Verification and Refinement of Action Contracts

Veri cation and Re nement of Action Contracts Ralph-Johan Back

 Abo Akademi University, Department of Computer Science Lemminkaisenkatu 14 A, FIN-20520 Turku, Finland email: backrj@abo.

Joakim von Wright

 Abo Akademi University, Department of Computer Science Lemminkaisenkatu 14 A, FIN-20520 Turku, Finland email: jwright@abo.

Turku Centre for Computer Science TUCS Technical Report No 374 April 2001 ISBN 952-12-0371-4 ISSN 1239-1891

Abstract Action contracts are a formalism for describing an interactive system as a game between two coalitions of agents. A basic contract statement, involving choice points for the dierent agents, is repeatedly executed as an atomic operation (modeled as a monotonic predicate transformer). The possible executions can be described as an alternating tree which in turn can be analysed using a generalisation of traditional predicate transformer reasoning. We describe the details of this game tree semantics for action contracts and show how it supports reasoning about temporal properties of systems, as well as re nement.

TUCS Research Group

Programming Methodology Research Group

1 Introduction In state-based approaches, reactive and concurrent systems are given a semantics in terms of the state sequences (behaviours) that computations of the system give rise to. For a given initial state, a nondeterministic system gives rise to a set (or a tree) of behaviours, rather than a single one. Properties of such systems can be described using temporal logic, and proved using associated proof methods. The standard notion of re nement for nondeterministic systems is based on behaviour inclusion; a system A is re ned by another system A0 if and only if every behaviour of A0 is also a possible behaviour of A. In the action system formalism [2, 3], a nondeterministic system is described as a composition of action systems working on a common global state. An action system is characterised by an initialisation predicate which describes how the local state of the component is initialised, an action that is executed repeatedly (atomically), and a nalisation predicate that describes the condition under which execution of the component can terminate. The trace semantics of action systems generalises traditional state-based semantics by permitting both in nite, terminating, aborting and miraculous traces (where a trace is the observable part of a behaviour). Correspondingly, behaviour inclusion is generalised to trace re nement, based on an approximation ordering on traces. Trace re nement can be proved using a simulation method, based on the weakest-precondition semantics on the level of individual actions. The simulation method is sound and complete for trace re nement, under certain restrictions having to do with termination, bounded nondeterminism and occurrence of stuttering [3]. Using the notion of contracts, we have shown how interactive computations involving independent agents can meaningfully be described and analysed using a predicate transformer semantics that includes two modes of nondeterminism (angelic and demonic) [4, 5]. The same approach was used to generalise action systems to multi-agent actions contracts [7] and the aim of this paper is to show how the trace semantics of the traditional action system approach can be extended to a game tree semantics for action contracts. Using this semantics, we de ne basic temporal properties and show how they can be proved using traditional methods for reasoning about correctness. We also generalise the traditional notion of re nement between systems and show how the simulation method for proving re nement is generalised to a zig-zag simulation. Temporal properties have been de ned and used before in a restricted predicate transformer framework with only demonic nondeterminism in order to generalise traditional reasoning systems for sequential and parallel programs 1

[8, 10, 11, 12]. Our de nitions and methods are more general, since they permit reasoning about interaction, using demonic and angelic nondeterminism in a predicate-transformer framework. In the special case when angelic nondeterminism is absent, our temporal notions reduce to the traditional ones. Our game interpretation of systems and temporal properties is similar to recent independent work [1] by Alur, Henzinger and Kupferman on ATL (alternating-time temporal logic). However, in our predicate-transformerbased approach verifying temporal properties can be translated into traditional correctness reasoning while their approach is directed at model checking. Furthermore, we permit not only in nite executions, but also termination as well as abortion and miracles. On the other hand, the ATL model allows more exibility in the forming of coalitions of agents.

2 Predicate transformers and contracts We rst brie y describe how program statements are modeled as predicate transformers. A more detailed description of this background material can be found in [4]. Then we describe how interactive computations are modeled as action contracts, as described in [7].

2.1 Predicate transformers

We assume that the underlying state space is a type  of higher-order logic. A (state) predicate is a boolean state function (of type  ! Bool) and a (state) relation is a binary boolean state function (of type  !  ! Bool). Using the characteristic function interpretation, we can treat a predicate as a set of states and a relation as a function that maps any state to a set of states. We write false (true) for the everywhere false (true) predicate, but otherwise we use set notation for predicates ([, \, and ). A predicate transformer is a function that maps predicates to predicates. Monotonic predicate transformers are traditionally seen as modelling program statements with a weakest-precondition interpretation: if T is a monotonic predicate transformer and q is a predicate then T: q is the set of states  satisfying the following property: When T is executed in initial state , execution is guaranteed to terminate and the nal state is guaranteed to be in q. Intuitively, execution of T is interpreted as a game between an angel and a demon; if the angel can resolve its choices so that the postcondition q holds in the nal state  regardless of how the demon resolves its choices, then T: q holds in . In practice, the angel can model a user and the de2

mon the system (or unknown \disturbances" that make the system behave in partly unpredictable ways). Predicate transformers are ordered by pointwise extension; T v T 0 (\T is re ned by T 0") is de ned to mean (8q  T: q  T 0: q). The predicate transformers form a complete lattice, and we write the lattice operators as u and t. Composition of predicate transformers T and T 0 is written T ; T 0. Thus we have (T u T 0): q = T: q \ T 0: q (T t T 0): q = T: q [ T 0: q (T ; T 0): q = T: (T 0: q)

2.2 Nondeterministic statements

A predicate transformer T is conjunctive if it distributes over intersections, i.e., if it satis es T: (\i 2 I  qi) = (\i 2 I  T: qi) for an arbitrary nonempty collection fqi j i 2 I g of predicates. A conjunctive predicate transformer T models a purely demonic program statement, i.e., one in which the angel (the user) has no in uence over how nondeterminism is resolved. Dually, T is disjunctive if it distributes over unions, i.e., if T: ([i 2 I  qi) = ([i 2 I  T: qi) and then T models a purely angelic program statement, where the user has full control over nondeterminism. We will also mention continuity on a few occasions. A predicate transformer T is continuous if it distributes over directed sets of predicates (an ordered set K is directed if it satis es (8x; y 2 K  9z 2 K  x v z ^ y v z). Then T models a program statement where demonic nondeterminism is bounded, i.e., the demon never has an in nite number of alternatives to choose between. We do not assume a speci c syntax for program statements; it is sucient to know that we model them as monotonic predicate transformers. However, in certain situations we will use relational updates composed in sequence. Given a relation R, the angelic update fRg and the demonic update [R] both update the state from state  to some state 0 such that R: : 0 holds (the choice of state being angelic in the rst case and demonic in the second). If no such state 0 exists, then the angelic update is aborting (i.e., it establishes no postcondition, not even true) while the demonic update is miraculous (i.e., 3

