the client has reached a successful state. Servers are then compared according to their capacity to satisfy clients, i.e. via contexts of the form  and the predicate \(\textsc {must}\). Morris preorder then becomes the \(\textsc {must}\)-preorder by De Nicola and Hennessy [25] :

Advantages The \(\textsc {must}\)-preorder is by definition liveness preserving, because \( p \textsc {must} r\) literally means that “in every execution something good must happen (on the client side)”. Results on  thus shed light on liveness-preserving program transformations.

The \(\textsc {must}\)-preorder is independent of any particular calculus, as its definition requires simply (1) a reduction semantics for the parallel composition , and (2) a predicate \(\textsc {good}\) over programs. Hence  may relate servers written in different languages. For instance, servers written in OCaml may be compared to servers written in Java according to clients written in Python, because all these languages use the same basic protocols for communication.

Drawback The definition of the \(\textsc {must}\)-preorder is contextual: proving requires analysing an infinite amount of clients, and so the definition of the preorder does not entail an effective proof method. A solution to this problem is to define an alternative (semantic) characterisation of the preorder  , i.e. a preorder \(\preccurlyeq _{ alt }\) that coincides with  and does away with the universal quantification over clients (i.e. contexts). In synchronous settings, i.e. when both input and output actions are blocking, such alternative characterisations have been thoroughly investigated, typically via a behavioural approach based on labelled transition systems.

Labelled transition systems A program \(p\) is associated with a labelled transition system (LTS) representing its behaviour, which we denote by \(\textsc {lts}(p)\). Figure 1 presents two instances of LTSs, where transitions are labelled by input actions such as \(\texttt {str}\), output actions such as \(\overline{\texttt {str}}\), or the internal action \(\tau \) (not featured in Figure 1), while dotted nodes represent successful states, i.e. those satisfying the predicate \(\textsc {good}\). There, the server \(p_0\) is ready to input either a string or a float. It is the environment that, by offering an output of either type, will make \(p\) move to either \(p_1\) or \(p_2\). The client \(r_0\), on the other hand, is ready to either output a string, or input an integer. The input \(\texttt {int}\) makes the client move to the successful state \(r_2\), while the output \(\overline{\texttt {str}}\) makes the client move to the state \(r_1\), where it can still perform the input \(\texttt {int}\) to reach the successful state \(r_3\). In an asynchronous setting, output transitions enjoy a commutativity property on which we will return later. Programs \(p\) are usually associated with their behaviours \(\textsc {lts}(p)\) via inference rules that we omit in the main body of the paper, as they are standard.

Alternative preorders for synchrony Program behaviours, i.e.  LTSs, are used to define the alternative preorders for  following one of two different approaches: \(\textsc {must}\)-sets or acceptance sets.

Both approaches were originally proposed for Milner’s Calculus of Communicating Systems (\(\textsc {CCS} \)) [42], where communication is synchronous. The first alternative preorder, which we denote by \(\mathrel {\preccurlyeq _{\textsf{MS}}}\), was put forth by De Nicola [25], and it compares server behaviours according to their \(\textsc {must}\)-sets, i.e.  the sets of actions that they may perform after doing a given sequence of actions. The second alternative preorder, which we denote by \(\mathrel {\preccurlyeq _{\textsf{AS}}}\), was put forth by Hennessy [32], and it compares the acceptance sets of servers, i.e.  how servers can be moved out of their potentially deadlocked states, namely, states from which the servers cannot evolve autonomously. Both these preorders characterise  in the following sense: While these alternative preorders do away with the universal quantification over clients, they are not practical to use directly, as they still universally quantify over (finite) traces of actions. A more practical approach [1] is to use a coinductively defined preorder \(\mathrel {\preccurlyeq _{\textsf{co}}}\) based on \(\mathrel {\preccurlyeq _{\textsf{AS}}}\) [1, 10, 41]. This preorder has two advantages: first, its definition quantifies universally only on single actions; second, it allows the user to use standard coinductive methods, as found in the literature on bisimulation. In the case where the LTS is image-finite, such as for CCS and most process calculi, the coinductive preorder is sound and complete:Asynchrony In distributed systems, communication is inherently asynchronous. For instance, the standard TCP transmission on the Internet is asynchronous. Actor languages like Elixir and Erlang implement asynchrony via mailboxes, and both Python and JavaScript offer developers the constructs async/wait, to return promises (of results) or wait for them. In this paper we model asynchrony via output-buffered agents with feedback, as introduced by Selinger [49]. These are LTSs obeying the axioms in Figure 2, where \(a\) denotes an input action, \(\overline{a}\) denotes an output action, \(\tau \) denotes the internal action, and \(\alpha \) ranges over all these actions. For instance, the Output-commutativity axiom states that an output \(\overline{a}\) can always be postponed: if \(\overline{a}\) is followed by any action \(\alpha \), it can commute with it. In other words, outputs are non-blocking, as illustrated by the LTS for \(r_0\) in Figure 1. We defer a more detailed discussion of these axioms to Section 2.

