A Full Proofs

Proof (Theorem 1).

Let D = {fi[Xi] = ci}mi=1 and δ be given. We prove

C[[c]]γ;δ⊕δ0 _{= {s : δ}0 _`δ Ds : c} where γ = D[[D]]δ_. “⊇”: Define δ0 |=δ D s : c ⇐⇒ s ∈ C[[c]] γ;δ⊕δ0

. We prove by induction on the derivation of δ0 `δ

Ds : c that δ0 |= δ Ds : c.

δ0 _`δ

Dhi : Success We need to show that δ0 |= δ

D hi : Success. This follows immediately

from C[[Success]]γ;δ⊕δ0 _{= {hi}.}

X 7→ v `δ Ds : c (f (X) = c) ∈ D, v = Q[[a]]δ⊕δ 0 δ0 `δ Ds : f (a) Assume X 7→ v |=δ D s : c (induc-

tion hypothesis) with v = Q[[a]]δ⊕δ0 _{and (f (X) = c) ∈ D. We need to show that}

δ0|=δ Ds : f (a). By definition we have C[[f (a)]]γ;δ⊕δ0_{= γ(f )(Q[[a]]}δ⊕δ0₎ (by def. of v) = γ(f )(v) (by def. of γ) = C[[c]]γ;δ⊕X7→v and thus, since X 7→ v |=δ

Ds : c by induction hypothesis, we can conclude that δ0 |=δD

s : f (a). δ ⊕ δ00|= P δ00`δ Ds : c (δ00= δ0⊕ {X 7→ v}) δ0`δ Dtransmit(v) s : transmit(X|P ). c Assume δ ⊕ δ00|= P and δ00 _|=δ D

s : c where δ00 _{= δ}0 _{⊕ {X 7→ v}. We need to show that δ}0 _|=δ

D transmit(v) s :

transmit(X|P ). c.

Since δ ⊕ δ00 |= P and δ00 _|=δ

D s : c it follows immediately from the definition of

C[[transmit(X | P ). c]]γ;δ⊕δ0 _{that δ}0_|=δ Dtransmit(v) s : transmit(X|P ). c. δ0 `δ Ds1: c1 δ0 `Dδ s2: c2 (s1, s2) s δ0 `δ Ds : c1k c2 Assume δ0 |=δ D s1 : c1, δ0 |=δD s2 : c2 and

(s1, s2) s. We need to show that δ0 |=δDs : c1k c2.

From the assumptions and the definition of C[[c1k c2]]γ;δ⊕δ

0

it follows immediately that δ0|=δ Ds : c1k c2. δ0 `δ Ds1: c1 δ0 `δDs2: c2 δ0`δ Ds1s2: c1; c2

Immediate from the definition of C[[c1; c2]]γ;δ⊕δ

0 . δ0`δ Ds : c1 δ0 `δ Ds : c1+ c2

Immediate from the definition of C[[c1+ c2]]γ;δ⊕δ

0 . δ0`δ Ds : c2 δ0 `δ Ds : c1+ c2

Immediate from the definition of C[[c1+ c2]]γ;δ⊕δ

0

.

“⊆”: We prove C[[c]]γ;δ⊕δ0 _{⊆ {s | δ}0_`δ Ds : c}.

Define γ0(fi) = λv.{s | Xi7→ v `δDs : ci} for 1 ≤ i ≤ m. (Recall that δ is fixed.)

Claim: C[[c]]γ0;δ⊕δ0 _{= {s | δ}0 _`δ

Ds : c} for all δ0.

Proof of claim:

– Consider f (a) for some (f (X) = c) ∈ D. Let v = Q[[a]]δ⊕δ0_{. We need to show that} C[[f (a)]]γ0;δ⊕δ0 _{= {s | δ}0<sub>`</sub>δ Ds : f (a)}. We have: C[[f (a)]]γ0;δ⊕δ0 <sub>= γ</sub>0<sub>(f )(Q[[a]]</sub>δ⊕δ0<sub>)</sub> = γ0(f )(v) = {s | X 7→ v `δDs : c} = {s | δ0 `δ Ds : f (a)}

which concludes this case.

– Consider transmit(X | P ). c. We may assume C[[c]]γ0;δ⊕δ0 _{= {s | δ}0 _`δ

D s : c} for all δ 0_.