it establishes any postcondition, even false). As predicate transformers, these statements are de ned as follows: [R]: q:  =^ (80  R: : 0 ) q: 0) fRg: q:  =^ (90  R: : 0 ^ q: 0) In concrete examples we use an assignment syntax with program variables. We will not go into details of how program variables are to be interpreted (as they appear only in illustrating examples); essentially we can think of program variables as state component that can be independently accessed and updated. A simple example is the following: fx := x0 j x0 < x < x0 + 3g ; [x := x0 j x0 < x < x + 3] where we assume that x ranges over the natural numbers. The assignment notation x := x0 j b stands for a state relation where the value of x changes to x0 such that the boolean expression b holds, without changing the values of any other program variables. In this example, the angel can rst decrement x by 1 or 2 (nut not below zero) after which the demon has the same choices available. However, if x is initially 0 then the angel loses the game (abortion occurs), and if the angel can decrease x to 0, then the demon loses the game (a miracle occurs). An important special case is the deterministic update hx := ei, which is essentially an ordinary assignment. It can be de ned as a demonic (or angelic) assignment, with degenerate nondeterminism:

hx := ei =^ [x := x0 j x0 = e]

or hx := ei =^ fx := x0 j x0 = eg Two other important special cases are the assertion fpg and the assumption [p], for state predicate p:

fpg =^ f 0 p:  ^ 0 = g [p] =^ [ 0 p:  ^ 0 = ] Intuitively, fpg leaves the state unchanged if p holds and aborts otherwise 







while [p] also leaves the state unchanged if p holds but is miraculous otherwise.

2.3 Games and normal forms

The statement given above, fx := x0 j x0 < x < x0 + 3g ; [x := x0 j x0 < x < x + 3] 4

shows an example of how a sequence of updates is interpreted as a game with the angel and the demon as players. The winning strategy theorem [4] shows that a monotonic predicate transformer T is guaranteed to establish postcondition q from initial state  if and only if the angel has a way of making its choices inside T (i.e., the angel has a strategy) such that q holds in the nal state regardless of how the demon makes its choices. Here abortion is always losing (establishes no postcondition) while a miracle is winning (establishes any postcondition). The normal form theorem for monotonic predicate transformers [4] states that any monotonic predicate transformer T can be decomposed into a sequence of an angelic update followed by a demonic update. In fact, the decomposition is simple: T = fT^g ; [3] where 3 is the reverse set membership relation and T^ relates state  and predicate p whenever T is guaranteed to establish postcondition p from initial state : ^ : p  T: p:  T:

3 : p:    2 p

This decomposition may not be very useful from a practical point of view, since the intermediate state space is the powerset of the original state space. However, it is useful in theoretical investigations, since it gives us a way of separating angelic and demonic nondeterminism in an arbitrary predicate transformer. Furthermore, the normal form has a very simple intuitive interpretation:

 rst the angel chooses one of the postconditions (sets of nal states) that can be established,

 then the demon chooses one of the states in the set chosen by the angel.

2.4 Action contracts

Contracts are essentially a notation for describing the rules that govern how a collection of agents decide on successive state changes. We use variable a to range over a collection of agents. A contract statement is built according to the following syntax:

S ::= hpia j hRia j S1 ; S2 j S1 []a S2 5

Here p ranges over state predicates and R over state relations. The intuitive interpretation is that the assertion hpia fails (agents a breaches the contract) if p does not holds, otherwise it leaves the state unchanged. The update hRia is executed in initial state  so that agents a chooses a nal state such that R: : holds (if no such exists then a fails). Similarly, S1 []a S2 is executed so that agent a selects which of the two (sub)contracts is executed. We assume that an agent always avoids breaching the contract, if possible. We could also allow more complex constructs in simple contracts, such as loops, conditionals, recursion, and in nite choices, but for simplicity we restrict ourselves to a more restricted language pf contract statements in this presentation. The syntactic form of an action contract is now

C = init p ; (rec X S ; X []a hg1ia []a


[]an hgn ian ) 

1

1

2

where the initialisation p and the exit predicates gi are state predicates and the body S is a contract statement. The intuition is that C is repeatedly executed, but before every iteration, the agent (each in turn, from a1 to an; we assume that semicolon binds stronger than choice and that choice associates to the left) can decide to terminate the execution by choosing the assertion hgi i if gi holds. If gi does not hold, then agent ai cannot not choose termination, since we assume that agents always avoid breaching the contract. For a justi cation of why this is a good general model for describing interactive computations, see [7] where a number of examples of the modeling power of action contracts are given. As an example (which we will return to in later examples) we describe the game of Nim, where two players a and b take turns removing one or two sticks from a pile that originally contained n sticks, and the player who takes the last stick wins the game. It can be described as follows, where x ranges over the natural numbers:

N = init x = n ; (rec X hx := x0 j x0 < x < x0 + 3ia ; hx := x0 j x0 < x < x0 + 3ib ; X ) 

We have here assumed that player a goes rst. Note that this contract can never terminate normally (all its exit conditions are false). However, at some point either player will breach the contract (when it has to make a state change and the value of x is already zero). When analysing contracts (and action contracts) we always take the point of view of a coalition, i.e., a set A  of agents. Once the coalition is xed, a 6

contract statement S can be translated into a predicate transformer wp: S: A as follows: wp: hpia : A =

(

fpg if a 2 A [p] if a 62 A

wp: (S1 ; S2 ): A = wp ( : S1: A ; wp: S2 : A: A wp: hRia : A = f[RR]g ifif aa 2 62 A ( : S1: A t wp: S2: A if a 2 A wp: (S1 []a S2 ): A = wp wp: S1: A u wp: S2 : A if a 62 A

Here wp: S: A: q is a predicate that holds in a state  if and only if coalition A can either force some other agent to breach the contract, or guarantee termination in some nal state 2 q when contract S is executed in initial state . The choices of agents in A have been translated into angelic choices and those of agents outside A to demonic choices. For further justi cations and details, we refer to [7]. The focus in this paper will not be on action contracts themselves, but on analysing the behaviours of action contracts, once a coalition A has been identi ed. This means that the body S of the action contract reduces to a predicate transformer T = wp: S: A. Furthermore, the sequence of termination choices (agent ai being allowed to choose termination if gi holds) can be reduced to a two-step choice, where rst the angel can choose termination if a certain predicate qa holds and if the angel does not choose termination, then the demon can choose termination if a certain other predicate qd holds (this is a consequence of the following basic property which is easily veri ed: (S u[p])tfqg = (S tfqg)u[p]). Thus, rather that considering action contracts we consider quadruples of the form (p; T; qa; qd), resulting from identifying a coalition. Action contracts generalise the traditional action system [2] which is identi ed by an initialisation and a collection of actions that are repeatedly executed until no action is enabled. In action systems, the choice of action is (demonically) nondeterministic, and no angelic nondeterminism is permitted. Semantically, such an action system can be treated as a pair (p; T ) where p is an initial predicate and T a conjunctive predicate transformer. The semantics for these action systems is based on behaviours (state sequences) [3]. We shall next show how this is generalised for action contracts to what we call game trees. 7

3 Game tree semantics of action contracts We shall now develop a semantics for action contracts that generalises the traditional behavioural semantics of action systems. We assume throughout that a coalition and an initial predicate has been identi ed, so that we are considering quadruples (p; T; qa; qd) rather than (syntactic) action contracts. We return to the question of mapping action contracts to such quadruples in Section 8 where we illustrate the methods proposed in the paper with a small example.

