A Game Interpretation of Retractable Contracts

In the setting of contract theory, retractable contracts have been defined to formalize binary session protocols where the partners can go back to certain particular synchronization points when the session gets stuck, looking for a successful state, if any. In the present paper we propose a three-party game-theoretic interpretation of client/server systems of retractable contracts. In particular, we show that a client is retractable-compliant with a server if and only if there exists a winning strategy for a particular player in a game-theoretic model of contracts. Such a player can be looked at as a mediator, driving the choices in the retractable points. We show that winning strategies for the mediator player correspond to orchestrators in a system of orchestrated client/server sessions, and vice versa.

The notion of contract has been proposed as an abstraction to formally specify and check the behaviour of software systems, and especially of web services. In particular, in the setting of service-oriented architectures the concept of agreement, often called compliance, is of paramount importance while searching components and ensuring that they will properly collaborate with each other. The main challenge is that compliance has to meet the contrasting requirements of guaranteeing correctness of interactions w.r.t. certain safety and liveness conditions, while remaining coarse enough to maximize the possibilities of finding compliant components in a library or services through the web.
The main conceptual tool to face the issue is that of relaxing the constraint of a perfect correspondence among contracts through contract refinement, also called sub-contract [9,8] and sub-behaviour [3] relations, that is pre-order relations such that processes conforming to more demanding contracts (which are lower in the pre-order) can be safely substituted in contexts allowing more permissive ones. Indeed contract refinement closely resembles subtyping, as it is apparent in the case of session types [10,3], and it is related to (but doesn't coincide with) observational pre-orders and must-testing in process algebra [11,6].
However, since the first contributions to the theory of contracts [9], a rather different approach has been followed, based on the idea of filtering out certain actions that, although unmatched on both sides of a binary interaction, can be neglected or prevented by the action of a mediating process called the orchestrator [14,13], without compromising the reaching of the goals of the participants, like the satisfaction of all client requests in a client-server architecture.
An alternative route for the same purpose is to change the semantics of contracts so that interacting processes can adapt each other by means of a rollback mechanism: these are the retractable contracts proposed in [4]. Although compliance can be decided in advance, interaction among processes exposing retractable contracts undergoes a sequence of failures and backtracks that might be avoided by extracting information from the compliance check.
The contribution of the present paper is to show that the two approaches of orchestrated and retractable compliance are indeed equivalent, at least in the case of session contracts (see [2,3], where they are dubbed "session behaviours"), which are contracts that limit the non-determinism by constraining both external and internal choices to a more regular form. More precisely, we consider contracts that are syntactically the same as retractable ones, but instead of adding rollback to the usual contract semantics, we abstractly define outputs in an external choice as affectible actions: their actual sending can be influenced by the partner in a binary session or by some entity external to the system. Affectible actions correspond to retractable actions in [4].
The essence of the construction is that (an appropriate restriction of) orchestrators correspond to winning strategies in certain concurrent games that naturally model retractable contracts. In [5] the theory of contracts has been grounded on games over event structures among multiple players; applying this framework to retractable contracts, the interaction among a client and a server can be seen as a play in a three-party game. Player A moves according to the unaffectible actions of the client; player B moves according to the unaffectible actions of the server, whereas moves by player C correspond to affectible actions on both sides, namely the retractable agreement points of the system. The client ρ is hence affectible-compliant with the server σ whenever C has a winning strategy in the game with players A and B, where player C wins when she succeeds in leading the system ρ σ to a successful state (the client terminates) or the interaction proceeds indefinitely without deadlocking.
The payoff of the game theoretic interpretation is that there is a precise correspondence between winning strategies for player C and elements of a class of orchestrators in the sense of [14]. Such a correspondence is of interest on its own, since strategies are abstract entities while orchestrators are terms of a process algebra and concrete witnesses of the agreement among participants of a session. Moreover, we can decide whether a client-server pair is reversible-compliant by means of an algorithm that synthesizes an orchestrator if any, or reports failure.

Affectible contracts and retractable compliance
Affectible session contracts (affectible contracts for short) are a variant of retractable contracts in [4]; they are syntactically the same, but affectible session contracts have a different, and more abstract semantics. Nonetheless compliance coincides in both settings as we show in this section.
Definition 1 (Affectible session contracts). Let N (set of names) be some countable set of symbols and let $\overline{N} = \{\, \overline{a} \mid a \in N \,\}$ (set of conames), with $N \cap \overline{N} = \emptyset$. The set ASC of affectible session contracts is defined as the set of the closed (with respect to the binder rec ) expressions generated by the following grammar, recursion where I is non-empty and finite, the names and the conames in choices are pairwise distinct and σ is not a variable in rec x.σ.
Affectible as well as retractable contracts stem from session behaviours of [3] also called session contracts in [6]. With respect to session behaviors, affectible contracts add the affectible output construct, which is called retractable output in [4]. The affectible output represents points where the client-server interaction can be influenced by the partner process, or can be guided by a third party; consequently they are represented by the CCS external choice operator as it is the case of the input branching (which is always affectible). Outputs in an internal choice are regarded as unaffectible actions and treated as unretractable in the setting of retractable contracts. The transitions representing an internal choice have no label; note that any $\bigoplus_{i\in I} \overline{a}_i.\sigma_i$ just reduces to one of its summands. In the following we consider recursion up-to unfolding, that is we equate rec x.σ with σ{x/rec x.σ}. The symbol α will be used as a variable ranging over $N \cup \overline{N}$.
A client/server system (system for short) is a pair of contracts in ASC that we denote by ρ σ.

Definition 3 (LTS for systems). Let
In the last rule, α is the CCS involution of names and co-names.
The semantics of ρ σ is reminiscent of CCS parallel composition as used to define testing preorders in [12], but for the usage of the labels + and τ and for the absence of a success marker (there is a set of success states instead: see below). We use labels + and τ to distinguish among affectible and unaffectible communications respectively, although they are both unobservable as the only observable facts are termination and the resulting state.
Lemma 1. Let ρ, σ ∈ ASC. ρ σ =⇒ and ρ σ + =⇒ can never both occur.
The affectible compliance relation can be now coinductively defined as follows.

Definition 4 (Affectible Compliance Relation
i) Let H : P(ASC × ASC) → P(ASC × ASC) be such that, for any R ⊆ ASC × ASC, we get (ρ, σ) ∈ H(R) if the following conditions hold:
In words the client ρ is affectible-compliant with the server σ if either ρ and σ cannot communicate because ρ = 1, namely all client requirements have been satisfied; or all unaffectible communications of the system ρ σ lead to compliant systems; or there exists an affectible communication leading to a compliant system. By Lemma 1 the last two conditions cannot be simultaneously satisfied. Because of conditions i2) and i3), the affectible compliance relation is an abstract concept; but it can be made concrete via the characterization in terms of retractable computations, provided in section 1.
Let us consider the following example from [4]. A Buyer is looking for a bag (bag) or a belt (belt); she will decide how to pay, either by credit card (card) or by cash (cash), after knowing the price from the Seller.
Buyer = bag.price.(card ⊕ cash) + belt.price.(card ⊕ cash)
The Seller does not accept credit card payments for items of low price, like belts, but only for more expensive ones, like bags:
Seller = belt.price.cash + bag.price.(card + cash)
From the previous definition it is not difficult to check that Buyer A Seller.
Retractable contracts. Let us recall the formalism of retractable contracts; the following definitions and Theorem 1 below are from [4]. As said before, retractable and affectible contracts are syntactically the same, but the operational semantics of the former is based on a rollback operation, acting on the recording of certain discarded branches of an interaction. The notion of contracts with histories is defined as follows:
Definition 5 (Contracts with histories). Let Histories be the set of expressions (referred to also as stacks) generated by the grammar: Then the set of contracts with histories is defined by: Histories are finite lists of contracts representing the branches which have been discarded because of a retractable synchronization action. The effect of retracting such an action is modeled by restoring the last contract on the history as the actual contract and by trying a different branch, if any. This is formalised by the operational semantics of contracts with histories that is defined as follows.
Definition 6 (LTS of Contracts with Histories).
When selecting a branch of an external choice, the discarded branches are memorised on top of the new stack (the last contract of the history) in the right-hand side of rule (+); on the contrary, when an internal choice occurs, the stack remains unchanged in rule (⊕). When a single action is executed, the history is modified by adding a '•', meaning that the only available branch has been tried and no alternative is left. Rule (rb) recovers the contract on the top of the stack (if the stack is different than [ ]) by replacing the current one with it. Note that the combined effect of rules (⊕) and (α) is that the alternative branches of an internal choice are unrecoverable.
The interaction of a client with a server is modeled by the reduction of their parallel composition, that can be either forward, consisting of CCS style synchronisations and single internal choices, or backward if there is no possible forward reduction, the client is different than 1 (the fulfilled contract) and rule (rb) is applicable on both sides.
Definition 7 (TS of Client/Server Pairs). We define the relation −→ over pairs of retractable contracts with histories by the following rules: Up to the rollback mechanism, compliance in the retractable setting is defined as usually done with client/server contracts.
i) The relation rbk on contracts with histories is defined as follows: for
In the Buyer/Seller example we have that, in case a belt is agreed upon and the buyer decides to pay using her credit card, the system gets stuck in an unsuccessful state. This causes a rollback enabling a successful state to be reached. So Buyer rbk Seller.
Retractable compliance can be axiomatised in terms of derivability in a formal system whose statements do not mention histories.

Definition 9 (Formal System for Retractable Compliance).
Equivalence of A and rbk . As previously observed, the judgements of system abstract away from histories, which are essential in the definition of rollback. This is possible because rollback is just a backtracking mechanism, which is however limited to the exploration of alternative branches of the reduction tree of a system rooted at retractable communications. Since affectible and retractable communications are the same, it is natural to look at system to establish the equivalence among A and rbk .
Lemma 2. If ρ A σ, then one of the following conditions holds:
In Theorem 1, soundness and completeness of system has been proved when the symbol ≺ is interpreted as the retractable compliance relation rbk . We now show that system is sound and complete also when the symbol ≺ is interpreted as the affectible compliance relation A . The equivalence of the relations rbk and A follows then as an immediate corollary.
Definition 10 (A A -semantics for system ). Let Γ be a set of statements of the form ρ ≺ σ. We define
The proof of the following Lemma is inspired by [7].
We write D :: Γ ρ ≺ σ when D is a derivation in the system with conclusion Γ ρ ≺ σ. We can easily implement a backward proof search (from conclusion to premises) in the formal system by means of a procedure Prove.
Proof. (Sketch) If ρ A σ then by Lemma 2 there are four possibilities; disregarding the contexts Γ's, we see that each of these cases corresponds exactly to one rule in system , where Prove is recursively applied to the respective premises, but for rule (Hyp), that corresponds to an exit clause in Prove. It follows that Prove( ρ ≺ σ) = fail, so that the thesis follows by Lemma 4, since Prove always terminates either returning a correct derivation or fail.

Game-theoretic interpretation of retractable contracts
Following [5] we interpret affectible contracts as certain games over event structures. This yields a game-theoretic interpretation of affectible contracts, and hence of retractable contracts by Corollary 1. For the reader's convenience we briefly recall the basic notions of event structure and game associated to an LTS.
Definition 11 (Event structure [15]). Let E be a denumerable universe of events and let A be a universe of action labels. Besides, let # ⊆ E × E be an irreflexive and symmetric relation (called conflict relation).
i) The predicate CF on sets X ⊆ E and the set Con of finite conflict-free sets are defined by $\mathrm{CF}(X) = \forall e, e' \in X.\ \neg(e \# e')$
Given a set E of events, E ∞ denotes the set of sequences (both finite and infinite) of its elements. We denote by e = e 0 e 1 · · · a sequence of events. Given e, we denote by e the set of its elements, by |e| its length (either a natural number or ∞) and by e /i for i < |e| the subsequence e 0 e 1 · · · e i−1 of its first i elements. Given a set X we denote by |X| its cardinality. N is the set of natural numbers.
[5]). Given an event structure E = (E, #, , l), we define the LTS (P fin (E), E, → E ) as follows:
Multi-player games. All the subsequent definitions and terminology are from [5], except in the case of games that we call multi-player instead of "contracts", which would be confusing in the present setting. A set of participants (players) to a game will be denoted by P, whereas the universe of participants is denoted by P U . We shall use A, B,. . . as variables ranging over P or P U . The symbols A, B, . . . will denote particular elements of P or P U . We assume that each event is associated to a player by means of a function π : E → P U . Moreover, given A ∈ P U we define E A = { e ∈ E | π(e) = A }.

Definition 13 (Multi-player game).
i) A game G is a pair (E, Φ) where E = (E, #, , l) is an event structure and Φ : P U E ∞ → { −1, 0, 1 } associates each participant and trace with a payoff. Moreover, for all X e in E, Φ(π(e)) is defined. We say that G is a game with participants P whenever ΦA is defined for any player A in P.
ii) A play of a game G = (E, Φ) is a (finite or infinite) trace of (∅, → E ) i.e. an element of Tr(∅, → E ).

Definition 14 (Strategy and conformance).
A strategy Σ for a participant A in a game G is a function which maps each finite play e = e 0 · · · e n to a (possibly empty) subset of E A such that: e ∈ Σ(e) ⇒ ee is a play of G.
A play e = e 0 e 1 · · · conforms to a strategy Σ for a participant A in G if, for all i ≥ 0, e i ∈ E A ⇒ e i ∈ Σ(e /i ).
Although events, namely moves, are associated to players via the map π, this is not injective in general, so that players can share moves. In general there are neither a turn rule nor alternation of players, similarly to concurrent games in [1]. A strategy Σ provides "suggestions" to some player on how to legally move continuing finite plays (also called "positions" in game-theoretic literature). But Σ may be ambiguous at some places, since Σ(e) may contain more than an event; in fact it can be viewed as a partial mapping which is undefined when Σ(e) = ∅.
We refer to [5] for the general definition of winning strategy for multi-player games (briefly recalled also in Remark 1 below), since it involves the conditions of fairness and innocence, which will be trivially satisfied in our interpretation of affectible client/server systems, where the notion of winning strategy corresponds to the one given in Def. 19.
Turn-based operational semantics and compliance. Toward the game theoretic interpretation of a client/server system ρ σ, we introduce a slightly different description of the semantics of affectible contracts, making explicit the idea of a three-player game. We interpret the internal choices and the input actions of the client as moves of a player A and the internal choices and the input actions of the server as moves of a player B. The synchronisations due to affectible choices are instead interpreted as moves of the third player C.
From a technical point of view this is a slight generalization and adaptation to our scenario of the turn-based semantics of "session types" in [5], §5.2. The changes are needed both because we have three players instead of two, and because session types are just session contracts, that is affectible contracts without affectible outputs.
Definition 15 (Single-buffered ASC). The set ASC [ ] of single-buffered affectible contracts is defined by We use the symbols ρ, σ, ρ , σ . . . to denote elements of ASC [ ] . A turn-based configuration (configuration for short) is a pair ρ | | | σ, where ρ, σ ∈ ASC [ ] . As in [5], we have added the "single buffered" contracts [a]σ to represent the situation in which a is the only output offered after an internal choice. Since the actual synchronization takes place in a subsequent step, a is "buffered" in front of the continuation σ. Comparing −→ −→ with the LTS for affectible contracts, we observe that [a]σ is a duplicate of a.σ, with the only difference that now there is a redundant step in ⊕ i∈I a i .ρ i | | |σ −→ −→ 0 | | |ρ to signal when player C wins.
Let β = β 1 · · · β n ∈ tbAct * . We shall use the notation tb is the greatest solution of the equation X = H(X), that is tb = νH. iii) For ρ, σ ∈ ASC, we say that ρ is turn-based compliant with σ if ρ tb σ.
Turn-based compliance is equivalent to affectible compliance
Three-player game interpretation for ASC client/server systems. Using the turn-based semantics, we associate to any client/server system an event structure, and then a three-player game, extending the treatment of session types with two-player games in [5]. For our purposes we just consider the LTS of a given client/server system instead of an arbitrary one.

Definition 18 (ES of affectible-contracts systems).
Let ρ σ be a client/server system of affectible contracts. We define the event structure [[ρ σ]] = (E, #, , l), where the partial function snd (-) maps any X = { (i, β i ) } i=1..n to β 1 · · · β n , and it is undefined over sets not of the shape of X. The ρ σ of this simple example is finite. It is not so in general for systems with recursive contracts.
The following definition is a specialisation of Definitions 4.6 and 4.7 in [5]. We use MaxTr(s, →) and FinMaxTr(s, →) to denote the set of maximal traces and finite maximal traces, respectively, of Tr(s, →). Let us define a particular strategy Σ for C in G Buyer Seller as follows: for any other play The strategy Σ for C in G Buyer Seller is winning.
Remark 1. According to [5], A wins in a play if WAe > 0, where WAe = ΦAe if all players are "innocent" in e, while if A is "culpable", WAe = −1, and if A is innocent and someone else culpable, WAe = +1. A strategy Σ of A is winning if A wins in all fair plays conforming to Σ. A play e is "fair" for a strategy Σ of a player A if any event in E A which is infinitely often enabled is eventually performed. Symmetrically A is "innocent" in e if she eventually plays all persistently enabled moves of her in e, namely if she is fair to the other players, since the lack of a move by A might obstruct the moves by others; she is "culpable" otherwise. As said above, Definition 19 is a particularisation of the general definitions in [5]. In fact in a game G ρ σ no move of any player can occur more than once in a play e because of time stamps. Therefore no move can be "persistently enabled", nor can it be prevented since it can be enabled with a given time stamp only if there exists a legal transition in the LTS with the same label. Hence any player is innocent in a play e of G ρ σ and all plays are fair. Therefore W coincides with Φ.
It is possible to characterize affectible and retractable compliance in terms of the existence of a winning strategy for C in G ρ σ .
Theorem 3. ρ A σ (or, equivalently, ρ rbk σ) if and only if player C has a winning strategy in the three-player game G ρ σ .

Strategies as orchestrators
In the present section we show that a client ρ is retractable-compliant with a server σ if and only if their interactions can be led to a successful state by means of the mediation of an orchestrator. To do that we show how an orchestrator can be obtained out of a "univocal" winning strategy (see Def. 24 below) for player C in the game G ρ σ , and vice versa. For a detailed discussion on orchestrators for contracts and orchestrators for session-contracts, we refer to [14,13] and [2] respectively. In the present setting, our orchestrators, that we dub strategy-orchestrators, are defined as a variant of the session-orchestrators of [2], which in turn are a restriction of orchestrators in [14]. The task of a strategy orchestrator is to mediate the interactions between two affectible session contracts by selecting one of the possible affectible choices and constraining non-affectible ones. We consider two sorts of orchestration actions, having the following shapes: α, α , enabling the unaffectible synchronization ρ σ τ − → ρ σ ; α, α + , enabling the affectible synchronization ρ σ + −→ ρ σ .

Theorem 5 (Soundness and Completeness of Synth).
The algorithm Synth is correct and complete in the following sense: i) Synth(Γ, ρ, σ) terminates for any Γ, ρ and σ.
iii) If f : ρ Orch σ then there exists g ∈Synth(∅, ρ, σ) = ∅ such that the (possibly infinite) unfolding of f and g yields the same regular tree.
It is not difficult to check that by computing Synth(∅, Buyer, Seller) we get a set just consisting of the orchestrator corresponding to the strategy Σ, namely
Synth(∅,Buyer,Seller) = bag,bag + . price,price ( cash,cash ∨ card, card )
Using the previous results and Lemma 6 we get the following:
Corollary 2. i) The relation Orch is decidable.
ii) For any ρ, σ ∈ ASC, it is decidable whether there exists a winning strategy for player C in G ρ σ . Moreover, in case a winning strategy exists, it is possible to effectively compute a univocal winning strategy.
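The Buyer/Seller check can be reproduced mechanically from the "in words" reading of Definition 4; the following is an added example, not the paper's Prove or Synth procedures, whose rules are not reproduced in this copy. It assumes the output polarities that the example describes in prose (Buyer sends bag, belt, card, cash and receives price; Seller is dual), and the tuple encoding and the names `synth`, `unfold`, `STUBBORN_BUYER` and `LOOP` are hypothetical.

```python
# Constructed encoding (not the paper's syntax):
#   END                      the fulfilled contract 1
#   ("in",  {a: cont})       external choice of inputs
#   ("aff", {a: cont})       affectible (retractable) outputs in an external choice
#   ("int", {a: cont})       unaffectible outputs in an internal choice
#   ("ref", name)            recursion, resolved through a table of definitions
END = ("end", {})

def unfold(c, defs):
    """Recursion up to unfolding; definitions are assumed guarded."""
    while c[0] == "ref":
        c = defs[c[1]]
    return c

def synth(rho, sigma, defs=None, gamma=frozenset()):
    """Witness that client rho is affectible-compliant with server sigma, or None.
    "1": client fulfilled; ("hyp",): pair already assumed (a loop that never
    deadlocks); ("tau", {a: w}): every unaffectible branch is covered;
    ("+", a, w): the affectible branch chosen by the mediator (player C)."""
    defs = defs or {}
    key = (repr(rho), repr(sigma))
    rho, sigma = unfold(rho, defs), unfold(sigma, defs)
    if rho == END:
        return "1"
    if key in gamma:                 # coinductive hypothesis
        return ("hyp",)
    gamma = gamma | {key}
    (rk, rb), (sk, sb) = rho, sigma
    # Unaffectible communication: ALL outputs of the internal choice must succeed.
    if (rk, sk) in (("int", "in"), ("in", "int")):
        outs, ins = (rb, sb) if rk == "int" else (sb, rb)
        branches = {}
        for a in sorted(outs):
            if a not in ins:
                return None          # output never received: the system is stuck
            w = synth(rb[a], sb[a], defs, gamma)
            if w is None:
                return None
            branches[a] = w
        return ("tau", branches)
    # Affectible communication: ONE successful branch is enough.
    if (rk, sk) in (("aff", "in"), ("in", "aff")):
        for a in sorted(rb.keys() & sb.keys()):
            w = synth(rb[a], sb[a], defs, gamma)
            if w is not None:
                return ("+", a, w)
    return None                      # no communication and the client is not 1

# Buyer and Seller from the example, with the assumed polarities.
PAY = ("int", {"card": END, "cash": END})                  # card (+) cash
BUYER = ("aff", {"bag": ("in", {"price": PAY}),
                 "belt": ("in", {"price": PAY})})
SELLER = ("in", {
    "belt": ("int", {"price": ("in", {"cash": END})}),
    "bag": ("int", {"price": ("in", {"card": END, "cash": END})}),
})
# Constructed variant: the item is picked by an internal (unretractable) choice.
STUBBORN_BUYER = ("int", BUYER[1])
# Constructed recursive pair: an endless ping/pong exchange that never deadlocks.
LOOP = {"X": ("int", {"ping": ("in", {"pong": ("ref", "X")})}),
        "Y": ("in", {"ping": ("int", {"pong": ("ref", "Y")})})}

if __name__ == "__main__":
    print(synth(BUYER, SELLER))
    print(synth(STUBBORN_BUYER, SELLER))
    print(synth(("ref", "X"), ("ref", "Y"), LOOP))
```

The witness for Buyer and Seller selects bag at the affectible point and then allows both payment branches, which has the same shape as the orchestrator reported above; the variant with an internal choice of item fails because the belt branch can reach card, which the Seller does not accept.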

Conclusion and Future Work
We have studied two approaches to loosening compliance among a client and a server in contract theory, based on the concepts of dynamic adaptation and of mediated interaction respectively. We have seen that these induce equivalent notions of compliance, which can be shown via the abstract concept of winning strategy in a suitable class of games. The byproduct is that the existence of the agreement among two contracts specifying adaptive behaviours is established by statically synthesizing the proper orchestrator, hence avoiding any trial and error mechanism at run time. The study in this paper has been limited to the case of binary sessions since this is the setting in which both orchestrators and retractable contracts have been introduced. However strategy based concepts of agreement have been developed in the more general scenario of multiparty interaction, which seems a natural direction for future work.