We need to show that C[[transmit(X | P ). c]]γ0;δ⊕δ0 _{= {s | δ}0 _`δ

Ds : transmit(X | P ). c}. We have: C[[transmit(X | P ). c]]γ0;δ⊕δ0 = {transmit(v) s | Q[[P ]]δ⊕δ0⊕X7→v= true ∧ s ∈ C[[c]]γ0;δ⊕δ0⊕X7→v} = {transmit(v) s | δ ⊕ δ0⊕ X 7→ v |= P ∧ δ0_{⊕ δ}00_{`</sub>δ Ds : c} = {s0| δ0<sub>`}δ Ds0: transmit(X | P ). c}

which concludes this case.

– The remaining cases are straightforward. From C[[c]]γ0;δ⊕δ0 _{= {s | δ}0_`δ

Ds : c} for all δ0follows immediately that γ0(f ) = λv.C[[c]]γ

0_;δ⊕X7→v

for all (f (X) = c) ∈ D. Since γ = D[[D]]δ _{is the least function with this property, it follows}

that γ v γ0 and thus C[[c]]γ;δ⊕δ0 _{⊆ C[[c]]}γ0;δ⊕δ0 _{= {s | δ}0_`δ

Ds : c} and we are done.

Proof (Lemma 2).

The proof proceeds by structural induction on c assuming (A) for our base language: Q[[∆ ` b[v/X] : τ ]]δ<sub>= Q[[∆ ` b : τ ]]</sub>δ⊕{X7→v

.

We use figure 7 and abbreviate D[[D]]δ _{by γ where appropriate.}

c ≡ Success To show: C[[Success]]γ;δ⊕X7→v_{= C[[Success[v/X]]]}γ;δ_{. We have C[[Success]]}γ;δ⊕X7→v ₌

{hi} = C[[Success[v/X]]]γ;δ_.

c ≡ Failure This case proceeds exactly as the previous except that both sides denote ∅. c ≡ f (b) To show: C[[f (b)[v/X]]γ;δ= C[[f (b)]]γ;δ⊕X7→v. We have: C[[f (b)[v/X]]γ;δ_{= C[[f (b[v/X])]]}γ;δ = γ(f )(Q[[b[v/X]]]δ = γ(f )(Q[[b]]δ⊕X7→v)(by (A)) = C[[f (b)]]γ;δ⊕X7→v

c ≡ transmit(X0| P ). c0 _{To show: C[[transmit(X}0_{| P ). c}0_[v/X]]]γ;δ_{= C[[transmit(X}0_{| P ). c}0_]]γ;δ⊕X7→v_.

We allow α-conversion and may thus assume that X0is chosen such that X ∩ X0= ∅. We have: C[[transmit(X0_{| P ). c}0_[v/X]]]γ;δ₌ C[[transmit(X0_{| P [v/X]). c}0_[v/X]]]γ;δ₌ {transmit(v0_{) s | Q[[P [v/X]]]}δ⊕X0_7→v0 = true ∧ s ∈ C[[c0[v/X]]]γ;δ⊕X07→v0} = {transmit(v) s | Q[[P ]]δ⊕X07→v0_⊕X7→v = true ∧ s ∈ C[[c0]]γ;δ⊕X07→v0_⊕X7→v = {transmit(v) s | Q[[P ]]δ⊕X7→v⊕X07→v0 _{= true ∧ s ∈ C[[c}0_]]γ;δ⊕X7→v⊕X07→v0 ₌ C[[transmit(X0_{| P ). c}0_]]γ;δ⊕X7→v

c ≡ c1+ c2 To show: C[[c1+ c2[v/X]]]γ;δ= C[[c1+ c2]]γ;δ⊕X7→v. We have: C[[c1+ c2[v/X]]]γ;δ= C[[c1[v/X] + c2[v/X]]]γ;δ = C[[c1[v/X]]]γ;δ∪ C[[c2[v/X]]]γ;δ = C[[c1]]γ;δ⊕X7→v∪ C[[c2]]γ;δ⊕X7→v = C[[c1+ c2]]γ;δ⊕X7→v c ≡ c1k c2 Similar to · + · case. c ≡ c1; c2 Similar to · + · case.  Proof (Lemma 1).

