Actor Services - Modular Verification of Message Passing Programs

We present actor services: a novel program logic for defining and verifying response and functional properties of programs which communicate via asynchronous messaging. Actor services can specify how parts of a program respond to messages, both in terms of guaranteed future messages, and relations between the program states in which messages are received and responses sent. These specifications can be composed, so that end-to-end behaviours of parts of a system can be summarised and reasoned about modularly. We provide inference rules for guaranteeing these properties about future execution states without introducing explicit traces or temporal logics. Actor services are ultimately derived from local actor services, which express behaviours of single message handlers. We provide a proof system for verifying local services against an implementation, using a novel notion of obligations to encode the appropriate liveness requirements. Our proof technique ensures that, under weak assumptions about the underlying system (messages may be reordered, but are never lost), as well as termination of individual message handlers, actor services will guarantee suitable liveness properties about a program, which can be augmented by rich functional properties. Our approach supports reasoning about both state kept local to an actor (as in a pure actor model), and shared state passed between actors, using a flexible combination of permissions, immutability and two-state invariants.