3.1 Action games We rst consider action contracts that never terminate normally, i.e., where each termination predicate gi is false, i.e., the quadruple that the action contracts is mapped to is (p; S; false; false) (this restriction will be lifted in Section 7). Such action contracts can be interpreted as in nite games with strict alternation. An (in nite) action game is a pair (p; T ) where p is the initial predicate and T is the action (a monotonic predicate transformer). An execution of the action game starts from some (demonically chosen) initial state in p, and then the action T is repeatedly executed atomically, as a game between the angel and the demon. When analysing Nim (as described above) from the point of view of player a, player a gets the role of an angel and player b of the demon. Thus we have to consider the action game (p; T ) where

p = (x = n) T = fx := x0 j x0 < x < x0 + 3g ; [x := x0 j x0 < x < x0 + 3] where the parameter n represents the initial number of sticks. Figure 1 illustrates the possible executions for the Nim example, when the initial number of sticks is 5. We indicate the remaining number of sticks after the angel's move in parentheses (that describes the state in the middle of the atomically executed action). Paths ending with L correspond to aborting executions (losing, i.e., the demon wins) while paths ending with W correspond to miraculous executions (the angel wins). Note that the winning strategy is for the angel to start by taking two sticks (i.e., choose the left branch) and regardless of whether the demon took one or two, the next time the angel can take all the remaining sticks. 8

5

 PPP  PP 

(3)

(4)P

? ?

PP PP

?? @@

??

?@ ? @

1

? ?

2

?@ ? @

2

3H

HH

(2)

(0)

(0)

(1) (0)

(1) (1)

W

W

0

0

0

0

1

L

L

L

(0)

W

L

? @@ ?

W

Figure 1: Possible executions of Nim, with x = 5 initially

3.2 Game trees

The tree in Figure 1 gives an intuitive picture of the possible paths that execution of the game can follow. We shall now describe a slightly dierent and formally de ned notion of trees that describe an arbitrary action game. By a game tree we mean a tree with predicate nodes (labelled with predicates, i.e., sets of states, from which the demon is to select a state) and state nodes (labelled with states, from which the angel is to decide what the next predicate is) in strict alternation, where  the root node is a predicate node,  a predicate node is labelled with a predicate p if and only if for each  2 p there is exactly one child (a state node) labelled with , and  leaf nodes occur as follows: { A leaf node labelled > follows after any predicate node containing the empty predicate false (this models miraculous termination), and { A leaf node labelled ? can occur as the only node following any state node (this models abortion). A game tree may be in nitely branching and it may contain in nite paths. 9

Figure 2 illustrates a game tree. Here, state nodes (states) are shown as bullets (  ) and predicate nodes (predicates) as circles ().



? @@ ?  

?@

? @?@ ?

>?



?

@ @

@

?

?@

? ? @

Figure 2: Game tree Intuitively, a game tree is generated by repeated execution of a predicate transformer T as follows. Given a state node labelled with a state , there is one child for each predicate p such that the angel can guarantee that execution of T in initial state  establishes p. Then (provided p 6= false) there is one child for each state 0 such that 0 2 p holds. Thus, we think of execution of T as taking place in two steps, according to the normal form fT^g ; [3]. We return to this below. We shall now describe how an action game A = (p; T ) generates a game tree, when the action T is thought of as executed as a two-step game according to its normal form. This means that in any given state  1. the angel rst chooses a predicate p such that T: p:  holds (if there is no such predicate then the execution has aborted), and 2. the demon then chooses a state 0 in p (if p is empty then the execution has become miraculous) and then step 1 is repeated for state 0, etc. Thus, the possible executions of action system A = (p; T ) give rise to a game tree which is exactly the tree generated by T with root p. This tree is the game tree G (A) generated by the action game A. Game trees generated by action games satisfy the following additional conditions:

 for each angelic node labelled  there is exactly one demonic child node for each predicate p such that T: p:  (and a single ?-node if :T: true: ).  if an angelic node labelled with state  has a child labelled with predicate p, and p  q, then there is also a child labelled with q. 10

 nodes with identical labels have identical subtrees. The second condition is a consequence of the fact that the action is a monotonic predicate transformer, while the third condition is a consequence of the fact that the children of a node depend only on the node itself, not on the \history" leading to that node. Figure 3 illustrates the game tree for the Nim example, when the initial number of sticks is 5 (the initial predicate is singleton). Here we have only shown the minimal predicates that the angel can choose (as was noted in Section 3.4, these are sucient for all analysis purposes when the action is continuous, as here, or conjunctive). States (predicates) are indicated as values (sets of values) for x. Note that each angelic choice in this tree leads to a set of states that the demon can establish, rather than a single state. For example, when there are ve sticks and the angel removes two, then (because three remain) the demon can make the number of sticks one or two, so the demonic node contains the predicate f1; 2g.

f5g 5

 PPP PP  

f2;P3gP

f1; 2g

? ?

?@ ? @

1

? ?

2

?@ ? @

2

? ? @@

PP P

3

? HH ? H

fg

fg f0g fg f0g f0g

>

>

0

>

?

f0; 1g

? @@ ?

0

0

0

1

?

?

?

fg >

Figure 3: Game tree for Nim

3.3 Behaviours and strategies

In some situations, it is useful to extend the state space  with two elements (which we call improper states): ? (standing for abortion or nontermination) and > (standing for a miracle). The augmented state space + =  [f?; >g 11

is a complete lattice when ordered by the following approximation relation:   0 =^  = ? _  = 0 _ 0 = > Furthermore, we accept > 2 false and ? 62 true as being true (this can be considered an abuse of notation, but it is useful in semantic arguments where it means certain case splits can be avoided). Figure 4 illustrates the ordering on states.

>

 @H ?H  HH  ?? @@  H     HH @  ? H  H ?  @ H ? @



?