We verify that each equation in Figure 8 holds. Note that γ = D[[D]]δ _{in the following.}

C[[e\Failure]]γ;δ_{= C[[Failure]]}γ;δ _{By definition of the residuation operator we have C[[e\Failure]]}γ;δ₌

e\∅ = ∅ = C[[Failure]]γ;δ_.

C[[e\Success]]γ;δ_{= C[[Failure]]}γ;δ _{By definition of the residuation operator we have C[[e\Success]]}γ;δ₌

e\{hi} = ∅ = C[[Failure]]γ;δ.

C[[e\f (a)]]γ;δ_{= C[[e\c[v/X]]]}γ;δ _{This follows from C[[f (a)]]}γ;δ_{= C[[c]]}γ;δ⊕X7→v_{= C[[c[v/X]]]}γ;δ_.

We assume (f (X) = c) ∈ D and v = Q[[a]]δ.

We have C[[f (a)]]γ;δ= C[[c]]γ;δ⊕X7→v by definition of γ and assumption for v. By Lemma 2 this can be rewritten to C[[c[v/X]]]γ;δ, and we are done.

C[[transmit(v)\(transmit(X | P ). c0_)]]γ;δ _{There are two cases to consider:}

– δ ⊕ {X 7→ v} |= P .

To show: C[[transmit(v)\(transmit(X | P ). c0)]]γ;δ= C[[c0[v/X]]]γ;δ. Again we unfold the left-hand side of the equation and the goal is then:

{s0| ∃s ∈ C[[transmit(X | P ). c0]]γ;δ: transmit(v)s0 = s} = C[[c0[v/X]]]γ;δ.

From the denotational semantics we see that C[[transmit(X | P ). c0]]γ;δ_{= {transmit(v) s}0 _|

s0∈ C[[c0_]]γ;δ⊕X7→v_{. What we need to show is then that C[[c}0_]]γ;δ⊕X7→v _{= C[[c}0_[v/X]]]γ;δ_,

which follows immediately from Lemma 2. – δ ⊕ {X 7→ a} 6 |=P .

To show: C[[transmit(a)\(transmit(X | P ). c0)]]γ;δ_{= C[[Failure]]}γ;δ_.

We unfold the left-hand side of the equation using the denotational semantics and the goal is now to show:

{s0| ∃s ∈ C[[transmit(X | P ). c0]]γ;δ: transmit(v)s0= s} = ∅.

Since δ ⊕ {X 7→ a} 6 |=P we know that C[[transmit(X | P ). c0_]]γ;δ_{= ∅, and we are done.}

C[[e\(c1+ c2)]]γ;δ= C[[e\c1+ e\c2]]γ;δ Unfolding the left-hand side gives {s0| ∃s ∈ C[[c1+ c2]]γ;δ:

es0 = s}. The denotation of a choice contract is given by C[[c1+ c2]]γ;δ= C[[c1]]γ;δ∪ C[[c2]]γ;δ.

Any s0will thus be a trace of c1or a trace of c2with a prefix of e removed. The denotation

of the right-hand side is C[[e\c1]]γ;δ∪ C[[e\c2]]γ;δwhich unfolds to {s01| ∃s ∈ C[[c1]]γ;δ: es01=

s} ∪ {s0₂| ∃s ∈ C[[c2]]γ;δ: es02= s}. Thus any s01or s02 is a trace of c1 or c2 with the prefix e

C[[e\(c1k c2)]]γ;δ= C[[e\c1k c2+ c1k e\c2]]γ;δ Rewriting the left-hand side of the equation by

definition of the residuation operator we arrive at the following equation: {s0| ∃s ∈ C[[c1k c2]]γ;δ: es0= s} = C[[e\c1k c2+ c1k e\c2]]γ;δ.

Using the definition of the denotational semantics to rewrite the right-hand side we arrive at:

{s0| ∃s ∈ C[[c1k c2]]γ;δ : es0= s} = C[[e\c1k c2]]γ;δ∪ C[[c1k e\c2]]γ;δ.

From the denotational semantics, we note that the trace set of a parallel contract is an interleaving of the events from both subcontracts:

{s0 | ∃s ∈ {s00| s1∈ C[[c1]]γ;δ, s2∈ C[[c2]]γ;δ: (s1, s2) s00} : es0 = s} = . . .