Technical difficulties The practical importance of asynchrony motivates a specific study of  . Efforts in this direction have been made, all of which focussed on process calculi [15, 21, 34, 52], while the axioms in Figure 2 apply to LTSs. Note that these axioms impose conditions only over outputs, and this asymmetric treatment of inputs and outputs substantially complicates the proofs of completeness and soundness of the alternative characterisations of  . To underline the subtleties due to asynchrony, we note that the completeness result for asynchronous CCS given by Castellani and Hennessy in [21], and subsequently extended to the \(\pi \)-calculus by Hennessy [34], is false (see [8, Appendix I]).

Our main contributions may be summarised as follows (where for each of them, we indicate where it is presented in the paper):

In Sections 5 and 6, we discuss the impact of the above contributions, as well as related and future work. In Section 2, we recall the necessary background definitions and illustrate them with a few examples.

We model individual programs such as servers \(p\) and clients \(r\) as LTSs obeying Selinger axioms, while client-server systems are modelled as state transition systems with a reduction semantics. We now formally define this two-level semantics.

Labelled transition systems A labelled transition system (LTS) is a triple \(\mathcal {L}= \langle A, L , \longrightarrow \rangle \) where \(A\) is the set of states, L is the set of labels and \({\longrightarrow } \subseteq A\times L \times A\) is the transition relation. When modelling programs as LTSs, we use transition labels to represent program actions. The set of labels in Selinger LTSs has the same structure as the set of actions in Milner’s calculus CCS: one assumes a set of names \(\mathcal {N} \), denoting input actions and ranged over by \(a, b, c\), a complementary set of conames \(\overline{\mathcal {N}}\), denoting output actions and ranged over by \(\overline{a}, \overline{b}, \overline{c}\), and an invisible action \(\tau \), representing internal computation. The set of all actions, ranged over by \(\alpha , \beta , \gamma \), is given by \(\textsf{Act}_\tau \;\;\mathrel {{\mathop {=}\limits ^{\textsf{def}}}}\;\; \mathcal {N} \uplus \overline{\mathcal {N}} \uplus \{ \tau \} \). We use \(\mu , \mu '\) to range over the set of visible actions \(\mathcal {N} \uplus \overline{\mathcal {N}}\), and we extend the complementation function \(\overline{\cdot }\) to this set by letting \({\overline{\overline{a}}} \mathrel {{\mathop {=}\limits ^{\textsf{def}}}}a\). In the following, we will always assume \(L = \textsf{Act}_\tau \). Once the LTS is fixed, we write \(p\longrightarrow p'\) to mean that \((p,\alpha ,p')~\in ~{\longrightarrow }\) and \( p\longrightarrow \) to mean \(\exists p'. \;p\longrightarrow p'\).

We use \(\mathcal {L}\) to range over LTSs. To reason simultaneously on different LTSs, we will use the symbols \(\mathcal {L}_A\) and \(\mathcal {L}_B\) to denote respectively the LTSs \(\langle A, L, \longrightarrow _A \rangle \) and \(\langle B, L, \longrightarrow _B \rangle \).

In our mechanisation LTSs are borne out by the typeclass Lts in Figure 3. The states of the LTS have type \(A\), labels have type L, and lts_step is the characteristic function of the transition relation, which we assume to be decidable. We let \(O(p) = \{ \overline{a} \in \overline{\mathcal {N}} \ |\ p \longrightarrow \} \) and \(I(p) = \{ a\in \mathcal {N} \ |\ p \longrightarrow \} \) be respectively the set of outputs and the set of inputs of state \(p\). We assume that the set \(O(p)\) is finite for any \(p\). In our mechanisation, the set \(O(p)\) is rendered by the function lts_outputs, and we shall also use a function lts_performs that lets us decide whether a state can perform a transition labelled by a given action.