Figure 4: State ordering A behaviour is a sequence t = (t0; t1; : : :) of states (including ? and >). Behaviours can be  in nite, containing only proper states,  aborting, i.e., ending with an in nite repetition of ?, or  miraculous, i.e., ending with an in nite repetition of >. The improper states ? and > may only occur as part of an in nite repetition of ? (or >) at the end of a behaviour. Intuitively, this means that recovery from abortion or miracle is not possible. Finite, properly terminating behaviours can also be modelled, but they require extra information that describes under what conditions termination can occur. We return to this in Section 7. A strategy f (for the angel) for game tree G is a rule that resolves all angelic choices in the game tree G. The strategy induces a function f that, when applied to the game tree G, yields the result of removing from G, at every state node, all choices (subtrees) except the one indicated by f . For simplicity, we ignore the distinction between f and f . Thus, f: G (the result of applying f to G) is a tree where every state node has exactly one child. Every path in a game tree gives rise to a behaviour; we simply remove every predicate node in the path and if the path ends in ? or > we repeat that 12

nal improper state inde nitely. Thus the tree f: G can also be interpreted as a set of behaviours (state sequences): t 2 f: G holds if and only if t is the result of removing all predicate nodes from a complete path in the tree f: G and repeating the nal (improper) state inde nitely if the path is nite (this is illustrated by the example in Section 3.2). Figure 5 illustrates applying a strategy to a game tree. The strategy can be graphically characterised as \choose the rightmost branch" (note that game trees are unordered, so such a characterisation makes sense only with respect to a speci c picture).

p0

? @@ ? 0 0 0@ ? @ ? @ @

p1

? ?

>



p01



?

?@ ? @0

1

1

? @@ ? 0

? p2

p2

p0

?? @ @ 0 0 0@ @ @ @



p1



?@ ? @ 0 1 1@ @



?



?

p2

Figure 5: Applying a strategy to a game tree Now assume that G is the game tree for Nim (Figure 3) and that f is the strategy where the angel always removes the smallest possible number of sticks (this corresponds to choosing the rightmost branch in Figure 3; the \pruned" tree is shown in Figure 6). Then the following two behaviours belong to f: G: (5; 2; 0; ?; ?; ?; : : :) (5; 3; 1; >; >; >; : : :)

3.4 Ordering of behaviours and game trees

The approximation order on states is rst extended to behaviours: t  t0 =^ (8i  ti  t0i) When t  t0 holds we say that t approximates t0. By pointwise extension, behaviours ordered by approximation form a complete lattice. The bottom element is the immediately aborting behaviour (?; ?; ?; : : :) while the top element is the immediately miraculous behaviour (>; >; >; : : :). 13

f5g 5P

PP P P

f2;P3gP

? ?

2

@ @

PP P

3H

f0g

HH

f0; 1g

?@ @ ?

0

0

1

?

?

fg >

Figure 6: Pruned game tree for Nim We now de ne approximation on the level of game trees as follows: G  G0 =^ (8fa over G  9fa0 over G0  8t0 2 fa0 : G0  9t 2 fa: G  t  t0) In other words, G  G0 holds i for every strategy for the angel over G there exists a strategy for the angel over G0 which is at least as good, in the sense that for any behaviour that the demon can achieve in G0 there is an approximating behaviour in G. In short: whatever G guarantees, G0 also guarantees. Note that if there is no angelic nondeterminism (i.e., there is only one child at every angelic node), then the strategies fa and fa0 are uniquely de ned and G  G0 holds if and only every behaviour in G0 is approximated by some behaviour in G. If, additionally, there is no abortion and no miracles, then approximation reduces to traditional behaviour inclusion; G  G0 holds i every behaviour in G0 also occurs in G. If, on the other hand, there is no demonic nondeterminism, then every strategy selects a unique behaviour, so G  G0 holds if and only if every behaviour in G approximates some behaviour in G0. Note that  on game trees is not a partial order. Figure 7 shows (fragments of) two trees that are equivalent. This example also indicates an important feature: if an angelic node has two children labelled p and q with p  q, then the whole subtree starting from q can be removed and the re14

sulting game tree is equivalent to the original one. We can always remove such redundant subtrees, but this is feasible only if the predicates Q in the children of an angelic node have the following property: there is a collection P  Q of \minimal" predicates such that  P contains no supersets: if p; p0 2 P with p  p0 then p = p0, and  every predicate q 2 Q is a superset of some p 2 P . It can be shown that this property holds if the tree is generated by a predicate transformer that is conjunctive or continuous.

0

f1g 1

0

?@ ? @ ? @

f1g

f1; 2g

? ?

1 1

?@

@ @

2

Figure 7: Equivalent game trees The alternating quanti ers make the de nition of the approximation ordering on game trees is quite complex, and it is dicult to check whether approximation holds between two given game trees. However, the angel's choice of a strategy fa0 and the demon's choice of a behaviour t0 2 fa0 : G0 are independent, in the sense that we could as well let the demon choose a (demonic) strategy and then let the angel x its choices to get a behaviour. Let us say that fd is a strategy over G for the demon if g resolves all demonic choices. Then, we can write fd: G for the tree (set) of behaviours that remain after we rst remove all choices (subtrees) except those indicated by fd , and then remove all predicate nodes from the result.

Lemma 1 Approximation between game trees can alternatively be expressed as follows:

G  G0  (8fa over G  8fd0 over G0  9t0 2 fd0 : G0  9t 2 fa: G  t  t0) This alternative characterisation can also be justi ed intuitively: Assume that the angel uses strategy fa over G in order to enforce traces that have 15

some desirable property. Now assume that the demon tries to prevent this in G0, by choosing strategy fd0 . The de nition says that the angel can enforce some trace t0 which is the approximation of some desirable trace t (so t0 itself is desirable).

4 Action games and temporal properties In traditional descriptions of nondeterministic systems, a (temporal) property is said to hold of the system, if and only if it holds along every possible execution sequence. When angelic nondeterminism is involved, it is sucient that the the angel can enforce an execution sequence where the property in question holds. In this section, we make this idea formal for simple temporal properties, and show how temporal properties of interactive systems can be veri ed.

4.1 Simple temporal properties

We start by de ning basic temporal properties over behaviours and then generalise them to game trees. We restrict ourselves to two basic notions of temporal logic (always and until), to explore the general ideas. Let t be a behaviour and q and r predicates. We de ne the two basic temporal properties by saying what it means for the behaviour t to satisfy the properties 2q (always q) and q U r (q until r):

t j= 2q i (8i  ti 2 q) t j= q U r i (9i  ti 2 r ^ (8j < i  ti 2 q)) Using these basic properties, we can de ne, e.g., eventuality by }q =^ true U q . We extend satisfaction of temporal formulas from single behaviours to game trees, as follows: G j=  holds if and only if there is a strategy f over G for the angel such that t j= , for every t 2 f: G. Thus, G j=  means that the angel can enforce the property , i.e., make sure that it becomes true.