If e is a prefix of s1 we have the trace set C[[e\c1k c2]]γ;δ and if e is a prefix of s2 we have

the traceset C[[c1k e\c2]]γ;δ. Combining these two sets we conclude what was required.

C[[e\(c1; c2)]]γ;δ=

 (e\c1; c2) + e\c2if D, δ |= Success ⊆ c1

e\c1; c2 otherwise

– D, δ |= Success ⊆ c1.

We unfold the left-hand side and the goal becomes:

{s0| ∃s ∈ {s1s2| ∃s1∈ C[[c1]]γ;δ, s2∈ C[[c2]]γ;δ} : es0= s} = C[[e\c1; c2+ e\c2]]γ;δ.

Unfold the right-hand side {s0_{| ∃s ∈ {s}

1s2| ∃s1∈ C[[c1]]γ;δ, s2∈ C[[c2]]γ;δ} : es0 = s}

= {s0

1s02| ∃s01∈ C[[e\c1]]γ;δ, s02∈ C[[c2]]γ;δ} ∪ C[[e\c2]]γ;δ

• In case s1 = hi, we get that es0 = C[[c2]]γ;δ and C[[e\c1]]γ;δ = ∅. Thus we need to

show that: {s0 | ∃s ∈ C[[c2]]γ;δ: es0 = s} = C[[e\c2]]γ;δ, which is immediate from the

definition of residuation.

• If s1 6= hi there is some s1 in which e occurs as the first event. Thus s = es01s02,

which means s0 = s0₁s0₂ as required. The added C[[e\c2]]γ;δare accounted for by the

previous case. – D, δ |= Success 6 ⊆c1.

We unfold the left-hand side and the goal becomes: {s0_{| ∃s ∈ {s}

1s2| ∃s1∈ C[[c1]]γ;δ, s2∈ C[[c2]]γ;δ} : es0= s} = C[[e\c1; c2]]γ;δ

Unfold the right-hand side {s0_{| ∃s ∈ {s}

1s2| ∃s1∈ C[[c1]]γ;δ, s2∈ C[[c2]]γ;δ} : es0 = s} = {s10s02| ∃s01∈ C[[e\c1]]γ;δ, s02∈ C[[c2]]γ;δ}

Since hi /∈ C[[c1]]γ;δ, we know that e ∈ s1 from which we immediately see that s2= s02;

thus we just need to show that

{s0 | ∃s ∈ {s1| ∃s1∈ C[[c1]]γ;δ} : es0= s} = {s01| ∃s 0

1∈ C[[e\c1]]γ;δ}

. That is,

{s0| ∃s ∈ C[[c1]]γ;δ} : es0 = s} = C[[e\c1]]γ;δ.

Which is exactly the definition of the residuation operator. Proof (Proposition 1).

We show ∀D, δ, δ0, c : δ0 `δ

D hi : c ⇐⇒ D ` c nullable. From this the proposition follows by

“=⇒”: To show ∀D, δ, δ0_{, c : δ}0 _`δ

D hi : c =⇒ D ` c nullable we proceed by induction on

derivations of δ0`δ Ds : c.

δ0 `δ

Dhi : Success We need to show that D ` Success nullable. This follows immediately

from the nullability axiom for Success.

X 7→ v `δ<sub>D</sub>s : c (f (X) = c) ∈ D, v = Q[[a]]δ⊕δ0 δ0 `δ

Ds : f (a)

Assume D ` c nullable (induction hypothesis). We need to show that D ` f (a) nullable, which follows from the nullability inference rule for f (a).

δ ⊕ δ00|= P δ00`δ

Ds : c (δ

00_{= δ}0_{⊕ {X 7→ v})}

δ0`δ

Dtransmit(v) s : transmit(X|P ). c

We need to show D ` transmit(X|P ). c nullable if transmit(v) s = hi. This implication is vacuously true since the assumption transmit(v) s =

hi is false. δ0 `δ

Ds1: c1 δ0 `Dδ s2: c2 (s1, s2) s

δ0 `δ

Ds : c1k c2

Assume (hi, hi) s; that is, s = hi. As- sume furthermore D ` c1 nullable and D ` c2nullable. We need to show that D `

c1k c2 nullable, which follows from the nullability inference rule for c1k c2.

