A Note On Compliance Relations And Fixed Points∗

Maurizio Murgia
Università degli Studi di Cagliari
[email protected]

M. Bartoletti, L. Henrio, A. Mavridou, A. Scalas (Eds.): 12th Interaction and Concurrency Experience (ICE 2019). EPTCS 304, 2019, pp. 38–47, doi:10.4204/EPTCS.304.3
We study compliance relations between behavioural contracts in a syntax-independent setting based on Labelled Transition Systems. We introduce a fixed-point-based family of compliance relations, and show that many compliance relations appearing in the literature belong to this family.
1 Introduction

Behavioural contracts are abstract descriptions of the external behaviour and interaction scheme of distributed services [17]. They often come together with some compliance relation, which intuitively relates contracts of services whose composition is correct, where the notion of correctness is specific to the application domain [8]. In a related line of research, so-called testing theories are used to study observational equivalence of CCS processes through the concept of passing a test [14]. Roughly, two processes are equivalent if they pass the same sets of tests. Tests are themselves processes, and a process passes a test when its parallel composition with the test enjoys some behavioural property (e.g., must or may reach a successful state). In retrospect, the relation between a process and a passed test can be seen as a compliance relation [18]. A selection of compliance/test relations, and their relative merits and inclusions, has been surveyed in [8] on a common ground based on Labelled Transition Systems. However, there is still a lack of a general unifying theory of compliance relations, which would help to improve current practices in the design and implementation of distributed concurrent systems.
Contribution. This paper is a first step towards a better understanding of the mathematical foundations of compliance relations. The starting point is a simple observation, based on two well-known compliance relations: progress and must compliance. Progress relates contracts whose composition never gets stuck, or terminates in a successful state. Must relates contracts whose composition always terminates in a successful state. Intuitively, there is a duality between progress, which allows infinite behaviour, and must, which is only about finite behaviour. Two standard tools for reasoning about finiteness and infiniteness are, respectively, induction and coinduction, or, equivalently, least and greatest fixed points of monotonic functionals over complete lattices. This paper introduces a family of compliance relations, dubbed fix-compliance relations, defined as the set of fixed points of a simple and natural functional. We show that progress and must are, respectively, the greatest and the least fixed point of such a compliance functional. We also consider other notions of compliance. For instance, should and behavioural compliance, which allow for infinite behaviour but with some limitations, turn out to be intermediate fixed points. Some compliance relations in the literature are not fix-compliance, e.g. IO-compliance and may compliance. However, it turns out that IO-compliance is a post-fixed point, while may is a pre-fixed point.

∗ This work has been partially supported by Aut. Reg. of Sardinia project Smart collaborative engineering. We thank the anonymous reviewers for their useful comments on a previous version of this work.

Synopsis. We start by introducing the contract model and some notation in Section 2. We then define the compliance functional and the concept of fix-compliance in Section 3. In the rest of Section 3 we present several known compliance relations, and we show how they fit the fix-compliance framework. Section 4 discusses related work and concludes. Some representative proofs are relegated to Appendix A.
2 The contract model

In this section we present a model of contracts, following the lines of [8]. Contracts are formalised as states of a Labelled Transition System (LTS) whose labels are partitioned into internal, input, and output actions. All the compliance relations defined later on in Section 3 will be formalised as binary relations between states.

Our treatment is developed within the LTS (U, A_τ, { −ℓ_τ→ | ℓ_τ ∈ A_τ }), where:
• U is the universe of states (ranged over by p, q, ...), also called contracts;
• A_τ (ranged over by ℓ_τ, ℓ′_τ, ...) is the set of labels, partitioned into input actions ?a, ?b, ... ∈ A_?, output actions !a, !b, ... ∈ A_!, and the internal action τ;
• −ℓ_τ→ ⊆ U × U is a transition relation, for all ℓ_τ.

We let ℓ, ℓ′, ... range over A = A_? ∪ A_!. We postulate an involution co(·) on A, such that co(?a) = !a and co(!a) = ?a. The reducts of p are the states reachable from p with a finite sequence of transitions with any label, while the ℓ_τ-reducts of p are the states reachable from p with a finite sequence of transitions with label ℓ_τ. A trace is a (possibly infinite) sequence p_0 −ℓ_τ(1)→ p_1 −ℓ_τ(2)→ ···. A τ-trace is a trace where ℓ_τ(i) = τ for all i (similarly for τ-reduct). We assume that there exists a unique state with no outgoing transitions. Such state is denoted by ✓. Note that, since ✓ is unique, if p is such that p −ℓ_τ↛ for all ℓ_τ, then p = ✓. We interpret ✓ as a correctly terminated state, and we will often refer to ✓ as the success state.

Notation 1. We adopt the following notation:
• R* for the reflexive and transitive closure of a relation R;
• p −ℓ_τ→ when ∃ p′. p −ℓ_τ→ p′. Further, we write p −→ when ∃ ℓ_τ. p −ℓ_τ→;
• for a set L ⊆ A, we define L_? = L ∩ A_? and L_! = L ∩ A_!;
• =⇒ = (−τ→)* is the weak transition relation. We define =ℓ_τ⇒ as =⇒ −ℓ_τ→ =⇒;
• p↓ = { ℓ | p −ℓ→ } are the barbs of p, and p⇓ = { ℓ | p =ℓ⇒ } are its weak barbs;
• p↑ is true when p has an infinite internal computation p −τ→ p_1 −τ→ p_2 −τ→ ···.
The above notation for −→ is extended to =⇒ as expected.

In order to define the parallel composition of contracts, we require some additional structure on U. In particular, we assume U to be closed under a binary operation ‖. Contracts of the form p ‖ q are called compositions, and we refer to the left component p as the client and to the right component q as the server. Compositions where the client is ✓ are called successful, and we refer to the set of all successful compositions as S. Formally, S = { ✓ ‖ p | p ∈ U }. Note that ✓ models success of a single participant, while the elements of S model success of compositions of (at least) two participants. Intuitively, S contains all compositions in which the client is terminated, and so in which the server has successfully satisfied the client. This asymmetric notion can be found in previous work [5]. The semantics of compositions formalises the standard synchronisation à la CCS [20].

Figure 1: Some pairs of contracts. (1) p_1 with outputs !a and !b, q_1 with input ?a; (2) p_2 with a τ-move and output !a, q_2 with input ?a; (3) p_3 with outputs !a, !b and input ?c, q_3 with inputs ?a and ?b; (4) p_4 with output !a, q_4 with input ?a and a τ-move.
Definition 1 (Parallel composition). For all p, q ∈ U, we impose p ‖ q ∈ U. The transition relation of compositions contains all and only the transitions that can be derived with the following rules:

  (1) if p −ℓ_τ→ p′ then p ‖ q −ℓ_τ→ p′ ‖ q
  (2) if q −ℓ_τ→ q′ then p ‖ q −ℓ_τ→ p ‖ q′
  (3) if p −ℓ→ p′ and q −co(ℓ)→ q′ then p ‖ q −τ→ p′ ‖ q′

3 Fix-compliance

In this section we introduce a general class of compliance relations between behaviours, based on the compliance functional C defined below. We then show that many compliance relations in the literature, but not all, fit within this class. Compliance relations in this class have the following properties:
• contracts whose composition is successful are compliant;
• compositions of compliant contracts never get stuck before a successful state is reached;
• compliance is preserved by τ-transitions, until a successful state is reached.
Definition 2. We define the compliance functional C : 2^(U×U) → 2^(U×U) as follows:

  C(x) = S ∪ { (p, q) | p ‖ q −τ→ ∧ (p ‖ q −τ→ p′ ‖ q′ implies (p′, q′) ∈ x) }

We say that a relation R ⊆ U × U is:
• a pre-compliance relation if R is a pre-fixed point of C, that is C(R) ⊆ R;
• a post-compliance relation if R is a post-fixed point of C, that is R ⊆ C(R);
• a fix-compliance relation if R is a fixed point of C, that is R = C(R).

We start by recalling that, by the Knaster-Tarski theorem [22], every monotonic endo-function over a complete lattice has a least fixed point and a greatest fixed point (they may coincide). Furthermore, the least fixed point coincides with the least pre-fixed point, and the greatest fixed point coincides with the greatest post-fixed point. From now on we work on the complete lattice 2^(U×U) ordered by set inclusion. It is easy to verify that C is monotonic with respect to ⊆, that is, for all x, y ⊆ U × U:

  x ⊆ y implies C(x) ⊆ C(y)
Progress compliance. We start by considering the notion of progress, which consists of the absence of deadlocks (on the client side, since we are considering the asymmetric relation). Formally, in Definition 3 we say that a contract p has progress with q (in symbols, p ◁_pg q) iff, whenever a τ-reduct of p ‖ q is stuck, then p has reached the success state.

Definition 3 (Progress). We write p ◁_pg q iff:

  p ‖ q =⇒ p′ ‖ q′ −τ↛ implies p′ = ✓

This notion has been used e.g. in τ-less CCS [13], in session types (both untimed [5] and timed [6]), and in types for CaSPiS [2].

Example 1. Consider the behaviours in Figure 1.
• We have that p_1 ◁_pg q_1: the composition p_1 ‖ q_1 can only τ-reduce through a synchronisation on a, leading to a successful state.
• The composition p_2 ‖ q_2 can only take the τ-move of p_2, and then synchronise on a, going back to the starting state. Therefore, p_2 ◁_pg q_2.
• The composition p_3 ‖ q_3 may τ-reduce through a synchronisation on b, leading to a state which is stuck (no τ-reductions are possible) but unsuccessful (p_3 is not terminated, as she can still perform a ?c action). Therefore, p_3 ⋪_pg q_3.
• The composition p_4 ‖ q_4 can loop taking the τ-move of q_4, or τ-reduce to a successful state through a synchronisation on a. Therefore, p_4 ◁_pg q_4.

It turns out that ◁_pg is the largest fix-compliance.

Proposition 1. ◁_pg is the largest fix-compliance.

An important consequence of Proposition 1 is that all post-compliance relations enjoy the progress property (as defined in Definition 3): indeed, if x is a post-compliance, then, by the Knaster-Tarski Theorem, it follows that x ⊆ ◁_pg.
Must-testing compliance. The notion of compliance in [3] is inspired by must-testing [14]. Must-testing requires a contract to reach success in all (sufficiently long) traces. Formally, we say that a τ-trace r_0 −τ→ r_1 −τ→ ··· is maximal if it is infinite, or if it ends in a state r_n such that r_n −τ↛. A behaviour p is must-testing compliant with q (in symbols, p ◁_mst q) if, in all the maximal τ-traces of p ‖ q, the contract p reaches the state ✓.

Definition 4 (Must-testing compliance). We write p ◁_mst q iff, for all maximal τ-traces p_0 ‖ q_0 −τ→ p_1 ‖ q_1 −τ→ ··· with p_0 = p and q_0 = q: ∃ i ≥ 0. p_i = ✓.

Example 2. Consider the behaviours in Figure 1.
• p_1 ◁_mst q_1: the only maximal τ-trace is p_1 ‖ q_1 −τ→ ✓ ‖ ✓, which contains a composition whose left component is ✓.
• p_2 ⋪_mst q_2: the composition p_2 ‖ q_2 diverges without visiting a successful state.
• p_3 ⋪_mst q_3, basically for the same reason as in Example 1.
• p_4 ⋪_mst q_4: the composition p_4 ‖ q_4 may perpetually loop taking the τ-move of q_4, without visiting any successful state.

Proposition 2. ◁_mst is the least fix-compliance relation.
Should-testing compliance. We now present a notion of compliance inspired by the theory of should-testing [12, 21]. A behaviour p is should-testing compliant with q (in symbols, p ◁_shd q) if, after every possible finite τ-trace of p ‖ q, there exists a subsequent (finite) τ-trace which leads p to the success state.

Definition 5 (Should-testing compliance). We write p ◁_shd q iff:

  p ‖ q =⇒ p′ ‖ q′ implies ∃ q″. p′ ‖ q′ =⇒ ✓ ‖ q″

A notion similar to the one in Definition 5 has been used in [11] (under the name of correct contract composition), and in [1, 7] (where it is named weak termination).

Example 3. Consider the behaviours in Figure 1.
• p_1 ◁_shd q_1: the composition p_1 ‖ q_1 can only τ-reduce through a synchronisation on a, leading to a successful state.
• p_2 ⋪_shd q_2. As noted in Example 2, the composition p_2 ‖ q_2 necessarily diverges, and no successful state is reachable.
• p_3 ⋪_shd q_3, for the same reason as in Examples 1 and 2.
• p_4 ◁_shd q_4. The composition p_4 ‖ q_4 can loop taking the τ-move of q_4, but a successful state is invariantly reachable through a synchronisation on a.

Proposition 3. ◁_shd is a fix-compliance relation.
Behavioural compliance. Definition 6 below formalises in our setting the relation called behavioural compliance in [18, 19]. A contract p is compliant with q (in symbols, p ◁_beh q) if, in every possible τ-reduct p′ ‖ q′ of p ‖ q, two conditions are satisfied: if the reduct is stuck, then p′ has reached success; otherwise, if q′ alone can produce an infinite τ-trace, then p′ must be able to reach success without further synchronisations.

Definition 6 (Behavioural compliance). We write p ◁_beh q iff:

  p ‖ q =⇒ p′ ‖ q′ implies (p′ ‖ q′ −τ↛ implies p′ = ✓) ∧ (q′↑ implies p′ =⇒ ✓)

Example 4. Consider the behaviours in Figure 1.
• p_1 ◁_beh q_1: q_1 does not diverge, and the composition p_1 ‖ q_1 can only τ-reduce through a synchronisation on a, leading to a successful state.
• p_2 ◁_beh q_2: as noted in Example 1, the composition p_2 ‖ q_2 never gets stuck, and q_2 does not diverge.
• p_3 ⋪_beh q_3, for the same reason as in Examples 1 to 3.
• p_4 ⋪_beh q_4: although the composition p_4 ‖ q_4 never gets stuck, q_4 may diverge and p_4 cannot terminate on her own.

Proposition 4. ◁_beh is a fix-compliance.
I/O compliance. In [9], a contract p is considered compliant with q (in symbols, p ◁_io q) if, in every possible τ-reduct p′ ‖ q′ of p ‖ q, the weak outputs of p′ are included in the weak inputs of q′; further, if p′ has no weak outputs but still some weak inputs, then they include the weak outputs of q′.

Definition 7 (I/O compliance). We write p ◁_io q iff p ‖ q =⇒ p′ ‖ q′ implies:

  p′⇓_! ⊆ co(q′⇓_?) ∧ ( (p′⇓_! = ∅ ∧ p′⇓_? ≠ ∅) implies ∅ ≠ q′⇓_! ⊆ co(p′⇓_?) )

Example 5. Consider the behaviours in Figure 1.
• p_1 ⋪_io q_1: p_1⇓_! = {!a, !b} ⊈ {!a} = co(q_1⇓_?).
• p_2 ◁_io q_2: we have that, in every τ-reduct p′ ‖ q′ of p_2 ‖ q_2, p′⇓_! = {!a} and co(q′⇓_?) = {!a}. Therefore both conjuncts of Definition 7 hold.
• p_3 ⋪_io q_3: after a synchronisation on b, a state p′ ‖ q′ is reached. However, p′⇓_! = ∅ and p′⇓_? ≠ ∅, but q′⇓_! = ∅. Therefore, the second conjunct of Definition 7 does not hold.
• p_4 ◁_io q_4: the only reachable states are p_4 ‖ q_4 and ✓ ‖ ✓. As p_4⇓_! = {!a} and co(q_4⇓_?) = {!a}, p_4 ‖ q_4 satisfies the condition of Definition 7. For ✓ ‖ ✓ it holds as well: ✓⇓_! = ∅ = co(✓⇓_?).

It turns out that ◁_io is a post-compliance but not a pre-compliance (and hence not a fix-compliance). To see why it is not a pre-compliance, consider p_1 and q_1 from Figure 1. As noted in Example 5, p_1 ⋪_io q_1. However, p_1 ‖ q_1 −τ→ and its unique τ-reduct is successful, and hence composed of compliant behaviours. Therefore, (p_1, q_1) ∈ C(◁_io).

Proposition 5. ◁_io is a post-compliance relation.
May-testing compliance. In Definition 8, a contract p is said to be may-testing compliant with q (in symbols, p ◁_may q) if there exists a finite τ-trace of p ‖ q which leads p to the success state.

Definition 8 (May-testing compliance). We write p ◁_may q iff ∃ q′. p ‖ q =⇒ ✓ ‖ q′.

Example 6. Consider the behaviours in Figure 1.
• p_1 ◁_may q_1: p_1 ‖ q_1 can reach a successful state after a synchronisation on a.
• p_2 ⋪_may q_2: as noted in Example 3, the composition p_2 ‖ q_2 never reaches any successful state.
• p_3 ◁_may q_3: p_3 ‖ q_3 can reach a successful state after a synchronisation on a.
• p_4 ◁_may q_4: p_4 ‖ q_4 can reach a successful state after a synchronisation on a.

In a sense, may-testing compliance assumes a cooperative scenario: participants pre-agree on their internal choices, and the scheduler only permits the synchronisations leading to success, seen here as a common goal.

It turns out that ◁_may is a pre-compliance relation but not a post-compliance relation (and hence not a fix-compliance). To see why it is not a post-compliance, consider p_3 and q_3 of Figure 1. As noted in Example 6, p_3 ◁_may q_3. However, (p_3, q_3) ∉ C(◁_may): through a synchronisation on b, p_3 ‖ q_3 can reduce to a composition which is neither successful nor composed of may-compliant behaviours.

Proposition 6. ◁_may is a pre-compliance relation.
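The following Python program is an added example, not code from the paper. It encodes my reading of the four contract pairs of Figure 1 as a finite LTS, implements the composition rules of Definition 1 and the compliance functional C of Definition 2, and computes progress and must compliance as the greatest and least fixed points of C (Propositions 1 and 2) by iterating C downwards from the set of all reachable pairs and upwards from the empty relation. Should (Definition 5) and may (Definition 8) compliance are checked directly from their definitions, and `classify` reports whether a relation is a pre- and/or post-fixed point of C on the pairs reachable from a composition, reproducing the observation that may is a pre- but not a post-compliance on pair (3). The state names `p1`, `q1`, ..., the success state name `OK`, the string encoding of labels, and the restriction to the finitely many τ-reducts of a composition are my own conventions, not the paper's.

```python
"""Added example: the compliance functional C of Definition 2 on a finite LTS,
with progress and must computed as its greatest and least fixed points."""

TAU = "tau"
OK = "OK"   # the paper's unique success state: no outgoing transitions

# Constructed encoding of the four pairs of Figure 1 (my reading of the figure).
# A state maps to its transitions; labels are "tau", "!a" (output) or "?a" (input).
LTS = {
    "p1": [("!a", OK), ("!b", OK)],          "q1": [("?a", OK)],                 # pair (1)
    "p2": [(TAU, "p2'")], "p2'": [("!a", "p2")], "q2": [("?a", "q2")],           # pair (2)
    "p3": [("!a", OK), ("!b", "p3'")], "p3'": [("?c", OK)],
    "q3": [("?a", OK), ("?b", OK)],                                              # pair (3)
    "p4": [("!a", OK)],                     "q4": [("?a", OK), (TAU, "q4")],    # pair (4)
    OK: [],
}
PAIRS = [("p1", "q1"), ("p2", "q2"), ("p3", "q3"), ("p4", "q4")]


def co(label):
    """The involution on visible actions: co(?a) = !a and co(!a) = ?a."""
    return ("!" if label[0] == "?" else "?") + label[1:]


def tau_steps(lts, p, q):
    """tau-successors of p || q (Definition 1): an internal move of either side,
    or a synchronisation of p on l with q on co(l)."""
    out = {(p2, q) for lab, p2 in lts[p] if lab == TAU}
    out |= {(p, q2) for lab, q2 in lts[q] if lab == TAU}
    out |= {(p2, q2) for lab, p2 in lts[p] if lab != TAU
            for lab2, q2 in lts[q] if lab2 == co(lab)}
    return out


def reducts(lts, p, q):
    """All tau-reducts of p || q, i.e. the pairs reachable by the weak transition =>."""
    seen, todo = {(p, q)}, [(p, q)]
    while todo:
        for t in tau_steps(lts, *todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def C(lts, x, universe):
    """Compliance functional of Definition 2 restricted to a finite universe of pairs:
    C(x) = S ∪ {(p,q) | p||q can tau-move and every tau-successor lies in x}."""
    result = set()
    for p, q in universe:
        nxt = tau_steps(lts, p, q)
        if p == OK or (nxt and nxt <= x):
            result.add((p, q))
    return result


def fixed_point(lts, universe, start):
    """Iterate C from `start` until it stabilises (the universe is finite, so it does)."""
    x = start
    while (y := C(lts, x, universe)) != x:
        x = y
    return x


def progress(lts, p, q):
    """Greatest fixed point (Proposition 1): iterate downwards from all reachable pairs."""
    u = reducts(lts, p, q)
    return (p, q) in fixed_point(lts, u, set(u))


def must(lts, p, q):
    """Least fixed point (Proposition 2): iterate upwards from the empty relation."""
    u = reducts(lts, p, q)
    return (p, q) in fixed_point(lts, u, set())


def may(lts, p, q):
    """Definition 8, checked directly: some tau-reduct of p || q is successful."""
    return any(p2 == OK for p2, _ in reducts(lts, p, q))


def should(lts, p, q):
    """Definition 5, checked directly: from every tau-reduct a successful state is reachable."""
    return all(may(lts, p2, q2) for p2, q2 in reducts(lts, p, q))


def classify(lts, relation, p, q):
    """Where `relation` sits with respect to C on the pairs reachable from p || q:
    returns (is_pre_fixed_point, is_post_fixed_point), i.e. (C(R) ⊆ R, R ⊆ C(R))."""
    u = reducts(lts, p, q)
    r = {s for s in u if relation(lts, *s)}
    cr = C(lts, r, u)
    return cr <= r, r <= cr


def table(lts=LTS):
    """(progress, must, should, may) for each pair of Figure 1."""
    return {pair: (progress(lts, *pair), must(lts, *pair), should(lts, *pair), may(lts, *pair))
            for pair in PAIRS}


if __name__ == "__main__":
    for pair, res in table().items():
        print(pair, dict(zip(("progress", "must", "should", "may"), res)))
    print("may on pair (3): (pre-fixed point, post-fixed point) =", classify(LTS, may, "p3", "q3"))
```

Restricting the iteration to the τ-reducts of one composition is sound because that set is closed under τ-successors, and membership of (p, q) in C(x) depends only on the τ-successors of p ‖ q; so the least and greatest fixed points computed on the reachable pairs agree with the paper's fixed points over the whole universe on those pairs. The output matches Examples 1, 2, 3 and 6: pair (3) fails progress, pairs (2) and (4) fail must, and may on pair (3) is a pre- but not a post-fixed point of C.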
4 Related work and conclusions

Behavioural contracts and compliance relations have been studied in several works and contexts, e.g. service-oriented computing [2, 3, 11, 13, 18, 19, 1] and session types [5, 6, 9]. Testing preorders have been studied in [14, 18, 21]. The definition of testing compliance in this work is slightly different from the classical ones [14, 18, 21]: there, the successful states are those that can emit the special label e. Following [8], we consider ✓ as the success state. This makes our treatment simple and uniform. The work [8] presents a taxonomy of compliance relations in a general setting based on LTS similar to the one used in this paper, but it also studies certain subclasses of the model, which correspond to known contract models or process algebras: session types [16], τ-less CCS [15], contract automata [10] and interface automata [4]. Our work, instead, studies only the full model, focusing on the mathematical foundations and revealing the important role of the compliance functional C. Among the compliance relations surveyed in [8], only IA-compliance (inspired by Interface Automata compatibility) does not seem to be related to C in any way. This seems due to the fact that Interface Automata, being naturally suited for modelling systems composed of many components, do not fit well our binary setting.

We have introduced a family of compliance relations, showing how different treatments of divergence in distributed systems correspond to different fixed points of a general functional. In particular:
• Must compliance, which disallows any form of divergence, is the least fixed point of C.
• Should compliance relates contracts whose composition may diverge, but only if a successfully terminated state is always reachable. In a sense, should assumes fairness (but not full cooperation) of participants and the scheduler to reach a success state. This form of fairness is captured as an intermediate fixed point of C.
• Behavioural compliance relates contracts whose composition may diverge, but forbids situations in which divergence of the server prevents the client from successfully terminating. In this case the server is considered adversarial. Also this compliance is an intermediate fixed point of C.
• Progress compliance allows any form of divergence, and is indeed the greatest fixed point of C.

We have shown two examples of compliance relations appearing in the literature that are not fixed points of C, but turn out to be pre- or post-fixed points of it. Post-compliance relations, like IO-compliance, still guarantee the good behavioural properties reported in Section 3, namely stuck-freedom and preservation of compliance by τ-reduction, but somehow relate fewer contracts than expected. In the specific case of IO-compliance, this is caused by the asymmetric treatment of outputs and inputs. The case of may compliance is quite enigmatic: may compliance, being "cooperative" in nature [8], is out of the scope of fix-compliance relations, which are biased towards the non-cooperative scenario, but still may is a pre-compliance, and so fits somehow in our setting. It is still unclear to us whether this can lead to useful consequences, or whether it holds just by coincidence.

A possible future direction is the study of cooperative compliance relations through fixed points. For instance, we would expect may compliance to be the least fixed point of some suitable functional. We expect the greatest fixed point of such a functional to be a kind of cooperative progress, relating contracts whose composition produces at least one execution which is infinite or terminates in a successful state. An interesting but challenging future direction is characterising the subcontract preorders [13] induced by fix-compliance relations.

References

[1] Wil M. P. van der Aalst, Niels Lohmann, Peter Massuthe, Christian Stahl & Karsten Wolf (2010):
Multi-party Contracts: Agreeing and Implementing Interorganizational Processes. Comput. J.
[2] A Type System for Client Progress in a Service-Oriented Calculus. In: Concurrency, Graphs and Models, Essays Dedicated to Ugo Montanari on the Occasion of His 65th Birthday, pp. 642–658, doi:10.1007/978-3-540-68679-8_40.
[3] Lucia Acciai, Michele Boreale & Gianluigi Zavattaro (2010): Behavioural Contracts with Request-Response Operations. In: Proc. COORDINATION, pp. 16–30, doi:10.1007/978-3-642-13414-2_2.
[4] Luca de Alfaro & Thomas A. Henzinger (2001): Interface automata. In: Proc. ACM SIGSOFT, pp. 109–120, doi:10.1145/503209.503226.
[5] Franco Barbanera & Ugo de'Liguoro (2015): Sub-behaviour relations for session-based client/server systems. Mathematical Structures in Computer Science.
[6] Timed Session Types. Logical Methods in Computer Science.
[7] Lending Petri nets. Sci. Comput. Program.
[8] Compliance in Behavioural Contracts: A Brief Survey. In: Programming Languages with Applications to Biology and Security, Lecture Notes in Computer Science.
[9] A Semantic Deconstruction of Session Types. In: Proc. CONCUR, pp. 402–418, doi:10.1007/978-3-662-44584-6_28.
[10] Davide Basile, Pierpaolo Degano & Gian Luigi Ferrari (2014): Automata for Analysing Service Contracts. In: Proc. TGC, pp. 34–50, doi:10.1007/978-3-662-45917-1_3.
[11] Mario Bravetti & Gianluigi Zavattaro (2007): Contract Based Multi-party Service Composition. In: Proc. FSEN, LNCS.
[12] Fair Testing. In: Proc. CONCUR, pp. 313–327, doi:10.1007/3-540-60218-6_23.
[13] Giuseppe Castagna, Nils Gesbert & Luca Padovani (2009): A theory of contracts for Web services. ACM TOPLAS.
[14] Testing Equivalences for Processes. Theor. Comput. Sci.
[15] CCS without tau's. In: Proc. TAPSOFT, pp. 138–152, doi:10.1007/3-540-17660-8_53.
[16] Kohei Honda, Vasco T. Vasconcelos & Makoto Kubo (1998): Language Primitives and Type Disciplines for Structured Communication-based Programming. In: Proc. ESOP, LNCS.
[17] Foundations of Session Types and Behavioural Contracts. ACM Comput. Surv.
[18] The Must Preorder Revisited. In: Proc. CONCUR, pp. 212–225, doi:10.1007/978-3-540-74407-8_15.
[19] Cosimo Laneve & Luca Padovani (2015): An algebraic theory for Web service contracts. Formal Aspects of Computing, pp. 1–28, doi:10.1007/s00165-015-0334-2.
[20] Robin Milner (1989): Communication and concurrency. Prentice-Hall, Inc.
[21] Arend Rensink & Walter Vogler (2007): Fair testing. Information and Computation.
[22] A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. (2), pp. 285–309, doi:10.2140/pjm.1955.5.285. Available at http://projecteuclid.org/euclid.pjm/1103044538.

A Proofs
Proof of Proposition 2 on page 41

Proof. According to the Knaster-Tarski theorem, it suffices to show that ◁_mst is the least pre-fixed point of C. In turn, this can be proved by showing that must is a pre-fixed point of C, and that any other pre-fixed point of C is larger than ◁_mst.

• For the first part, we have to show that C(◁_mst) ⊆ ◁_mst. So, let (p, q) ∈ C(◁_mst). If (p, q) ∈ S, it must be p = ✓, and so for every maximal τ-trace p_0 ‖ q_0 −τ→ p_1 ‖ q_1 −τ→ ..., with p_0 = p and q_0 = q, there is i such that p_i = ✓: just take i = 0. If (p, q) ∉ S, by definition of C, we have that p ‖ q −τ→, and, for all p′ ‖ q′ such that p ‖ q −τ→ p′ ‖ q′, it holds that p′ ◁_mst q′ (1). Let p_0 ‖ q_0 −τ→ p_1 ‖ q_1 −τ→ ... be a maximal trace with p_0 = p and q_0 = q. Note that, by (1), it holds that p_1 ◁_mst q_1. Therefore, the maximal trace p_1 ‖ q_1 −τ→ ... eventually reaches a state whose left contract is ✓, and thus so does the trace p_0 ‖ q_0 −τ→ p_1 ‖ q_1 −τ→ ..., as required.

• For the second part, let X be a pre-fixed point of C, i.e. C(X) ⊆ X. We have to show ◁_mst ⊆ X. So, let p ◁_mst q. If p = ✓, it must be (p, q) ∈ S, and so, by definition of C, it follows that (p, q) ∈ C(X). Since C(X) ⊆ X by assumption, we have that (p, q) ∈ X, as required. If p ≠ ✓, first note that it must be p ‖ q −τ→. Indeed, if this were not the case, the only maximal τ-trace starting from p ‖ q would be p ‖ q (seen as a singleton trace), which of course does not reach a success state, as p is not ✓ by assumption. Now suppose, by contradiction, (p, q) ∉ X. Note that, since C(X) ⊆ X, it must be (p, q) ∉ C(X). Therefore, by definition of C, there must be (p_1, q_1) ∉ X such that p ‖ q −τ→ p_1 ‖ q_1. As before, (p_1, q_1) ∉ C(X). Iterating the argument again and again, we can construct an infinite maximal τ-trace p_0 ‖ q_0 −τ→ p_1 ‖ q_1 −τ→ ... (with p_0 = p and q_0 = q) such that (p_i, q_i) ∉ C(X) for all i. Then, since S ⊆ C(X) by definition of C, it must be (p_i, q_i) ∉ S for all i. Then, there is a maximal τ-trace starting from p ‖ q that does not reach a success state, contradicting the hypothesis that p ◁_mst q.

Proof of Proposition 5 on page 43
Proof. We have to show that ◁_io ⊆ C(◁_io). So, let p ◁_io q. The case where p = ✓ is immediate, as (p, q) ∈ S ⊆ C(◁_io). For the remaining case p ≠ ✓, we have to show that p ‖ q −τ→ and that for all p′, q′ such that p ‖ q −τ→ p′ ‖ q′ it holds that p′ ◁_io q′. Since p ≠ ✓, it must be p −ℓ_τ→ for some ℓ_τ. So, if ℓ_τ = τ, the thesis follows by the first rule of parallel composition. If ℓ_τ ∈ A_!, then ℓ_τ ∈ p⇓_! and so, by the first conjunct in the definition of ◁_io, we have that p⇓_! ⊆ co(q⇓_?). Therefore, q =co(ℓ_τ)⇒. If the first transition of such a reduction is τ, the thesis follows by an application of the second rule of parallel composition. If the first transition is ℓ_τ, the thesis follows by an application of the third rule. In the remaining case ℓ_τ ∈ A_?, we have that ℓ_τ ∈ p⇓_? ≠ ∅. So, if p⇓_! ≠ ∅, we can conclude similarly to the previous case. If p⇓_! = ∅, by the second conjunct in the definition of ◁_io, we can conclude that co(ℓ_τ) ∈ p⇓_?. We can then conclude similarly to the previous case. It remains to show that for all p′, q′ such that p ‖ q −τ→ p′ ‖ q′ it holds p′ ◁_io q′. But this follows immediately by the definition of ◁_io, because p′ ‖ q′ is a τ-reduct of p ‖ q.