4.2 Temporal predicate transformers

An action game A = (p; T ) is said to satisfy a temporal property  if G (A) j= . We shall now investigate how this notion of satisfaction can be expressed (and veri ed) in a simple fashion, similar to the way in which = -calculus is used to reason about temporal properties in event-based systems [9]. 16

In this analysis, we will make use of the notion of the weakest temporal precondition operator of an action T with respect to certain temporal formulas. The intuition is that wtp(T; ) is the weakest predicate (i.e., the largest set of states) p such that G (p; T ) satis es : wtp(T; ) =^

[

fp j G (p; T ) j= g

The following lemma characterises weakest temporal preconditions for always- and eventually-properties: Lemma 2 Assume that predicate p and monotonic predicate transformer T are given. Then (a) wtp(T; 2q) = (x  q \ T: x), and (b) wtp(T; q U r) = (x  r [ (q \ T: x)). For (a), we abbreviate (x  q \ T: x) = q0. Now consider the game tree with root p0 = wtp(T; 2q) generated by T . By the de nition of satisfaction, every state  in p0 is characterised by the fact that it satis es  2 q and furthermore, the angel must be able to choose a predicate p0 such that T: p0:  and (p0; T ) satis es 2q. Since p0 is the greatest predicate with this property, we have  2 p0   2 q ^ (9p0  T: p0:  ^ p0  p0) Thus we have

Proof

 2 p0

 fpreceding argumentg  2 q ^ (9p0 T: p0:  ^ p0  p0)  fT is monotonicg  2 q ^ T: p0:   fset notationg  2 q \ T: p0 

Since this holds for all , we get p0 = q \ T: p0 so p0 = wtp(T; 2q) is a xpoint of (x  q \ T: x). To see that p0 is the greatest xpoint, it is sucient to show that q0  p0, and this in turn follows if we can show G (q0; T ) j= 2q. For this, we note that the root of G (q0; T ) 17

is q0 = q \ T: q0 which means that every state that the demon can choose is in q and after that, the angel can choose q0 as the next predicate. Thus, by induction, q will hold in every state if the angel follows the strategy \always chose the predicate q0". For (b), we use a dierent kind of argument. We know that (x  r [ (q \ T: x)) is the limit of a chain (which is indexed by ordinals rather than by natural numbers if the angel is forced to oer the demon an in nite choice in some situation) of approximations q, de ned by q0 = false q+1 = r [ (q \ T: q) q = ([ <   q ) for limit ordinals  Now, e.g., q2 characterises those states where either r holds immediately or q holds and the angel can make sure that q continues to hold until r is established, which will happen in less than two steps. Similarly, the approximation q characterises those states from which the angel can guarantee that q holds until r is established, and if we set a \counter" at  and decrease it after every time the demon has made a choice, then r will be established before the counter runs out. Thus, the limit of these approximations is exactly the set of states which guarantee q U r. 2 As a special case of Lemma 2 (b) we get the following rule for eventuality properties: wtp(T; }q ) = (x  q [ T: x) Note that the right-hand sides of the rules for the always- and eventuallyproperties are familiar from iteration operators over predicate transformers (weak iteration T  and angelic iteration T  [4]): (x  q \ T: x) = T : q (x  q [ T: x) = T : q Earlier de nitions of temporal predicate transformers (in a more restricted setting with only demonic nondeterminism) have generally taken the equations in Lemma 2 as de nitions rather than deriving them from more basic principles [8, 10, 11, 12]. The characterisation in Lemma 2 of the weakest predicates immediately give us the following results for action game satisfaction of temporal properties: Theorem 3 Assume that T is a monotonic predicate transformer and p, q and r are predicates. Then 18

(a) G (p; T ) j= 2q i p  (x  q \ T: x), and (b) G (p; T ) j= q U r i p  (x  r [ (q \ T: x)). This shows how reasoning about temporal properties is reduced to xpoint reasoning about predicate transformers. This is explored further and illustrated with examples below.

4.3 Proof methods for temporal properties

Theorem 3 gives us a basis for using traditional invariant-based methods for proving temporal properties of action games. Consider an action game A = (p; T ). The induction rule for greatest xpoints justi es a simple invariant rule for proving always-properties:

pI

I  T: I I  q G (A) j= 2q

Here I is the invariant that is constantly maintained. Similarly, a traditional variant-invariant argument used for least xpoints works for until-properties: p  r [ I I  q :r \ I \ (t = w)  T: ((r [ I ) \ t < w) G (A) j= q U r where I is again the invariant and t (the variant) is some state function ranging over a well-founded set. This rules is veri ed as follows. Assume p  r [ I and I  q and :r \ I \ (t = w)  T: (r [ (I \ t < w)) p  (x  r [ (q \ T: x)) ( fassumptions p  r [ I and I  q, monotonicityg r [ I  (x  r [ (I \ T: x)) ( fleast xpoint ruleg (8w  (r [ I ) \ (t = w)  r [ (I \ T: ((r [ I ) \ t < w)) ( fshunting, simpli cationg (8w  :r \ I \ (t = w)  T: ((r [ I ) \ t < w) ( fthird assumptiong T

and Theorem 3 then shows that G (A) j= q U r holds. As a special case of this rule, we have: p  q [ I :q \ I \ (t = w)  T: ((q [ I ) \ t < w) G (A) j= }q 19

5 Re nement, data re nement and simulation The notion of approximation between game trees generalises the traditional notion of behaviour inclusion, which is the basis for re nement between state-based systems. We now consider the corresponding generalisation of re nement, which has the same basic intuition: anything that a system can be used for, a re ning system can also be used for (from the point of view of the re ning system, the motto is \Anything you can do, I can do better!" { or, to be precise, ". . . at least as well".). In other words, re nement means decreasing demonic nondeterminism and abortion while in creasing angelic nondeterminism and miracles.

5.1 Re nement of action games The approximation relation on game trees immediately induces a de nition of re nement between action games:

A v A0 =^ G (A)  G (A0) The re nement is easily seen to be a preorder (re exive and transitive). Action game re nement is consistent with re nement of predicate transformers, in the following sense:

Theorem 4 Assume that action games A = (p; T ) and A0 = (p0; T 0) are given. Then A v A0 holds if (i) p  p0, and (ii) T v T 0. Proof Assume that a strategy fa over G (A) for the angel and a strategy fd over G (A0) for the demon are xed. Then we can make all angelic choices in G (A0) according to fa and all demonic choices in G (A) according to fd and the result is a common behaviour. 2 This gives us a method for proving re nement (a global property) between action games by reducing it to re nement between the actions (a local property).

20

5.2 Data re nement

In practice we want to compare systems that work on dierent state spaces. If A = (p; T ) works on state space  (the abstract system) and A0 = (p0; T 0) works on state space ? (the concrete system), we can compare them if there is a reasonable way of interpreting states in ? to be encodings of corresponding states in . For this, we de ne data re nement with respect to relation R : ? $  successively for behaviours, game trees and action games, as follows:  s R t i (8i  si = ? _ R: ti: si _ ti = >),  G R H i for any strategy fa over G for the angel and any strategy fd over H for the demon there are behaviours s 2 fa: G and t 2 fd: H such that s R t, and  A vR A0 i G (A) R G (A0). In the data re nement, R is called the data relation. Note that ordinary re nement is a special case of data re nement, when R is the identity relation, i.e., when R: 0:   ( = 0).