δ0 `δ

Ds1: c1 δ0 `δDs2: c2

δ0`δ

Ds1s2: c1; c2

Immediate from nullability inference rule for c1; c2.

δ0`δ Ds : c1

δ0 `δ

Ds : c1+ c2

Immediate from first nullability inference rule for c1+ c2.

δ0`δ Ds : c2

δ0 `δ

Ds : c1+ c2

Immediate from second nullability inference rule for c1+ c2.

“⇐=”: To show ∀D, c : D ` c nullable =⇒ ∀δ, δ0.δ0 `δ

D hi : c we proceed by induction on

derivations of D ` c nullable. D ` c nullable (f (X) = c) ∈ D

D ` f (a) nullable Assume ∀δ, δ

0_.δ0 _`δ

D hi : c (induction hypothesis).

We need to show ∀δ, δ0.δ0 `δ

D hi : f (a). Let δ, δ0 be arbitrary environments for D

and f (a). From the induction hypothesis it follows that X 7→ v `δ

D hi : c where v =

Q[[a]]δ⊕δ0_{. And, using the satisfaction inference rule for contract application, we arrive}

at δ0`δ Dhi : f (a). D ` c nullable D ` c + c0 nullable Immediate. D ` c0 nullable D ` c + c0 nullable Immediate.

D ` Success nullable Let δ, δ0 be arbitrary environments. Using the satisfaction rule for Success we obtain δ0`δ Dhi : Success. D ` c nullable D ` c0 nullable D ` c k c0 <sub>nullable</sub> Immediate. D ` c nullable D ` c0 nullable D ` c; c0 _nullable Immediate. Proof (Lemma 3).

This is proved by straightforward structural induction on the definition of contracts. The only interesting cases are the cases of a contract application f (a), where (f (X) = c) ∈ D, and sequential composition.

In the first case, we can use the assumption of the Lemma that D ` c guarded, which, by rule application, immediately implies that D ` f (a) guarded.

In the second case, we have the induction hypotheses D ` c1 guarded and D ` c2guarded.

Now, either D ` c1 nullable or D 6` c1 nullable. In either case, we have a rule for concluding

that D ` c1; c2 guarded.

Proof (Theorem 2). (Sketch) 1. We show D, δ `D c

e

−→ c0 _{=⇒ D, δ |= e\c = c}0 _{by induction on derivations of D, δ `} D

c−→ ce 0_{. Each case follows immediately from Lemma 1. In the case of sequential composition}

we also require Proposition 1.

2. Note that, by Lemma 3, D ` c guarded if D is guarded. It is sufficient to show D ` c guarded =⇒ ∀δ∀e∃c0.D, δ `D c

e

−→ c0_{. The fact that c}0 _{is guarded in context D follows}

from Lemma 3, and it is a routine matter to extend the proof cases with a check of uniqueness of c0.

We cannot prove D ` c guarded =⇒ ∀δ∀e∃c0.D, δ `Dc e

−→ c0_{by induction on the definition}

of guaraded contracts, however, since the induction hypothesis is not strong enough in the case of contract application: We would require that c[v/X] has a residual contract for arbi- trary δ, e, but the induction hypothesis only yields that that holds for c. Consequently, we strengthen the lemma and prove D ` c guarded =⇒ ∀δ, e, X, v∃c0.D, δ `Dc[v/X]

e

−→ c0_.

All cases are straightforward except the second rule for sequential composition: To make the induction proof go through we require D 6` c[/X] nullable the last deterministic reduction rule, but the case only carries the assumption D 6` c nullable. Consequently, if we can show that D ` c[/X] nullable =⇒ D ` c nullable, we are done.

Claim: D ` c[/X] nullable =⇒ D ` c nullable.

Proof of claim: By structural induction on c. All cases are straightforward except the rule for contract application. In that case we need to show D ` f (a[v/X]) nullable =⇒ D ` f (a) nullable. Assume D ` f (a[v/X]) nullable. By inspection of the rules for nullability we can see that this must have been concluded from D ` c nullable where (f (Y ) = c) ∈ D. By the same rule we can infer, however, D ` f (a) nullable, and we are done.

