Specifying computations using hyper transition systems

Marcello M. Bonsangue and Joost N. Kok
Department of Computer Science, Rijks Universiteit Leiden
P.O. Box 9512, 2300 RA Leiden, The Netherlands

June 3, 1997

Abstract
We study hyper transition systems as a formalism to give semantics to specification languages like the specification language of Back's refinement calculus. These languages support both unbounded angelic and unbounded demonic non-determinism as well as recursion. Hyper transition systems are suited for the specification of computations by means of properties that atomic steps in a computation have to satisfy. Hyper transition systems are a generalization of transition systems in the sense that they relate configurations to sets of configurations. They are a natural formalism to describe the two kinds of non-determinism in a single framework: the angelic non-determinism `inside' the transition, and the demonic non-determinism as a choice between different transitions. We relate hyper transition systems to standard transition systems. We define a way to collect information from hyper transitions by a kind of transitive closure on the hyper transition relation. As an application we present a hyper transition system for a small specification language. The hyper transition system is used to give an operational semantics to the language. We give a fixed point equation of which the operational semantics is the least fixed point, and we show that the operational semantics is compositional and that it is equivalent to the standard weakest precondition semantics. Hyper transition systems can also be interpreted as a game between two parties. We describe this interpretation briefly and, for the game induced by our specification language, relate it to the standard weakest precondition semantics. Then we discuss how to extend specification languages with a form of concurrency. We give hyper transition rules for an interleaving operator, and generalize the notion of simulation to hyper transition systems.
1 Introduction

In this paper we study operational semantics for specification languages based on hyper transition systems. By specification languages we mean languages that include specification constructs like angelic choice or unbounded non-determinism. Such specification languages are useful as a starting point for program refinement [BW90]: in a typical program development by refinement, one starts from a program in a specification language and develops, in correctness-preserving steps, a program that is efficiently executable on a target architecture. One of the well-known specification languages is the language of the refinement calculus [BW96]. For this language several semantic models based on input/output relations have been proposed, including a weakest precondition semantics and a game-theoretic semantics based on a transition system. We use hyper transition systems because they provide a natural way to define operational semantics with both angelic and demonic non-determinism. As an application we present a hyper transition system and associated operational semantics for the specification language of the refinement calculus. From this operational semantics we derive a weakest precondition semantics which coincides with the ordinary semantics of the refinement calculus [Bac80]. Working with a hyper transition system has the advantage that we can follow the computation step-by-step. Hence it is possible to introduce interleaving operators in the specification languages, and to define a notion of simulation needed for a compositional semantical treatment of the interleaving operator.

Next we discuss the main differences between our approach and other semantic models for the refinement calculus. Our operational interpretation differs in the following aspects from the game semantics of Back and Von Wright [BW96] and the game semantics of Hesselink [Hes94]. Back and Von Wright define a game interpretation of the commands of the refinement calculus using a standard transition system. A transition step corresponds to a move in the game. A configuration is said to be angelic if only the angel can make a move and is said to be demonic otherwise. This suggests a close relation to our hyper transition system model. However, every sequence of transitions in the game interpretation of Back and Von Wright is finite (in fact infinite plays are not possible), whereas we also allow infinite sequences. The game semantics for the refinement calculus given by Hesselink uses hyper transition systems which allow for infinite games. However, both the hyper transition system induced by the refinement calculus and the way of collecting the information from it are different from our operational approach. Also, our game interpretation of the refinement calculus differs from both the game semantics of Back and Von Wright [BW96] and the game semantics of Hesselink [Hes94]. The main difference is that our games are not symmetric (and therefore we do not have to take sides): the angel always makes the first move. The goal of the angel is different from the goal of the demon. Moreover, the angel and the demon take turns, whereas in the other game interpretations the choice of the player who plays depends on the configuration the game is in.

The outline of the rest of the paper is as follows. The next section introduces hyper transition systems. Then in section three an operational semantics for a specification language with recursion is given, and related to the weakest precondition semantics. Section four discusses a game semantics, and in section five we introduce transition rules for an interleaving operator, and a notion of simulation for hyper transition systems.

Acknowledgments: The authors are grateful to all the members of the Amsterdam Concurrency Group, headed by Jaco de Bakker, and to Henk Goeman for comments and discussions. Thanks also to Michael Mislove and Wim Hesselink for their suggestions to improve this paper, and to Ralph Back for various discussions on the subject of this paper.
2 Transition systems and hyper transition systems

Transition systems are a useful mathematical structure to describe the atomic steps of a computation of a program [Plo81].
2.1. Definition. A transition system with deadlock is a tuple $\langle X, \delta, \to\rangle$ where $X$ is the set of all proper configurations for a program, $\delta \notin X$ denotes a deadlock configuration, and ${\to} \subseteq (X \times X) \cup (X \times \{\delta\})$ is a transition relation.

The idea is that configurations represent states of a computation, whereas a transition $x \to y$ (read `$x$ goes to $y$') indicates a possible atomic step which a computation can do, changing the configuration $x$ into the configuration $y$. If $x \to \delta$ then the computation in the configuration $x$ may deadlock. If there is no $y \in X \cup \{\delta\}$ such that $x \to y$ then the computation is undefined in the configuration $x$. Essentially, a computation can be undefined in a configuration $x$ either because it terminates successfully or because it aborts.

Let us now be more precise about what we mean by `computation'. Let $T = \langle X, \delta, \to\rangle$ be a transition system, $F \subseteq X$ be a set of final configurations, and $x \in X$. Define a finite computation of $T$ starting at $x$ to be a finite sequence $(x_n)_{n \le k}$ in $X \cup \{\delta\}$ such that (i) $x = x_0$, (ii) $x_n \to x_{n+1}$ for all $n < k$, and (iii) for all $y \in X \cup \{\delta\}$ there is no transition $x_k \to y$ in $T$.

A finite computation $(x_n)_{n \le k}$ of $T$ starting at $x_0$ is terminating in the configuration $x_k$ if either $x_k \in F$ or $x_k = \delta$; otherwise the computation is undefined. Not every computation of a program needs to be finite. An infinite computation of $T$ starting at $x$ is a countable sequence $(x_n)_{n \in \mathbb{N}}$ in $X$ such that (i) $x = x_0$, and (ii) $x_n \to x_{n+1}$ for all $n \in \mathbb{N}$. In general, a computation of a transition system $T$ is a finite or infinite computation of $T$. In other words, a computation of $T$ is a transition sequence of $T$ that cannot be extended.

To specify sets of computations by means of the properties that their atomic steps have to satisfy, hyper transition systems can be used. Hyper transition systems occur under the name of AND/OR graphs or hyper-graphs in logic programming and artificial intelligence [Nil82].

2.2. Definition. A hyper transition system is a pair $H = \langle X, \Rightarrow\rangle$ where $X$ is the collection of all possible configurations in which a computation is allowed to work, and ${\Rightarrow} \subseteq X \times \mathcal{P}(X)$ is a transition relation which specifies the atomic steps of a computation.

A hyper transition system specifies a set of computations by specifying their atomic steps. The idea is that a computation specified by a hyper transition system $H = \langle X, \Rightarrow\rangle$ can change a configuration $x$ into a configuration $y$ if the configuration $y$ satisfies all, and at least one, of the predicates $W \subseteq X$ such that $x \Rightarrow W$ (read `$x$ goes into $W$'). More formally, the set of all computations specified by a hyper transition system $H$ can be modeled by the following transition system $TS(H)$.

2.3. Definition. For a hyper transition system $H = \langle X, \Rightarrow\rangle$ define the induced transition system $TS(H) = \langle X, \delta, \to\rangle$ by
\[
x \to \delta \iff \bigcap\{W \mid x \Rightarrow W\} = \emptyset,
\]
\[
x \to y \iff (\exists W : x \Rightarrow W) \;\&\; y \in \bigcap\{W \mid x \Rightarrow W\},
\]
for all $x, y \in X$.

A computation of $TS(H)$ (or, equivalently, a computation that satisfies the specification of the hyper transition system $H$) in a configuration $x$ has four possibilities with respect to a set $F \subseteq X$ of final configurations:
1. it terminates in a deadlock configuration because there is no configuration $y \in X$ satisfying all predicates $W \subseteq X$ such that $x \Rightarrow W$;
2. it terminates because $x \in F$ and there is no predicate $W \subseteq X$ such that $x \Rightarrow W$;
3. it is undefined because $x \notin F$ and there is no predicate $W \subseteq X$ such that $x \Rightarrow W$;
4. it goes to a configuration $y$ satisfying all predicates $W \subseteq X$ such that $x \Rightarrow W$.

Observe that, by definition, exactly one of the above four possibilities applies. Indeed, for every $x \in X$, if $x \Rightarrow W$ then either $x \to \delta$ or there exists $y \in W$ such that $x \to y$. Conversely, there exists $W \subseteq X$ such that $x \Rightarrow W$ only if either $x \to \delta$ or $x \to y$ (and in this case $y \in W$). It follows that a computation specified by a hyper transition system $H$ either terminates or is undefined in a configuration $x$ if and only if there is no $W \subseteq X$ such that $x \Rightarrow W$.

Under the above interpretation of hyper transition systems it is natural to consider hyper transition systems such that the transition relation $\Rightarrow$ is upper closed on the right hand side, that is,
\[
x \Rightarrow V \;\&\; V \subseteq W \quad\text{implies}\quad x \Rightarrow W. \tag{1}
\]
Essentially, the above closure property is due to the fact that $V \subseteq W$ if and only if $V = V \cap W$. No extra information is added by upper closing the right hand side of the transition relation of a hyper transition system.
Hyper transition systems specify computations at the level of the properties that an atomic step has to satisfy, whereas transition systems specify computations at the level of the configurations that an atomic step may reach. Because of this difference a hyper transition system $H = \langle X, \Rightarrow\rangle$ can model two different kinds of non-determinism: one at the level of the computations specified and one at the level of the specification. The non-determinism of the computations specified by $H$ in a configuration $x$ depends on all the sets $W \subseteq X$ such that $x \Rightarrow W$: the bigger these sets, the more computations are specified. The non-determinism of the specification depends on the number of transitions starting from the same configuration: the more non-deterministic a specification is, the fewer computations it specifies. In the next section we will see that the non-determinism of the specification is related to angelic non-determinism, and the non-determinism of the computations is related to demonic non-determinism.

First we compare hyper transition systems to transition systems. We have already seen that a hyper transition system $H$ induces a transition system $TS(H)$ representing all the computations specified by $H$. Clearly, different hyper transition systems can specify the same sets of computations. Conversely, every transition system $T$ induces a canonical hyper transition system $HTS(T)$ which specifies exactly all computations of $T$.
2.4. Definition. For a transition system $T = \langle X, \delta, \to\rangle$ define the hyper transition system $HTS(T) = \langle X, \Rightarrow\rangle$ by putting $x \Rightarrow W$ if and only if
\[
x \to \delta \quad\text{or}\quad (\exists y \in X : x \to y) \;\&\; (\forall y \in X : x \to y \text{ implies } y \in W)
\]
for every $x \in X$ and $W \subseteq X$. The computations specified by $HTS(T)$ coincide with the computations of $T$. This is a consequence of the following lemma.
2.5. Lemma. Let $T = \langle X, \delta, \to\rangle$ be a transition system with deadlock. Then $TS(HTS(T)) = T$.

Which are the hyper transition systems that are in one-to-one correspondence with transition systems? In order to characterize them, notice that, for every transition system $T = \langle X, \delta, \to\rangle$, the transition relation $\Rightarrow$ of the hyper transition system $HTS(T)$ is upper closed on the right hand side and it satisfies the following property:
\[
\exists W \subseteq X : x \Rightarrow W \quad\text{implies}\quad x \Rightarrow \bigcap\{V \subseteq X \mid x \Rightarrow V\} \tag{2}
\]
for every $x \in X$.

2.6. Lemma. Let $H = \langle X, \Rightarrow\rangle$ be a hyper transition system satisfying (2) and such that the relation $\Rightarrow$ is upper closed on the right hand side. Then $HTS(TS(H)) = H$.
A hyper transition system can describe two different kinds of non-determinism in a single framework. In the next sections we will show that this allows for a compositional specification of a computation in terms of the properties that the atomic steps of the computation have to satisfy.
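The constructions $TS(H)$ and $HTS(T)$ of Definitions 2.3 and 2.4, and the round trips of Lemmas 2.5 and 2.6, can be checked mechanically on finite systems. The following Python is an added example, not code from the paper: it represents a transition system as a set of pairs, a hyper transition system as a set of (configuration, frozenset) pairs, and writes the deadlock configuration $\delta$ as the string DEADLOCK. The sample systems X, T and H_ANGELIC are constructed for the illustration.

```python
from itertools import combinations

# Added example, not from the paper: finite transition systems and hyper
# transition systems as Python sets, with TS(H) (Definition 2.3) and HTS(T)
# (Definition 2.4) computed by brute force over the powerset of X.

DEADLOCK = "delta"   # stands for the deadlock configuration delta (not a member of X)


def subsets(X):
    """All subsets of a finite set X, as frozensets."""
    xs = sorted(X)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]


def upper_close(X, hyper):
    """Close a hyper transition relation on the right hand side, property (1)."""
    return frozenset((x, W) for (x, V) in hyper for W in subsets(X) if V <= W)


def ts_of_hts(X, hyper):
    """TS(H) of Definition 2.3.  x -> delta iff the intersection of all W with
    x => W is empty; x -> y iff some W exists and y lies in all of them.
    A configuration without any W gets no transition at all (undefined)."""
    trans = set()
    for x in X:
        Ws = [W for (z, W) in hyper if z == x]
        if not Ws:
            continue
        common = frozenset.intersection(*Ws)
        if not common:
            trans.add((x, DEADLOCK))
        for y in common:
            trans.add((x, y))
    return frozenset(trans)


def hts_of_ts(X, trans):
    """HTS(T) of Definition 2.4: x => W iff x -> delta, or x has at least one
    successor in X and every successor of x lies in W."""
    hyper = set()
    for x in X:
        succ = {y for (z, y) in trans if z == x and y != DEADLOCK}
        deadlocks = (x, DEADLOCK) in trans
        for W in subsets(X):
            if deadlocks or (succ and succ <= W):
                hyper.add((x, W))
    return frozenset(hyper)


def satisfies_2(X, hyper):
    """Property (2): whenever x => W for some W, also x => intersection{V | x => V}."""
    for x in X:
        Ws = [W for (z, W) in hyper if z == x]
        if Ws and (x, frozenset.intersection(*Ws)) not in hyper:
            return False
    return True


# Constructed sample: a -> b, a -> c, b deadlocks, c is undefined (terminates or aborts).
X = frozenset("abc")
T = frozenset({("a", "b"), ("a", "c"), ("b", DEADLOCK)})

# An "angelic" hyper system: a may go into {b} or into {c}, but never into both jointly.
H_ANGELIC = upper_close(X, {("a", frozenset("b")), ("a", frozenset("c"))})


def round_trip_ts(X, trans):
    """Lemma 2.5: TS(HTS(T)) == T."""
    return ts_of_hts(X, hts_of_ts(X, trans)) == trans


def round_trip_hts(X, hyper):
    """Lemma 2.6 holds only under (2) plus upper closure; returns HTS(TS(H)) == H."""
    return hts_of_ts(X, ts_of_hts(X, hyper)) == hyper


if __name__ == "__main__":
    print("TS(HTS(T)) == T:", round_trip_ts(X, T))
    print("HTS(T) satisfies (2):", satisfies_2(X, hts_of_ts(X, T)))
    print("angelic H satisfies (2):", satisfies_2(X, H_ANGELIC))
    print("TS(angelic H):", sorted(ts_of_hts(X, H_ANGELIC)))
    print("HTS(TS(H)) == H for angelic H:", round_trip_hts(X, H_ANGELIC))
```

The angelic sample shows why (2) matters: the two transitions from a have an empty common part, so the induced $TS$ reads them as a deadlock, and $HTS(TS(H))$ then relates a to every subset, which differs from $H$; the system $HTS(T)$ built from an ordinary transition system satisfies (2) and survives the round trip.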
3 Operational semantics for a specification language

We now consider a language $L$ with the specification constructs of the refinement calculus [Bac80]. The language has two conditionals `$B!$' and `$\{B\}$', a state transformer command `$\langle f\rangle$', sequential composition `$;$', angelic choice `$\bigvee_I$', demonic choice `$\bigwedge_I$', and recursion through procedure variables. The main difference with the language of the refinement calculus is that we have procedure variables in the language.
3.1. Definition. Let $St$ be a set of states and let $PVar$ be a set of procedure variables.
(i) The class $(S \in)\ Stat$ of statements is given by
\[
S ::= B! \;\mid\; \{B\} \;\mid\; \langle f\rangle \;\mid\; x \;\mid\; \bigvee_I S_i \;\mid\; \bigwedge_I S_i \;\mid\; S ; S
\]
where $B \subseteq St$, $f : St \to St$, $x \in PVar$, and $I$ is an arbitrary set.
(ii) A declaration is a function $d \in Decl = PVar \to Stat$.
(iii) A command in the language $L$ is a pair $\langle d, S\rangle$, where $d$ is a declaration in $Decl$ and $S$ a statement in $Stat$.
The language $L$ is a proper class since the index set $I$ in the $\bigvee$ and $\bigwedge$ constructs can be any set. One way of circumventing the use of proper classes is to impose a limit (which can be an arbitrary cardinal) on the size of the index sets $I$ that are used in the $\bigvee$ and $\bigwedge$ constructs. We can then form an inductive hierarchy of syntactic terms indexed by the ordinals. By fixing a regular cardinal which is larger than the cardinalities of the set of states, of the set of procedure variables, and of the limit imposed on the index sets of $\bigvee$ and $\bigwedge$, it is straightforward to show that the cardinality of $L$ is bounded by that cardinal. For more details on this kind of argument, see [MRS95].

We give the semantics of the language $L$ by means of a hyper transition system. A semantics based on an ordinary transition system can be derived by considering the transition system induced by the hyper transition system below. We consider configurations to be either states in $St$, representing the final outcomes of the computations, or pairs $\langle S, s\rangle$ where $s \in St$ is a possible initial or intermediate state of a computation and $S \in Stat$ is the specification of the remainder of the computation to be executed. A finite computation which terminates in a configuration $\langle S, s\rangle \in Stat \times St$ is undefined.
3.2. Definition. Let $(c \in)\ Conf = (Stat \times St) \cup St$ be the collection of configurations and define, for every declaration $d : PVar \to Stat$, the hyper transition system $\langle Conf, \Rightarrow_d\rangle$ by taking $\Rightarrow_d$ to be the least relation between configurations in $Conf$ and subsets of configurations of $Conf$ satisfying the following axioms and rules:
\[
\langle B!, s\rangle \Rightarrow_d W \quad\text{if } s \in B \text{ implies } s \in W
\]
\[
\langle \{B\}, s\rangle \Rightarrow_d W \quad\text{if } s \in B \cap W
\]
\[
\langle \langle f\rangle, s\rangle \Rightarrow_d W \quad\text{if } f(s) \in W
\]
\[
\langle x, s\rangle \Rightarrow_d W \quad\text{if } \langle d(x), s\rangle \in W, \text{ for } x \in PVar
\]
\[
\frac{\langle S_i, s\rangle \Rightarrow_d W}{\langle \bigvee_I S_i, s\rangle \Rightarrow_d W} \quad\text{if } i \in I
\]
\[
\frac{\{\langle S_i, s\rangle \Rightarrow_d W_i \mid i \in I\}}{\langle \bigwedge_I S_i, s\rangle \Rightarrow_d \bigcup\{W_i \mid i \in I\}}
\]
\[
\frac{\langle S_1, s\rangle \Rightarrow_d W}{\langle S_1 ; S_2, s\rangle \Rightarrow_d \{\langle S_2, t\rangle \mid t \in W \cap St\} \cup \{\langle S_1' ; S_2, t\rangle \mid \langle S_1', t\rangle \in W\}}
\]
An explanation is in order here. According to our interpretation of hyper transition systems, the command $\langle d, B!\rangle$ specifies a computation that, when started at input $s \in B$, terminates in one step with the state $s$ as the only outcome, because $\langle B!, s\rangle \Rightarrow_d \{s\}$. However, if the computation is started at input $s \notin B$ then it must deadlock, because $\langle B!, s\rangle \Rightarrow_d \emptyset$. The command $\langle d, \{B\}\rangle$ is similar except that the computations specified by $\langle d, \{B\}\rangle$ are undefined at input $s \notin B$, because no transition is possible from the configuration $\langle \{B\}, s\rangle$. The command $\langle d, \langle f\rangle\rangle$ specifies a computation that at input $s$ terminates in one step, with as only output the state $f(s)$ (because $\langle \langle f\rangle, s\rangle \Rightarrow_d \{f(s)\}$). The command $\langle d, x\rangle$ specifies a computation that at input $s$ goes to the configuration $\langle d(x), s\rangle$ (because $\langle x, s\rangle \Rightarrow_d \{\langle d(x), s\rangle\}$).

The command $\langle d, \bigvee_I S_i\rangle$ specifies those computations which are specified by all $\langle d, S_i\rangle$ for $i \in I$. It increases the non-determinism of the specification and hence restricts the non-determinism of the computations. For example, if $\langle S_1, s\rangle \Rightarrow_d \{c_1, c_2\}$ and $\langle S_2, s\rangle \Rightarrow_d \{c_1, c_3\}$ then $\langle S_1 \vee S_2, s\rangle \Rightarrow_d \{c_1, c_2\}$ and $\langle S_1 \vee S_2, s\rangle \Rightarrow_d \{c_1, c_3\}$. Hence $\langle d, S_1 \vee S_2\rangle$ specifies the computation which at input $s$ reaches the configuration $c_1$. The computations specified by $\langle d, \bigvee_I S_i\rangle$ are undefined at input $s$ only if the computations specified by all $\langle d, S_i\rangle$ for $i \in I$ are undefined at input $s$. The computations specified by $\langle d, \bigvee_I S_i\rangle$ must deadlock at input $s$ if there is one $\langle d, S_k\rangle$ for $k \in I$ which specifies a computation which must deadlock.

The command $\langle d, \bigwedge_I S_i\rangle$ increases the non-determinism at the level of the specified computations. It specifies computations which behave as any of the computations specified by $\langle d, S_i\rangle$ for $i \in I$. For example, if $\langle S_1, s\rangle \Rightarrow_d \{c_1\}$ and $\langle S_2, s\rangle \Rightarrow_d \{c_2\}$ then $\langle S_1 \wedge S_2, s\rangle \Rightarrow_d \{c_1, c_2\}$. Thus $\langle d, S_1 \wedge S_2\rangle$ specifies, among others, the computation which at input $s$ may choose to go either to the configuration $c_1$ or to the configuration $c_2$. Dually to the command $\langle d, \bigvee_I S_i\rangle$, the computations specified by $\langle d, \bigwedge_I S_i\rangle$ are undefined at input $s$ if there is one $\langle d, S_k\rangle$ for $k \in I$ which specifies a computation undefined at input $s$. Also, the computations specified by $\langle d, \bigwedge_I S_i\rangle$ must deadlock at input $s$ only if the computations specified by all $\langle d, S_i\rangle$ for $i \in I$ must deadlock at input $s$.

Finally, the command $\langle d, S_1 ; S_2\rangle$ specifies computations that at input $s$ may either deadlock, or go to a configuration $\langle S_2, s'\rangle$ if $S_1$ specifies a computation which at input $s$ terminates in a state $s'$, or go to a configuration $\langle S ; S_2, s'\rangle$ if $S_1$ specifies a computation which at input $s$ may go to a state $s'$ with $\langle d, S\rangle$ the command specifying the remainder of the computation to be executed.

Notice that because of angelic non-determinism, the hyper transition system $\langle Conf, \Rightarrow_d\rangle$ does not satisfy (2). Also, it can easily be seen by induction on the structure of the command $S$ that the transition relation $\Rightarrow_d$ is upper closed on the right hand side.
As a consequence, $\langle \bigwedge_I S_i, s\rangle \Rightarrow_d W$ if and only if $\langle S_i, s\rangle \Rightarrow_d W$ for all $i \in I$. Dually, by Definition 3.2, $\langle \bigvee_I S_i, s\rangle \Rightarrow_d W$ if and only if there exists $k \in I$ such that $\langle S_k, s\rangle \Rightarrow_d W$.

We can use the hyper transition system $\langle Conf, \Rightarrow_d\rangle$ to define an operational semantics $\mathit{Op}[\![\cdot]\!]$ for the language $L$ which captures the input-output behaviour of the language $L$. To this end we need to abstract from the intermediate configurations recorded by the transition relation of the hyper transition system, that is, we need to take a kind of transitive closure of the transition relation.

3.3. Definition. Let $\langle X, \Rightarrow\rangle$ be a hyper transition system. For every ordinal $\alpha \ge 0$ define the relation $\Rightarrow^\alpha$ on $X \times \mathcal{P}(X)$ inductively by
\[
x \Rightarrow^0 W \iff x \in W,
\]
\[
x \Rightarrow^{\alpha+1} W \iff \exists V \subseteq X : x \Rightarrow V \;\&\; \forall y \in V\ \exists \beta \le \alpha : y \Rightarr^\beta W,
\]
\[
x \Rightarrow^\lambda W \iff \exists \beta < \lambda : x \Rightarrow^\beta W \quad\text{where } \lambda \text{ is a limit ordinal},
\]
for $x \in X$ and $W \subseteq X$.

By induction on $\alpha$ it is easy to see that, for every ordinal $\alpha \ge 0$, the relation $\Rightarrow^\alpha$ is upper closed on the right hand side if the relation $\Rightarrow$ is upper closed on the right hand side. The ordinal $\alpha$ used to label the transition relation $x \Rightarrow^\alpha W$ is not equal to the number of atomic steps which a computation specified by a hyper transition system starting in a configuration $x$ needs to execute in order to satisfy the predicate $W$. Rather, the label takes into account both the length of the specified computation which starts in a configuration $x$ and the non-determinism of the computations. Since we allow for unbounded demonic non-determinism, this label need not be a finite ordinal.

We can now define a semantics $\mathit{Op}[\![\cdot]\!]$ for the language $L$ in terms of the hyper transition system $\langle Conf, \Rightarrow_d\rangle$.

3.4. Definition. (i) Put $Sem = Decl \times Conf \to \mathcal{P}(\mathcal{P}(St))$ and define $\mathit{Op} \in Sem$, for $d \in Decl$ and $c \in Conf$, by
\[
\mathit{Op}(d, c) = \{P \subseteq St \mid \exists \alpha : c \Rightarrow_d^\alpha P\}.
\]
(ii) The operational semantics $\mathit{Op}[\![\cdot]\!] : L \to (St \to \mathcal{P}(\mathcal{P}(St)))$ is given by
\[
\mathit{Op}[\![\langle d, S\rangle]\!](s) = \mathit{Op}(d, \langle S, s\rangle).
\]
The idea behind the above operational semantics is that of total correctness (extended by considering programs which deadlock as terminating and satisfying every postcondition): if a predicate $P$ on the output space of a program is in $\mathit{Op}[\![\langle d, S\rangle]\!](s)$ then every computation started at input $s$ and specified by the command $\langle d, S\rangle$ of $L$ terminates either in a state $t \in P$ or in the deadlock configuration $\delta$.

3.5. Theorem. Let $T = \langle Conf, \delta, \to_d\rangle$ be the transition system induced by the hyper transition system associated to $L$ according to Definition 2.3. For all $\langle d, S\rangle \in L$, $P \subseteq St$ and $s \in St$, if $P \in \mathit{Op}[\![\langle d, S\rangle]\!](s)$ then every computation of $T$ starting at $\langle S, s\rangle$ is finite and terminates either in the configuration $\delta$ or in a state $t \in P$.

We conjecture that the converse of the above theorem also holds, that is, if every computation specified by the hyper transition system associated with $L$ and starting at $\langle S, s\rangle$ is finite and terminates in either $\delta$ or $t \in P$ then $P \in \mathit{Op}[\![\langle d, S\rangle]\!](s)$. A proof of this statement reduces to the proof of the existence of an ordinal $\alpha$ such that $\langle S, s\rangle \Rightarrow_d^\alpha P$. This will require a rather detailed analysis of the computations specified by a hyper transition system.
3.1 Properties of the operational semantics

In this section we give some properties of our operational semantics $\mathit{Op}[\![\cdot]\!]$. First we want to show that the semantics $\mathit{Op}[\![\langle d, S\rangle]\!](s)$ of a command $\langle d, S\rangle$ in $L$ at input $s \in St$ abstracts from the intermediate configurations reached by a transition sequence starting from $\langle d, S\rangle$ and collects only the final outcomes. We reach this end by characterizing the function $\mathit{Op}(\cdot)$ as the least solution of a fixed point equation.

3.6. Theorem. The function $\mathit{Op}(\cdot)$ is the least function in $Sem$ such that, for $d \in Decl$, $s \in St$, and $S \in Stat$,
\[
\mathit{Op}(d, s) = \{P \subseteq St \mid s \in P\},
\]
\[
\mathit{Op}(d, \langle S, s\rangle) = \bigcup\Big\{ \bigcap\{\mathit{Op}(d, c') \mid c' \in W\} \;\Big|\; \langle S, s\rangle \Rightarrow_d W \Big\}.
\]

Next we show compositionality of the semantics $\mathit{Op}[\![\cdot]\!]$. We do it in two steps. In the first step we prove that every semantics for $L$ which satisfies the above fixed point characterization is compositional with respect to both the angelic and demonic choice operators. Moreover it is a fixed point semantics in the sense that the semantics of a procedure variable $x$ equals the semantics of its declaration $d(x)$. In the second step we show the compositionality of $\mathit{Op}[\![\cdot]\!]$ with respect to the sequential composition operator.

3.7. Lemma. Let $F : Decl \times Conf \to \mathcal{P}(\mathcal{P}(St))$ be a function such that, for $d \in Decl$, $s \in St$, and $S \in Stat$,
\[
F(d, s) = \{P \subseteq St \mid s \in P\},
\]
\[
F(d, \langle S, s\rangle) = \bigcup\Big\{ \bigcap\{F(d, c') \mid c' \in W\} \;\Big|\; \langle S, s\rangle \Rightarrow_d W \Big\}.
\]
Then, for every $d \in Decl$ and $s \in St$,
(i) $F(d, \langle x, s\rangle) = F(d, \langle d(x), s\rangle)$,
(ii) $F(d, \langle \bigvee_I S_i, s\rangle) = \bigcup\{F(d, \langle S_i, s\rangle) \mid i \in I\}$,
(iii) $F(d, \langle \bigwedge_I S_i, s\rangle) = \bigcap\{F(d, \langle S_i, s\rangle) \mid i \in I\}$.

To prove the compositionality of $\mathit{Op}[\![\cdot]\!]$ with respect to the sequential composition we use induction on the ordinal $\alpha$ in the transition $\langle S_1 ; S_2, s\rangle \Rightarrow_d^\alpha P$ for $P \in \mathit{Op}[\![\langle d, S_1 ; S_2\rangle]\!](s)$.

3.8. Lemma. For $d \in Decl$, $s \in St$, and $S_1, S_2 \in Stat$,
\[
\mathit{Op}[\![\langle d, S_1 ; S_2\rangle]\!](s) = \bigcup\Big\{ \bigcap\{\mathit{Op}[\![\langle d, S_2\rangle]\!](t) \mid t \in Q\} \;\Big|\; Q \in \mathit{Op}[\![\langle d, S_1\rangle]\!](s) \Big\}.
\]

The above lemma together with Lemma 3.7 applied to the function $\mathit{Op}(\cdot)$ implies that the function $\mathit{Op}[\![\cdot]\!]$ is a compositional fixed point semantics for $L$.
3.2 A weakest precondition semantics

In this section we derive a weakest precondition semantics for the language $L$ from its operational semantics $\mathit{Op}[\![\cdot]\!]$.

3.9. Definition. Define the weakest precondition of a command $\langle d, S\rangle \in L$ for a postcondition $P \subseteq St$ by
\[
\mathit{Wp}[\![\langle d, S\rangle]\!](P) = \{s \in St \mid P \in \mathit{Op}[\![\langle d, S\rangle]\!](s)\}.
\]

The above definition can be justified by Theorem 3.5: the predicate $\mathit{Wp}[\![\langle d, S\rangle]\!](P)$ holds for those input states $s \in St$ for which each computation of the program specified by the command $\langle d, S\rangle$ terminates in a final state satisfying the postcondition $P$. Because $\mathit{Op}[\![\langle d, S\rangle]\!](s)$ is an upper closed set for every state $s \in St$ (the relation $\Rightarrow^\alpha$ being upper closed on the right hand side for all ordinals $\alpha$), the function $\mathit{Wp}[\![\langle d, S\rangle]\!](\cdot)$ is monotone. As a consequence we have, for all $s \in St$ and $P \subseteq St$,
\[
s \in \mathit{Wp}[\![\langle d, S_1 ; S_2\rangle]\!](P) \iff \mathit{Wp}[\![\langle d, S_2\rangle]\!](P) \in \mathit{Op}[\![\langle d, S_1\rangle]\!](s). \tag{3}
\]
More generally, the semantics $\mathit{Wp}[\![\cdot]\!]$ can be characterized uniquely by means of the axioms given in the theorem below. These axioms show that our weakest precondition semantics of $L$ induced by the operational semantics $\mathit{Op}[\![\cdot]\!]$ coincides with the ordinary lattice theoretical interpretation of the refinement calculus [Bac80].

3.10. Theorem. The semantics $\mathit{Wp}[\![\cdot]\!]$ is the least function from $L \to (\mathcal{P}(St) \to \mathcal{P}(St))$ such that, for all $\langle d, S\rangle \in L$ and $P \subseteq St$,
\[
\begin{array}{rcl}
\mathit{Wp}[\![\langle d, B!\rangle]\!](P) & = & \{s \in St \mid s \in B \text{ implies } s \in P\}, \\
\mathit{Wp}[\![\langle d, \{B\}\rangle]\!](P) & = & \{s \in St \mid s \in B \cap P\}, \\
\mathit{Wp}[\![\langle d, \langle f\rangle\rangle]\!](P) & = & \{s \in St \mid f(s) \in P\}, \\
\mathit{Wp}[\![\langle d, x\rangle]\!](P) & = & \mathit{Wp}[\![\langle d, d(x)\rangle]\!](P), \\
\mathit{Wp}[\![\langle d, \bigvee_I S_i\rangle]\!](P) & = & \bigcup\{\mathit{Wp}[\![\langle d, S_i\rangle]\!](P) \mid i \in I\}, \\
\mathit{Wp}[\![\langle d, \bigwedge_I S_i\rangle]\!](P) & = & \bigcap\{\mathit{Wp}[\![\langle d, S_i\rangle]\!](P) \mid i \in I\}, \\
\mathit{Wp}[\![\langle d, S_1 ; S_2\rangle]\!](P) & = & \mathit{Wp}[\![\langle d, S_1\rangle]\!](\mathit{Wp}[\![\langle d, S_2\rangle]\!](P)).
\end{array}
\]

The proof of the above theorem consists of two parts. In the first part the function $\mathit{Wp}[\![\cdot]\!]$ is shown to satisfy all the equations of the above theorem. They are a direct consequence of Lemmas 3.7 and 3.8 and Equation (3). In the second part the function $\mathit{Wp}[\![\cdot]\!]$ is shown to be the least function which satisfies those equations. This is obtained by proving the existence of a least function which satisfies the equations of the above theorem and showing that it also satisfies the operational characterization of Theorem 3.6. Since the language $L$ is a proper class rather than a set, environments have to be used to store the partial results of recursive procedures. For more details see Chapter 4 of [Bon96].
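To make Definitions 3.2, 3.4 and 3.9 and Theorems 3.6 and 3.10 concrete, here is an added Python example (not the paper's own code) that computes $\mathit{Op}$ and $\mathit{Wp}$ for commands over a constructed four-element state space with finite index sets. It works with the generating sets of the least relation $\Rightarrow_d$ rather than its upper closure, which is sound for $\mathit{Op}$ because a smaller $W$ only enlarges the intersection in Theorem 3.6, and it obtains $\mathit{Op}$ as the least fixed point of that theorem by iteration from the empty function, which suffices here because only finitely many configurations are reachable from the samples. The statement constructors, the declaration D (a loop that steps the state up to 3) and the transformers STEP, ZERO and THREE are all assumptions of the example.

```python
from itertools import combinations, product

# Added example, not from the paper: the hyper transition rules of Definition 3.2,
# the least fixed point of Theorem 3.6 and the weakest precondition of Definition 3.9,
# computed by brute force for a constructed four-state space.

ST = frozenset(range(4))                                  # constructed state space
PREDICATES = frozenset(frozenset(p) for k in range(len(ST) + 1)
                       for p in combinations(sorted(ST), k))

# Statement constructors (syntax of Definition 3.1, finite index sets only).
def guard(B):    return ("guard", frozenset(B))   # B!   : deadlock outside B
def assume(B):   return ("assert", frozenset(B))  # {B}  : undefined outside B
def fun(f):      return ("fun", f)                # <f>  : state transformer
def var(x):      return ("var", x)                # procedure variable
def ang(*S):     return ("ang", S)                # angelic choice (big vee)
def dem(*S):     return ("dem", S)                # demonic choice (big wedge)
def seq(S1, S2): return ("seq", S1, S2)           # sequential composition


def generators(d, S, s):
    """Generating sets W with <S, s> =>_d W; the relation of Definition 3.2 is
    their upper closure, so these suffice for computing Op."""
    kind = S[0]
    if kind == "guard":
        return [frozenset([s]) if s in S[1] else frozenset()]   # empty W = deadlock
    if kind == "assert":
        return [frozenset([s])] if s in S[1] else []             # no W = undefined
    if kind == "fun":
        return [frozenset([S[1](s)])]
    if kind == "var":
        return [frozenset([(d[S[1]], s)])]
    if kind == "ang":                                            # one transition per branch
        return [W for Si in S[1] for W in generators(d, Si, s)]
    if kind == "dem":                                            # union of one W_i per branch
        return [frozenset().union(*Ws)
                for Ws in product(*(generators(d, Si, s) for Si in S[1]))]
    S1, S2 = S[1], S[2]                                          # "seq"
    return [frozenset((S2, c) if c in ST else (seq(c[0], S2), c[1]) for c in W)
            for W in generators(d, S1, s)]


def reachable(d, c0):
    """Statement configurations reachable from c0 (finite for the samples below)."""
    seen, todo = set(), [c0]
    while todo:
        c = todo.pop()
        if c in ST or c in seen:
            continue
        seen.add(c)
        for W in generators(d, c[0], c[1]):
            todo.extend(W)
    return seen


def op(d, c0):
    """Op(d, c0) of Definition 3.4, obtained as the least solution of the
    equations of Theorem 3.6 by iterating from the empty function."""
    confs = reachable(d, c0)
    gens = {c: generators(d, c[0], c[1]) for c in confs}
    val = {c: frozenset() for c in confs}

    def lookup(c):
        # Op(d, s) = {P | s in P} for a final state s; else the current approximation
        return frozenset(P for P in PREDICATES if c in P) if c in ST else val[c]

    while True:
        new = {c: frozenset().union(*[frozenset.intersection(PREDICATES, *map(lookup, W))
                                      for W in gens[c]])
               for c in confs}
        if new == val:
            return lookup(c0)
        val = new


def wp(d, S, P):
    """Wp[[<d, S>]](P) of Definition 3.9."""
    P = frozenset(P)
    return frozenset(s for s in ST if P in op(d, (S, s)))


# Constructed sample declaration: a loop that increments the state until it reaches 3,
# written with guards and demonic choice like a guarded-command "do" loop.
B = frozenset({0, 1, 2})
STEP = lambda s: min(s + 1, 3)
ZERO, THREE = (lambda s: 0), (lambda s: 3)
D = {"loop": dem(seq(guard(B), seq(fun(STEP), var("loop"))), guard(ST - B))}
LOOP = var("loop")


def wp_seq_law(d, S1, S2, P):
    """Last equation of Theorem 3.10: Wp(S1;S2)(P) == Wp(S1)(Wp(S2)(P))."""
    return wp(d, seq(S1, S2), P) == wp(d, S1, wp(d, S2, P))


if __name__ == "__main__":
    print("wp(loop, {3}) =", sorted(wp(D, LOOP, {3})))           # every state
    print("wp(B!, {}) =", sorted(wp(D, guard(B), set())))         # deadlock meets any P
    print("angelic:", sorted(wp(D, ang(fun(ZERO), fun(THREE)), {3})))
    print("demonic:", sorted(wp(D, dem(fun(ZERO), fun(THREE)), {3})))
    print("seq law:", wp_seq_law(D, dem(fun(ZERO), fun(THREE)), fun(STEP), {3}))
```

The run shows that the loop establishes postcondition {3} from every state, that the guard $B!$ outside $B$ meets even the empty postcondition (deadlock counted as termination, as in Theorem 3.5), that angelic choice between two transformers accepts a postcondition hit by either branch while demonic choice needs both, and that the sequential composition equation of Theorem 3.10 holds for both choices.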
4 A game-theoretical interpretation

We now briefly develop an alternative interpretation of a hyper transition system based on a game between two players, one called angel and the other called demon. Our notion of game is inspired by the game interpretation of the refinement calculus put forward by Back and Von Wright [BW90] and formally developed in [Hes94] and [BW96]. A hyper transition system $\langle X, \Rightarrow\rangle$ defines the possible configurations of the game by means of the set $X$, and the possible moves of the game by means of the relation $\Rightarrow$. The game starts in a given configuration $x \in X$. The angel aims to stop in a configuration $y \in P$ for a given set of terminating configurations $P \subseteq X$, whereas the demon aims to prevent it. The angel plays first by choosing $W \subseteq X$ such that $x \Rightarrow W$. Then the demon plays by choosing a configuration $y \in W$, and the game restarts from the configuration $y$. The game terminates if no move is possible. There are two cases: either the game is in a configuration $x$ but there is no $W \subseteq X$ such that $x \Rightarrow W$, or the angel has already chosen a set of configurations $W$ but there is no $y \in W$ (that is, $W = \emptyset$). In the first case, if $x \notin P$ then the demon wins; otherwise the angel wins.

In other words, the angel may win if there exists a function $F : X \to \mathcal{P}(\mathcal{P}(X))$ which can predict the victory of the angel when starting in a configuration $x$, that is, $P \in F(x)$ if and only if either $x \in P$ and there is no move for the angel (that is, there is no $W \subseteq X$ such that $x \Rightarrow W$), or there exists a move for the angel who chooses $W \subseteq X$ such that $x \Rightarrow W$ and for all possible choices $y \in W$ of the demon, $P \in F(y)$. Notice that in the previous section we constructed such a function for the game defined by the hyper transition system $\langle Conf, \Rightarrow_d\rangle$ induced by $L$: the operational semantics $\mathit{Op}[\![\cdot]\!]$. By the definition of the weakest precondition semantics induced from the operational semantics we can conclude that a state $s \in St$ satisfies the weakest precondition of a program $\langle d, S\rangle \in L$ with postcondition $P \subseteq St$ if and only if there exists a play in the game defined by $\langle Conf, \Rightarrow_d\rangle$ which starts in the configuration $\langle S, s\rangle$ and terminates in $P$ with the victory of the angel. Because the semantics $\mathit{Op}[\![\cdot]\!]$ is compositional, by induction on the structure of the command $\langle d, S\rangle$ in the starting configuration $\langle S, s\rangle$ of the game, and from the definition of $\langle Conf, \Rightarrow_d\rangle$, if the angel may win with respect to $P \subseteq X$ then it is possible to derive a winning strategy for it.
5 Simulation for hyper transition systems

In Definition 3.3 we abstracted from the intermediate configurations recorded by the transition relation of a hyper transition system in order to capture the input-output behaviour of the computations specified by it. In this section we propose a relation between hyper transition systems which preserves the specification of the atomic steps of a computation. This relation is a generalization of a simulation relation between ordinary transition systems which takes into account also deadlock configurations and undefined transitions. By considering a symmetric version of it one obtains the ordinary notion of bisimulation [Mil80, Par81], which can be similarly generalized to hyper transition systems.

For an ordinary transition system $\langle X, \delta, \to\rangle$, a relation $R \subseteq X \times X$ is called a simulation whenever, if $\langle x, y\rangle \in R$ then
(i) $x \to \delta$ implies $\exists y' \in X \cup \{\delta\} : y \to y'$,
(ii) $x \not\to$ implies $y \not\to$,
(iii) $x \to x'$ implies $\exists y' \in X : y \to y' \;\&\; \langle x', y'\rangle \in R$,
where $x \not\to$ means that there is no $x' \in X \cup \{\delta\}$ such that $x \to x'$. If there exists a simulation relation containing the pair $\langle x, y\rangle$ then the computations of $T$ starting in the configuration $x$ refine those starting in $y$. According to the usual laws of the refinement calculus, a computation which deadlocks (in one step) can refine every other computation, while an undefined or terminating computation cannot refine one which does not terminate. In general, if $x$ refines $y$ then computations starting in a configuration $x$ are less non-deterministic than similar computations starting in $y$. The same idea of refinement holds also for a hyper transition system: the non-determinism of the computations specified by a hyper transition system $H$ starting in a configuration $x$ must be less than the non-determinism of the computations starting in a hyper similar configuration $y$.

5.1. Definition. Given a hyper transition system $\langle X, \Rightarrow\rangle$, a binary relation $R$ on $X$ is called a hyper simulation whenever, if $\langle x, y\rangle \in R$ then
(i) $x \Rightarrow W$ implies $\exists V \subseteq X : y \Rightarrow V$,
(ii) $x \not\Rightarrow$ implies $y \not\Rightarrow$,
(iii) $x' \in \bigcap\{W \subseteq X \mid x \Rightarrow W\}$ implies $\exists y' \in \bigcap\{V \subseteq X \mid y \Rightarrow V\} : \langle x', y'\rangle \in R$,
where $x \not\Rightarrow$ means that there is no $W \subseteq X$ such that $x \Rightarrow W$.

The above definition of hyper simulation is conservative with respect to the notion of simulation: if two configurations $x$ and $y$ of a hyper transition system $H = \langle X, \Rightarrow\rangle$ are hyper similar then they are similar in the induced transition system $TS(H) = \langle X, \delta, \to\rangle$. Conversely, two configurations $x$ and $y$ of a transition system $T = \langle X, \delta, \to\rangle$ are similar if and only if they are hyper similar in the induced hyper transition system $HTS(T) = \langle X, \Rightarrow\rangle$. Hence, for a hyper transition system $H = \langle X, \Rightarrow\rangle$ satisfying (2) and with a transition relation upper closed on the right hand side, two configurations are hyper similar if and only if they are similar in $TS(H)$. The identity relation between configurations is a hyper simulation between a hyper transition system $H$ and $HTS(TS(H))$ (and vice versa). Since $HTS(TS(H))$ is isomorphic to the transition system $TS(H)$ (Lemmas 2.5 and 2.6), the above means that hyper transition systems are not more expressive than ordinary transition systems. Rather, they describe computations in a different way, that is, in terms of all the properties that the atomic steps of computations have to satisfy.

For the hyper transition system $\langle Conf, \Rightarrow_d\rangle$ describing the computations of the language $L$, hyper simulation is a congruence with respect to the angelic and demonic choices as well as sequential composition. Moreover, if we augment the specification of $\langle Conf, \Rightarrow_d\rangle$ with the rule below describing a simple interleaving operator, then hyper simulation is a congruence also for this operator.
\[
\frac{\langle S_1, s\rangle \Rightarrow_d W}{\begin{array}{l}
\langle S_1 \parallel S_2, s\rangle \Rightarrow_d \{\langle S_2, t\rangle \mid t \in W \cap St\} \cup \{\langle S_1' \parallel S_2, t\rangle \mid \langle S_1', t\rangle \in W\} \\
\langle S_2 \parallel S_1, s\rangle \Rightarrow_d \{\langle S_2, t\rangle \mid t \in W \cap St\} \cup \{\langle S_2 \parallel S_1', t\rangle \mid \langle S_1', t\rangle \in W\}
\end{array}}
\]
Hence it is possible to introduce an interleaving operator in the specification language $L$ while maintaining a compositional semantics for it.
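Definition 5.1 can be decided on a finite hyper transition system by starting from the full relation $X \times X$ and discarding pairs until every remaining pair satisfies clauses (i) to (iii); what remains is the largest hyper simulation. The Python below is an added example, not from the paper. The sample system is constructed so that z deadlocks in one step, x must go to x1 and then to w, y may go to y1 (which also goes to w) or to y2, and w and y2 have no transition.

```python
from itertools import combinations

# Added example, not from the paper: deciding hyper simulation (Definition 5.1)
# on a finite hyper transition system given as a set of (x, W) pairs.


def subsets(X):
    xs = sorted(X)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]


def upper_close(X, hyper):
    """Property (1): close the relation on the right hand side."""
    return frozenset((x, W) for (x, V) in hyper for W in subsets(X) if V <= W)


def targets(x, hyper):
    """All W with x => W; the empty list means x has no transition (x =/=>)."""
    return [W for (z, W) in hyper if z == x]


def must_reach(x, hyper):
    """intersection{W | x => W}: the configurations every computation from x
    may end in after one step.  Empty when x has no transition and also when
    x deadlocks (x => {})."""
    Ws = targets(x, hyper)
    return frozenset.intersection(*Ws) if Ws else frozenset()


def violates(x, y, hyper, R):
    """True if the pair <x, y> breaks clause (i), (ii) or (iii) relative to R."""
    if bool(targets(x, hyper)) != bool(targets(y, hyper)):   # (i) and (ii)
        return True
    ys = must_reach(y, hyper)                                 # (iii)
    return any(not any((x1, y1) in R for y1 in ys) for x1 in must_reach(x, hyper))


def is_hyper_simulation(hyper, R):
    """Definition 5.1 checked for every pair of R."""
    return not any(violates(x, y, hyper, R) for (x, y) in R)


def greatest_hyper_simulation(X, hyper):
    """Drop violating pairs from X x X until nothing changes.  A pair that
    violates (i)-(iii) w.r.t. a relation also violates them w.r.t. any smaller
    one, so the result is the union of all hyper simulations on the system."""
    R = {(x, y) for x in X for y in X}
    while True:
        bad = {(x, y) for (x, y) in R if violates(x, y, hyper, R)}
        if not bad:
            return frozenset(R)
        R -= bad


# Constructed sample system (see the lead-in for its shape).
X = frozenset({"x", "x1", "y", "y1", "y2", "z", "w"})
H = upper_close(X, {("x", frozenset({"x1"})),
                    ("x1", frozenset({"w"})),
                    ("y", frozenset({"y1", "y2"})),
                    ("y1", frozenset({"w"})),
                    ("z", frozenset())})


if __name__ == "__main__":
    R = greatest_hyper_simulation(X, H)
    print("x refines y:", ("x", "y") in R)     # less non-deterministic: yes
    print("y refines x:", ("y", "x") in R)     # y2 has no match for x1: no
    print("z refines y:", ("z", "y") in R)     # a deadlock refines any step: yes
    print("y refines z:", ("y", "z") in R)     # but nothing refines a deadlock: no
    print("w refines x:", ("w", "x") in R)     # undefined does not refine a step: no
```

The asymmetries in the output are exactly the refinement laws recalled above: the one-step deadlock z refines every configuration that has a move but is refined by none of them, the configuration x with a single successor refines y with two, and the undefined configuration w refines nothing that still makes a step.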
References

[Bac80] Back, R.-J.R.: Correctness Preserving Program Refinements: Proof Theory and Applications, volume 131 of Mathematical Centre Tracts. Mathematical Centre, Amsterdam, 1980.
[Bon96] Bonsangue, M.M.: Topological Dualities in Semantics. PhD thesis, Vrije Universiteit Amsterdam, 1996.
[BW90] Back, R.-J.R., von Wright, J.: Dualities in specification languages: a lattice theoretical approach. Acta Informatica, 27:583-625, 1990.
[BW96] Back, R.-J.R., von Wright, J.: Refinement Calculus: a Systematic Introduction. Preliminary version of a book submitted for publication, 1996.
[Hes94] Hesselink, W.H.: Nondeterminacy and recursion via stacks and games. Theoretical Computer Science, 124(2):273-295, 1994.
[Mil80] Milner, R.: A Calculus of Communicating Systems, volume 92 of Lecture Notes in Computer Science. Springer-Verlag, 1980.
[MRS95] Mislove, M.W., Roscoe, A.W., Schneider, S.A.: Fixed points without completeness. Theoretical Computer Science, 138:273-314, 1995.
[Nil82] Nilsson, N.J.: Principles of Artificial Intelligence. Springer-Verlag, 1982.
[Par81] Park, D.M.R.: Concurrency and automata on infinite sequences. In P. Deussen, editor, Proceedings of the 5th GI Conference, volume 104 of Lecture Notes in Computer Science, pages 167-183. Springer-Verlag, 1981.
[Plo81] Plotkin, G.D.: A structural approach to operational semantics. Technical Report DAIMI FN-19, Computer Science Department, Aarhus University, 1981.