5.3 Game simulation

Simulation is a way of proving global correspondence by proving it locally, step by step. Simulation can be used to prove data re nement (a global property) of action games. For simulation, we make use of decoding statements [6], and in our case a decoding statement is simply a universally disjunctive predicate transformer, i.e. a predicate transformer of he form fQg.

Theorem 5 Assume that R is a data relation, and that action games A = (p; T ) and A0 = (p0; T 0) and decoding statement D = fQg are given. Then A vR A0 holds if (i) Q  R, (ii) p0  D: p, and (iii) D ; T v T 0 ; D. Proof We use the characterisation in Lemma 1. Assume that conditions

(i){(iii) are satis ed and that strategies fa over G (A) for the angel and fb 21

over G (A0) for the demon are xed. We then construct behaviours s and t such that s Q t holds (from which follows s R t by assumption (i)). If q is empty, then the only possible behaviour of A0 is the miracle behaviour, and the re nement holds vacuously. Otherwise, the strategy fd xes t0 2 q. Condition (ii) then expands to (8  2 p0 ) (9   2 p ^ Q: : )) which shows that the demon can choose a state s0 in p related by Q to t0. Now, strategy fa xes a predicate q such T: q: s0 (if no such predicate exists, then the behaviour s is aborting and the construction is nished). Then the angel can choose D: q, since

T 0: (D: q): t0

( fassumption (iii)g D: (T: q): t0

 fde nition of Dg (9 Q: t0:  ^ T: q: )  fs0 is witnessg 

T

Now we have the initial states s0 and t0 of the two behaviours constructed and predicates q and q0 = D: q satisfying (ii), so we can repeat this process and thus we construct the two behaviours inductively, step by step. 2 Figure 8 illustrates the zig-zag construction (from left to right) of the simulation in this proof. Here Q indicates states and  related by Q, and fQg indicates predicates q and q0 such that q0  fQg: q. A dashed arrow indicates a connection where the endpoint (a state or a predicate) was constructed during the proof. This notion of simulation corresponds to what is traditionally known as forward or downward simulation. In traditional systems (with only demonic nondeterminism) there is a dual notion of backward (or upward) simulation, but it is not applicable when angelic nondeterminism is present. The reason for this is that the \zig-zag" argument used here allows us to build corresponding behaviours step by step from the beginning (forwards) but not from successively longer pre xes (backwards), not even if nondeterminism is bounded. 22

p

s ^ q  3 - 0 T - 3 

6

fQg p?0

Q -

3 t0 T^0

- 6

fQg  q0

- ?

T^

fQg

Q

3

-



-

T^ 0



- ?

Figure 8: Simulation construction

6 Observable traces and trace re nement An important special case of data re nement is when the state spaces  and ? have common (global) variables u and the data relation R relates states and  if and only if the value of u in is equal to the value of u in . In this case, the simulation relation Q needs to x some relationship between the local variables of the states and . We shall now investigate this situation is more detail.

6.1 Observation, stuttering, and traces

The states of a computation may contain hidden components, so that only part of each state is observable. We let o:  stand for the observation of  (for simplicity, we overload the symbol o to stand for observation on all state spaces). If t is a behaviour we write o: t for the pointwise application of o over t;

o: t = (o: t0; o: t1; : : :) with the convention that o: ? = ? and o: > = >. In practice, the observation function o extracts certain (global) variables and discards the other (local)

variables of the state. A stuttering step in a behaviour t is one where o: ti = o: ti+1. Such a step cannot be observed externally, since it is impossible to tell whether it is really a computation step or only a delay. When a computation is observed, what is observed is not a complete behaviour, but a trace, i.e., the result of applying the observation function 23

and removing all nite stuttering (in nite stuttering cannot be removed, since that would mean turning an in nite behaviour into a nite one). We de ne the trace t\ of a behaviour t to be result when all nite stuttering is removed from o: t.

6.2 Trace re nement

We want to allow that the common behaviours that the de nition of re nement talks about dier from each other with regard to stuttering. For this, we de ne stuttering-insensitive versions of approximation and re nement:  s \ t i s\  t\,  G \ H i for any strategy fa over G for the angel and any strategy fd over H for the demon there are traces s 2 fa: G and t 2 fd: H such that s \ t, and  A v\ A0 i G (A) \ G (A0). When A v\ A0 we say that A is trace re ned by A0. Trace re nement is a preorder but obviously not a partial order. It induces an equivalence relation: two action games are trace equivalent, written A =\ A0 if each is a trace re nement of the other. Exactly as in the case of behaviours, we can de ne a data re nement relation v\R based on traces. Here, we concentrate on the special case of trace re nement (i.e., the case when the index relation R is the identity relation).

6.3 Stuttering-insensitive simulation

Compared with proving behaviour-based re nement, there are two things to note when devising a method for proving trace re nement:  trace re nement is similar to data re nement, with data relation R: :   (o: = o: ), and  we want to permit one action games (typically the re ned one) to make stuttering steps without requiring the other system to make a corresponding step. We shall now give two rules for proving trace re nement. Both introduce stuttering in the concrete (re ning) system by means of a separate stuttering action U ; in one case stuttering is chosen by the angel and in the other by the demon. 24

Theorem 6 Assume that A = (p; T ) and A0 = (p0 ; T 0 t U ) are action games, D is an abstraction statement D = fQg, and g and h are predicates such that (i) Q: :  ) (o: = o: ),

(ii) p0  D: p, (iii) D ; T v [g] ; T 0 ; D and D v [h] ; U ; D (iv) D: true  g [ h and G (h; U ) j= }g Then A v\ A0.

Proof We show how the proof of Theorem 5 is modi ed to this new situation, where a concrete U -step is matched by an abstract skip-step (note that the second condition in (iii) can be written D ; skip v [h] ; U ; D). The forward

construction works as before whenever we have a concrete state in g. So now assume that we have states and  related by Q but with :g: . Then we shall construct a stuttering step-pair (angelic + demonic) according to U . By assumption (iv) we know h: (since Q: :  ) D: true: ). We have

Q: : 

) fde nition of Dg D: fg: ) fassumption (iii) and h: g U: (D: fg):

so the angel can choose the predicate D: fg for a next step on the concrete level. Whatever state 0 2 D: fg the demon then chooses, this will correspond to stuttering on the abstract level because

D: fg: 0

) fde nition of Dg Q: 0: 