Proof (Theorem 3). We prove the two statements 1. If D, δ `N c e −→ c0 <sub>then D, δ |= c</sub>0<sub>⊆ e\c</sub> 2. If D, δ `N c τ −→ c0 _{then D, δ |= c}0_{⊆ c}

by induction on the height of the derivation of D, δ `N c e

−→ c0 _{and D, δ `} N c

τ

−→ c0_{, respec-}

tively. We use definitions in Figures 7, 8 and 12. “Assume...” is used as short-hand for “Assume a derivation with the conclusion...”. Finally, γ abbreviates D[[D]]δ _{in the following.}

Proving 1:

– Assume D, δ `N Success e

−→ Failure. To show C[[Failure]]γ;δ_{⊆ C[[e\Success]]}γ;δ_{= C[[Failure]]}γ;δ_.

Done.

– Assume D, δ `N Failure e

−→ Failure. To show C[[Failure]]γ;δ_{⊆ C[[e\Failure]]}γ;δ_{= C[[Failure]]}γ;δ_.

Done.

– Assume D, δ `N transmit(X | P ). c

transmit(v)

−→ c[v/X] and also δ ⊕ X 7→ v |= P where v = Q[[a]]δ_{. To show C[[c[v/X]]]}γ;δ _{⊆ C[[(transmit(v)\transmit(X | P ). c)]]}γ;δ _{= C[[c[v/X]]]}γ;δ_.

Done.

– Assume D, δ `N transmit(X | P ). c

transmit(v)

−→ Failure and also δ ⊕ X 7→ v 6 |=P where v = Q[[a]]δ_{. To show C[[Failure]]}γ;δ _{⊆ C[[(transmit(v)\transmit(X | P ). c)]]}γ;δ _{= C[[Failure]]}γ;δ_.

– Assume D, δ `N c k c0 e −→ d k c0<sub>and D, δ `</sub> N c e −→ d. To show C[[d k c0_]]γ;δ_{⊆ C[[e\(c k c}0_)]]γ;δ₌

C[[e\c k c0+ c k e\c0]]γ;δ _{= C[[e\c k c}0_]]γ;δ_{∪ C[[c k e\c}0_]]γ;δ_{. By the IH, C[[d]]}γ;δ_{⊆ C[[e\c]]}γ;δ _so

in particular C[[d k c0]]γ;δ_{⊆ C[[e\c k c}0_]]γ;δ_{, which is sufficient.}

– Assume D, δ `N c k c0 e

−→ c k d0 _{and D, δ `} N c0

e

−→ d0_{. Analogous to the above case.}

– Assume D, δ `N c; c0 e −→ d; c0<sub>and also D, δ `</sub> N c e −→ d. To show C[[d; c0_]]γ;δ_{⊆ C[[e\(c; c}0_)]]γ;δ_.

If D, δ |= Success ⊆ c then C[[e\(c; c0)]]γ;δ= C[[(e\c; c0) + e\c0]]γ;δ= C[[e\c; c0]]γ;δ∪ C[[e\c0_]]γ;δ_.

By the IH, C[[d]]γ;δ⊆ C[[e\c]]γ;δ_{so in particular C[[d; c}0_]]γ;δ_{⊆ C[[e\c; c}0_]]γ;δ_{, which is sufficient.}

– Assume D, δ `N c τ

−→ c0 _{and D, δ `} N c0

e

−→ c00_{. By the IH, we have C[[c}0_]]γ;δ_{⊆ C[[c]]}γ;δ _and

C[[c00_]]γ;δ_{⊆ C[[e\c}0_]]γ;δ_{. We need to show C[[c}00_]]γ;δ_{⊆ C[[e\c]]}γ;δ_{. But this follows from the IH}

and monotonicity of residuation: C[[c00_]]γ;δ_{⊆ C[[e\c}0_]]γ;δ_{⊆ C[[e\c]]}γ;δ_.