Client-server systems A client-server system (or system, for short) is a pair in which \(p\) is deemed to be the server of client \(r\). In general, every system  is the root of a state transition system (STS), \(\langle S, \longrightarrow \rangle \), where \(S\) is the set of states and \(\longrightarrow \) is the reduction relation. For the sake of simplicity¹ we derive the reduction relation from the LTS semantics of servers and clients as specified by the rules in Figure 4. In our mechanisation (Figure 3), sts_step is the characteristic function of the reduction relation \(\longrightarrow \), and sts_stable is the function that states whether a state can reduce or not. Both functions are assumed decidable.

To formally define the \(\textsc {must}\)-preorder, we assume a decidable predicate \(\textsc {good}\) over clients. A computation  is successful if there exists a state such that \(\textsc {good}(r_i)\). We assume the predicate \(\textsc {good}\) to be invariant under outputs:All the previous works on asynchronous calculi implicitly make this assumption, since they rely on ad-hoc actions such as \(\omega \) or \(\checkmark \) to signal success and they treat them as outputs. In [8, Appendix H] we show that this assumption holds for the language ACCS  (the asynchronous variant of CCS) extended with the process \(\mathop {\textsf {1}}\), which is used as a syntactic means to denote GOOD states. Moreover, when considering an equivalence on programs \(\simeq \) that is compatible with transitions, in the sense of Figure 5, we assume the predicate \(\textsc {good}\) to be preserved also by this equivalence. These assumptions are met by the frameworks in [15, 21, 34].

A closer look at Selinger axioms Let us now discuss the axioms in Figure 2. The Output-commutativity axiom expresses the non-blocking behaviour of outputs: an output cannot be a cause of any subsequent transition, since it can also be executed after it, leading to the same resulting state. Hence, outputs are concurrent with any subsequent transition. The Feedback axiom says that an output followed by a complementary input can also synchronise with it to produce a \(\tau \)-transition. These first two axioms specify properties of outputs that are followed by another transition. Instead, the following three axioms, Output-confluence, Output-determinacy and Output-tau, specify properties of outputs that are co-initial with another transition². The Output-determinacy and Output-tau axioms apply to the case where the co-initial transition is an identical output or a \(\tau \)-transition respectively, while the Output-confluence axiom applies to the other cases. When taken in conjunction, these three axioms state that outputs cannot be in conflict with any co-initial transition, except when this is a \(\tau \)-transition: in this case, the Output-tau axiom allows for a confluent nondeterminism between the \(\tau \)-transition on one side and the output followed by the complementary input on the other side.

We now explain the novel Backward-output-determinacy axiom. It is the dual of Output-determinacy, as it states that also backward transitions with identical outputs lead to the same state. The intuition is that if two programs arrive at the same state by removing the same message from the mailbox, then they must coincide. This axiom need not be assumed in [49] because it can be derived from Selinger axioms when modelling a calculus like ACCS equipped with a parallel composition operator \(\parallel \) (see [8, Lemma 53]). We use the Backward-output-determinacy axiom only to prove a technical property of clients (see [8, Lemma 25]) that is used to prove our completeness result.

Calculi A number of asynchronous calculi [16, 21, 36, 38, 44, 48] have an LTS that enjoys the axioms in Figure 2, at least up to some structural equivalence \(\equiv \). The reason is that these calculi syntactically enforce outputs to have no continuation, i.e. outputs can only be composed in parallel with other processes³. For example, Selinger [49] shows that the axioms of Figure 2 hold for the LTS of the calculus ACCS (the asynchronous variant of CCS⁴) modulo bisimulation, and in (see [8, Lemma 55]) we prove that they hold also for the LTS of ACCS modulo \(\equiv \):

To streamline reasoning modulo some (structural) equivalence we introduce the typeclass LtsEq, whose instances are LTSs equipped with an equivalence \(\simeq \) that satisfies the property in Figure 5. Defining output-buffered agents with feedback using LtsEq does not entail any loss of generality, because the equivalence \(\simeq \) can be instantiated using the identity over the states \(A\). Further details can be found in [8, Appendix H.1].