) fassumption (i)g

o: 0 = o:  (and if D: fg = ; then the concrete trace is miraculous and we are done). Thus, whenever the concrete action games has reached a state in h, the angel can initiate a step that corresponds to a stuttering step on the abstract level, keeping the abstraction relation intact. Now we must only make sure 25

that this stuttering does not go on forever. In other words, eventually the angel must be able to make a choice that guarantees an abstract step. The condition G (h; U ) j= }:h guarantees this, since it means that within a nite number of states we get to a state 00 such that both Q: 00:  and g: 00 hold and we can continue with a regular (non-stuttering) step. 2 The case when stuttering is chosen by the demon is similar (the proof is also similar, so we omit it), but with a slight dierence. Theorem 7 Assume that A = (p; T ) and C = (p0; T 0 u U ) are action games and D is an abstraction statement D = fQg, such that (i) Q: :  ) (o: = o: ), (ii) p0  D: p, (iii) D ; T v T 0 ; D and D v U ; D (iv) G (D: true; U ) j= }(U: false) Then A v\ A0. It is easy to check that the rules in Theorems 6 and 7 work out the same way for cases when the choice of stuttering is deterministic, using the fact that a deterministic choice can be expressed either using angelic or demonic choice: fgg ; T 0 t f:gg ; U = [g] ; T 0 u [:g] ; U Figure 9 illustrates the simulation construction when stuttering occurs in the abstract system.

7 Termination We model termination by adding a new improper state + that is repeated inde nitely at the end of a terminating behaviour. The de nition of approximation on the level of states is still the same:   0 =^  = ? _  = 0 _ 0 = > as are the de nitions of approximation for behaviours and game trees. Thus, we have essentially just added a new improper state + which behaves like ? and > except that its place in the ordering of states is like that of proper states. 26

p



3

6

fQg q?

T^



fQg

Q

3

-

3



-

T^ 0

?

T^



6 @ A@ I @ @ A @ @ A @ @ A @ @ A @ @ A @ @ A @ @ A @ @ AA R @ U @ - - 

fQg

Q fQg Q

3

U^



3

T^0



Figure 9: Simulation with stuttering

7.1 Terminating action games

We now consider general action games (p; T; qa; qd) where the two exit predicates qa (for the angel) and qd (for the demon) are included. As noted in Section 2.4, we keep the order of decision that we have had so far: the angel can decide rst to terminate if qa holds and if it does not, then the demon may terminate if qd holds. As a result, an action game can now have properly terminating behaviours. In the game tree, we introduce termination as follows: at every angelic node (labelled with state ) we add an extra sequence of choices, one angelic and one demonic. If qa:  holds then the angelic choice is between termination and stuttering (i.e., a node labelled with fg), otherwise only stuttering can be chosen. Similarly, the demonic choice is between termination and stuttering if qd:  holds, and otherwise only stuttering can be chosen. Figure 10 illustrates the additions at a node with state  in the case when both exit predicates hold.

7.2 Trace re nement with termination Trace re nement is easily generalised to systems with termination. When game trees can have paths that end with +, re nement means that if the angel can enforce termination in the re ning system, then the same must be true (i.e., an approximating trace must exist) for the original system. Thus, the de nitions is the same as before:

 s \ t i s\  t\, 27



? ??

+ fg ? ??

+



Figure 10: Game tree with termination

 G \ H i for any strategy fa over G for the angel and any strategy fd over H for the demon there are traces s 2 fa: G and t 2 fd: H such that s \ t, and  A v\ A0 i G (A) \ G (A0). An interesting situation is deterministic termination; if qa = qd = q then the we can think of termination as happening always when q holds (and never otherwise). Figure 11 illustrates this; the two game tree fragments are equivalent, which is seen by examining the possible strategies that the angel can use. On the level of predicate transformers, this corresponds to the rule (S t fpg) u [p] = if p then skip else S fi, which is easily veri ed.





? ? ?

? ? ?

+ fg

+ fg

? ? ?

+

? ? ?



+

Figure 11: Equivalent game trees when qa = qd = q and q:  holds

7.3 Temporal properties

Temporal properties are generalised in a straightforward way to handle nite behaviours: a property of the form 2q holds over a terminating behaviour if q holds for every proper state in the behaviour, and a property of the form 28

q U r holds over a terminating behaviour if there is some proper state where r holds such that q holds for all preceding states in the behaviour.

We can also generalise the temporal predicate transformers to work on triples (T; qa; qd) rather than just on the action T , in an straightforward way. The obvious generalisation of Lemma 2 then holds:

Lemma 8 Assume that A is a monotonic predicate transformer and qa, qd, q and r are predicates. Then (a) wtp((T; qa; qd); 2q) = (x  q \ (qa [ T: x)), and (b) wtp((T; qa; qd); q U r) = (x  r [ (:qd \ q \ T: x)).

Intuitively, the added eect of termination can be explained as follows: Angelic termination can help establish always-properties (by avoiding \bad" states) and demonic termination can prevent establishing until-properties (by causing termination before a \good" state is reached). As a special case of Lemma 8 (b) we have the following result for eventuallyproperties: wtp((T; qa; qd ); }q ) = (x  q [ (:qd \ T: x))

In addition to the standard temporal properties, we can consider termination with a predicate q holding as enforcing a special temporal property nally q (for details and examples, we refer to [7]).

7.4 Re nement and simulation

The basic results about re nement, data re nement and trace re nement can be generalised by considering conditions on the exit predicates (in addition to the conditions already given). First, we generalise Theorem 4 to include termination:

Theorem 9 Assume that general action games A = (p; T; qa; qd) and A0 = (p0; T 0; qa0 ; qd0 ) are given. Then A v A0 holds if (i) p  p0, (ii) T v T 0, (iii) qa  qa0 , and (iv) qd  qd0 . 29

Thus, in a re nement we may give the angel more opportunities to choose termination and the demon less. Next, for data re nement with respect to data relation R, Theorem 5 is changed in a similar way. Theorem 10 Assume that R is a data relation, and that action games A = (p; T ) and A0 = (p0; T 0) and decoding statement D = fQg are given. Then A vR A0 holds if (i) Q  R, (ii) p0  D: p, (iii) D ; T v T 0 ; D, (iv) D: qa  qa0 , and (v) D: (:qd )  :qd0 . Here, the added conditions (iv) and (v) again say that the angel more opportunities to choose termination and the demon less, but this time the decoding that D represents is taken into account. The conditions (iv) and (v) in Theorem 10 are also the ones we need to add for trace re nement in order to generalise Theorems 6 and 7. Note also that if qa = qd = false and qa0 = qd0 = false (i.e., if the systems never terminate normally), then conditions (iv) and (v) are vacuously true and we get the old results back.