Proving 2:

– Assume D, δ `N f (a) τ

−→ c[V /X] where (f (X) = c) ∈ D and v = Q[[a]]δ_{. To show}

C[[c[v/X]]]γ;δ_{⊆ C[[f (a)]]}γ;δ_{= γ(f )(v), which holds by definition of γ and Lemma 2.}

– Assume D, δ `N c + c0 τ

−→ c. To show C[[c]]γ;δ_{⊆ C[[c + c}0_]]γ;δ_{= C[[c]]}γ;δ_{∪ C[[c}0_]]γ;δ_{. Done.}

– Assume D, δ `N c + c0 τ

−→ c0_{. Analogous to the above case.}

– Assume D, δ `N c k c0 τ −→ d k c0 <sub>and D, δ `</sub> N c τ −→ d. To show C[[d k c0_]]γ;δ _{⊆ C[[c k c}0_]]γ;δ_,

which follows easily by the IH. – Assume D, δ `N c k c0 τ −→ c k d0 <sub>and D, δ `</sub> N c0 τ −→ d0_{. To show C[[c k d}0_]]γ;δ_{⊆ C[[c k c}0_]]γ;δ_,

which follows easily by the IH. – Assume D, δ `N Success k c

τ

−→ c. To show C[[c]]γ;δ_{⊆ C[[Success k c]]}γ;δ_{, holds trivially.}

– Assume D, δ `N c k Success τ

−→ c. To show C[[c]]γ;δ_{⊆ C[[c k Success]]}γ;δ_{, holds trivially.}

– Assume D, δ `N Success; c0 τ

−→ c0_{. To show C[[c}0_]]γ;δ_{⊆ C[[Success; c}0_]]γ;δ_{, holds trivially.}

– Assume D, δ `N c; c0 τ −→ d; c0 <sub>and D, δ `</sub> N c τ −→ d. To show C[[d; c0_]]γ;δ_{⊆ C[[c; c}0_]]γ;δ_{, which}

follows easily by the IH.

 Proof (Theorem 4). The proof is by induction on the derivation of D, δ `Dc

e

−→ c0_.

– D, δ `DSuccess e

−→ Failure. Clearly no τ -transitions can be taken in the non-deterministic reduction system. However, there is just one contract c1 such that D, δ `N Success

e

−→ c1

which is Failure. We must then show: D, δ |= Failure ⊆ Failure. By definition D, δ |= Failure = ∅, so we must show ∅ ⊆ ∅ which is trivially true.

– D, δ `DFailure e

−→ Failure. Again no τ -transitions are possible. There is just one contract c1such that D, δ `N Failure

e

−→ c1namely Failure. We must show D, δ |= Failure ⊆ Failure,

which is true since ∅ ⊆ ∅. – D, δ `Dtransmit(X|P ). c

transmit(v)

−→ c[v/X] where δ ⊕ X 7→ v |= P and v = Q[[a]]δ. In this case we can only do the reduction D, δ `N transmit(X|P ). c

transmit(v)

−→ c[v/X]. Now we must show D, δ |= c[v/X] ⊆ c[v/X], which is obviously true.

– D, δ `D transmit(X|P ). c

transmit(v)

−→ Failure and δ ⊕ X 7→ v 6 |=P where v = Q[[a]]δ_{. No}

τ -transitions are possible and only one contract c1 exists such that

D, δ `Dtransmit(X|P ). c

transmit(v)

−→ c1,

so c1= Failure. This means we must show D, δ |= c[v/X] ⊆ c[v/X] which clearly holds.

– D, δ `Df (a) e

−→ c0_{. This implies that (f (X) = c) ∈ D and D, δ `}

Dc[v/X] e −→ c0_{with v =} Q[[a]]δ_{. By a derivation of D, δ `} D c[v/X] e

−→ c0 _{we use the IH to get contracts c}

1, . . . , cn such that D, δ `N c[v/X] τ ∗ −→ c00 i e −→ c0 _{and D, δ |= c}0 _⊆ Pn

i=1ci. However we need to

show D, δ `N f (a) τ ∗ −→ c00 i e −→ ci and c0 ⊆ P n

i=1ci, the latter of which follows directly

from the IH. By the non-deterministic reduction rules, f (a) has just one reduction D, δ `N

f (a)−→ c[v/X]. Thus we can extend all reductions of D, δ `τ N c[v/X] τ ∗

−→ c00 i

e

−→ ci with

one more τ -transition giving reductions D, δ `N f (a) τ ∗

−→ c00 i

e

– D, δ `D c + c0 e

−→ d + d0_{. This implies that D, δ `} D c

e

−→ d and D, δ `D c0 e

−→ d0_{. From}

the non-deterministic reduction rules we see that c + c0 may be reduced by a τ -transition

In document Compositional Specification of Commercial Contracts (Page 34-47)