When convenient we denote LTSs using the following minimal syntax for ACCS:as well as its standard LTS⁵ whose properties we discuss in detail in [8, Appendix H]. This is exactly the syntax used in [15, 49], without the operators of restriction and relabelling. Here the syntactic category g defines guards, i.e. the terms that may be used as arguments for the \(+\) operator. As in most process calculi, 0 denotes the terminated process that cannot do any action. Note that, apart from \(\mathop {\textsf {0}}\), only input-prefixed and \(\tau \)-prefixed terms are allowed as guards, and that the output prefix operator is replaced by atoms \(\overline{a}\). In fact, this syntax is completely justified by Selinger axioms, which, as we argued above, specify that outputs cannot cause any other action, nor be in conflict with it.

If a transition sequence is made only of \(\tau \)-transitions, it is called a computation by abuse of notation, the idea being that usually \(\tau \)-steps are related to reduction steps via the Harmony lemma (see footnote on page 7).

We give now an example that illustrates the use of the testing machinery in our asynchronous setting. This is also a counter-example to the completeness of the alternative preorder proposed in [21], as discussed in detail in [8, Appendix I].

The argument in Example 3 can directly use Definition 3 because it is very simple to reason on the process \(\mathop {\textsf {0}}\). The issues brought about by the contextuality of Definition 3, though, hinder showing general properties of  . Consider the following form of code hoisting:If we see the above nondeterministic sums as representing the two branches of a conditional statement, this refinement corresponds to hoisting the shared action \(\overline{a}\) before the conditional statement, a common compiler optimisation. Proving Equation (6) via the contextual definition of  is cumbersome. This motivates the study of alternative characterisations for  , and in the rest of the paper we present several preorders that fit the purpose, in particular the coinductive preorder \(\mathrel {\preccurlyeq _{\textsf{co}}}\), which we will use to establish Equation (6) in Section 3.3.

We conclude this section by recalling auxiliary and rather standard notions: given an LTS \(\langle A, L, \longrightarrow \rangle \), the weak transition relation \(p\mathrel {\overset{ s}{\Longrightarrow }} p'\), where \( s\in \textsf{Act}^\star \), is defined via the rules We write \( p\mathrel {\overset{ s}{\Longrightarrow }} \) to mean \(\exists p'. \;p\mathrel {\overset{ s}{\Longrightarrow }} p'\).

We write \(p\downarrow \) and say that \(p\) converges if every computation of \(p\) is finite, and we lift the convergence predicate to finite traces by letting the relation \({\mathrel {\Downarrow }} \subseteq A\times \textsf{Act}^\star \) be the least one that satisfies the following rules

To understand the next section, one should keep in mind that all the predicates defined above have an implicit parameter: the LTS of programs. By changing this parameter, we may change the meaning of the predicates. For instance, letting \(\varOmega \) be the ACCS process \(\textsf{rec} x. \tau . x\), in the standard LTS \(\langle \texttt {ACCS}, \textsf{Act}_\tau , \longrightarrow \rangle \) we have \( \varOmega \longrightarrow \varOmega \) and \(\lnot (\varOmega \downarrow )\), while in the LTS \(\langle \texttt {ACCS}, \textsf{Act}_\tau , \emptyset \rangle \) we have and thus \(\varOmega \downarrow \). In other words, the same predicates can be applied to different LTSs, and since the alternative characterisations of  are defined using such predicates, they can relate different LTSs.

We first recall the definition of the standard alternative preorder \(\mathrel {\preccurlyeq _{\textsf{AS}}}\), and show how to use it to characterise  in our asynchronous setting. We also present a new characterisation that disregards the order of non-causally related actions. We then explain the tools we use to prove these characterisations, and in particular their soundness. This section ends with the coinductive version \(\mathrel {\preccurlyeq _{\textsf{co}}}\) of \(\mathrel {\preccurlyeq _{\textsf{AS}}}\), which we use to prove the hoisting refinement (6).

We now establish the second standard characterisation of the \(\textsc {must}\)-preorder, defined using \(\textsc {must}\)-sets, again thanks to Theorem 1. As an application, we relate the failure refinement used by the CSP community to the \(\textsc {must}\)-preorder.