8 Veri cation and re nement of action contracts Let us now again consider action contracts of the form C = init p ; (rec X  C ; X []a1 hg1 ia1 []a2


[]an hgn ian ) Assuming a coalition of agents A  , we get the corresponding action game, as follows. We identify all the agents in A with the angel and all other agents with the demon. Furthermore, we reassociate the exit choices so that the angelic exit condition comes rst and then the demonic one (see the argument in Section 2.4). Thus, we have a method of translating an action contract C into an action game A = (p; T; qa; qd), once a coalition A is given. We then say that coalition A can use action contract C to enforce temporal property  (written C j=A ) i G (A) j= . Similarly, if A0 is the action game corresponding to another action contract C 0, then we say that C is trace re ned by C 0 for coalition A (written C v\A C 0 if A v\ A0. 30

8.1 Verifying a temporal property

Let us return to the action contract that models the game of Nim, with two players a and b: N = init x = 100 ; (rec X  hx := x0 j x0 < x < x0 + 3ia ; hx := x0 j x0 < x < x0 + 3ib ; X ) We can show that player a can ensure the temporal property 2(x mod 3 6= 0). The corresponding action game (with a as angel and b as the demon) is (p; T ) where p = (x = 100) T = fx := x0 j x0 < x < x0 + 3g ; [x := x0 j x0 < x < x0 + 3] We can now use the rule for always-properties in Section 4.3, with invariant (x mod 3 6= 0). The three conditions that we need to verify are then 1. x = 100 ) (x mod 3 6= 0) which is trivial, 2. (x mod 3 6= 0)  fx := x0 j x0 < x < x0 + 3g ; [x := x0 j x0 < x < x0 + 3]: (x mod 3 6= 0) which is a correctness property that is easily proved using standard methods (with intermediate predicate (x mod 3 = 0)), and 3. (x mod 3 6= 0) ) (x mod 3 6= 0) which is again trivial. In the same way, we could prove that a can enforce }(x = 2 _ x = 1), using the same invariant (x mod 3 6= 0) and the variant x. This property shows that the angel can force the game to reach a point where there is only one or two sticks left (so the angel can win by removing all the remaining sticks).

8.2 Trace re nement

As an example of trace re nement and stuttering we do a small adjustment to the game of Nim. Instead of having agents make a move during one action execution, we want to make each action execution correspond to a single move. We introduce a local (non-observable) variable z and let the angel set z to the number of sticks to remove and the demon make the actual update to x. The new contract is N 0 = init p0 ; (recX  (C10 []a C20 ) ; X ) where p0 = (x = n ^ z = 0) C10 = hx > 0 ^ z = 0ia ; hz := z j 0 < z < 3 ^ z  xia C20 = h0 < z  xia ; hx; z := x0; z0 j z0 = 0 ^ x0 + z < x < x0 + z + 3ib 31

Here the choice will strictly alternate between the two alternatives C10 and C20 . The corresponding action game is A0 = (p0; T10 t T20) where T10 = fx > 0 ^ z = 0g ; fz := z j 0 < z < 3 ^ z  xg T20 = f0 < z  xg ; [x; z := x0; z0 j z0 = 0 ^ x0 + z < x < x0 + z + 3] Theorem 7 can be used to prove this re nement, with abstraction relation Q given by 0z 2^z x

8.3 Termination

As a small illustration of termination, we can think of an outside observer agent c who can stop the game if exactly half of the sticks remain. If the original number of sticks was 100, then the contract is N 00 = init p0 ; (recX  (C10 []aC20 ) ; X []c hqic ) where p0 = (x = 100 ^ z = 0) C10 = hx > 0 ^ z = 0ia ; hz := z j 0 < z < 3 ^ z  xia C20 = h0 < z  xia ; hx; z := x0; z0 j z0 = 0 ^ x0 + z < x < x0 + z + 3ib q = (x + z = 50) From the point of view of coalition fa; cg, this is a re nement of the contract N 0, since this coalition has been given new capabilities (which the agents in the coalition can decide not to use). The proof of re nement involves only the trivial condition false  q.

9 Conclusion We have developed a framework for reasoning about interactive action contracts. Action contracts generalise traditional action systems to permit interaction modeled by angelic and demonic nondeterminism. We have shown how temporal properties can be de ned and veri ed, extending both traditional temporal reasoning and previous predicate-transformer based formulation of temporal properties. Our notion of re nement generalises traditional behaviourbased notions, and the zig-zag simulation method is also a generalisation of traditional (forward) simulation. The examples in this paper only serve to illustrate the main points; further examples and discussion about the modeling power of action contracts can be found in [7]. 32

We have here considered only two basic temporal operators (always and until). Many interesting properties can be expressed in terms of these, but to express more complex properties (e.g., fairness) we must use nested temporal operators. This should be possible using the same kind of extension as Alur,Henzinger, and Kupferman use to build the extended logic ATL* starting from their alternating-time temporal logic ATL [1]. It is also an open question whether our approach allows reasoning about properties that involve dierent coalitions at the same time.

References [1] R. Alur, T. Henzinger, and O. Kupferman. Alternating-time temporal logic. In Proc. 38th Symposium on Foundations of Computer Science (FOCS), pages 100{109. IEEE, 1997. [2] R.J.R. Back and K. Sere. Stepwise re nement of action systems. Structured Programming, 12:17{30, 1991. [3] R.J.R. Back and J. von Wright. Trace re nement of action systems. In B. Jonsson and J. Parrow, editors, Proc. CONCUR-94, Volume 836 of Lecture Notes in Computer Science, Uppsala, Sweden, 1994. SpringerVerlag. [4] R.J.R. Back and J. von Wright. Re nement Calculus: A Systematic Introduction. Springer-Verlag, 1998. [5] R.J.R. Back and J. von Wright. Contracts, games and re nement. Information and Computation, 156:25{45, 2000. [6] R.J.R. J. Back and J. von Wright. Encoding, decoding, and data re nement. Tech. Rpt. 236, Turku Centre for Computer Science, February 1999. [7] R.J.R. J. Back and J. von Wright. Enforcing behavior with contracts. Tech. Rpt. 373, Turku Centre for Computer Science, November 2000. [8] R. Dijkstra. DUALITY: a simple formalism for the analysis of UNITY. Tech. Rpt. 9404, Rijksuniversiteit Groningen, 1994. [9] E. Emerson. Automated temporal reasoning about reactive systems. In F. Moller and G. Bortwistle, editors, Logics for Concurrency: Structure versus Automata, volume 1043 of Lectures Notes in Computer Science. Springer{Verlag, 1996. 33

[10] W. Hesselink. Programs, Recursion and Unbounded Choice. Cambridge University Press, 1992. [11] J. Lukkien. Operational semantics and generalised weakest preconditions. Science of Computer Programming, 22:137{155, 1994. [12] J. Morris. Temporal predicate transformers and fair termination. Acta Informatica, 27:287{313, 1990.

34

Turku Centre for Computer Science Lemminkaisenkatu 14 FIN-20520 Turku Finland http://www.tucs.abo.

University of Turku  Department of Mathematical Sciences

 Abo Akademi University  Department of Computer Science  Institute for Advanced Management Systems Research

Turku School of Economics and Business Administration  Institute of Information Systems Science