We begin by defining formally the \(\mathrel {\preccurlyeq _{\textsf{MS}}}\) preorder, and we relate it to the \(\textsc {must}\)-preorder. For every \(X \subseteq _{ fin } \textsf{Act} \), that is for every finite set of visible actions, with a slight abuse of notation we write \(p\mathrel {\textsc {must}} X\) whenever \(p\mathrel {\overset{ \varepsilon }{\Longrightarrow }} p'\) implies that \(p' \mathrel {\overset{ \mu }{\Longrightarrow }}\) for some \(\mu \in X\), and we say that X is a \(\textsc {must}\)-set of \(p\). Let \( ( p \, \textsf{after} \, s , \longrightarrow ) = \{ p' \ |\ p\mathrel {\overset{s}{\Longrightarrow }} p' \}\). For every \(\mathcal {L}_A, \mathcal {L}_B\) and \(p\in A, q\in B\), let \(p\preccurlyeq _{\textsc {m}}q\) whenever \(\forall s\in \textsf{Act}^\star \) we have that \(p\mathrel {\Downarrow }{ s}\) implies that \((\forall X \subseteq _{ fin } \textsf{Act} \) if \( (p \, \textsf{after} \, s, \longrightarrow _A) \mathrel {\textsc {must}} X\) then \( (q \, \textsf{after} \, s, \longrightarrow _B) \mathrel {\textsc {must}} X).\)

As a direct consequence, we obtain the following result.

Failure refinement \(\textsc {must}\)-sets have been used mainly by De Nicola and collaborators, for instance in [15, 26], and are closely related to the failure refinement proposed in [19] by Hoare, Brookes and Roscoe for TCSP (the process algebra based on Hoare’s language CSP [18, 37]). Following [19], a failure of a process \(p\) is a pair \((s, X)\) such that \(p \mathrel {\overset{ s}{\Longrightarrow }} p'\) and for all \(\mu \in X\). Then, failure refinement is defined by letting \(p\mathrel {\le _{\textsf {fail}}}q\) whenever the failures of \(q\) are also failures of \(p\). This refinement was designed to give a denotational semantics to processes, and mechanisations in Isabelle/HOL have been developed to ensure that the refinement is well defined [5, 50]. Both Hennessy [32, pag. 260] and [20] highlight that the failure model can be justified operationally via the \(\textsc {must}\) testing equivalence: it is folklore dating back to [25, Section 4] that failure equivalence and  coincide. Thanks to Theorem 3 we conclude that in fact  coincides with the failure divergence refinement [51], that is, the intersection of \(\mathrel {\le _{\textsf {fail}}}\) and \(\mathrel {\preccurlyeq _{\textsf{cnv}}}\).

Here we discuss in detail the works more closely related to the results of this paper. Further discussion on related work may be found in [8, Appendix A].

The first investigation on the \(\textsc {must}\)-preorder in an asynchronous setting was put forth by [21]. While their very clear examples shed light on the preorder, their alternative preorder (Definition 6 in that paper) is more complicated than necessary: it uses the standard LTS of TACCS, its lifting to an LTS with forwarding, and two somewhat ad-hoc notions: a predicate \({\mathop {\rightsquigarrow }\limits ^{I}}\) and a condition on multisets of inputs. Moreover that preorder is not complete because of a glitch in the treatment of divergence. The details of the counter-example we found to that completeness result are given in [8, Appendix I].

In [34] Hennessy outlines how to adapt the approach of [21] to a typed asynchronous \(\pi \)-calculus. While the LTS with forwarding is replaced by a Context LTS, the predicates to define the alternative preorder are essentially the same as those used in the preceding work with Castellani. Acceptance sets are given in Definition 3.19 there, and the predicate \({\mathop {\rightsquigarrow }\limits }\) is denoted \(\searrow \), while the generalised acceptance sets of [21] are given in Definition 3.20. Owing to the glitch in the completeness of [21], it is not clear that Theorem 3.28 of [34] is correct either.

Also the authors of [15] consider the \(\textsc {must}\)-preorder in ACCS. There is a major difference between their approach and ours. When studying theories for asynchronous programs, one can either

In the first case, the complexity is moved into the LTS, which becomes infinite-branching and infinite-state. In the second case, the complexity is moved into the definitions used to reason on the LTS (i.e. in the meta-language), and in particular in the definition of the alternative preorder, which deviates from the standard one. The authors of [15] follow the second approach. This essentially explains why they employ the standard LTS of CCS and to tackle asynchrony they reason on traces via (1) a preorder \(\preceq \) (Table 2 of that paper) that defines on input actions the phenomena due to asynchrony; and (2) a rather technical operation on traces, namely \(s \ominus s' = ( \{\!|s|\!\}_{i} \setminus \{\!|s'|\!\}_{i}) \setminus \overline{( \{\!|s|\!\}_{o} \setminus \{\!|s'|\!\}_{o} )}\). We favour instead the approach in (1), for it helps achieve a modular mechanisation.

The authors of [27] give yet another account of the \(\textsc {must}\)-preorder. Even though non-blocking outputs can be written in their calculus, they use a left-merge operator that allows writing blocking outputs. The contexts that they use to prove the completeness of their alternative preorder use such blocking outputs, consequently their arguments need not tackle the asymmetric treatment of input and output actions. This explains why they can use smoothly a standard LTS, while [21] and [15] have to resort to more complicated structures.

Theorem 5.3 of the PhD thesis by [52] states an alternative characterisation of the \(\textsc {must}\)-preorder, but it is given with no proof. The alternative preorder given in Definition 5.8 of that thesis turns out to be a mix of the ones by [21] and [15]. In particular, the definition of the alternative preorder relies on the LTS with forwarding, there denoted \(\longrightarrow _A\) (Point 1. in Definition 5.1 defines exactly the input transitions that forward messages into the global buffer). The condition that compares convergence of processes is the same as in [21], while server actions are compared using \(\textsc {must}\)-sets, and not acceptance sets. In fact, Definition 5.7 there is titled “acceptance sets ” but it actually defines \(\textsc {must}\)-sets.

In this paper we have shown that the standard characterisations of the \(\textsc {must}\)-preorder by De Nicola and Hennessy [25, 32] are sound and complete also in an asynchronous setting, provided servers are enhanced with the forwarding ability. Lemma 2 shows that this lifting is always possible. We have also shown that the standard coinductive characterisation carries over to the asynchronous setting. Our results are supported by the first mechanisation of the \(\textsc {must}\)-preorder, and increase proof (i.e. code) factorisation and reusability since the alternative preorders do not need to be changed when shifting between synchronous and asynchronous semantics: it is enough to parameterise the proofs on the set of non-blocking actions. Corollary 3 states that \(\textsc {must}\)-preorder and failure refinement essentially coincide. This might spur further interest in the mechanisations of failure refinement, carried out so far in Isabelle/HOL [5, 50], possibly opening up opportunities of joint efforts for automated checking.

Proof method for \(\textsc {must}\)-preorder Theorems 1, 2 and 3 endow researchers in programming languages for message-passing software with a proof method for , namely: to define for their calculi an LTS that enjoys the axioms of output-buffered agents with feedback. An example of this approach is Corollary 1.

Live programs have barred trees We argued that a proof of \(p \textsc {must}r\) is a proof of liveness (of the client). This paper is thus de facto an example that proving liveness amounts to prove that a computational tree has a bar (identified by the predicate \(\textsc {good}\)), and hence bar induction is a natural way to reason constructively on liveness-preserving manipulations on programs. While this fact seems to be by and large unexploited by the PL community, we believe that it may be of interest to practitioners reasoning on liveness properties in theorem provers in particular, and to the PL community at large.

Mechanisation Boreale and Gadducci [13] remark that the \(\textsc {must}\)-preorder lacks a tractable proof method. In constrast, we argue that our contributions, in particular the coinductive characterisation (Theorem 2), being fully mechanised in Coq, let practitioners pursue non-trivial results about testing preorders for real-world programming languages. To make this point, we have proved a form of code-hoisting using this characterisation. Our mechanisation lowers the barrier to entry for researchers versed into theorem provers and wishing to use testing preorders; adds to the toolkit of Coq users an alternative to the well-known (and already mechanised) bisimulation equivalence [45]; and provides a starting point for researchers willing to study testing preorders and analogous refinements within type theory. Researchers working on testing preorders may benefit from it, as there are analogies between reasoning techniques for May, \(\textsc {must}\), Compliance, Should, and Fair testing. For instance Baldan et al. show with pen and paper that a technique similar to forwarding works to characterise the \(\textsc {may}\)-preorder [4].

Future work Thanks to Theorems 1, 2 and 3 we can now set out to (1) devise an axiomatisation of  for asynchronous calculi, as done in [14, 32, 33, 35] for synchronous ones; (2) study for which asynchronous calculi is a pre-congruence; (3) machine-check semantic models of subtyping for session types [10]; (4) study the decidability of .

More in general, given the practical relevance of asynchronous communication, it seems crucial not only to adapt the large body of theory for synchronous communication to the asynchronous setting but also to resort to machine supported reasoning to do it. This paper is meant to be a step in this direction.

Data availability The mechanised proofs have been archived on Zenodo[7].