Complete trace models of state and control
Guilhem Jaber (Université de Nantes, LS2N CNRS, Inria, France) and Andrzej S. Murawski (University of Oxford, UK)
Abstract.
We consider a hierarchy of four typed call-by-value languages with either higher-order or ground-type references and with either call/cc or no control operator. Our first result is a fully abstract trace model for the most expressive setting, featuring both higher-order references and call/cc, constructed in the spirit of operational game semantics. Next we examine the impact of suppressing higher-order references and call/cc in contexts and provide an operational explanation for the game-semantic conditions known as visibility and bracketing respectively. This allows us to refine the original model to provide fully abstract trace models of interaction with contexts that need not use higher-order references or call/cc. Along the way, we discuss the relationship between error- and termination-based contextual testing in each case, and relate the two to trace and complete trace equivalence respectively. Overall, the paper provides a systematic development of operational game semantics for all four cases, which represent the state-based face of the so-called semantic cube.

Keywords: contextual equivalence, operational game semantics, higher-order references, control operators
Research into contextual equivalence has a long tradition in programming language theory, due to its fundamental nature and applicability to numerous verification tasks, such as the correctness of compiler optimisations. Capturing contextual equivalence mathematically, i.e. the full abstraction problem [26], has been an important driving force in denotational semantics, which led, among others, to the development of game semantics [2,12]. Game semantics models computation through sequences of question- and answer-moves by two players, traditionally called O and P, who play the role of the context and the program respectively. Because of its interactive nature, it has often been referred to as a middle ground between denotational and operational semantics.

Over the last three decades the game-semantic approach has led to numerous fully abstract models for a whole spectrum of programming paradigms. Most papers in this strand follow a rather abstract pattern when presenting the models, emphasising structure and compositionality, often developing a correspondence with a categorical framework along the way to facilitate proofs. The operational
intuitions behind the games are somewhat obscured in this presentation, and left to be discovered through a deeper exploration of proofs.

In contrast, operational game semantics aims to define models in which the interaction between the term and the environment is described through a carefully instrumented labelled transition system (LTS), built using the syntax and operational semantics of the relevant language. Here, the derived trace semantics can be shown to be fully abstract. In this line of work, the dynamics is described more directly and provides operational intuitions about the meaning of moves, while not immediately giving structural insights about the structure of the traces.

In this paper, we follow the operational approach and present a whole hierarchy of trace models for higher-order languages with varying access to higher-order state and control. As a vehicle for our study, we use HOSC, a call-by-value higher-order language equipped with general references and continuations. We also consider its sublanguages GOSC, HOS and GOS, obtained respectively by restricting storage to ground values, by removing continuations, and by imposing both restrictions. We study contextual testing of a class of HOSC terms using contexts from each of the languages x ∈ {HOSC, GOSC, HOS, GOS}; we write x to refer to each case. Our working notion of convergence will be error reachability, where an error is represented by a free variable. Accordingly, at the technical level, we will study a family of equivalence relations ≅^x_err, each corresponding to contextual testing with contexts from x, where contexts have the extra power to abort the computation.

Our main results are trace models Tr_x(Γ ⊢ M) for each x ∈ {HOSC, GOSC, HOS, GOS}, which capture ≅^x_err through trace equivalence:

  Γ ⊢ M₁ ≅^x_err M₂  if and only if  Tr_x(Γ ⊢ M₁) = Tr_x(Γ ⊢ M₂).

It turns out that, for contexts with control (i.e. x ∈ {HOSC, GOSC}), ≅^x_err coincides with the standard notion of contextual equivalence based on termination, written ≅^x_ter. However, in the other two cases, the former is strictly more discriminating than the latter. We explain how to account for this difference in the trace-based setting, using complete traces.

A common theme that has emerged in game semantics is the comparative study of the power of contexts, as it turned out possible to identify combinatorial conditions, namely visibility [3] and bracketing [22], that correspond to contextual testing in the absence of general references and control constructs respectively. In brief, visibility states that not all moves can be played, but only those that are enabled by a "visible part" of the interaction, which could be thought of as functions currently in scope. Bracketing in turn imposes a discipline on answers, requiring that the topmost question be answered first. In the paper, we provide an operational reconstruction of both conditions.

Overall, we propose a unifying framework for studying higher-order languages with state and control, which we hope will make the techniques of (operational) game semantics clearer to the wider community. The construction of the fully abstract LTSs is by no means automatic, as there is no general methodology for extracting trace semantics from game models. Some attempts in that direction have been reported in [25], but the type discipline discussed there is far too weak to be applied to the languages we study. As the most immediate precursor to our work, we see the trace model of contextual interactions between HOS contexts and HOS terms from [23]. In comparison, the models developed in this paper are more general, as they consider the interaction between HOSC terms and contexts drawn from any of the four languages ranged over by x.

In the 1990s, Abramsky proposed a research programme, originally called the semantic cube [1], which concerned investigating extensions of the purely functional programming language PCF along various axes. From this angle, the present paper is an operational study of a semantic diamond of languages with state, with GOS at the bottom, extending towards HOSC at the top, either via GOSC or HOS.

Types                σ, τ ::= Unit | Int | Bool | ref τ | τ × σ | τ → σ | cont τ
Values               U, V ::= () | tt | ff | n̂ | x | ℓ | ⟨U, V⟩ | λx^τ.M | rec y(x^τ).M | cont_τ K
Terms                M, N ::= V | ⟨M, N⟩ | π_i M | M N | ref_τ M | !M | M := N | if M M M | M ⊕ N | M ⊡ N | M = N | call/cc_τ(x.M) | throw_τ M to N
Evaluation contexts  K ::= • | ⟨V, K⟩ | ⟨K, M⟩ | π_i K | V K | K M | ref_τ K | !K | V := K | K := M | if K M N | K ⊕ M | V ⊕ K | K ⊡ M | V ⊡ K | K = M | V = K | throw_τ V to K | throw_τ K to M
Contexts             C ::= • | ⟨M, C⟩ | ⟨C, M⟩ | π_i C | λx^τ.C | rec y(x^τ).C | M C | C M | ref_τ C | !C | C := M | M := C | if C M N | if M C N | if M N C | C ⊕ M | M ⊕ C | C ⊡ M | M ⊡ C | C = M | M = C | call/cc_τ(x.C) | throw_τ C to M | throw_τ M to C

Notational conventions: x, y ∈ Var, ℓ ∈ Loc, n ∈ Z, i ∈ {1, 2}, ⊕ ∈ {+, −, ∗}, ⊡ ∈ {=, <}
Syntactic sugar: let x = M in N stands for (λx.N) M (if x does not occur in N we also write M; N)

Fig. 1. HOSC syntax

The main objects of our study will be the language HOSC along with its fragments GOSC, HOS and GOS. HOSC is a higher-order programming language equipped with general references and continuations.
Syntax
HOSC syntax is given in Figure 1. Assuming countably infinite sets Loc (locations) and Var (variables), HOSC typing judgments take the form Σ; Γ ⊢ M : τ, where Σ and Γ are finite partial functions that assign types to locations and variables respectively. We list all the typing rules in the Appendix. In typing judgements, we often write Σ as shorthand for Σ; ∅ (closed) and Γ as shorthand for ∅; Γ (location-free). Similarly, ⊢ M : τ means ∅; ∅ ⊢ M : τ.

  (K[(λx^σ.M) V], h) → (K[M{V/x}], h)
  (K[π_i ⟨V₁, V₂⟩], h) → (K[V_i], h)
  (K[if tt M₁ M₂], h) → (K[M₁], h)
  (K[if ff M₁ M₂], h) → (K[M₂], h)
  (K[n̂ ⊕ m̂], h) → (K[(n ⊕ m)^], h)
  (K[n̂ ⊡ m̂], h) → (K[b], h)   with b = tt if n ⊡ m, otherwise b = ff
  (K[call/cc(x^τ.M)], h) → (K[M{cont_τ K/x}], h)
  (K[!ℓ], h) → (K[h(ℓ)], h)
  (K[ref V], h) → (K[ℓ], h · [ℓ ↦ V])
  (K[ℓ := V], h) → (K[()], h[ℓ ↦ V])
  (K[ℓ = ℓ′], h) → (K[b], h)   with b = tt if ℓ = ℓ′, otherwise b = ff
  (K[U V], h) → (K[M{V/x, U/y}], h)   where U = rec y(x^σ).M
  (K[throw_τ V to cont_τ K′], h) → (K′[V], h)

Fig. 2. Operational reduction for HOSC
Operational semantics
A heap h is a finite type-respecting map from Loc to values. We write h : (Σ; Γ) if dom(Σ) ⊆ dom(h) and Σ; Γ ⊢ h(ℓ) : σ for (ℓ, σ) ∈ Σ. The operational semantics of HOSC reduces pairs (M, h), where Σ; Γ ⊢ M : τ and h : (Σ; Γ). The rules are given in Figure 2, where {·} denotes (capture-avoiding) substitution. We write (M, h) ⇓_ter if there exist V, h′ such that (M, h) →* (V, h′) and V is a value.

We distinguish the following fragments of HOSC.

Definition 1.
– GOSC types are HOSC types except that reference types are restricted to ref ι, where ι is given by the grammar ι ::= Unit | Int | Bool | ref ι. GOSC terms are HOSC terms whose typing derivations (i.e. not only the final typing judgments) rely on GOSC types only. GOSC is a superset of FOSC [8], as it also includes references to references (the ref ι case above).
– HOS types are HOSC types that do not feature the cont constructor. HOS terms are HOSC terms whose typing derivations rely on HOS types only. Consequently, HOS terms never have subterms of the form call/cc_τ(x.M), throw_τ M to N or cont_τ K.
– GOS is the intersection of HOS and GOSC, both for types and terms, i.e. there are no continuations and storage is restricted to values of type ι, defined above.

Definition 2. Given a HOSC term Γ ⊢ M : τ, we refer to types in Γ and τ as boundary types. Let x ∈ {HOSC, GOSC, HOS, GOS}. We say that a HOSC term Γ ⊢ M : τ has an x boundary if all of its boundary types are from x.

Remark 1. Note that typing derivations of HOSC terms with an x boundary may contain arbitrary HOSC types as long as the final typing judgment uses types from x only. Consequently, if x ≠ HOSC, HOSC terms with an x boundary form a strict superset of x.

Next we introduce several notions of contextual testing for HOSC terms, using various kinds of contexts. For a start, we introduce the classic notion of contextual approximation based on observing termination. The notions are parameterized by x, indicating which language is used to build the testing contexts. We write Γ ⊢ C : τ → τ′ if Γ, x : τ ⊢ C[x] : τ′, and Γ ⊢ C ÷ τ if Γ ⊢ C : τ → τ′ for some τ′.

Definition 3 (Contextual Approximation).
Let x ∈ {HOSC, GOSC, HOS, GOS}. Given HOSC terms Γ ⊢ M₁, M₂ : τ with an x boundary, we define Γ ⊢ M₁ ≲^x_ter M₂ to hold when, for all contexts ⊢ C ÷ τ built from the syntax of x, if (C[M₁], ε) ⇓_ter then (C[M₂], ε) ⇓_ter.

We also consider another way of testing, based on observing whether a program can reach a breakpoint (error point) inside a context. Technically, the breakpoints are represented as occurrences of a special free error variable err : Unit → Unit. Reaching a breakpoint then corresponds to convergence to a stuck configuration of the form (K[err ()], h): we write (M, h) ⇓_err if there exist K, h′ such that (M, h) →* (K[err ()], h′).

Definition 4 (Contextual Approximation through Error).
Let x ∈ {HOSC, GOSC, HOS, GOS}. Given HOSC terms Γ ⊢ M₁, M₂ : τ with an x boundary and err ∉ dom(Γ), we define Γ ⊢ M₁ ≲^x_err M₂ to hold when, for all contexts err : Unit → Unit ⊢ C ÷ τ built from x-syntax, if (C[M₁], ε) ⇓_err then (C[M₂], ε) ⇓_err.

For the languages in question, it will turn out that ≲^x_err is at least as discriminating as ≲^x_ter for each x ∈ {HOSC, GOSC, HOS, GOS}, and that they coincide for x ∈ {HOSC, GOSC}. We will write ≅^x_err and ≅^x_ter for the associated equivalence relations.

For higher-order languages with state and control, it is well known that contextual testing can be restricted to evaluation contexts after instantiating the free variables of terms to closed values (the so-called closed instances of use, CIU). Let us write Σ, Γ′ ⊢ γ : Γ for substitutions γ such that, for any (x, σ_x) ∈ Γ, the term γ(x) is a value satisfying Σ; Γ′ ⊢ γ(x) : σ_x. Then M{γ} stands for the outcome of applying γ to M.

Definition 5 (CIU Approximation).
Let x ∈ {HOSC, GOSC, HOS, GOS} and let Γ ⊢ M₁, M₂ : τ be HOSC terms with an x boundary.
– Γ ⊢ M₁ ≲^{x(ciu)}_ter M₂ : τ, when for all Σ, h, K, γ, all built from x syntax, such that h : Σ, Σ ⊢ K ÷ τ, and Σ ⊢ γ : Γ, we have (K[M₁{γ}], h) ⇓_ter implies (K[M₂{γ}], h) ⇓_ter.
– Γ ⊢ M₁ ≲^{x(ciu)}_err M₂ : τ, when for all Σ, h, K, γ, all built from x syntax, such that h : Σ; êrr, Σ; êrr ⊢ K ÷ τ, and Σ; êrr ⊢ γ : Γ, we have (K[M₁{γ}], h) ⇓_err implies (K[M₂{γ}], h) ⇓_err, where err ∉ dom(Γ) and êrr stands for err : Unit → Unit.

Results stating that "CIU tests suffice" are referred to as CIU lemmas. A general framework for obtaining such results for higher-order languages with effects was developed in [10,33]. The results stated therein are for termination-based testing, i.e. ⇓_ter, but adapting them to ⇓_err is not problematic.

Lemma 1 (CIU Lemma).
Let x ∈ {HOSC, GOSC, HOS, GOS} and y ∈ {ter, err}. Then we have Γ ⊢ M₁ ≲^x_y M₂ iff Γ ⊢ M₁ ≲^{x(ciu)}_y M₂.
The preorders ≲^x_err will be the central object of study in the paper. Among others, we shall provide their alternative characterizations using trace semantics. The characterizations will apply to a class of terms that we call cr-free.

Definition 6. A HOSC term Γ ⊢ M : τ is cr-free if it does not contain occurrences of cont_σ K and locations, and its boundary types are cont- and ref-free.

We stress that the boundary restriction applies to Γ and τ only, and subterms of M may well contain arbitrary HOSC types and occurrences of ref_σ, call/cc_σ, throw_σ for any σ. The majority of HOSC/GOSC/HOS/GOS examples studied in the literature, e.g. [28,4,8], are actually cr-free. We will revisit some of them as Examples 6, 7, 10. The fact that cr-free terms may not contain subterms cont_τ K or ℓ is not really a restriction, as cont_τ K and ℓ are more of a run-time construct than a feature meant to be used directly by programmers. Finally, we note that the boundary of a cr-free term is an x boundary for any x ∈ {HOSC, GOSC, HOS, GOS}. Thus, we can consider approximation between cr-free terms for any x from the range, i.e. the notions ≲^x_err, ≲^x_ter are all applicable. Consequently, cr-free terms provide a common setting in which the discriminating power of HOSC, GOSC, HOS and GOS contexts can be compared. We discuss the scope for extending our results outside of the cr-free fragment, and for richer type systems, in Section 7.
Recall that ≲^HOSC_err concerns testing HOSC terms with HOSC contexts. Accordingly, we call this case HOSC[HOSC]. For cont_σ(K)-free terms, we show that ≲^HOSC_err and ≲^HOSC_ter coincide, which follows from the lemma below.
Lemma 2.
Suppose Γ ⊢ M₁, M₂ are HOSC terms not containing any occurrences of cont_τ(K).
1. Γ ⊢ M₁ ≲^x_err M₂ implies Γ ⊢ M₁ ≲^x_ter M₂, for x ∈ {HOSC, GOSC, HOS, GOS}.
2. Γ ⊢ M₁ ≲^x_ter M₂ implies Γ ⊢ M₁ ≲^x_err M₂, for x ∈ {HOSC, GOSC}.

In what follows, after introducing several preliminary notions, we shall design a labelled transition system (LTS) whose traces will turn out to capture contextual interactions involved in testing cr-free terms according to ≲^HOSC_err. This will enable us to capture ≲^HOSC_err via trace inclusion. Actions of the LTS will refer to functions and continuations in a symbolic way, using typed names.
Let FNames = ⊎_{σ,σ′} FNames_{σ→σ′} be the set of function names, partitioned into mutually disjoint countably infinite sets FNames_{σ→σ′}. We will use f, g to range over FNames, and write f : σ → σ′ for f ∈ FNames_{σ→σ′}. Analogously, let CNames = ⊎_σ CNames_σ be the set of continuation names. We will use c, d to range over CNames, and write c : σ for c ∈ CNames_σ. Note that the constants represent continuations, so the "real" type of c is cont σ, but we write c : σ for the sake of brevity. We assume that CNames, FNames are disjoint and let Names = FNames ⊎ CNames. Elements of Names will be woven into various constructions in the paper, e.g. terms, heaps, etc. We will then write ν(X) to refer to the set of names used in some entity X.

Because of the shape of boundary types in cr-free terms and, in particular, the presence of product types, the values that will be exchanged between the context and the program take the form of tuples consisting of (), integers, booleans and functions. To describe such scenarios, we introduce the notion of abstract values, which are patterns that match such values. Abstract values are generated by the grammar

  A, B ::= () | tt | ff | n̂ | f | ⟨A, B⟩

with the proviso that, in any abstract value, a name may occur at most once. As function names are intrinsically typed, we can assign types to abstract values in the obvious way, writing A : τ.

Our LTS will be based on four kinds of actions, listed below. Each action will be equipped with a polarity, which is either Player (P) or Opponent (O). P-actions describe interaction steps made by a tested term, while O-actions involve the context.
– Player Answer (PA) c̄(A), where c : σ and A : σ. This action corresponds to the term sending an abstract value A through a continuation name c.
– Player Question (PQ) f̄(A, c), where f : σ → σ′, A : σ and c : σ′. Here, an abstract value A and a continuation name c are sent by the term through a function name f.
– Opponent Answer (OA) c(A), where c : σ and A : σ. In this case, an abstract value A is received from the environment via the continuation name c.
– Opponent Question (OQ) f(A, c), where f : σ → σ′, A : σ and c : σ′. Finally, this action corresponds to receiving an abstract value A and a continuation name c from the environment through a function name f.

In what follows, a is used to range over actions. We will say that a name is introduced by an action a if it is sent or received in a. If a is an O-action (resp. P-action), we say that the name was introduced by O (resp. P). An action a is justified by another action a′ if the name that a uses to communicate, i.e. f in questions (f̄(A, c), f(A, c)) and c in answers (c̄(A), c(A)), has been introduced by a′.

We will work with sequences of actions of a very special shape, specified below. The definition assumes two given sets of names, N_P and N_O, which represent names that have already been introduced by P and O respectively.

Definition 8. Let N_O, N_P ⊆ Names. An (N_O, N_P)-trace is a sequence t of actions such that:
– the actions alternate between Player and Opponent actions;
– no name is introduced twice;
– names from N_O, N_P need no introduction;
– if an action a uses a name to communicate then
  • a = f̄(A, c) (f ∈ N_O) or a = c̄(A) (c ∈ N_O) or a = f(A, c) (f ∈ N_P) or a = c(A) (c ∈ N_P), or
  • the name has been introduced by an earlier action a′ of opposite polarity.

Note that, due to the shape of actions, a continuation name can only be introduced/justified by a question. Moreover, because names are never introduced twice, if a′ justifies a then a′ is uniquely determined in a given trace. Readers familiar with game semantics will recognize that traces are very similar to alternating justified sequences except that traces need not be started by O.

Example 1.
Let (N_O, N_P) = ({c}, ∅) where c : τ = ((Unit → Unit) → Unit) × (Unit → Int). Then the following sequence is an (N_O, N_P)-trace:

  t = c̄(⟨g₁, g₂⟩) g₁(f, c₁) f̄((), c₂) c₂(()) c̄₁(()) c₂(()) c̄₁(()) g₂((), c₃) c̄₃(2)

where g₁ : (Unit → Unit) → Unit, g₂ : Unit → Int, f : Unit → Unit, c₁, c₂ : Unit, c₃ : Int.

We extend the definition of HOSC presented in Figure 2 to take into account these names. We refine the operational reduction using continuation names to keep track of the toplevel continuation. We list all the changes below.
– Function names are added to the syntax as constants. Since they are meant to represent values, they are also considered to be syntactic values in the extended language.

    f ∈ FNames_{σ→σ′}
    ------------------
    Σ; Γ ⊢ f : σ → σ′

– Continuation names are not terms on their own. Instead, they are built into the syntax via a new construct cont_σ(K, c), subject to the following typing rule.

    Σ; Γ ⊢ K : σ → σ′    c ∈ CNames_{σ′}
    ------------------------------------
    Σ; Γ ⊢ cont_σ(K, c) : cont σ

  cont_σ(K, c) is a staged continuation that first evaluates terms inside K and, if this produces a value, the value is passed to c. This operational meaning will be implemented through a suitable reduction rule, to be discussed next. cont_σ(K, c) is also regarded as a value. Note that we remove the old construct cont_σ K from the extended syntax.
– The operational semantics → underpinning the LTS is based on triples (M, c, h) such that Σ; Γ ⊢ M : σ, c ∈ CNames_σ and h : Σ. The continuation name c is used to represent the surrounding context, which is left abstract. The previous operational rules → are embedded into the new reduction → using the rule below.

    (M, h) → (M′, h′)
    ------------------------
    (M, c, h) → (M′, c, h′)

  The two reduction rules related to continuations, previously used to define →, are not included.
Instead we use the following rules, which take advantage of the extended syntax.

  (K[call/cc_τ(x.M)], c, h) → (K[M{cont_τ(K, c)/x}], c, h)
  (K[throw_τ V to cont_τ(K′, c′)], c, h) → (K′[V], c′, h)

We write Vals for the extended set of syntactic values, i.e. FNames ⊆ Vals. Let ECtxs stand for the set of extended evaluation contexts, defined as K in Figure 1 taking the extended definition of values into account. Before defining the transition relation of our LTS, we discuss the shape of configurations, providing intuitions behind each component.

Passive configurations take the form ⟨γ, ξ, φ, h⟩ and are meant to represent stages at which the environment is to make a move.
– γ : (FNames ⇀ Vals) ⊎ (CNames ⇀ ECtxs) is a finite map. It will play the role of an environment that relates function names communicated to the environment (i.e. those introduced by P) to syntactic values, and continuation names introduced by P to evaluation contexts.
– ξ : (CNames ⇀ CNames) is a finite map. It complements the role of γ for continuation names and indicates the continuation to which the outcome of applying γ(c) should be passed.
– φ ⊆ Names. The set φ will be used to collect all the names used in the interaction, regardless of which participant introduced them. Following our description above, those introduced by O will correspond to φ \ dom(γ).

The components satisfy healthiness conditions, implied by their role in the system. Let Σ = dom(h).
– If f ∈ dom(γ) ∩ FNames_{σ→σ′} then γ(f) is a value such that Σ ⊢ γ(f) : σ → σ′.
– dom(ξ) = dom(γ) ∩ CNames.
– If c ∈ dom(γ) ∩ CNames_σ and Σ ⊢ γ(c) : σ → σ′ then ξ(c) ∈ CNames_{σ′}.
– Finally, names introduced by the environment and communicated to the program may end up in the environments and the heap: ν(img(γ)), ν(img(ξ)), ν(img(h)) ⊆ φ \ dom(γ).

Active configurations take the form ⟨M, c, γ, ξ, φ, h⟩ and represent interaction steps of the term. The γ, ξ, φ, h components have already been described above. For M and c, given Σ = dom(h), we will have Σ; ∅ ⊢ M : σ, c ∈ CNames_σ and ν(M) ∪ {c} ⊆ φ \ dom(γ).

Observe that any closed value V of a cont- and ref-free type σ can be decomposed into an abstract value A (pattern) and the corresponding substitution γ (matching). The set of all such decompositions, written AVal_σ(V), is defined below. Given a value V of a (cr-free) type σ, AVal_σ(V) contains all pairs (A, γ) such that A is an abstract value and γ : ν(A) → Vals is a substitution such that A{γ} = V. More concretely,

  AVal_σ(V) ≜ {(V, ∅)}   for σ ∈ {Unit, Bool, Int}
  AVal_{σ→σ′}(V) ≜ {(f, [f ↦ V]) | f ∈ FNames_{σ→σ′}}
  AVal_{σ×σ′}(⟨U, V⟩) ≜ {(⟨A₁, A₂⟩, γ₁ · γ₂) | (A₁, γ₁) ∈ AVal_σ(U), (A₂, γ₂) ∈ AVal_{σ′}(V)}

Note that, by writing ·, we mean to implicitly require that the function domains be disjoint. Similarly, when writing ⊎, we stipulate that the argument sets be disjoint.

Example 2. Let σ = (Int → Bool) × (Int × (Unit → Int)) and V ≡ ⟨λx^Int. x = 1, ⟨ , λx^Unit. ⟩⟩. Then AVal_σ(V) equals {(⟨f, ⟨ , g⟩⟩, [f ↦ (λx^Int. x = 1)] · [g ↦ (λx^Unit. )]) | f ∈ FNames_{Int→Bool}, g ∈ FNames_{Unit→Int}}.

Finally, we present the transitions of what we call the HOSC[HOSC] LTS in Figure 3.
Example 3.
We analyze the (PQ) rule below in more detail.

  (PQ) ⟨K[f V], c, γ, ξ, φ, h⟩ —f̄(A, c′)→ ⟨γ · γ′ · [c′ ↦ K], ξ · [c′ ↦ c], φ ⊎ ν(A) ⊎ {c′}, h⟩   when f : σ → σ′, (A, γ′) ∈ AVal_σ(V) and c′ : σ′

The use of ⊎ in φ ⊎ ν(A) ⊎ {c′} is meant to highlight the requirement that the names introduced in f̄(A, c′), i.e. ν(A) ∪ {c′}, should be fresh and disjoint from φ. Moreover, note how γ and ξ are updated. In general, γ, ξ, h are updated during P-actions.

Definition 9.
Given two configurations C, C′, we write C =a⇒ C′ if C —τ→* C″ —a→ C′, with —τ→* representing multiple (possibly none) τ-actions. This notation is extended to sequences of actions: given t = a₁ ⋯ aₙ, we write C =t⇒ C′ if there exist C₁, ⋯, C_{n−1} such that C =a₁⇒ C₁ ⋯ C_{n−1} =aₙ⇒ C′. We define Tr_HOSC(C) = {t | there exists C′ such that C =t⇒ C′}.

Lemma 3.
Suppose C = ⟨γ, ξ, φ, h⟩ or C = ⟨M, c, γ, ξ, φ, h⟩ are configurations. Then elements of Tr_HOSC(C) are (φ \ dom(γ), dom(γ))-traces.

  (Pτ) ⟨M, c, γ, ξ, φ, h⟩ —τ→ ⟨N, c′, γ, ξ, φ, h′⟩   when (M, c, h) → (N, c′, h′)
  (PA) ⟨V, c, γ, ξ, φ, h⟩ —c̄(A)→ ⟨γ · γ′, ξ, φ ⊎ ν(A), h⟩   when c : σ, (A, γ′) ∈ AVal_σ(V)
  (PQ) ⟨K[f V], c, γ, ξ, φ, h⟩ —f̄(A, c′)→ ⟨γ · γ′ · [c′ ↦ K], ξ · [c′ ↦ c], φ ⊎ ν(A) ⊎ {c′}, h⟩   when f : σ → σ′, (A, γ′) ∈ AVal_σ(V), c′ : σ′
  (OA) ⟨γ, ξ, φ, h⟩ —c(A)→ ⟨K[A], c′, γ, ξ, φ ⊎ ν(A), h⟩   when c : σ, A : σ, γ(c) = K, ξ(c) = c′
  (OQ) ⟨γ, ξ, φ, h⟩ —f(A, c)→ ⟨V A, c, γ, ξ, φ ⊎ ν(A) ⊎ {c}, h⟩   when f : σ → σ′, A : σ, c : σ′, γ(f) = V

NB c : σ stands for c ∈ CNames_σ.

Fig. 3.
HOSC[HOSC] LTS

  M_cwl ≜ let x = ref 0 in let b = ref ff in
          ⟨λf. if ¬(!b) then (b := tt; f(); x := !x + 1; b := ff) else (),  λ_ : Unit. !x⟩

  M′_cwl ≜ let x = ref 0 in let b = ref ff in
          ⟨λf. if ¬(!b) then (b := tt; let n = !x in f(); x := n + 1; b := ff) else (),  λ_ : Unit. !x⟩

Fig. 4. Callback-with-lock Example [4]
Example 4.
In Figure 5, we show that the trace from Example 1 is generated by the configuration C ≜ ⟨M_cwl, c, ∅, ∅, {c}, ∅⟩, where M_cwl is given in Figure 4. We write inc ≜ λf. if ¬(!ℓ_b) (ℓ_b := tt; f(); ℓ_x := !ℓ_x + 1; ℓ_b := ff) (), get ≜ λ_. !ℓ_x and c : ((Unit → Unit) → Unit) × (Unit → Int). It is interesting to notice that in this interaction, Opponent uses the continuation c₂, i.e. the evaluation context N, twice, incrementing the counter x by two. The second time, it does so without having to call inc again, but rather by using the continuation name c₂.

Remark 2.
Due to the freedom of name choice, note that Tr_HOSC(C) is closed under type-preserving renamings that preserve names from C.

We define two kinds of special configurations that will play an important role in spelling out correctness results for the HOSC[HOSC] LTS. Let Γ = {x₁ : σ₁, ⋯, x_k : σ_k}. A map ρ from {x₁, ⋯, x_k} to the set of abstract values will be called a Γ-assignment provided, for all 1 ≤ i ≠ j ≤ k, we have ρ(xᵢ) : σᵢ and ν(ρ(xᵢ)) ∩ ν(ρ(xⱼ)) = ∅.

  C = ⟨M_cwl, c, ∅, ∅, {c}, ∅⟩
    —τ→*        ⟨⟨inc, get⟩, c, ∅, ∅, {c}, [ℓ_b ↦ ff, ℓ_x ↦ 0]⟩
    —c̄(⟨g₁, g₂⟩)→ ⟨γ₁, ∅, {c, g₁, g₂}, [ℓ_b ↦ ff, ℓ_x ↦ 0]⟩          with γ₁ = [g₁ ↦ inc, g₂ ↦ get]
    —g₁(f, c₁)→   ⟨inc f, c₁, γ₁, ∅, φ₁, [ℓ_b ↦ ff, ℓ_x ↦ 0]⟩       with φ₁ = {c, g₁, g₂, f, c₁}
    —τ→*        ⟨f(); N, c₁, γ₁, ∅, φ₁, [ℓ_b ↦ tt, ℓ_x ↦ 0]⟩       with N = ℓ_x := !ℓ_x + 1; ℓ_b := ff
    —f̄((), c₂)→   ⟨γ₂, ξ, φ₂, [ℓ_b ↦ tt, ℓ_x ↦ 0]⟩                  with γ₂ = γ₁ · [c₂ ↦ •; N], ξ = [c₂ ↦ c₁] and φ₂ = φ₁ ⊎ {c₂}
    —c₂(())→     ⟨(); N, c₁, γ₂, ξ, φ₂, [ℓ_b ↦ tt, ℓ_x ↦ 0]⟩
    —τ→*        ⟨(), c₁, γ₂, ξ, φ₂, [ℓ_b ↦ ff, ℓ_x ↦ 1]⟩
    —c̄₁(())→     ⟨γ₂, ξ, φ₂, [ℓ_b ↦ ff, ℓ_x ↦ 1]⟩
    —c₂(())→     ⟨(); N, c₁, γ₂, ξ, φ₂, [ℓ_b ↦ ff, ℓ_x ↦ 1]⟩
    —τ→*        ⟨(), c₁, γ₂, ξ, φ₂, [ℓ_b ↦ ff, ℓ_x ↦ 2]⟩
    —c̄₁(())→     ⟨γ₂, ξ, φ₂, [ℓ_b ↦ ff, ℓ_x ↦ 2]⟩
    —g₂((), c₃)→  ⟨get(), c₃, γ₂, ξ, φ₃, [ℓ_b ↦ ff, ℓ_x ↦ 2]⟩        with φ₃ = φ₂ ⊎ {c₃}
    —τ→*        ⟨2̂, c₃, γ₂, ξ, φ₃, [ℓ_b ↦ ff, ℓ_x ↦ 2]⟩
    —c̄₃(2)→      ⟨γ₂, ξ, φ₃, [ℓ_b ↦ ff, ℓ_x ↦ 2]⟩

Fig. 5. Trace derivation in the HOSC[HOSC] LTS
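The interaction of Figure 5 can be re-enacted directly in continuation-passing style. The Python program below is an added example, not code from the paper or from [4]: every continuation name becomes a callable, so the Opponent can answer c₂ twice as in the trace t, and the same Opponent is then run against the second term of Figure 4. The CPS encoding, the dict standing for the locations ℓ_x and ℓ_b and the ASCII action labels are the example's own conventions.

```python
"""CPS re-enactment of the interaction of Figure 5.  Added example, not code
from the paper: each continuation name becomes a Python callable, so the
Opponent can answer c2 twice, as in the trace t of Example 1.  The locations
ℓ_x and ℓ_b are modelled by a dict; action labels are ASCII renderings."""

def make_cwl(capture_before_call):
    """Return the pair ⟨inc, get⟩ of Figure 4 in CPS.  False gives M_cwl
    (x := !x + 1 after f()), True gives the second term
    (let n = !x in f(); x := n + 1)."""
    heap = {'x': 0, 'b': False}          # ℓ_x ↦ 0, ℓ_b ↦ ff

    def inc(f, k):                       # k is the continuation name c1
        if heap['b']:                    # lock held: else-branch, answer ()
            return k(())
        heap['b'] = True
        n = heap['x']                    # the "let n = !x" of the second term
        def resume(_):                   # c2, i.e. the context •; N with ξ(c2) = k
            heap['x'] = (n if capture_before_call else heap['x']) + 1
            heap['b'] = False
            return k(())
        return f((), resume)             # the Player question f̄((), c2)

    def get(_, k):
        return k(heap['x'])
    return inc, get

def opponent_with_callcc(inc, get):
    """The Opponent of Figure 5: ask g1, answer c2 twice, then ask g2.
    Returns the integer in the final answer and the ASCII action log."""
    log = ['P c(<g1,g2>)']               # the term's first answer delivering the pair
    def c1(_):
        log.append('P c1(())')
    def f(_, c2):
        log.append('P f((),c2)')
        for _ in range(2):               # c2 is resumed twice; that needs call/cc
            log.append('O c2(())')
            c2(())
    log.append('O g1(f,c1)')
    inc(f, c1)
    log.append('O g2((),c3)')
    v = get((), lambda x: x)
    log.append(f'P c3({v})')
    return v, log

def opponent_without_callcc(inc, get):
    """A context that returns from f exactly once, which is all a context
    without call/cc can do; both terms answer the same value to it."""
    inc(lambda _, c2: c2(()), lambda _: None)
    return get((), lambda x: x)

def run_all():
    """Final answers of the two terms against the two contexts."""
    return {
        'M_cwl with call/cc': opponent_with_callcc(*make_cwl(False))[0],
        "M'_cwl with call/cc": opponent_with_callcc(*make_cwl(True))[0],
        'M_cwl no call/cc': opponent_without_callcc(*make_cwl(False)),
        "M'_cwl no call/cc": opponent_without_callcc(*make_cwl(True)),
    }

if __name__ == "__main__":
    for name, answer in run_all().items():
        print(name, '->', answer)
    print(opponent_with_callcc(*make_cwl(False))[1])
```

Against the Opponent that resumes c₂ twice, M_cwl answers 2, exactly the c̄₃(2) of Figure 5, because N re-reads ℓ_x on the second entry, whereas the second term answers 1, since n was fixed before f() was called. Against the Opponent that returns from f once, both answer 1: a context needs a control operator to exhibit the difference, which is the point of the example taken from [4].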
Definition 10 (Program configuration).
Given a Γ-assignment ρ, a cr-free HOSC term Γ ⊢ M : τ and c : τ, we define the active configuration C^{ρ,c}_M by C^{ρ,c}_M = ⟨M{ρ}, c, ∅, ∅, ν(ρ) ∪ {c}, ∅⟩. Note that traces from Tr_HOSC(C^{ρ,c}_M) will be (ν(ρ) ∪ {c}, ∅)-traces.

Definition 11. The HOSC[HOSC] trace semantics of a cr-free HOSC term Γ ⊢ M : τ is defined to be Tr_HOSC(Γ ⊢ M : τ) = {((ρ, c), t) | ρ is a Γ-assignment, c : τ, t ∈ Tr_HOSC(C^{ρ,c}_M)}.

Example 5.
Recall the term ⊢ M_cwl : τ from Example 4, the trace t and the configuration C such that t ∈ Tr_HOSC(C). Because M_cwl is closed (Γ = ∅), the only Γ-assignment is the empty map ∅. Thus, C = C^{∅,c}_{M_cwl}, so ((∅, c), t) ∈ Tr_HOSC(⊢ M_cwl : τ).

Having defined active configurations associated to terms, we now turn to defining passive configurations associated to contexts. Let us fix ⋄ ∈ FNames_{Unit→Unit} and, for each σ, a continuation name ◦_σ ∈ CNames_σ. Let ◦ = ⋃_σ {◦_σ}. Intuitively, the names ⋄ will correspond to ⇓_err and ◦_σ to ⇓_ter.

Recall that êrr stands for err : Unit → Unit. Given a heap h : Σ; êrr, an evaluation context Σ; êrr ⊢ K : τ → τ′ and a substitution Σ; êrr ⊢ γ : Γ (as in the definition of ≲^{HOSC(ciu)}_err), let us replace every occurrence of cont_σ K′ inside h, K, γ with cont_σ(K′, ◦_{σ′}), if K′ has type σ → σ′. Moreover, let us replace every occurrence of the variable err with the function name ⋄. This is done to adjust h, K, γ to the extended syntax of the LTS: the upgraded versions are called h°, γ°, K°.

Next we define the set AVal_Γ(γ) of all disjoint decompositions of values from γ° into abstract values and the corresponding matchings. Recall that Γ = {x₁ : σ₁, ⋯, x_k : σ_k}. Below A⃗ᵢ stands for (A₁, ⋯, A_k), and γ⃗ᵢ for (γ₁, ⋯, γ_k).

  AVal_Γ(γ) = {(A⃗ᵢ, γ⃗ᵢ) | (Aᵢ, γᵢ) ∈ AVal_{σᵢ}(γ°(xᵢ)), i = 1, ⋯, k; ν(A₁), ⋯, ν(A_k) mutually disjoint and without ⋄}

Definition 12 (Context configuration).
Given Σ, h : Σ; êrr, Σ; êrr ⊢ K : τ → τ′, Σ; êrr ⊢ γ : Γ, (A⃗ᵢ, γ⃗ᵢ) ∈ AVal_Γ(γ) and c : τ (c ∉ ◦), the corresponding configuration C^{γ⃗ᵢ,c}_{h,K,γ} is defined by

  C^{γ⃗ᵢ,c}_{h,K,γ} = ⟨ ⊎_{i=1}^{k} γᵢ ⊎ {c ↦ K°},  {c ↦ ◦_{τ′}},  ⊎_{i=1}^{k} ν(Aᵢ) ⊎ {c} ⊎ ◦ ⊎ {⋄},  h° ⟩.

Intuitively, the names ν(Aᵢ) correspond to calling function values extracted from γ, whereas c corresponds to K. Note that traces in Tr_HOSC(C^{γ⃗ᵢ,c}_{h,K,γ}) will be (◦ ⊎ {⋄}, ⊎_{i=1}^{k} ν(Aᵢ) ⊎ {c})-traces.

In preparation for the next result, we introduce the following shorthands.
– Given an (N_O, N_P)-trace t, we write t^⊥ for the (N_P, N_O)-trace obtained by changing the polarity of each name: f(A, c′) becomes f̄(A, c′) (and vice versa) and c(A) becomes c̄(A) (and vice versa).
– Given (A⃗ᵢ, γ⃗ᵢ) ∈ AVal_Γ(γ), we define a Γ-assignment ρ_{A⃗ᵢ} by ρ_{A⃗ᵢ}(xᵢ) = Aᵢ. Note that ν(ρ_{A⃗ᵢ}) = ⊎_{i=1}^{k} dom(γᵢ).

Lemma 4 (Correctness).
Let Γ ⊢ M : τ be a cr-free HOSC term, let
Σ, h, K, γ be as above, ( ~A i , ~γ i ) ∈ AVal Γ ( γ ) , and c : τ ( c
6∈ ◦ ). Then – ( K [ M { γ } ] , h ) ⇓ err iff there exist t, c ′ such that t ∈ Tr HOSC ( C ρ ~Ai ,cM ) and t ⊥ ¯ ⋄ (() , c ′ ) ∈ Tr HOSC ( C ~γ i ,ch,K,γ ) . – ( K [ M { γ } ] , h ) ⇓ ter iff there exist t, A, σ such that t ∈ Tr HOSC ( C ρ ~Ai ,cM ) and t ⊥ ¯ ◦ σ ( A ) ∈ Tr HOSC ( C ~γ i ,ch,K,γ ) .Moreover, t satisfies ν ( t ) ∩ ( ◦ ∪ {⋄} ) = ∅ . Intuitively, the lemma above confirms that the potential of a term to convergeis determined by its traces. Accordingly, we have:
Theorem 1 (Soundness). For any cr-free HOSC terms Γ ⊢ M_1, M_2, if Tr_HOSC(Γ ⊢ M_1) ⊆ Tr_HOSC(Γ ⊢ M_2) then Γ ⊢ M_1 ≲^{HOSC(ciu)}_err M_2.

To prove the converse, we need to know that every odd-length trace generated by a term actually participates in a contextual interaction. This will follow from the lemma below. Note that ⇓_err relies on even-length traces from the context (Lemma 4).

Lemma 5 (Definability).
Suppose φ ⊎ {⋄} ⊆ FNames and t is an even-length (◦ ⊎ {⋄}, φ ⊎ {c})-trace starting with an O-action. There exists a passive configuration C such that the even-length traces in Tr_HOSC(C) are exactly the even-length prefixes of t (along with all renamings that preserve types and φ ⊎ {c} ⊎ ◦ ⊎ {⋄}, cf. Remark 2). Moreover, C = ⟨γ^◦ · [c ↦ K^◦], {c ↦ ◦_τ′}, φ ⊎ {c} ⊎ ◦ ⊎ {⋄}, h^◦⟩, where h, K, γ are built from HOSC syntax.

Proof (Sketch). The basic idea is to use references in order to record all continuation and function names introduced by the environment. For continuations, the use of call/cc_τ is essential. Once stored in the heap, the names can be accessed by terms when needed in P-actions. The availability of throw and references to all O-continuations means that arbitrary answer actions can be scheduled when needed.

Theorem 2 (Completeness).
For any cr-free HOSC terms Γ ⊢ M_1, M_2, Γ ⊢ M_1 ≲^{HOSC(ciu)}_err M_2 implies Tr_HOSC(Γ ⊢ M_1) ⊆ Tr_HOSC(Γ ⊢ M_2).

Theorems 1, 2 (along with Lemmas 1, 2) imply the following full abstraction results.
Corollary 1 (HOSC Full Abstraction). Suppose Γ ⊢ M_1, M_2 are cr-free HOSC terms. Then Tr_HOSC(Γ ⊢ M_1) ⊆ Tr_HOSC(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{HOSC}_err M_2 iff Γ ⊢ M_1 ≲^{HOSC}_ter M_2.

Example 6 (Callback with lock [4]). Recall the term ⊢ M_cwl : ((Unit → Unit) → Unit) × (Unit → Int) from Example 4, given in Figure 4. We had

t = c̄(⟨g, g⟩) g(f, c) f̄((), c) c(()) c̄(()) c(()) c̄(()) g((), c) c̄(2) ∈ Tr_HOSC(C^{∅,c}_{M_cwl}).

Define the second trace to be t except that its last action c̄(2) is replaced with c̄(1). Observe that t is generated by C^{∅,c}_{M_cwl} for the first term but not for the second, while the modified trace is generated for the second term but not for the first, i.e. by the Corollary above the terms are incomparable wrt ≲^{HOSC}_err. However, they are equivalent wrt ≲^{x}_err for x ∈ {GOSC, HOS, GOS} [8].

The above Corollary also provides a handle to reason about equivalence via trace equivalence. Sometimes this can be done directly on the LTS, especially when γ can be kept bounded.

Example 7 (Counter [28]). For i ∈ {1, 2}, consider the terms ⊢ M_i : (Unit → Unit) × (Unit → Int) given by M_i ≡ let x = ref 0 in ⟨inc_i, get_i⟩, where inc_1 ≡ (λy. x := !x + 1), inc_2 ≡ (λy. x := !x − 1), get_1 ≡ λz. !x, get_2 ≡ λz. −!x. In this case, Tr_HOSC(C^{∅,c}_{M_i}) contains (prefixes of) traces of the form c̄(⟨g, h⟩) t, where t is built from segments of two kinds: either g((), c_i) c̄_i(()) or h((), c′_i) c̄′_i(n), where the c_i's and c′_i's are pairwise different. Moreover, in the latter case, n must be equal to the number of preceding actions of the form g((), c_i). For this example, trace equality could be established by induction on the length of trace. Consequently, M_1 ≅^{HOSC}_err M_2.

Recall that GOSC is the fragment of HOSC in which general storage is restricted to values of ground type, i.e. arithmetic/boolean constants, the associated reference names, references to those names and so on. In what follows, we are going to provide characterizations of ≲^{GOSC}_err via trace inclusion. Recall that, by Lemma 2, ≲^{GOSC}_err = ≲^{GOSC}_ter. Note that we work in an asymmetric setting with terms belonging to HOSC being more powerful than contexts.

We start off by identifying several technical consequences of the restriction to GOSC syntax. First we observe that GOSC internal reductions never contribute extra names.
Lemma 6. Suppose (M, c, h) → (M′, c′, h′), where M is a GOSC term and h is a GOSC heap. Then ν(M) ∪ {c} ⊇ ν(M′) ∪ {c′}.

Proof. By case analysis. All defining rules for →, with the exception of the (K[!ℓ], h) → (K[h(ℓ)], h) rule, are easily seen to satisfy the Lemma (no function or continuation names are added). However, if the heap is restricted to storing elements of type ι (as in GOSC) then h(ℓ) will never contain a name, so the Lemma follows.

The lemma has interesting consequences for the shape of traces generated by the context configurations C^{γ⃗_i,c}_{h,K,γ} if they are built from GOSC syntax. Recall that P-actions have the form f̄(A, c′) or c̄(A), where f, c are names introduced by O. It turns out that when h, K, γ are restricted to GOSC, more can be said about the origin of the names in traces generated by C^{γ⃗_i,c}_{h,K,γ}: they will turn out to come from a restricted set of names introduced by O, which we identify below. The definition below is based on following the justification structure of a trace: recall that one action is said to justify another if the former introduces a name that is used for communication in the latter.

Definition 13.
Suppose φ ⊎ {⋄} ⊆ FNames and c ∈ CNames. Let t be an odd-length (◦ ⊎ {⋄}, φ ⊎ {c})-trace starting with an O-action. The set Vis_P(t) of P-visible names of t is defined as follows.

Vis_P(t c′(A′)) = {⋄} ∪ ◦ ∪ ν(A′)   if c′ = c
Vis_P(t f̄″(A″, c′) t′ c′(A′)) = Vis_P(t) ∪ ν(A′)   if c′ ≠ c
Vis_P(t f′(A′, c′)) = {⋄} ∪ ◦ ∪ ν(A′) ∪ {c′}   if f′ ∈ φ
Vis_P(t f̄″(A″, c″) t′ f′(A′, c′)) = Vis_P(t) ∪ ν(A′) ∪ {c′}   if f′ ∈ ν(A″)
Vis_P(t c̄″(A″) t′ f′(A′, c′)) = Vis_P(t) ∪ ν(A′) ∪ {c′}   if f′ ∈ ν(A″)

Note that, in the inductive cases, the definition follows links between names introduced by P and the point of their introduction; names introduced in between are ignored. Here readers familiar with game semantics will notice similarity to the notion of P-view [12].

Next we specify a property of traces that will turn out to be satisfied by configurations corresponding to GOSC contexts.

Definition 14. Suppose φ ⊎ {⋄} ⊆ FNames and c ∈ CNames. Let t be a (◦ ⊎ {⋄}, φ ⊎ {c})-trace starting with an O-action. t is called P-visible if
– for any even-length prefix t′ f̄(A, c) of t, we have f ∈ Vis_P(t′),
– for any even-length prefix t′ c̄(A) of t, we have c ∈ Vis_P(t′).

Lemma 7. Consider C = C^{γ⃗_i,c}_{h,K,γ}, where h, K, γ are from GOSC and (A⃗_i, γ⃗_i) ∈ AVal_Γ(γ). Then all traces in Tr_HOSC(C) are P-visible.

The Lemma above shows that contextual interactions with GOSC contexts rely on restricted traces. We shall now modify the HOSC[HOSC] LTS to capture the restriction. Note that, from the perspective of the term, the above constraint is a constraint on the use of names by O (context), so we need to talk about O-available names instead. This dual notion is defined below.
Definition 15. Suppose φ ⊆ FNames and c ∈ CNames. Let t be a (φ ⊎ {c}, ∅)-trace of odd length. The set Vis_O(t) of O-visible names of t is defined as follows.

Vis_O(t c̄′(A′)) = ν(A′)   if c′ = c
Vis_O(t f″(A″, c′) t′ c̄′(A′)) = Vis_O(t) ∪ ν(A′)   if c′ ≠ c
Vis_O(t f̄′(A′, c′)) = ν(A′) ∪ {c′}   if f′ ∈ φ
Vis_O(t f″(A″, c″) t′ f̄′(A′, c′)) = Vis_O(t) ∪ ν(A′) ∪ {c′}   if f′ ∈ ν(A″)
Vis_O(t c″(A″) t′ f̄′(A′, c′)) = Vis_O(t) ∪ ν(A′) ∪ {c′}   if f′ ∈ ν(A″)

Analogously, a (φ ⊎ {c}, ∅)-trace t is O-visible if, for any even-length prefix t′ f(A, c) of t, we have f ∈ Vis_O(t′) and, for any even-length prefix t′ c(A) of t, we have c ∈ Vis_O(t′).

Example 8. Recall the trace t = c̄(⟨g, g⟩) g(f, c) f̄((), c) c(()) c̄(()) c(()) c̄(()) g((), c) c̄(2) from previous examples. Observe that

Vis_O(c̄(⟨g, g⟩) g(f, c) f̄((), c)) = {g, g, c}
Vis_O(c̄(⟨g, g⟩) g(f, c) f̄((), c) c(()) c̄(())) = {g, g}

Consequently, the first use of c(()) in t does not violate O-visibility, but the second one does.

In Figure 6, we present a new LTS, called the GOSC[HOSC] LTS, which will turn out to capture ≲^{GOSC}_err through trace inclusion. It is obtained from the HOSC[HOSC] LTS by restricting O-actions to those that rely on O-visible names. Technically, this is done by enriching configurations with an additional component F, which maintains historical information about O-available names immediately before each O-action.
After each P-action, F is accessed to calculate the current set V of O-available names according to the definition of O-availability, and only O-actions compatible with O-availability are allowed to proceed (due to the f ∈ V, c ∈ V side conditions). We write Tr_GOSC(C) for the set of traces generated from C in the GOSC[HOSC] LTS.

Fig. 6. GOSC[HOSC] LTS

(P_τ) ⟨M, c, γ, ξ, φ, h, F⟩ —τ→ ⟨N, c′, γ, ξ, φ, h′, F⟩ when (M, c, h) → (N, c′, h′)
(P_A) ⟨V, c, γ, ξ, φ, h, F⟩ —c̄(A)→ ⟨γ · γ′, ξ, φ ⊎ ν(A), h, F, F(c) ⊎ ν(A)⟩ when c : σ and (A, γ′) ∈ AVal_σ(V)
(P_Q) ⟨K[fV], c, γ, ξ, φ, h, F⟩ —f̄(A, c′)→ ⟨γ · γ′ · [c′ ↦ K], ξ · [c′ ↦ c], φ ⊎ φ′, h, F, F(f) ⊎ φ′⟩ when f : σ → σ′, (A, γ′) ∈ AVal_σ(V), c′ : σ′ and φ′ = ν(A) ⊎ {c′}
(O_A) ⟨γ, ξ, φ, h, F, V⟩ —c(A)→ ⟨K[A], c′, γ, ξ, φ ⊎ ν(A), h, F · [ν(A) ↦ V]⟩ when c ∈ V, c : σ, A : σ, γ(c) = K, ξ(c) = c′
(O_Q) ⟨γ, ξ, φ, h, F, V⟩ —f(A, c)→ ⟨V A, c, γ, ξ, φ ⊎ φ′, h, F · [φ′ ↦ V]⟩ when f ∈ V, f : σ → σ′, A : σ, c : σ′, γ(f) = V and φ′ = ν(A) ⊎ {c}

Given N ⊆ Names, [N ↦ V] stands for the map [n ↦ V | n ∈ N].

Recall that, given a Γ-assignment ρ, term Γ ⊢ M : τ and c ∈ CNames_τ, the active configuration C^{ρ,c}_M was defined by C^{ρ,c}_M = ⟨M{ρ}, c, ∅, ∅, ν(ρ) ∪ {c}, ∅⟩. We need to upgrade it to the new LTS by initializing the new component to the empty map: C^{ρ,c}_{M,vis} = ⟨M{ρ}, c, ∅, ∅, ν(ρ) ∪ {c}, ∅, ∅⟩.

Definition 16.
The GOSC[HOSC] trace semantics of a cr-free HOSC term Γ ⊢ M : τ is defined to be

Tr_GOSC(Γ ⊢ M : τ) = {((ρ, c), t) | ρ is a Γ-assignment, c : τ, t ∈ Tr_GOSC(C^{ρ,c}_{M,vis})}.

By construction, it follows that

Lemma 8. t ∈ Tr_GOSC(C^{ρ,c}_{M,vis}) iff t ∈ Tr_HOSC(C^{ρ,c}_M) and t is O-visible.

Noting that the witness trace t from Lemma 4 is O-visible iff t^⊥ ⋄̄((), c′) is P-visible, we can conclude that, for GOSC, the traces relevant to ⇓_err are O-visible, which yields:

Theorem 3 (Soundness).
For any cr-free HOSC terms Γ ⊢ M_1, M_2, if Tr_GOSC(Γ ⊢ M_1) ⊆ Tr_GOSC(Γ ⊢ M_2) then Γ ⊢ M_1 ≲^{GOSC(ciu)}_err M_2.

To prove the converse, we need a new definability result. This time we are only allowed to use GOSC syntax, but the target is also more modest: we are only aiming to capture P-visible traces.
Lemma 9 (Definability). Suppose φ ⊎ {⋄} ⊆ FNames and t is an even-length P-visible (◦ ⊎ {⋄}, φ ⊎ {c})-trace starting with an O-action. There exists a passive configuration C such that the even-length traces in Tr_HOSC(C) are exactly the even-length prefixes of t (along with all renamings that preserve types and φ ⊎ {c} ⊎ ◦ ⊎ {⋄}). Moreover, C = ⟨γ^◦ · [c ↦ K^◦], {c ↦ ◦_τ′}, φ ⊎ {c} ⊎ ◦ ⊎ {⋄}, h^◦⟩, where h, K, γ are built from GOSC syntax.
Proof (Sketch). This time we cannot rely on references to recall on demand all continuation and function names introduced by the environment. However, because t is P-visible, it turns out that the uses of the names can be captured through variable bindings (λx. ··· for function names and call/cc_τ(x. ...) for continuation names). Using throw, we can then force an arbitrary answer action, as long as it uses a P-available name. To select the right action at each step, we branch on the value of a single global reference of type ref Int that keeps track of the number of steps simulated so far.

Completeness now follows because, for a potential O-visible witness t from Lemma 4, one can create a corresponding context by invoking the Definability result for t^⊥ ⋄̄((), c′). It is crucial that the addition of ⋄̄((), c′) does not break P-visibility (⋄ is P-visible).

Theorem 4 (Completeness).
For any cr-free HOSC terms Γ ⊢ M_1, M_2, if Γ ⊢ M_1 ≲^{GOSC(ciu)}_err M_2 then Tr_GOSC(Γ ⊢ M_1) ⊆ Tr_GOSC(Γ ⊢ M_2).

Altogether, Theorems 3, 4 (along with Lemma 1) imply the following result.
Corollary 2 (GOSC Full Abstraction). Suppose Γ ⊢ M_1, M_2 are cr-free HOSC terms. Then Tr_GOSC(Γ ⊢ M_1) ⊆ Tr_GOSC(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{GOSC(ciu)}_err M_2 iff Γ ⊢ M_1 ≲^{GOSC}_err M_2.

Example 9. In the Callback with lock example (Example 6), we exhibited two traces that separated the two terms M_cwl wrt ≲^{HOSC}_err. Example 8 shows that neither trace is O-visible, i.e. they cannot be found in Tr_GOSC(Γ ⊢ M) for either term. Thus, the two traces cannot be used to separate the terms wrt ≲^{GOSC}_err. As already mentioned, this is in fact impossible: the two terms are ≅^{GOSC}_err-equivalent.

Example 10 (Well-bracketed state change [4]). Consider the following two terms of type τ = (Unit → Unit) → Int:

M_wbsc ≜ let x = ref 0 in λf. (x := 0; f(); x := 1; f(); !x)
M_wbsc ≜ λf. (f(); f(); 1)

Let t = c̄(g) g(f, c) f̄((), c) c(()) f̄((), c) g(f, c) f̄((), c) c(()) c̄(0) and let the second trace be obtained from t by changing 0 in the last action to 1. One can check that both traces are O-visible: in particular, the action c(()) is not a violation because

Vis_O(c̄(g) g(f, c) f̄((), c) c(()) f̄((), c) g(f, c) f̄((), c)) = {g, c, c}.

Moreover, t is in Tr_GOSC(C^{∅,c}_{M_wbsc}) for the first term but not for the second, and the modified trace is in it for the second term but not for the first. By the Corollary above, we can conclude that the two terms are incomparable wrt ≲^{GOSC}_err. However, they turn out to be ≅^{HOS}_err- and ≅^{GOS}_err-equivalent.
Recall that HOS is the fragment of HOSC that does not feature continuation types and the associated syntax. In what follows we are going to provide alternative characterisations of ≲^{HOS}_err and ≲^{HOS}_ter in terms of trace inclusion and complete trace inclusion respectively.

We start off by identifying several technical consequences of the restriction to HOS syntax. First we observe that HOS internal reductions never change the associated continuation name.

Lemma 10. If (M, c, h) → (M′, c′, h′), M is a HOS term and h is a HOS heap then c = c′.

Proof. The only rule that could change c is the rule for throw, but it is not part of HOS.

The lemma has a bearing on the shape of traces generated by the (passive) configurations C^{γ⃗_i,c}_{h,K,γ} corresponding to HOS contexts. In the presence of throw and storage for continuations, it was possible for P to play answers involving arbitrary continuation names introduced by O. By Lemma 10, in HOS this will be restricted to the continuation name of the current configuration, which will restrict the shape of possible traces. Below we identify the continuation name top_P(t) that becomes the relevant name after trace t. If the last move was an O-question then the continuation name introduced by that move will become that name. Otherwise, we track a chain of answers and questions, similarly to the definition of P-visibility.

Observe that, because h, K, γ are from HOS, C^{γ⃗_i,c}_{h,K,γ} will generate ({◦_τ′, ⋄}, φ ⊎ {c})-traces, where τ′ is the result type of K, because h^◦ = h, K^◦ = K, γ^◦ = γ.

Definition 17. Suppose φ ⊎ {⋄} ⊆ FNames and c ∈ CNames. Let t be a ({◦_τ′, ⋄}, φ ⊎ {c})-trace of odd length starting with an O-action. The continuation name top_P(t) is defined as follows.

top_P(t c(A)) = ◦_τ′
top_P(t f̄(A″, c′) t′ c′(A′)) = top_P(t)
top_P(t f(A′, c′)) = c′

We say that a ({◦_τ′, ⋄}, φ ⊎ {c})-trace t starting with an O-action is P-bracketed if, for any prefix t′ c̄′(A) of t (i.e. any prefix ending with a P-answer), we have c′ = top_P(t′).

Lemma 11. Consider C = C^{γ⃗_i,c}_{h,K,γ}, where h, K, γ are from HOS and (A⃗_i, γ⃗_i) ∈ AVal_Γ(γ). Then all traces in Tr_HOSC(C) are P-bracketed.

The Lemma above characterizes the restrictive nature of contextual interactions with HOS contexts. Next we shall constrain the HOSC[HOSC] LTS accordingly to capture the restriction. Note that, from the point of view of the term, the above-mentioned constraint concerns the use of continuation names by O (the context), so we need to talk about O-bracketing instead. This dual notion of "a top name for O" is specified below.
Fig. 7. HOS[HOSC] LTS

(P_τ) ⟨M, c, γ, ξ, φ, h⟩ —τ→ ⟨N, c′, γ, ξ, φ, h′⟩ when (M, c, h) → (N, c′, h′)
(P_A) ⟨V, c, γ, ξ, φ, h⟩ —c̄(A)→ ⟨γ · γ′, ξ, φ ⊎ ν(A), h, c′⟩ when c : σ, (A, γ′) ∈ AVal_σ(V), ξ(c) = c′
(P_Q) ⟨K[fV], c, γ, ξ, φ, h⟩ —f̄(A, c′)→ ⟨γ · γ′ · [c′ ↦ K], ξ · [c′ ↦ c], φ ⊎ ν(A) ⊎ {c′}, h, c′⟩ when f : σ → σ′, (A, γ′) ∈ AVal_σ(V), c′ : σ′
(O_A) ⟨γ, ξ, φ, h, c″⟩ —c(A)→ ⟨K[A], c′, γ, ξ, φ ⊎ ν(A), h⟩ when c = c″, c : σ, A : σ, γ(c) = K, ξ(c) = c′
(O_Q) ⟨γ, ξ, φ, h, c″⟩ —f(A, c)→ ⟨V A, c, γ, ξ · [c ↦ c″], φ ⊎ ν(A) ⊎ {c}, h⟩ when f : σ → σ′, A : σ, c : σ′, γ(f) = V
Definition 18. Suppose φ ⊆ FNames and c ∈ CNames. Let t be a (φ ⊎ {c}, ∅)-trace of odd length. The continuation name top_O(t) is defined as follows. In the first case, the value is ⊥ (representing "none"), because c is the top continuation passed by the environment to the term (if it gets answered there is nothing left to answer).

top_O(t c̄(A)) = ⊥
top_O(t f(A″, c′) t′ c̄′(A′)) = top_O(t)
top_O(t f̄(A′, c′)) = c′

We say that a (φ ⊎ {c}, ∅)-trace t is O-bracketed if, for any prefix t′ c′(A) of t (i.e. any prefix ending with an O-answer), we have c′ = top_O(t′).

In Figure 7, we present a new LTS, called the HOS[HOSC] LTS, which will turn out to capture ≲^{HOS}_err. It is obtained from the HOSC[HOSC] LTS by restricting O-actions to those that satisfy O-bracketing. Technically, this is done by enriching passive configurations with a component for storing the current value of top_O(t). In order to maintain this information, we need to know which continuation will become the top one if P plays an answer. This can be done with a map that maps continuations introduced by O to other continuations. Because its flavour is similar to ξ (which is a map from continuations introduced by P) we integrate this information into ξ. The c = c″ side condition then enforces O-bracketing. We shall write Tr_HOS(C) for the set of traces generated from C in the HOS[HOSC] LTS.

Recall that, given a Γ-assignment ρ, term Γ ⊢ M : τ and c : τ, the active configuration C^{ρ,c}_M was defined by C^{ρ,c}_M = ⟨M{ρ}, c, ∅, ∅, ν(ρ) ∪ {c}, ∅⟩. We upgrade it to the new LTS by setting C^{ρ,c}_{M,bra} = ⟨M{ρ}, c, ∅, [c ↦ ⊥], ν(ρ) ∪ {c}, ∅, ∅⟩. This initializes ξ in such a way that, after c̄(A) is played, the extra component will be set to ⊥, where ⊥ is a special element not in CNames.

Definition 19.
The HOS[HOSC] trace semantics of a cr-free HOSC term Γ ⊢ M : τ is defined to be

Tr_HOS(Γ ⊢ M : τ) = {((ρ, c), t) | ρ is a Γ-assignment, c : τ, t ∈ Tr_HOS(C^{ρ,c}_{M,bra})}.

By construction, it follows that

Lemma 12. t ∈ Tr_HOS(C^{ρ,c}_{M,bra}) iff t ∈ Tr_HOSC(C^{ρ,c}_M) and t is O-bracketed.

Noting that the witness trace t from Lemma 4 is O-bracketed iff t^⊥ ⋄̄((), c′) is P-bracketed, we can conclude that, for HOS, the traces relevant to ⇓_err are O-bracketed, which yields:

Theorem 5 (Soundness).
For any cr-free HOSC terms Γ ⊢ M_1, M_2, if Tr_HOS(Γ ⊢ M_1) ⊆ Tr_HOS(Γ ⊢ M_2) then Γ ⊢ M_1 ≲^{HOS(ciu)}_err M_2.

For the converse, we establish another definability result, this time for a P-bracketed trace.
Lemma 13 (Definability). Suppose φ ⊎ {⋄} ⊆ FNames and t is an even-length P-bracketed ({◦_τ′, ⋄}, φ ⊎ {c})-trace starting with an O-action. There exists a passive configuration C such that the even-length traces in Tr_HOSC(C) are exactly the even-length prefixes of t (along with all renamings that preserve types and φ ⊎ {c, ◦_τ′, ⋄}). Moreover, C = ⟨γ · [c ↦ K], {c ↦ ◦_τ′}, φ ⊎ {c, ◦_τ′, ⋄}, h⟩, where h, K, γ are built from HOS syntax.

Proof (Sketch).
Our argument for HOSC is structured in such a way that, for a P-bracketed trace, there is no need for continuations (throwing and continuation capture are not necessary).

Completeness now follows because, for a potential witness trace t from Lemma 4, one can create a corresponding context by invoking the Definability result for t^⊥ ⋄̄((), c′). It is crucial that the addition of ⋄̄((), c′) does not break P-bracketing (it does not, because the action is a question).

Theorem 6 (Completeness). For any cr-free HOSC terms Γ ⊢ M_1, M_2, if Γ ⊢ M_1 ≲^{HOS(ciu)}_err M_2 then Tr_HOS(Γ ⊢ M_1) ⊆ Tr_HOS(Γ ⊢ M_2).

Altogether, Theorems 5, 6 (along with Lemma 1) imply the following result.
Corollary 3 (HOS Full Abstraction). Suppose Γ ⊢ M_1, M_2 are cr-free HOSC terms. Then Tr_HOS(Γ ⊢ M_1) ⊆ Tr_HOS(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{HOS(ciu)}_err M_2 iff Γ ⊢ M_1 ≲^{HOS}_err M_2.

Example 11 (Assignment/callback commutation [27]). For i ∈ {1, 2}, let f : Unit → Unit ⊢ M_i : Unit → Unit be defined by:

M_1 ≜ let n = ref(0) in λy^{Unit}. if (!n > 0) () (n := 1; f()),
M_2 ≜ let n = ref(0) in λy^{Unit}. if (!n > 0) () (f(); n := 1).

Operationally, one can see that f ⊢ M_1 ≴^{HOS}_err M_2 due to the following HOS context: let r = ref(λy.y) in (let f = λy. (!r)() in (r := •; (!r)())); err. In our framework, this is confirmed by the trace t_1 = c̄(g) g((), c) f̄((), c) g((), c) c̄(()), which is in Tr_HOS(C^{ρ,c}_{M_1}) \ Tr_HOS(C^{ρ,c}_{M_2}). On the other hand, t_2 = c̄(g) g((), c) f̄((), c) g((), c) f̄((), c) is in Tr_HOS(C^{ρ,c}_{M_2}) \ Tr_HOS(C^{ρ,c}_{M_1}), so the terms are incomparable. Note, however, that both traces break O-visibility: specifically, we have Vis_O(c̄(g) g((), c) f̄((), c)) = {c}, so the g((), c) action violates the condition. Consequently, the traces do not preclude f ⊢ M_1 ≅^{x}_err M_2 for x ∈ {GOSC, GOS}.

For x ∈ {HOSC, GOSC}, ≲^{x}_err and ≲^{x}_ter coincide. Intuitively, this is because the presence of continuations in the context makes it possible to make an escape at any point. In contrast, for HOS, the context must run to completion in order to terminate.

At the technical level, one can appreciate the difference when trying to transfer our results for ≲^{HOS(ciu)}_err to ≲^{HOS(ciu)}_ter. Recall that, according to Lemma 4, ⇓_ter relies on a witness trace t such that the context configuration generates t^⊥ ◦̄_τ′(). In HOS, the latter must satisfy P-bracketing, so we need top_P(t^⊥) = ◦_τ′. Note that this is equivalent to top_O(t) = ⊥. Consequently, only such traces are relevant to observing ⇓_ter.

Let us call an odd-length O-bracketed (φ ⊎ {c}, ∅)-trace t complete if top_O(t) = ⊥. Let us write Tr_HOS(Γ ⊢ M_1) ⊆_c Tr_HOS(Γ ⊢ M_2) if we have ((ρ, c), t) ∈ Tr_HOS(Γ ⊢ M_2) whenever ((ρ, c), t) ∈ Tr_HOS(Γ ⊢ M_1) and t is complete. Following our methodology, one can then show:

Theorem 7 (HOS Full Abstraction for ≲^{HOS}_ter). Suppose Γ ⊢ M_1, M_2 are cr-free HOSC terms. Then Tr_HOS(Γ ⊢ M_1) ⊆_c Tr_HOS(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{HOS(ciu)}_ter M_2 iff Γ ⊢ M_1 ≲^{HOS}_ter M_2.

Example 12. Let M_1 ≡ λf^{Unit → Unit}. f(); Ω_Unit and M_2 ≡ λf^{Unit → Unit}. Ω_Unit. We will see that ⊢ M_1 ≴^{HOS}_err M_2 but ⊢ M_1 ≲^{HOS}_ter M_2. To see this, note that Tr_HOS(C^{ρ,c}_{M_1}) contains prefixes of c̄(g) g(f, c) f̄((), c) c(()), while Tr_HOS(C^{ρ,c}_{M_2}) contains only those of c̄(g) g(f, c). Observe that the only complete trace among them is c̄(g). The trace t = c̄(g) g(f, c) f̄((), c) is not complete, because top_O(t) = c. Consequently, Tr_HOS(Γ ⊢ M_1) ⊈ Tr_HOS(Γ ⊢ M_2) but Tr_HOS(Γ ⊢ M_1) ⊆_c Tr_HOS(Γ ⊢ M_2).

The theorem above generalizes the characterisation of contextual equivalence between HOS terms with respect to HOS contexts [23], where trace completeness means both O- and P-bracketing and "all questions must be answered". Our definition of completeness is weaker (O-bracketing + "the top question must be answered"), because it also covers HOSC terms. However, in the presence of both O- and P-bracketing, i.e. for HOS terms, they will coincide.

Recall that GOS features ground state only and, technically, is the intersection of GOSC and HOS. Consequently, it follows from the previous sections that GOS contexts yield configurations that satisfy both P-visibility and P-bracketing. For such traces, the definability result for GOSC yields a GOS context. Thus, in a similar fashion to the previous sections, we can conclude that O-visible and O-bracketed traces underpin ≲^{GOS}_err. To define the GOS LTS we simply combine the restrictions imposed in the previous sections, and define Tr_GOS(Γ ⊢ M) analogously. We present the LTS in Appendix F. The results on ≲^{GOS}_ter from the previous section also carry over to GOS.
Theorem 8 (GOS Full Abstraction). Suppose Γ ⊢ M_1, M_2 are cr-free HOSC terms. Then:
– Tr_GOS(Γ ⊢ M_1) ⊆ Tr_GOS(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{GOS(ciu)}_err M_2 iff Γ ⊢ M_1 ≲^{GOS}_err M_2.
– Tr_GOS(Γ ⊢ M_1) ⊆_c Tr_GOS(Γ ⊢ M_2) iff Γ ⊢ M_1 ≲^{GOS(ciu)}_ter M_2 iff Γ ⊢ M_1 ≲^{GOS}_ter M_2.
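As an added illustration, not part of the paper, the following Python code computes Vis_O (Definition 15) and top_O (Definition 18) for traces of an active configuration, i.e. (φ ⊎ {c}, ∅)-traces in which P acts first, and uses them to check O-visibility, O-bracketing and completeness, which are exactly the restrictions combined in the GOS LTS. The traces are those of Examples 8, 10, 11 and 12; the encoding of actions as Python objects and the numbering of the names (g1, c2, ...) are constructed for the example.

```python
# Added example (not from the paper): O-visibility (Definition 15),
# O-bracketing (Definition 18) and completeness of (φ ⊎ {c0}, ∅)-traces.
# The encoding of actions and the indexed names (g1, c2, ...) are constructed.
from typing import FrozenSet, Iterable, List, Optional, Set

class Act:
    """One action.  player: 'P' or 'O'; kind: 'Q' (question/call) or 'A'
    (answer/return); name: function called (Q) or continuation answered (A);
    fresh: ν(A), the names introduced by the abstract value A; cont: the
    continuation name passed with a question (None for answers)."""
    def __init__(self, player: str, kind: str, name: str,
                 fresh: Iterable[str] = (), cont: Optional[str] = None):
        self.player, self.kind, self.name, self.cont = player, kind, name, cont
        self.fresh: FrozenSet[str] = frozenset(fresh)

def PQ(f, c, fresh=()): return Act('P', 'Q', f, fresh, c)   # f̄(A, c)
def PA(c, fresh=()):    return Act('P', 'A', c, fresh)      # c̄(A)
def OQ(f, c, fresh=()): return Act('O', 'Q', f, fresh, c)   # f(A, c)
def OA(c, fresh=()):    return Act('O', 'A', c, fresh)      # c(A)

def introducer(trace: List[Act], name: str) -> int:
    """Index of the O-action that introduced `name` (as the continuation of a
    question or inside its abstract value); trace[:index] has odd length."""
    for j, a in enumerate(trace):
        if a.player == 'O' and (a.cont == name or name in a.fresh):
            return j
    raise ValueError(f"{name} was not introduced by O")

def vis_O(trace: List[Act], phi: Set[str], c0: str) -> Set[str]:
    """Vis_O of an odd-length trace: follow the justification link of the last
    P-action back to where its name was introduced, ignoring what lies between."""
    if len(trace) % 2 == 0 or trace[-1].player != 'P':
        raise ValueError("Vis_O needs an odd-length trace ending in a P-action")
    last = trace[-1]
    if last.kind == 'A':                          # c̄'(A')
        if last.name == c0:                       # the initial continuation
            return set(last.fresh)
        j = introducer(trace, last.name)          # O-question f''(A'', c')
        return vis_O(trace[:j], phi, c0) | set(last.fresh)
    if last.name in phi:                          # f̄'(A', c') with f' initial
        return set(last.fresh) | {last.cont}
    j = introducer(trace, last.name)              # O-action whose value held f'
    return vis_O(trace[:j], phi, c0) | set(last.fresh) | {last.cont}

def first_O_visibility_violation(trace, phi, c0) -> Optional[int]:
    """Index of the first O-action whose name is not in Vis_O of its prefix."""
    for i, a in enumerate(trace):
        if a.player == 'O' and a.name not in vis_O(trace[:i], phi, c0):
            return i
    return None

def top_O(trace: List[Act], c0: str) -> Optional[str]:
    """top_O of an odd-length trace; None stands for ⊥."""
    last = trace[-1]
    if last.kind == 'Q':                          # f̄(A', c'): c' is now on top
        return last.cont
    if last.name == c0:                           # initial continuation answered
        return None
    return top_O(trace[:introducer(trace, last.name)], c0)

def first_O_bracketing_violation(trace, c0) -> Optional[int]:
    """Index of the first O-answer not aimed at top_O of its prefix."""
    for i, a in enumerate(trace):
        if a.player == 'O' and a.kind == 'A' and a.name != top_O(trace[:i], c0):
            return i
    return None

def is_complete(trace, c0) -> bool:
    """Complete trace: odd length, O-bracketed and top_O(t) = ⊥."""
    return (len(trace) % 2 == 1
            and first_O_bracketing_violation(trace, c0) is None
            and top_O(trace, c0) is None)

C0 = 'c0'  # the initial continuation name
# Example 8 (callback with lock), closed term so φ = ∅:
#   c̄(⟨g1,g2⟩) g1(f,c1) f̄((),c2) c2(()) c̄1(()) c2(()) c̄1(()) g2((),c3) c̄3(2)
T_CWL = [PA(C0, {'g1', 'g2'}), OQ('g1', 'c1', {'f'}), PQ('f', 'c2'), OA('c2'),
         PA('c1'), OA('c2'), PA('c1'), OQ('g2', 'c3'), PA('c3')]
# Example 10 (well-bracketed state change): O answers the earlier c3 while c5
# is still pending, which is how the first term comes to return 0.
T_WBSC = [PA(C0, {'g'}), OQ('g', 'c1', {'f1'}), PQ('f1', 'c2'), OA('c2'),
          PQ('f1', 'c3'), OQ('g', 'c4', {'f2'}), PQ('f2', 'c5'), OA('c3'), PA('c1')]
# Example 11 (assignment/callback commutation), f free, so φ = {'f'}:
T_ACC = [PA(C0, {'g'}), OQ('g', 'c1'), PQ('f', 'c2'), OQ('g', 'c3'), PA('c3')]
# Example 12: c̄(g) g(f,c1) f̄((),c2)
T_FO = [PA(C0, {'g'}), OQ('g', 'c1', {'f'}), PQ('f', 'c2')]

if __name__ == '__main__':
    for label, tr, phi in [('cwl', T_CWL, set()), ('wbsc', T_WBSC, set()),
                           ('acc', T_ACC, {'f'}), ('fo', T_FO, set())]:
        print(label, 'O-visibility violation at', first_O_visibility_violation(tr, phi, C0),
              '| O-bracketing violation at', first_O_bracketing_violation(tr, C0))
```

Running it reproduces the observations made in the examples: the second c2(()) of the callback-with-lock trace is the first O-visibility violation (it is also where O-bracketing fails), the well-bracketed-state-change trace is O-visible but fails O-bracketing at the c3(()) answer, the reentrant g((), c3) of Example 11 violates O-visibility because Vis_O of its prefix is {c2}, and c̄(g) g(f, c1) f̄((), c2) has top_O = c2 and so is not complete, whereas its prefix c̄(g) is.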
Our framework is able to deal with asymmetric scenarios, where programs are taken from HOSC, but are tested with contexts from weaker fragments. For example, we can compare the following two HOSC programs, where f : ((Unit → Unit) → Unit) → Unit is a free identifier:

let b = ref ff in callcc(y. f(λg. b := tt; g(); throw () to y); if !b then () else div)

callcc(y. f(λg. g(); throw () to y); div)

with div representing divergence. The terms happen to be ≅^{HOS}_err-equivalent, but not ≅^{HOSC}_err-equivalent. To see this at the intuitive level, we make the following observations.
– Firstly, we observe that, to distinguish the terms, f should use its argument. Otherwise, the value of b will remain equal to ff, and the only subterm that distinguishes the terms ('if !b then () else div') will play the same role as div in the second term.
– Secondly, if f does use its argument, then b will be set to tt in the first program, raising the possibility of distinguishing the terms. However, if we allow HOS contexts only then, since the argument to f was used, it will have to run to completion before 'if !b then () else div' is reached. Consequently, we will encounter 'throw () to y' earlier and never reach 'if !b then () else div'. This is represented by the trace f̄(h, c) h(g, c) ḡ((), c) c(()) c̄(()). This trace is O-bracketed, but not P-bracketed since Player uses throw to answer directly to the initial continuation c rather than c.
– Finally, if HOSC contexts are allowed, it is possible to reach 'if !b then () else div' with b set to tt. This is represented by the trace f̄(h, c) h(g, c) ḡ((), c) c(()) c̄(()). This trace is not O-bracketed, because c is answered rather than c, like above. Consequently, the trace witnesses termination of the first term, but the second term would diverge during interaction with the same context.

We plan to explore the opportunities presented by this setting in the future, especially with respect to fully abstract translations, for example, from HOSC to GOS.

Richer Types
Recall that our full abstraction results are stated for cr-free terms, terms with cont- and ref-free types at the boundary. Here we first discuss how to extend them to more complicated types.

To deal with reference types at the boundary, i.e. location exchange, one needs to generalize the notion of traces, so that they can carry, for each action, a heap representing the values stored in the disclosed part of the heap, as in [23,27]. The extension to sum, recursive and empty types seems conceptually straightforward, by simply extending the definition of abstract values for these types, following the similar notion of ultimate pattern in [24]. The same idea should apply to allow continuation types at the boundary. Operational game semantics for an extension of HOS with polymorphism has been explored in [15].
Innocence

On the other hand, all of the languages we considered were stateful. In the presence of state, all of the actions that are represented by labels (and their order and frequency) can be observed, because they could generate a side-effect. A natural question to ask is whether the techniques could also be used to provide analogous theorems for purely functional computation, i.e. contexts taken from the language PCF. Here, the situation is different. For example, the terms f : Int → Int ⊢ f(0) and f : Int → Int ⊢ if f(0) f(0) f(0) should be equivalent, even though the sets of their traces are incomparable.

It is known [12] that PCF strategies satisfy a uniformity condition called innocence. Unfortunately, restricting our traces to "O-innocent ones" (like we did with O-visibility and O-bracketing) would not deliver the required characterization. Technically, this is due to the fact that, in our arguments, given a single trace (with suitable properties), we can produce a context that induces the given trace and no other traces (except those implied by the definition of a trace). For innocence, this would not be possible due to the uniformity requirement. It will imply that, although we can find a functional context that generates an innocent trace, it might also generate other traces, which then have to be taken into account when considering contextual testing. This branching property makes it difficult to capture equivalence with respect to functional contexts explicitly, e.g. through traces, which is illustrated by the use of the so-called intrinsic quotient in game models of PCF [2,12].

We have presented four operational game models for HOSC, which capture term interaction with contexts built from any of the four sublanguages x ∈ {HOSC, GOSC, HOS, GOS} respectively. The most direct precursor to this work is Laird's trace model for HOS[HOS] [23].
Other frameworks in this spirit include models for objects [18], aspects [16] and system-level code [9]. In [13], Laird's model has been related formally to the denotational game model from [27]. However, in general, it is not yet clear how one can move systematically between the operational and denotational game-based approaches, despite some promising steps reported in [25]. Below we mention other operational techniques for reasoning about contextual equivalence.

In [31], fully abstract Eager-Normal-Form (enf) Bisimulations are presented for an untyped λ-calculus with store and control, similar to HOSC (but with control represented using the λμ-calculus). The bisimulations are parameterised by worlds to model the evolution of store, and bisimulations on contexts are used to deal with control. Like our approach, they are based on symbolic evaluation of open terms. Typed enf-bisimulations, for a language without store and in control-passing style, have been introduced in [24]. Fully-abstract enf-bisimulations are presented in [7] for a language with state only, corresponding to an untyped version of HOS. Earlier works in this strand include [17,29].

Environmental Bisimulations [19,30,32] have also been introduced for languages with store. They work on closed terms, computing the arguments that contexts can provide to terms using an environment similar to our component γ. They have also been extended to languages with call/cc [34] and delimited control operators [5,6].

Kripke Logical Relations [28,4,8] have been introduced for languages with state and control. In [8], a characterization of contextual equivalence for each case x[x] (x ∈ {HOSC, GOSC, HOS, GOS}) is given, using techniques called backtracking and public transitions, which exploit the absence of higher-order store and that of control constructs respectively. Importing these techniques in the setting of Kripke Open Bisimulations [14] should allow one to build a bridge between the game-semantics characterizations and Kripke Logical Relations.

Parametric bisimulations [11] have been introduced as an operational technique, merging ideas from Kripke Logical Relations and Environmental Bisimulations. They do not represent functional values coming from the environment using names, but instead use a notion of global and local knowledge to compute these values, reminiscent of the work on environmental bisimulations. The notion of global knowledge depends itself on a notion of evolving world. To our knowledge, no fully abstract Parametric Bisimulations have been presented.

A general theory of applicative [21] and normal-form bisimulations [20] has been developed, with the goal of being modular with respect to the effects considered. While the goal is similar to our work, the papers consider monadic and algebraic presentations of effects, trying particularly to design a general theory for proving soundness and completeness of such bisimulations. These works complement ours, and we would like to explore possible connections.

References
1. Abramsky, S.: Games in the semantics of programming languages. In: Proceedings of the 11th Amsterdam Colloquium. pp. 1–6. ILLC, Dept. of Philosophy, University of Amsterdam (1997)
2. Abramsky, S., Jagadeesan, R., Malacaria, P.: Full abstraction for PCF. Information and Computation, 409–470 (2000)
3. Abramsky, S., McCusker, G.: Call-by-value games. In: Proceedings of CSL. Lecture Notes in Computer Science, vol. 1414, pp. 1–17. Springer-Verlag (1997)
4. Ahmed, A., Dreyer, D., Rossberg, A.: State-dependent representation independence. In: Proceedings of POPL. pp. 340–353. ACM (2009)
5. Aristizabal, A., Biernacki, D., Lenglet, S., Polesiuk, P.: Environmental Bisimulations for Delimited-Control Operators with Dynamic Prompt Generation. Logical Methods in Computer Science (3) (2017)
6. Biernacki, D., Lenglet, S.: Environmental bisimulations for delimited-control operators. In: Proceedings of APLAS. Lecture Notes in Computer Science, vol. 8301, pp. 333–348. Springer (2013)
7. Biernacki, D., Lenglet, S., Polesiuk, P.: A complete normal-form bisimilarity for state. In: Proceedings of FOSSACS. Lecture Notes in Computer Science, vol. 11425, pp. 98–114. Springer (2019)
8. Dreyer, D., Neis, G., Birkedal, L.: The impact of higher-order state and control effects on local relational reasoning. J. Funct. Program. (4-5), 477–528 (2012)
9. Ghica, D.R., Tzevelekos, N.: A system-level game semantics. Electr. Notes Theor. Comput. Sci., 191–211 (2012)
10. Honsell, F., Mason, I.A., Smith, S.F., Talcott, C.L.: A variable typed logic of effects. Inf. Comput. (1), 55–90 (1995)
11. Hur, C.K., Dreyer, D., Neis, G., Vafeiadis, V.: The marriage of bisimulations and Kripke logical relations. In: Proceedings of POPL. pp. 59–72. ACM (2012)
12. Hyland, J.M.E., Ong, C.H.L.: On Full Abstraction for PCF: I. Models, observables and the full abstraction problem, II. Dialogue games and innocent strategies, III. A fully abstract and universal game model. Information and Computation, 285–408 (2000)
13. Jaber, G.: Operational nominal game semantics. In: Proceedings of FOSSACS. Lecture Notes in Computer Science, vol. 9034, pp. 264–278 (2015)
14. Jaber, G., Tabareau, N.: Kripke open bisimulation - A marriage of game semantics and operational techniques. In: Proceedings of APLAS. Lecture Notes in Computer Science, vol. 9458, pp. 271–291 (2015)
15. Jaber, G., Tzevelekos, N.: Trace semantics for polymorphic references. In: Proceedings of LICS. pp. 585–594. ACM (2016)
16. Jagadeesan, R., Pitcher, C., Riely, J.: Open bisimulation for aspects. In: Proceedings of AOSD. ACM International Conference Proceeding Series, vol. 208, pp. 107–120 (2007)
17. Jeffrey, A., Rathke, J.: Towards a theory of bisimulation for local names. In: Proceedings of LICS. pp. 56–66 (1999)
18. Jeffrey, A., Rathke, J.: A fully abstract may testing semantics for concurrent objects. Theor. Comput. Sci. (1-3), 17–63 (2005)
19. Koutavas, V., Wand, M.: Small bisimulations for reasoning about higher-order imperative programs. In: Proceedings of POPL. pp. 141–152. ACM (2006)
20. Lago, U.D., Gavazzo, F.: Effectful normal form bisimulation. In: Proceedings of ESOP. Lecture Notes in Computer Science, vol. 11423, pp. 263–292. Springer (2019)
21. Lago, U.D., Gavazzo, F., Levy, P.B.: Effectful applicative bisimilarity: Monads, relators, and Howe's method. In: Proceedings of LICS. IEEE Press (2017)
22. Laird, J.: Full abstraction for functional languages with control. In: Proceedings of 12th IEEE Symposium on Logic in Computer Science. pp. 58–67 (1997)
23. Laird, J.: A fully abstract trace semantics for general references. In: Proceedings of ICALP. Lecture Notes in Computer Science, vol. 4596, pp. 667–679. Springer (2007)
24. Lassen, S.B., Levy, P.B.: Typed normal form bisimulation. In: Proceedings of CSL. Lecture Notes in Computer Science, vol. 4646, pp. 283–297. Springer (2007)
25. Levy, P.B., Staton, S.: Transition systems over games. In: Proceedings of CSL-LICS. pp. 64:1–64:10 (2014)
26. Milner, R.: Fully abstract models of typed lambda-calculi. Theoretical Computer Science (1), 1–22 (1977)
27. Murawski, A.S., Tzevelekos, N.: Game semantics for good general references. In: Proceedings of LICS. pp. 75–84. IEEE Computer Society Press (2011)
28. Pitts, A.M., Stark, I.D.B.: Operational reasoning for functions with local state. In: Gordon, A.D., Pitts, A.M. (eds.) Higher-Order Operational Techniques in Semantics, pp. 227–273. Cambridge University Press (1998)
29. Sangiorgi, D.: Expressing mobility in process algebras: First-order and higher-order paradigms. Tech. Rep. CST-99-93, University of Edinburgh (1993), PhD thesis
30. Sangiorgi, D., Kobayashi, N., Sumii, E.: Environmental bisimulations for higher-order languages. ACM Trans. Program. Lang. Syst. (1), 5 (2011)
31. Støvring, K., Lassen, S.B.: A complete, co-inductive syntactic theory of sequential control and state. In: POPL. pp. 161–172. ACM (2007)
32. Sumii, E.: A complete characterization of observational equivalence in polymorphic λ-calculus with general references. In: Proceedings of CSL. Lecture Notes in Computer Science, vol. 5771, pp. 455–469. Springer (2009)
33. Talcott, C.L.: Reasoning about functions with effects. In: Gordon, A.D., Pitts, A.M. (eds.) Higher-Order Operational Techniques in Semantics, pp. 347–390. Cambridge University Press (1998)
34. Yachi, T., Sumii, E.: A sound and complete bisimulation for contextual equivalence in λ-calculus with call/cc. In: Proceedings of APLAS. pp. 171–186. Springer (2016)

A Additional material for Section 2 (HOSC)
A.1 Type System
Please see Figure 8.
A.2 Proof of Lemma 1 (CIU)
In [10,33], the authors propose general frameworks for establishing CIU theorems for higher-order languages with effects and control. The results are based on the usual contextual testing observing termination. Below we repeat the pattern of their argument in our framework for both ≲^{x(ciu)}_{ter} and ≲^{x(ciu)}_{err}. The names of the lemmas come from Section 2.3 of [10]. Their technical aim is to establish that each relation is a precongruence. Let y ∈ {ter, err}.

$$\frac{}{\Sigma;\Gamma \vdash () : \mathrm{Unit}} \qquad \frac{}{\Sigma;\Gamma \vdash \mathrm{tt} : \mathrm{Bool}} \qquad \frac{}{\Sigma;\Gamma \vdash \mathrm{ff} : \mathrm{Bool}} \qquad \frac{}{\Sigma;\Gamma \vdash \hat{n} : \mathrm{Int}}$$

$$\frac{(x,\tau)\in\Gamma}{\Sigma;\Gamma \vdash x : \tau} \qquad \frac{(\ell,\tau)\in\Sigma}{\Sigma;\Gamma \vdash \ell : \mathrm{ref}\,\tau} \qquad \frac{\Sigma;\Gamma \vdash M : \sigma \quad \Sigma;\Gamma \vdash N : \tau}{\Sigma;\Gamma \vdash \langle M, N\rangle : \sigma\times\tau} \qquad \frac{\Sigma;\Gamma \vdash M : \tau_1\times\tau_2}{\Sigma;\Gamma \vdash \pi_i M : \tau_i}$$

$$\frac{\Sigma;\Gamma, x:\sigma \vdash M : \tau}{\Sigma;\Gamma \vdash \lambda x^{\sigma}.M : \sigma\to\tau} \qquad \frac{\Sigma;\Gamma, f:\sigma\to\tau, x:\sigma \vdash M : \tau}{\Sigma;\Gamma \vdash \mathrm{rec}\,f(x^{\sigma}).M : \sigma\to\tau} \qquad \frac{\Sigma;\Gamma \vdash M : \sigma\to\tau \quad \Sigma;\Gamma \vdash N : \sigma}{\Sigma;\Gamma \vdash MN : \tau}$$

$$\frac{\Sigma;\Gamma \vdash M : \tau}{\Sigma;\Gamma \vdash \mathrm{ref}_\tau\, M : \mathrm{ref}\,\tau} \qquad \frac{\Sigma;\Gamma \vdash M : \mathrm{ref}\,\tau}{\Sigma;\Gamma \vdash\; !M : \tau} \qquad \frac{\Sigma;\Gamma \vdash M : \mathrm{ref}\,\tau \quad \Sigma;\Gamma \vdash N : \tau}{\Sigma;\Gamma \vdash M := N : \mathrm{Unit}}$$

$$\frac{\Sigma;\Gamma \vdash M_1 : \mathrm{Bool} \quad \Sigma;\Gamma \vdash M_2 : \tau \quad \Sigma;\Gamma \vdash M_3 : \tau}{\Sigma;\Gamma \vdash \mathrm{if}\, M_1\, M_2\, M_3 : \tau} \qquad \frac{\Sigma;\Gamma \vdash M_1 : \mathrm{Int} \quad \Sigma;\Gamma \vdash M_2 : \mathrm{Int}}{\Sigma;\Gamma \vdash M_1 \oplus M_2 : \mathrm{Int}}$$

$$\frac{\Sigma;\Gamma \vdash M_1 : \mathrm{Int} \quad \Sigma;\Gamma \vdash M_2 : \mathrm{Int}}{\Sigma;\Gamma \vdash M_1 \boxdot M_2 : \mathrm{Bool}} \qquad \frac{\Sigma;\Gamma \vdash M_1 : \mathrm{ref}\,\tau \quad \Sigma;\Gamma \vdash M_2 : \mathrm{ref}\,\tau}{\Sigma;\Gamma \vdash M_1 = M_2 : \mathrm{Bool}}$$

$$\frac{\Sigma;\Gamma, x:\tau \vdash K[x] : \sigma}{\Sigma;\Gamma \vdash \mathrm{cont}_\tau\, K : \mathrm{cont}\,\tau} \qquad \frac{\Sigma;\Gamma, x:\mathrm{cont}\,\tau \vdash M : \tau}{\Sigma;\Gamma \vdash \mathrm{call/cc}_\tau(x.M) : \tau} \qquad \frac{\Sigma;\Gamma \vdash M : \sigma \quad \Sigma;\Gamma \vdash N : \mathrm{cont}\,\sigma}{\Sigma;\Gamma \vdash \mathrm{throw}_\tau\, M\ \mathrm{to}\ N : \tau}$$

Fig. 8. HOSC typing rules
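As an added worked example (not from the paper), the rules of Fig. 8 applied to a small closed term that uses both call/cc and throw; the term, Σ and Γ are chosen here for illustration. Write Γ′ for Γ, k : cont Int. The premise of the call/cc rule is derived first:

$$\frac{\dfrac{}{\Sigma;\Gamma' \vdash \hat{1} : \mathrm{Int}} \qquad \dfrac{\dfrac{}{\Sigma;\Gamma' \vdash \hat{2} : \mathrm{Int}} \qquad \dfrac{(k, \mathrm{cont}\,\mathrm{Int}) \in \Gamma'}{\Sigma;\Gamma' \vdash k : \mathrm{cont}\,\mathrm{Int}}}{\Sigma;\Gamma' \vdash \mathrm{throw}_{\mathrm{Int}}\, \hat{2}\ \mathrm{to}\ k : \mathrm{Int}}}{\Sigma;\Gamma' \vdash \hat{1} \oplus \mathrm{throw}_{\mathrm{Int}}\, \hat{2}\ \mathrm{to}\ k : \mathrm{Int}}$$

$$\frac{\Sigma;\Gamma, k : \mathrm{cont}\,\mathrm{Int} \vdash \hat{1} \oplus \mathrm{throw}_{\mathrm{Int}}\, \hat{2}\ \mathrm{to}\ k : \mathrm{Int}}{\Sigma;\Gamma \vdash \mathrm{call/cc}_{\mathrm{Int}}(k.\ \hat{1} \oplus \mathrm{throw}_{\mathrm{Int}}\, \hat{2}\ \mathrm{to}\ k) : \mathrm{Int}}$$

In the throw rule the result type τ is independent of the type σ of the thrown value, which is what allows the throw to stand as an Int operand of ⊕ although it never returns a value to that position; here σ = τ = Int, and τ is forced by the ⊕ rule above it.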
Lemma 14 (Op CIU). Suppose M_1 ≲^{x(ciu)}_y M_2. Then, whenever the terms are typable and the relevant operation is allowable in an x-context, we have:
– ⟨M_1, M⟩ ≲^{x(ciu)}_y ⟨M_2, M⟩, π_i M_1 ≲^{x(ciu)}_y π_i M_2, M_1 M ≲^{x(ciu)}_y M_2 M, ref M_1 ≲^{x(ciu)}_y ref M_2, !M_1 ≲^{x(ciu)}_y !M_2, M_1 := M ≲^{x(ciu)}_y M_2 := M, if M_1 M M′ ≲^{x(ciu)}_y if M_2 M M′, M_1 ⊕ M ≲^{x(ciu)}_y M_2 ⊕ M, M_1 ⊡ M ≲^{x(ciu)}_y M_2 ⊡ M, M_1 = M ≲^{x(ciu)}_y M_2 = M, throw M_1 to M ≲^{x(ciu)}_y throw M_2 to M;
– ⟨M, M_1⟩ ≲^{x(ciu)}_y ⟨M, M_2⟩, M M_1 ≲^{x(ciu)}_y M M_2, M := M_1 ≲^{x(ciu)}_y M := M_2, if M M_1 M′ ≲^{x(ciu)}_y if M M_2 M′, if M M′ M_1 ≲^{x(ciu)}_y if M M′ M_2, M ⊕ M_1 ≲^{x(ciu)}_y M ⊕ M_2, M ⊡ M_1 ≲^{x(ciu)}_y M ⊡ M_2, M = M_1 ≲^{x(ciu)}_y M = M_2, throw M to M_1 ≲^{x(ciu)}_y throw M to M_2.

Proof. We handle the first case from each category, as the rest are analogous.
– Suppose K, γ, h are such that (K[⟨M_1, M⟩{γ}], h) ⇓_y. Observe that K[⟨M_1, M⟩{γ}] = K[⟨M_1{γ}, M{γ}⟩] = K′[M_1{γ}] for some K′. Because M_1 ≲^{x(ciu)}_y M_2 and (K′[M_1{γ}], h) ⇓_y, we get (K′[M_2{γ}], h) ⇓_y. Because K[⟨M_2, M⟩{γ}] = K[⟨M_2{γ}, M{γ}⟩] = K′[M_2{γ}], this implies (K[⟨M_2, M⟩{γ}], h) ⇓_y, as needed.
– Suppose K, γ, h are such that (K[⟨M, M_1⟩{γ}], h) ⇓_y. We need to show (K[⟨M, M_2⟩{γ}], h) ⇓_y. Observe that K[⟨M, M_1⟩{γ}] = K[⟨M{γ}, M_1{γ}⟩]. We will argue by induction on the number of transitions in (K[⟨M{γ}, M_1{γ}⟩], h) ⇓_y for all M{γ}, h. Because of (K[⟨M{γ}, M_1{γ}⟩], h) ⇓_y, we have the following cases for M{γ}.
  • (M{γ} = V) In this case, K[⟨M, M_1⟩{γ}] = K[⟨V, M_1{γ}⟩] = K′[M_1{γ}]. By M_1 ≲^{x(ciu)}_y M_2, we get (K′[M_2{γ}], h) ⇓_y. Because K[⟨M, M_2⟩{γ}] = K′[M_2{γ}], we obtain (K[⟨M, M_2⟩{γ}], h) ⇓_y, as needed.
  • (M{γ} = K′[err()], only for y = err) Here K[⟨M{γ}, M_1{γ}⟩] ⇓_y in 0 steps, and it follows that (K[⟨M{γ}, M_2{γ}⟩], h) ⇓_y.
  • (M{γ} = K′[N] such that (K′[N], h) → (K′[N′], h′)) Then (K[⟨M{γ}, M_1{γ}⟩], h) = (K[⟨K′[N]{γ}, M_1{γ}⟩], h) → (K[⟨K′[N′]{γ}, M_1{γ}⟩], h′) ⇓_y. By IH, (K[⟨K′[N′]{γ}, M_2{γ}⟩], h′) ⇓_y. Hence, because (K[⟨M{γ}, M_2{γ}⟩], h) → (K[⟨K′[N′]{γ}, M_2{γ}⟩], h′), we have (K[⟨M{γ}, M_2{γ}⟩], h) ⇓_y. Note that this case also covers the reduction rule for call/cc.
  • (M{γ} = K′[throw V to cont K″]) In this case, (K[⟨M{γ}, M_1{γ}⟩], h) → (K″[V], h) and (K″[V], h) ⇓_y. Note that then (K[⟨M{γ}, M_2{γ}⟩], h) → (K″[V], h) too, so we are done.

Lemma 15 (Lambda CIU). M_1 ≲^{x(ciu)}_y M_2 implies λx.M_1 ≲^{x(ciu)}_y λx.M_2.

Proof. Take K, γ, h such that (K[(λx.M_1){γ}], h) ⇓_y. Let us write M^γ_i for M_i{γ}. Note that (λx.M_i){γ} = λx.M^γ_i. We need to show (K[λx.M^γ_2], h) ⇓_y. Instead we shall show that M{λx.M^γ_1/z} ⇓_y implies M{λx.M^γ_2/z} ⇓_y for any Σ; z ⊢ M. The Lemma then follows by taking M = K[z]. We use induction on the number of steps k in (M{λx.M^γ_1/z}, h) ⇓_y for all M, h. Suppose (M{λx.M^γ_1/z}, h) ⇓_y.
– If k = 0 and y = err then M = K′[err()]. Thus, (M{λx.M^γ_2/z}, h) ⇓_err too.
– If k = 0 and y = ter then M{λx.M^γ_1/z} is a value V, i.e. M is a value or M = z. In both cases, M{λx.M^γ_2/z} is a value, and M{λx.M^γ_2/z} ⇓_ter.
– Suppose k > 0. Because (M{λx.M^γ_1/z}, h) ⇓_y, the following cases arise.
  • (M = K′[N] and (K′[N], h) → (K′[N′], h′)) Then (K′[N′]{λx.M^γ_1/z}, h′) ⇓_y in (k − 1) steps. So, by IH, (K′[N′]{λx.M^γ_2/z}, h′) ⇓_y. Because (M{λx.M^γ_2/z}, h) → (K′[N′]{λx.M^γ_2/z}, h′), we are done.
  • (M = K′[throw V to cont K″]) Then (K″[V]{λx.M^γ_1/z}, h) ⇓_y in (k − 1) steps. So, by IH, (K″[V]{λx.M^γ_2/z}, h) ⇓_y. Because (M{λx.M^γ_2/z}, h) → (K″[V]{λx.M^γ_2/z}, h), we are done.
  • (M = K′[zV]) Then (K′[M^γ_1{V/x}]{λx.M^γ_1/z}, h) ⇓_y in (k − 1) steps. By IH, (K′[M^γ_1{V/x}]{λx.M^γ_2/z}, h) ⇓_y. Because M_1 ≲^{x(ciu)}_y M_2, this implies (K′[M^γ_2{V/x}]{λx.M^γ_2/z}, h) ⇓_y. Since (M{λx.M^γ_2/z}, h) → (K′[M^γ_2{V/x}]{λx.M^γ_2/z}, h), we are done.

Lemma 16 (fix CIU). M_1 ≲^{x(ciu)}_y M_2 implies rec f(x).M_1 ≲^{x(ciu)}_y rec f(x).M_2.

Proof. Take K, γ, h such that (K[(rec f(x).M_1){γ}], h) ⇓_y. We need to show (K[(rec f(x).M_2){γ}], h) ⇓_y. Let us write M^γ_i for M_i{γ}, and F_i for rec f(x).M^γ_i. We follow the same pattern as in the previous case and show that M{F_1/z} ⇓_y implies M{F_2/z} ⇓_y for any Σ; z ⊢ M. The Lemma then follows by taking M = K[z]. We use induction on the number of steps k in (M{F_1/z}, h) ⇓_y for all M, h. Suppose (M{F_1/z}, h) ⇓_y. The following cases can be argued in the same way as above.
– (M = K′[err()], y = err)
– (M = V or M = z, y = ter)
– (M = K′[N] and (K′[N], h) → (K′[N′], h′))
– (M = K′[throw V to cont K″])
It remains to deal with
– (M = K′[zV]) Then (K′[M^γ_1{V/x}{F_1/f}]{F_1/z}, h) ⇓_y in (k − 1) steps. Observe that (K′[M^γ_1{V/x}{F_1/f}]{F_1/z}, h) = (K′[M^γ_1{V/x}{z/f}]{F_1/z}, h). Hence, by IH, (K′[M^γ_1{V/x}{z/f}]{F_2/z}, h) ⇓_y. Because M_1 ≲^{x(ciu)}_y M_2, this implies (K′[M^γ_2{V/x}{z/f}]{F_2/z}, h) ⇓_y. Since (M{F_2/z}, h) → (K′[M^γ_2{V/x}{z/f}]{F_2/z}, h), we are done.

Lemma 17 (call/cc CIU). M_1 ≲^{x(ciu)}_y M_2 implies call/cc(x.M_1) ≲^{x(ciu)}_y call/cc(x.M_2).

Proof. Let K, γ, h be such that (K[call/cc(x.M_1){γ}], h) ⇓_y. Note that (K[call/cc(x.M_1){γ}], h) → (K[M_1{cont K/x}{γ}], h) = (K[M_1{γ · [x ↦ cont K]}], h). Because of M_1 ≲^{x(ciu)}_y M_2, we get (K[M_2{γ · [x ↦ cont K]}], h) ⇓_y. Consequently, (K[call/cc(x.M_2){γ}], h) ⇓_y, because (K[call/cc(x.M_2){γ}], h) → (K[M_2{γ · [x ↦ cont K]}], h).

Lemma 18 (Precongruence). Suppose x ∈ {HOSC, GOSC, HOS, GOS}, Γ ⊢ M_1, M_2 : σ are HOSC-terms with an x boundary, and C is an x-context such that Γ′ ⊢ C[M_1], C[M_2] : σ′. Then Γ ⊢ M_1 ≲^{x(ciu)}_y M_2 : σ implies Γ′ ⊢ C[M_1] ≲^{x(ciu)}_y C[M_2] : σ′.

Proof. By induction on the structure of contexts using the preceding lemmas.

Corollary 4 (CIU result). Suppose x ∈ {HOSC, GOSC, HOS, GOS} and Γ ⊢ M_1, M_2 : σ are HOSC-terms with an x boundary. Γ ⊢ M_1 ≲^{x(ciu)}_y M_2 : σ iff Γ ⊢ M_1 ≲^x_y M_2 : σ.

Proof. The left-to-right implication follows from Lemma 18. The right-to-left implication holds, because testing with h, K, γ is a special case of testing with C. The Corollary is the same as Lemma 1.

B Additional material for Section 3 (HOSC[HOSC])
B.1 Extended Operational Semantics

Definition 20. Taking M a term, c a continuation name and h a heap, we write Σ;Γ ⊢ (M, c, h) : τ if Σ;Γ ⊢ M : τ, c : τ and h : (Σ;Γ).

Lemma 19. Taking Σ;Γ ⊢ (M, c, h) : τ, then:
– either (M, c, h) is reducible (for →);
– or M is a callback K[fV] with f ∈ dom(Γ);
– or M is a value V.

Lemma 20. Taking Σ;Γ ⊢ (M, c, h) : τ, Σ;Γ ⊢ K ÷ τ and γ an idempotent substitution s.t. ⊢ γ : Γ, and writing M̃ for M{γ} and h̃ for h{γ}, then (K[M̃], h̃) → (N, h′) implies that
– either (M, c, h) → (M′, c′, h″) and N = K′[M′{γ}] with K′ = γ(c′), and h″{γ} = h′;
– or M is a callback K′[fV] with γ(f) a λ-abstraction λx.P and N = K[K̃′[P{Ṽ/x}]], with K̃′ = K′{γ} and Ṽ = V{γ};
– or M is a value and K is an evaluation context larger than •.

Definition 21. Taking M an extended term and κ a substitution from continuation names to evaluation contexts that contains the continuation names appearing in the support of M, one writes M{κ} for the term where all the occurrences of cont(K, c) are substituted by cont K′[K[•]], with κ(c) = K′. One extends this definition to heaps, writing h{κ} for the heap {(ℓ, v{κ}) | (ℓ, v) ∈ h}.

Theorem 9. Taking M a term, h a heap, κ a substitution from continuation names to evaluation contexts that contains the continuation names appearing in the support of M and h, and c, c′ two continuation names s.t. κ(c) = K and κ(c′) = K′, then for all M′, h′, if (M, c, h) → (M′, c′, h′) then (K[M{κ}], h{κ}) → (K′[M′{κ}], h′{κ}).

Proof. We reason by case analysis:
– if M = K_1[call/cc(x.M_1)], then one has:
  • (K_1[call/cc(x.M_1)], c, h) → (K_1[M_1{cont(K_1, c)/x}], c, h);
  • (K[K_1[call/cc(x.M_1)]{κ}], h{κ}) → (K[K_1[M_1{cont K[K_1]/x}]{κ}], h{κ})
  and we conclude using the fact that (M_1{cont(K_1, c)/x}){κ} = (M_1{cont K[K_1]/x}){κ} since κ(c) = K.
– if M = K_1[throw V to cont(K_2, c′)], then one has:
  • (K_1[throw V to cont(K_2, c′)], c, h) → (K_2[V], c′, h);
  • (K[K_1[throw V to cont(K_2, c′)]{κ}], h{κ}) → (K′[K_2[V]{κ}], h{κ}) since κ(c′) = K′.
– If there exists a (unique) reduction (M, h) → (M′, h′) then:
  • (M{κ}, c, h{κ}) → (M′{κ}, c, h′{κ});
  • (K[M{κ}], h{κ}) → (K[M′{κ}], h′{κ}).

B.2 Proof of Lemma 2
Proof.
We reason by contraposition.
1. Suppose Γ ⊢ M_1 ≴^x_ter M_2 : τ, i.e. C[M_1] ⇓_ter and ¬(C[M_2] ⇓_ter) for some ⊢ C ÷ τ. Then we can construct err ⊢ C′ ÷ τ such that C′[M_1] ⇓_err and ¬(C′[M_2] ⇓_err) as follows: C′[•] = (C_{;err}[•]; err), where C_{;err} refers to C in which each occurrence of cont_σ(−) is replaced with cont_σ(−; err). In this way, the construction transforms all opportunities for ⇓_ter into ones for ⇓_err. Note that, if M_1 contained cont_σ K, it would not necessarily be the case that C′[M_1] ⇓_err, because M_1 is not affected by the transformation.
2. Let x ∈ {HOSC, GOSC}. Suppose Γ ⊢ M_1 ≴^x_err M_2, i.e. C[M_1] ⇓_err and ¬(C[M_2] ⇓_err) for some C such that err ⊢ C ÷ τ. Then we can construct ⊢ C′ ÷ τ such that C′[M_1] ⇓_ter and ¬(C′[M_2] ⇓_ter) as follows: C′[•] = call/cc(y. C_{;Ω}[•]{(λz. throw () to y)/err}; Ω), where C_{;Ω} is defined analogously to C_{;err}. Note that we add ;Ω, because ¬(C[M_2] ⇓_err) could be due to ⇓_ter (rather than divergence), and we want to make sure that C′[M_2] diverges, which will imply ¬(C′[M_2] ⇓_ter). Note that, because of the use of continuations, C′ is an x-context only for x ∈ {HOSC, GOSC}. In this case, we also rely on cont_σ(K)-freeness (of M_2). If ¬(C[M_2] ⇓_err) was due to ⇓_ter caused by cont_σ K in M_2, then our ;Ω transformation might not imply divergence for C′[M_2].

B.3 Name invariance
We say that a permutation p of Names is type-preserving if it is also a permutation once restricted to each of CNames_σ and FNames_{σ→σ′}. Given X ⊆ Names, we say that p fixes X if p(x) = x for all x ∈ X. Type-preserving permutations can be applied to traces in the obvious way. In particular, if t is an (N_O, N_P)-trace then p(t) is a (p(N_O), p(N_P))-trace. We write t ∼_X t′ if there exists a type-preserving permutation p that fixes X such that p(t) = t′.

Lemma 21. Suppose C = ⟨···, φ, h⟩ is a configuration and p is a type-preserving permutation. If t ∈ Tr_HOSC(C) and p fixes φ then p(t) ∈ Tr_HOSC(C).

Due to the arbitrariness of name choice in transitions (i.e. freedom to choose fresh names), Tr_HOSC(C) is closed under renamings that preserve types and the names already present in C.

B.4 Proof of Lemma 4
Delegated to Section C.
B.5 Proof of Theorem 1
Proof.
Suppose Tr_HOSC(Γ ⊢ M_1) ⊆ Tr_HOSC(Γ ⊢ M_2). We handle Γ ⊢ M_1 ≲^{HOSC(ciu)}_err M_2, as it is slightly more involved. The reasoning for ≲^{HOSC(ciu)}_ter is symmetric. Let Σ, h, K, γ be such that (K[M_1{γ}], h) ⇓_err. Suppose (A⃗_i, γ⃗_i) ∈ AVal_Γ(γ) and c : σ′ (c ∉ ◦). By Lemma 4 (left-to-right), there exist t, c′ such that t ∈ Tr_HOSC(C^{ρ,A⃗_i,c}_{M_1}) and t^⊥ ⋄̄((), c′) ∈ Tr_HOSC(C^{γ⃗_i,c}_{h,K,γ}). By Tr_HOSC(Γ ⊢ M_1) ⊆ Tr_HOSC(Γ ⊢ M_2), we have t ∈ Tr_HOSC(C^{ρ,A⃗_i,c}_{M_2}). Because t ∈ Tr_HOSC(C^{ρ,A⃗_i,c}_{M_2}) and t^⊥ ⋄̄((), c′) ∈ Tr_HOSC(C^{γ⃗_i,c}_{h,K,γ}), by Lemma 4 (right-to-left) we can conclude (K[M_2{γ}], h) ⇓_err. Thus, Γ ⊢ M_1 ≲^{HOSC(ciu)}_err M_2.

B.6 Proof of Lemma 5
Recall that abstract values are tuples consisting of boolean and integer constants,as well as function names. We can refer to them using projections of the form π ~i , where ~i ∈ { , } + , on the understanding that π i,~i x = π i ( π ~i x ). – Suppose
Num ( A ) = { ( ~i, n ) | π ~i A = n : Bool , Int } . Then assert ( x ∼ A ) willact as shorthand for the following code if ( V ( ~i,n ) ∈ Num ( A ) π ~i x = n ) () Ω .which checks if the boolean/integer arguments match those of A . – Another operation, written A [ πx/f ], will substitute for each f ∈ ν ( A ), thecorresponding projection π ~i f x (i.e. one such that π ~i f A = f ).This syntax will be used in all definability arguments.Lemma 5 follows from the lemma given below for i = 0. Consider h ′ = h , K ′ = γ ( c ), γ ′ = γ \ c . We have ν (img( γ ) , img( h )) ⊆ ◦ ⊎ {⋄} . As names ◦ σ can only occur inside terms of the form cont ( K ′ , ◦ σ ), we can conclude that( h ′ , K ′ , γ ′ ) = ( h ◦ , K ◦ , γ ◦ ), where h, K, γ are from HOSC. Lemma 22.
Suppose φ ⊎ {⋄} ⊆ FNames , c ∈ CNames and t = o p · · · o n p n is a ( ◦ ⊎ {⋄} , φ ⊎ { c } ) -trace starting with an O-action. Given ≤ i ≤ n , let t i = o i +1 p i +1 · · · o n p n . There exist passive configurations C i such that Tr even ( C i ) consists of even-length prefixes of o i +1 p i +1 · · · o n p n (along with their renamingsvia permutations on Names that fix φ i ). Moreover, C i = h γ i , ξ i , φ i , h i i ( ≤ i ≤ n ), where – dom( γ i ) consists of φ ∪ { c } and all names introduced by P in o p · · · o i p i ; – ν (img( γ i )) = ∅ ; – dom( ξ i ) consists of c and all continuation names introduced by P in o p · · · o i p i ; – for all d ∈ dom( ξ i ) , ξ i ( d ) = top P ( o · · · o j ) if d was introduced in p j (weregard c as being introduced in p and define top P ( o · · · o ) = ◦ τ ′ ); – φ i consists of ◦ ⊎ {⋄} ⊎ φ ⊎ { c } and all names introduced in o p · · · o i p i ; – dom( h i ) = dom( h ) ; – ν (img( h i )) may only contain elements of ◦ ⊎ {⋄} and names introduced by Oin o p · · · o i p i .Proof. The main idea is to use references in order to record all continuations andfunctions introduced by O, so that they can be accessed in terms at the timewhen they need to be used by P. Other references will also be used to inject theright pieces of code into the LTS.Below we explain how the content of C i is meant to evolve and what invari-ants will be maintained by the construction for each kind of name in t .FNames from P Suppose n FP is the number of function names in φ and thoseintroduced by P in t . We shall write f jP (0 ≤ j < n F P ) to refer to the j thsuch name, on the understanding names from φ are introduced first and thisis followed by names in t in order of appearance (from left to right). omplete trace models of state and control 35 For each f jP : σ j → τ j , we will have a dedicated reference fpr j : ref( σ j → τ j )in all heaps. 
The content of h i ( fpr j ) will be changing at each step of theconstruction and it will be used to arrange for suitable behaviour followingO-actions of the form f jP ( A, c ). For example, if the action is not meant togenerate a response at a stage, we can use fpr j := λx. (! fpr j ) x to causedivergence by creating a cycle in the heap.If f jP was introduced in p i (we take i = 0 for f jP ∈ φ ), then f jP will be presentin all φ i ′ , γ i ′ for i ′ ≥ i . We shall maintain the invariant γ i ′ ( f jP ) = λx. (! fpr j ) x for all i ′ ≥ i .Note that this is consistent with ν (img( γ i )) = ∅ .CNames from P Suppose n CP is the number of continuation names introducedby P in t plus 1, to take c into account. Similarly to the previous case, wewrite c jP (0 ≤ j < c F P ) to refer to the j th such name, on the understandingthat c P = c and other names are enumerated in the same order as theyappear in t (from left to right).For each c jP : σ j , we will have a dedicated reference cpr j : ref( σ j → τ j ), if c jP was introduced in p j ′ and top O ( o · · · o j ′ ) : τ j , in all heaps.Its content will be changing at each step of the construction, in order toprovide suitable reactions to O-actions of the form c jP ( A ).If c jP was introduced in p i (we take i = 0 for c jP = c P ) then c jP will bepresent in all φ i ′ , γ i ′ for i ′ ≥ i . We shall maintain the invariant γ i ′ ( c jP ) =( λx. (! cpr j ) x ) • and ξ i ′ ( c jP ) = top O ( o · · · o j ′ ), if c jP was introduced in p j ′ .Note that this is consistent with ν (img( γ i )) = ∅ .FNames from O We use similar notation here and suppose n FO is the numberof function names introduced by O. As in previous cases, we use f jO (0 ≤ j < n FO ) to refer to such names.For each f jO : σ j → τ j , we will have a corresponding reference for j : ref( σ j → τ j ) in all heaps, which will be used to store the name as soon as it is played,i.e. 
if f jO is introduced in o i (for ⋄ we take i = 0), then h i ′ ( for j ) = f jO for all i ′ ≥ i . Earlier we will use a divergent value, i.e. h i ′ ( for j ) = λx. (! for j ) x for i ′ < i . f jO will be part of φ i ′ for all i ′ ≥ i .Note that this is consistent with: ν (img( h i )) may only contain elements of ◦ ⊎ {⋄} and names introduced by O in o p · · · o i p i .CNames from O Suppose n CO is the number of continuation names introducedby O in t . As before, we use c jO (0 ≤ j < n FO ) to refer to such names.For each c jO : σ j , we will have a corresponding reference cor j : ref(cont σ j ),which will be used to store the name as soon as it is played, i.e. if c jO isintroduced in o i , then h i ′ ( cor j ) = cont ( • , c jO ) for all i ′ ≥ i . Earlier we willuse a divergent value, i.e. h i ′ ( cor j ) = cont (( λx.Ω ) • , ◦ τ ′ ) for i ′ < i , where Ω is a divergent term. c jO will be part of φ i ′ for all i ′ ≥ i .Note that this is consistent with: ν (img( h i )) may only contain elements of ◦ ⊎ {⋄} and names introduced by O in o p · · · o i p i . Overall, for each 0 ≤ i ≤ n , we shall havedom( h i ) = { fpr j | ≤ j < n FP }∪{ cpr j | ≤ j < n CP }∪{ for j | ≤ j < n FO }∪{ cor j | ≤ j < n CO } . The above description specifies φ i , γ i , ξ i ,dom( h i ) and h i ( for j ) (0 ≤ j < n FO ), h i ( cor j ) (0 ≤ j < n CO ), for any 0 ≤ i ≤ n . Hence, in the forthcoming argumentwe will focus on defining h i ( fpr j ) (0 ≤ j < n FP ) and h i ( cpr j ) (0 ≤ i < n CP ).Because the values written to these references will only contain elements from ◦ ⊎ {⋄} , it will follow that ν (img( h i )) may only contain elements of ◦ ⊎ {⋄} andnames introduced by O in o p · · · o i p i .We proceed by reverse induction, starting from i = n . i = n To complete the definition of C n , it suffices to specify h n ( fpr j ) (0 ≤ j < n FP ) and h n ( cpr j ) (0 ≤ j < n CP ). We set h n ( fpr j ) = ( λx. (! fpr j ) x ) and h n ( cpr j ) = ( λx. (! cpr j ) x ), i.e. 
deferencing will cause divergence. Consequently,because γ n ( f jP ) = λx. (! fpr j ) x and γ n ( c jP ) = λx. (! cpr j ) x , any O action from C n will trigger divergence. Thus, the only even-length trace that can be generatedis the empty one, and we have Tr even ( C n ) = { ǫ } , as required. ≤ i < n Let 0 ≤ i < n . Assume validity of the Lemma for i + 1 and suppose C i +1 = h γ i +1 , ξ i +1 , φ i +1 , h i +1 i . By case analysis on p i +1 , we first construct anactive configuration E i = h M ′ , c ′ , γ ′ i , ξ ′ i , φ ′ i , h i +1 i such that E i p i +1 −−−→ C i +1 .Given an abstract value A , let V A = A [( λx. (! fpr j ) x ) /f jP ], i.e. the functionnames f jP are replaced with function values ( λx. (! fpr j ) x ). Below we write φ i +1 \ X , γ i +1 \ X and ξ i +1 \ X to stand for the removal of names in X from the domainof the respective function, while preserving values for other elements. The tablebelow shows the components of E i in each case. p i +1 M ′ c ′ γ ′ i ξ ′ i φ ′ i ¯ c j ′ O ( A ) V A c j ′ O γ i +1 \ A ξ i +1 φ i +1 \ A ¯ f j ′ O ( A, c j ′′ P ) ( λx. (! cpr j ′′ ) x )[ f j ′ O V A ] top P ( o · · · o i +1 ) γ i +1 \ A, c j ′′ P ξ i +1 \ c j ′′ P φ i +1 \ A, c j ′′ P Note that, in each case, E i p i +1 −−−→ C i +1 . In particular, our definition of V A (basedon λx. (! fpr j ) x ) and the occurrence of λx. (! cpr j ′ ) x in the second case guaranteethat, after the step, γ ′ i extends to γ i +1 in accordance with our description of γ i +1 at the beginning of the proof. Similarly, setting c ′ to top P ( o · · · o i +1 ) inthe second case means that ξ ′ i will evolve into ξ i +1 .As a next step we define another active configuration D i = h M ′′ , top P ( o · · · o i +1 ) , γ ′ i , ξ ′ i , φ ′ i , h i +1 i ,where M ′′ is specified by the table below, by case analysis on p i +1 . omplete trace models of state and control 37 Note that D i τ −→ E i . 
p i +1 M ′′ ¯ c j ′ O ( A ) throw V A to cont ( • , ◦ σ ) c j ′ O = ◦ σ ¯ c j ′ O ( A ) throw V A to ! cor j ′ c j ′ O
6∈ ◦ ¯ f j ′ O ( A, c j ′′ P ) ( λx. (! cpr j ′′ ) x )( ⋄ V A ) f j ′ O = ⋄ ¯ f j ′ O ( A, c j ′′ P ) ( λx. (! cpr j ′′ ) x )((! for j ′ ) V A ) f j ′ O = ⋄ Finally, we are ready to define C i = h γ i , ξ i , φ i , h i i by case analysis on o i +1 .Recall that φ i , γ i , ξ i , dom( h i ), h i ( for j ) (0 ≤ j < n FO ), h i ( cor j ) (0 ≤ j < n CO )are covered by the invariants discussed at the beginning of the proof. Thus, itsuffices to specify h i ( fpr j ) and h i ( cpr j ). – Suppose o i +1 = c jP ( A ). Since o i +1 is the only O-move that should be re-sponded to by P: • we let h i ( fpr j ′ ) = λx. (! fpr j ′ ) x for any 0 ≤ j ′ < n FP , in order to createdivergence after any f j ′ P ( A, c j ′′ O ); • we let h i ( cpr j ′ ) = λx. (! cpr j ′ ) x for any 0 ≤ j ′ < n CP such that j ′ = j ,in order to create divergence after c j ′ P ( A ) with j ′ = j .To allow a suitable response after c jP ( A ), we set h i ( cpr j ) = λx. assert ( x ∼ A ); savefun ( A ); setheap ( i + 1); M ′′ where the special code fragments are explained below. • savefun ( A ) is meant to save all functions from A in the correspondingreferences. Let Fun ( A ) = { ( ~i, w ) | π ~i A = f wO } . Then savefun ( A ) is thesequence of assignments for w := π ~i x , for all ( ~i, w ) ∈ Fun ( A ). • setheap ( i + 1) is the sequence of assignments fpr j ′ := h i +1 ( fpr j ′ ) (0 ≤ j ′ < n FP ) and cpr j ′ := h i +1 ( cpr h ) (0 ≤ j ′ < n CP ).Suppose c jP was introduced in p j ′ then we have top P ( o · · · o j ′ ) = top P ( o · · · o i +1 ),i.e. types of the codomains of ! cpr j and ! cpr j ′′ match, and indeed we canuse M ′′ to define h i ( cpr j ) (note that throw is not causing typing problems).Then we have C i o i +1 −−−→ C i , where C i = h ( λx. ! cpr j x )[ A ] , top P ( o · · · o j ′ ) , γ ′ i , ξ ′ i , φ ′ i , h i ) i and C i τ ∗ −→ D i = h M ′′ , top P ( o · · · o i +1 ) , γ ′ i , ξ ′ i , , φ ′ i , h i +1 i . 
Recall that we havealready established D i τ −→ E i p i −→ C i +1 , so we are done. – Suppose o i +1 = f jP ( A, c j ′ O ). Then we let h i ( cpr j ′′ ) = λx. (! cpr j ′′ ) x (0 ≤ j ′′ Proof. Suppose Γ ⊢ M . HOSC ciu , err M . Let ρ be a Γ -configuration, A i = ρ ( x i ), c : σ and t ∈ Tr HOSC ( C ρ ~Ai ,cM ). Then t is a ( ν ( ρ ) ⊎{ c } , ∅ )-trace. Let t = t {⋄ ′ / ⋄ , ◦ ′ / ◦} ,where ⋄ ′ , ◦ ′ are fresh names of the same type as ⋄ , ◦ respectively (this is doneto ensure that ⋄ , ◦ do not occur in t ). By Lemma 21, because t ∼ ν ( ρ ) ⊎{ c } t ,we also have t ∈ Tr HOSC ( C ρ ~Ai ,cM ). Let c ′ : Unit be fresh. Then t = t ⊥ ¯ ⋄ (() , c ′ )is an ( {⋄ , ◦} , ν ( ρ ) ⊎ { c } )-trace. By Lemma 5, there exists a passive configura-tion C O = h γ O , { c 7→ ◦} , ν ( ρ ) ⊎ { c, ⋄ , ◦} , h i such that Tr evenHOSC ( C O ) consistsof all (even-length prefixes of) traces t ′ such that t ′ ∼ ν ( ρ ) ⊎{ c, ⋄ , ◦} t . Observethat C O = C ~γ i ,ch,K,γ , where K = ( γ O ( c )) { err / ⋄} , γ ( x i ) = ( A i { γ O } ) { err / ⋄} , and γ i = γ O ↾ ν ( A i ). Hence, t ∈ Tr HOSC ( C ρ ~Ai ,cM ) and t ⊥ ¯ ⋄ (() , c ′ ) ∈ C ~γ i ,ch,K,γ . ByLemma 4 (right-to-left), ( K [ M { γ } ] , h ) ⇓ err . Because Γ ⊢ M . HOSC ciu , err M ,( K [ M { γ } ] , h ) ⇓ err follows. By Lemma 4 (left-to-right), there exist t ′′ , c ′′ suchthat t ′′ ∈ Tr HOSC ( C ρ ~Ai ,cM ) and ( t ′′ ) ⊥ ¯ ⋄ (() , c ′′ ) ∈ C ~γ i ,ch,K,γ . By the definition of C O ,we must have ( t ′′ ) ⊥ ¯ ⋄ (() , c ′′ ) ∼ ν ( ρ ) ⊎{ c, ⋄ , ◦} t ⊥ ¯ ⋄ (() , c ′ ), so t ′′ ∼ ν ( ρ ) ⊎{ c, ⋄ , ◦} t . Be-cause t ′′ ∈ Tr HOSC ( C ρ ~Ai ,cM ), we have t ∈ Tr HOSC ( C ρ ~Ai ,cM ) by Lemma 21. Since t ∼ ν ( ρ ) ⊎{ c } t , it follows that t ∈ Tr HOSC ( C ρ ~Ai ,cM ), as required. C Composite Interaction (Proof of Lemma 4) Definition 22. A composite configuration D is a tuple h M, c, γ P , γ O , ξ, φ, h P , h O i with M a term, c a continuation name, γ P , γ O two environments, φ a set ofnames and h P , h O two heaps. Definition 23. 
Taking a continuation function $\xi$, we define a relation $\prec_\xi$ between continuation names as the graph of $\xi$, i.e. $c \prec_\xi c'$ when $\xi(c) = c'$. We write $\circ$ for the final continuation name, used by Opponent to answer the resulting value of the whole interaction.

Definition 24. A valid composite configuration $D$ is a tuple $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ with:
– $\mathrm{dom}(\gamma_P) \cap \mathrm{dom}(\gamma_O) = \emptyset$ and $\circ \notin \mathrm{dom}(\gamma_P) \cup \mathrm{dom}(\gamma_O)$;
– $\mathrm{dom}(\gamma_P) \cup \mathrm{dom}(\gamma_O) \cup \{\circ, \diamond\} = \phi$;
– $\mathrm{dom}(\xi) = (\mathrm{dom}(\gamma_O) \cup \mathrm{dom}(\gamma_P)) \cap \mathrm{CNames}$;
– for all $c \in \mathrm{dom}(\xi)$, if $c \in \mathrm{dom}(\gamma_X)$ then $\xi(c) \in \mathrm{dom}(\gamma_{X^\perp})$, for $X \in \{O, P\}$;
– the transitive closure of $\prec_\xi$ is a strict partial order which admits a unique maximal element, equal to $\circ$;

(Pτ) $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{\tau} \langle N, c', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle$ when $c \in \mathrm{dom}(\gamma_O)$ and $(M, c, h_P) \to (N, c', h'_P)$
(PA) $\langle V, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{\bar c(A)} \langle K[A], \xi(c), \gamma_P \cdot \gamma', \gamma_O, \xi, \phi \uplus \mathrm{dom}(\gamma'), h_P, h_O\rangle$ when $c : \sigma$, $\gamma_O(c) = K$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$
(PQ) $\langle K[f V], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{\bar f(A, c')} \langle V' A, c', \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \gamma_O, \xi \cdot [c' \mapsto c], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h_P, h_O\rangle$ when $f : \sigma \to \sigma'$, $c' : \sigma'$, $\gamma_O(f) = V'$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$
(Oτ) $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{\tau} \langle N, c', \gamma_P, \gamma_O, \xi, \phi, h_P, h'_O\rangle$ when $c \in \mathrm{dom}(\gamma_P)$ and $(M, c, h_O) \to (N, c', h'_O)$
(OA) $\langle V, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{c(A)} \langle K[A], \xi(c), \gamma_P, \gamma_O \cdot \gamma', \xi, \phi \uplus \mathrm{dom}(\gamma'), h_P, h_O\rangle$ when $c : \sigma$, $\gamma_P(c) = K$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$
(OQ) $\langle K[f V], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \xrightarrow{f(A, c')} \langle V' A, c', \gamma_P, \gamma_O \cdot \gamma' \cdot [c' \mapsto K], \xi \cdot [c' \mapsto c], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h_P, h_O\rangle$ when $f : \sigma \to \sigma'$, $c' : \sigma'$, $\gamma_P(f) = V'$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$

Fig. 9.
Composite LTS for HOSC[HOSC].

– $\gamma_P \cdot \gamma_O$ is well-typed;
– $c \in \phi$ with $c : \sigma \vdash M : \sigma$;
– $\mathrm{dom}(h_P) \cap \mathrm{dom}(h_O) = \emptyset$.
The composite LTS, defined on such composite configurations, is given in Figure 9. Up to the choice of names, it is deterministic.

Definition 25. Two valid HOSC-configurations $C_P, C_O$ are said to be compatible if one of the two is active and the other one is passive, and, supposing without loss of generality that $C_P$ is the active configuration $\langle M, c, \gamma_P, \xi_P, \phi_P, h_P\rangle$ and $C_O$ the passive configuration $\langle \gamma_O, \xi_O, \phi_O, h_O\rangle$, then $\phi_O = \phi_P \uplus \{\circ, \diamond\}$ and the composite configuration $\langle M, c, \gamma_P, \gamma_O, \xi_P \cdot \xi_O, \phi_O, h_P, h_O\rangle$, written $C_P \wedge\wedge C_O$, is valid.

Lemma 23. Taking $D$ a valid composite configuration and $D'$ a composite configuration s.t. $D \overset{a}{\Rightarrow} D'$, then $D'$ is valid.

Lemma 24. Taking $C_P, C_O$ two compatible configurations, for every composite configuration $D'$, if $(C_P \wedge\wedge C_O) \overset{a}{\Rightarrow} D'$ then there exist two compatible configurations $C'_P, C'_O$ s.t.:
– $D' = C'_P \wedge\wedge C'_O$;
– $C_P \overset{a}{\Rightarrow} C'_P$ and $C_O \overset{a^\perp}{\Rightarrow} C'_O$.

Proof. Without loss of generality, we suppose that $C_P$ is the active configuration and $C_O$ the passive one. So we write $C_P$ as $\langle M, c, \gamma_P, \xi_P, \phi, h_P\rangle$ and $C_O$ as $\langle \gamma_O, \xi_O, \phi, h_O\rangle$.
– If $a$ is a Player Answer $\bar c'(A)$, then there exist $V, h'_P$ s.t. $(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle V, c', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle$, so that $(M, c, h_P) \to^* (V, c', h'_P)$. Then there exist $K, c''$ s.t. $\gamma_O(c') = K$, $\xi(c') = c''$, and there exist $\sigma, \gamma'$ s.t. $c' : \sigma$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, so that $D' = \langle K[A], c'', \gamma_P \cdot \gamma', \gamma_O, \xi, \phi \uplus \mathrm{dom}(\gamma'), h'_P, h_O\rangle$. We then define $C'_P$ as $\langle \gamma_P \cdot \gamma', \xi_P, \phi \uplus \mathrm{dom}(\gamma'), h'_P\rangle$ and $C'_O$ as $\langle K[A], c'', \gamma_O, \xi_O, \phi \uplus \mathrm{dom}(\gamma'), h_O\rangle$. One easily checks that:
  • $C'_P, C'_O$ are two compatible configurations;
  • $D' = C'_P \wedge\wedge C'_O$;
  • $C_P \xrightarrow{\tau}{}^* \langle V, c', \gamma_P, \xi_P, \phi, h'_P\rangle \xrightarrow{\bar c'(A)} C'_P$;
  • $C_O \xrightarrow{c'(A)} C'_O$.
– If $a$ is a Player Question $\bar f(A, c')$, then there exist $K, V, c'', h'_P$ s.t. $(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle K[f V], c'', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle$, so that $(M, c, h_P) \to^* (K[f V], c'', h'_P)$. Then there exists $V'$ s.t. $\gamma_O(f) = V'$, and there exist $\sigma, \sigma', \gamma'$ s.t. $f : \sigma \to \sigma'$ and $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, so that $D' = \langle V' A, c', \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \gamma_O, \xi \cdot [c' \mapsto c''], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h'_P, h_O\rangle$. We then define $C'_P$ as $\langle \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \xi_P \cdot [c' \mapsto c''], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h'_P\rangle$ and $C'_O$ as $\langle V' A, c', \gamma_O, \xi_O, \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h_O\rangle$. One easily checks that:
  • $C'_P, C'_O$ are two compatible configurations;
  • $D' = C'_P \wedge\wedge C'_O$;
  • $C_P \xrightarrow{\tau}{}^* \langle K[f V], c'', \gamma_P, \xi_P, \phi, h'_P\rangle \xrightarrow{\bar f(A, c')} C'_P$;
  • $C_O \xrightarrow{f(A, c')} C'_O$.

Lemma 25. Taking $C_P, C_O$ two compatible configurations, if
– $C_P \overset{a}{\Rightarrow} C'_P$;
– $C_O \overset{a^\perp}{\Rightarrow} C'_O$;
then $C'_P, C'_O$ are two compatible configurations and $(C_P \wedge\wedge C_O) \overset{a}{\Rightarrow} (C'_P \wedge\wedge C'_O)$.

Proof. Without loss of generality, we suppose that $C_P$ is the active configuration and $C_O$ the passive one. So we write $C_P$ as $\langle M, c, \gamma_P, \xi_P, \phi, h_P\rangle$ and $C_O$ as $\langle \gamma_O, \xi_O, \phi, h_O\rangle$.
– If $a$ is a Player Answer $\bar c'(A)$, then there exist $V, h'_P$ s.t. $C_P \xrightarrow{\tau}{}^* \langle V, c', \gamma_P, \xi_P, \phi, h'_P\rangle$, so that $(M, c, h_P) \to^* (V, c', h'_P)$. Then:
  • there exists $\sigma$ s.t. $c' : \sigma$, and $\gamma'$ s.t. $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, so that $C'_P = \langle \gamma_P \cdot \gamma', \xi_P, \phi \uplus \mathrm{dom}(\gamma'), h'_P\rangle$;
  • there exist $K, c''$ s.t. $\gamma_O(c') = K$, $\xi(c') = c''$ and $C'_O = \langle K[A], c'', \gamma_O, \xi_O, \phi \uplus \mathrm{dom}(\gamma'), h_O\rangle$.
Then one easily checks that $C'_P, C'_O$ are two compatible configurations, and
$$(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle V, c', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle \xrightarrow{\bar c'(A)} \langle K[A], c'', \gamma_P \cdot \gamma', \gamma_O, \xi, \phi \uplus \mathrm{dom}(\gamma'), h'_P, h_O\rangle,$$
so that $\langle K[A], c'', \gamma_P \cdot \gamma', \gamma_O, \xi, \phi \uplus \mathrm{dom}(\gamma'), h'_P, h_O\rangle = C'_P \wedge\wedge C'_O$.
– If $a$ is a Player Question $\bar f(A, c')$, there exist $K, V, c'', h'_P$ s.t. $C_P \xrightarrow{\tau}{}^* \langle K[f V], c'', \gamma_P, \xi_P, \phi, h'_P\rangle$, so that $(M, c, h_P) \to^* (K[f V], c'', h'_P)$. Then:
  • there exist $\sigma, \sigma'$ s.t. $f : \sigma \to \sigma'$, and $\gamma'$ s.t. $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, so that $C'_P = \langle \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \xi_P \cdot [c' \mapsto c''], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h'_P\rangle$;
  • there exists $V'$ s.t. $\gamma_O(f) = V'$ and $C'_O = \langle V' A, c', \gamma_O, \xi_O, \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h_O\rangle$.
Then one easily checks that $C'_P, C'_O$ are two compatible configurations, and
$$(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle K[f V], c'', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle \xrightarrow{\bar f(A, c')} \langle V' A, c', \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \gamma_O, \xi \cdot [c' \mapsto c''], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h'_P, h_O\rangle,$$
so that $\langle V' A, c', \gamma_P \cdot \gamma' \cdot [c' \mapsto K], \gamma_O, \xi \cdot [c' \mapsto c''], \phi \uplus \mathrm{dom}(\gamma') \uplus \{c'\}, h'_P, h_O\rangle = C'_P \wedge\wedge C'_O$.

Definition 26. A composite configuration $D$ terminates following a trace $t$, written $D \Downarrow^t_{ter}$, when there exists a final composite configuration $D_f = \langle (), \circ, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ s.t. $D \overset{t}{\Rightarrow} D_f$. We often omit the trace $t$ and simply write $D \Downarrow_{ter}$.

Definition 27. A composite configuration $D$ errors following a trace $t$, written $D \Downarrow^t_{err}$, when there exists a composite configuration $D_f = \langle K[err\,()], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ s.t. $D \overset{t}{\Rightarrow} D_f$. We often omit the trace $t$ and simply write $D \Downarrow_{err}$.

Lemma 26.
Taking $C_P, C_O$ two compatible configurations, if $(C_P \wedge\wedge C_O) \Downarrow^t_{ter}$ then:
– if $C_P$ is active and $C_O$ passive, $t$ is odd-length;
– if $C_P$ is passive and $C_O$ active, $t$ is even-length.
(The parities are forced by the base case below: the final configuration has $\circ$, which only $C_O$ knows, as its current continuation, so the empty trace arises with $C_O$ active, and each action flips the active side.)

Proof. By induction on the length of $t$:
– If $t = \epsilon$, then $C_P \wedge\wedge C_O$ can be written as $\langle (), \circ, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$. Writing $\phi_P$ for the name component of $C_P$ and $\phi_O$ for the one of $C_O$, then $\phi = \phi_O = \phi_P \uplus \{\circ\}$. So necessarily $C_O$ is the active one.
– If $t = a \cdot t'$, then we conclude using Lemma 24 and the induction hypothesis.

Definition 28. Taking $C_P, C_O$ two compatible configurations, one writes $(C_P \mid C_O) \downarrow^t_y$, with $y \in \{ter, err\}$, when $t \in \mathrm{Tr}(C_P)$ and
– if $y = ter$ then $t^\perp \cdot \bar\circ(()) \in \mathrm{Tr}(C_O)$;
– if $y = err$ then $t^\perp \cdot \bar\diamond((), c) \in \mathrm{Tr}(C_O)$ for some $c \in \mathrm{CNames}$.

Lemma 27. Taking $C_P, C_O$ two compatible configurations and $t$ a trace, then $(C_P \mid C_O) \downarrow^t_y$ iff $(C_P \wedge\wedge C_O) \Downarrow^t_y$, with $y \in \{ter, err\}$.

Proof. We first prove that if $(C_P \mid C_O) \downarrow^t_y$ then $(C_P \wedge\wedge C_O) \Downarrow^t_y$, by induction on the length of $t$:
– if $t$ is empty and $y = ter$, then $\bar\circ(()) \in \mathrm{Tr}(C_O)$, so there exist $\gamma_O, \xi_O, \phi, h_O$ s.t. $C_O \xrightarrow{\tau}{}^* \langle (), \circ, \gamma_O, \xi_O, \phi, h_O\rangle$. Since $C_O$ is an active configuration, $C_P$ must be a passive configuration, which we write as $\langle \gamma_P, \xi_P, \phi, h_P\rangle$. Then $C_P \wedge\wedge C_O \xrightarrow{\tau}{}^* \langle (), \circ, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$, so that indeed $(C_P \wedge\wedge C_O) \Downarrow^\epsilon_{ter}$.
– if $t$ is empty and $y = err$, then $\bar\diamond((), c) \in \mathrm{Tr}(C_O)$, so there exist $\gamma_O, \xi_O, \phi, h_O$ s.t. $C_O \xrightarrow{\tau}{}^* \langle K[err\,()], c, \gamma_O, \xi_O, \phi, h_O\rangle$. Since $C_O$ is an active configuration, $C_P$ must be a passive configuration, which we write as $\langle \gamma_P, \xi_P, \phi, h_P\rangle$. Then $C_P \wedge\wedge C_O \xrightarrow{\tau}{}^* \langle K[err\,()], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$, so that indeed $(C_P \wedge\wedge C_O) \Downarrow^\epsilon_{err}$.
– if $t = a \cdot t'$, then there exist two configurations $C'_P, C'_O$ s.t.:
  • $C_P \overset{a}{\Rightarrow} C'_P$;
  • $C_O \overset{a^\perp}{\Rightarrow} C'_O$;
  • $(C'_P \mid C'_O) \downarrow^{t'}_y$.
From Lemma 25, we get that $C'_P, C'_O$ are two compatible configurations and $(C_P \wedge\wedge C_O) \overset{a}{\Rightarrow} (C'_P \wedge\wedge C'_O)$. Using the induction hypothesis we get that $(C'_P \wedge\wedge C'_O) \Downarrow^{t'}_y$. So $(C_P \wedge\wedge C_O) \Downarrow^t_y$.

We now prove that if $(C_P \wedge\wedge C_O) \Downarrow^t_y$ then $(C_P \mid C_O) \downarrow^t_y$, by induction on the length of $t$:
– if $t$ is empty and $y = ter$, then $(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle (), \circ, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$. So $C_O \xrightarrow{\tau}{}^* \langle (), \circ, \gamma_O, \xi_O, \phi, h_O\rangle$ and $C_P = \langle \gamma_P, \xi_P, \phi, h_P\rangle$. Thus $C_O \overset{\bar\circ(())}{\Rightarrow} \langle \gamma_O, \xi_O, \phi, h_O\rangle$, so $(C_P \mid C_O) \downarrow^\epsilon_{ter}$.
– if $t$ is empty and $y = err$, then $(C_P \wedge\wedge C_O) \xrightarrow{\tau}{}^* \langle K[err\,()], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$. So $C_O \xrightarrow{\tau}{}^* \langle K[err\,()], c, \gamma_O, \xi_O, \phi, h_O\rangle$ and $C_P = \langle \gamma_P, \xi_P, \phi, h_P\rangle$. Thus $C_O \overset{\bar\diamond((), c)}{\Rightarrow} \langle \gamma_O, \xi_O, \phi, h_O\rangle$, so $(C_P \mid C_O) \downarrow^\epsilon_{err}$.
– if $t = a \cdot t'$, then there exists a composite configuration $D'$ s.t. $(C_P \wedge\wedge C_O) \overset{a}{\Rightarrow} D'$ and $D' \Downarrow^{t'}_y$. From Lemma 24, we get the existence of two compatible configurations $C'_P, C'_O$ s.t.:
  • $D' = C'_P \wedge\wedge C'_O$;
  • $C_P \overset{a}{\Rightarrow} C'_P$;
  • $C_O \overset{a^\perp}{\Rightarrow} C'_O$.
From $(C'_P \wedge\wedge C'_O) \Downarrow^{t'}_y$, we get from the induction hypothesis that $(C'_P \mid C'_O) \downarrow^{t'}_y$. So $(C_P \mid C_O) \downarrow^t_y$.

Definition 29. Taking $\gamma, \xi$ a valid environment and $c, c'$ two continuation names s.t. $c \prec^*_\xi c'$, we define the evaluation context $K_{c,c'}$ as:
– $K_{c,c} \triangleq \bullet$
– $K_{c,c'} \triangleq K_{c'',c'}[K]$, when $\gamma(c) = K$ and $\xi(c) = c''$.
We write $K_c$ for $K_{c,\circ}$.

Definition 30.
To an environment $\gamma$, we associate an idempotent substitution $\delta$, defined by iterating the relation:
– $\delta_0 \triangleq \{(f, V) \mid f \in \mathrm{dom}(\gamma) \wedge \gamma(f) = V\} \cup \{(c, K) \mid c \in \mathrm{dom}(\gamma) \wedge \gamma(c) = K\}$
– $\delta_{i+1} \triangleq \{(f, V\{\delta_i\}) \mid (f, V) \in \delta_i\} \cup \{(c, K\{\delta_i\}) \mid (c, K) \in \delta_i\}$
where we write $V\{\delta_i\}$ for the action of the substitution $\delta_i$ on $V$. Then there exists $n \in \mathbb{N}$ s.t. $\delta_{n+1} = \delta_n$, and $\delta$ is defined as $\delta_n$.

This iterative construction is needed to obtain idempotency, which corresponds to the fact that the supports of the values and evaluation contexts in the codomain of $\delta$ are empty (i.e. they no longer contain continuation or functional names). This is possible because there are no cycles between names.

Lemma 28. Taking $D = \langle K[f V], c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ a valid composite configuration that is going to perform a question, with $f \in \mathrm{dom}(\gamma)$, where $\gamma = \gamma_P \cdot \gamma_O$, there exist a functional name $g$, an abstract value $A$, a composite configuration $D'$ and a trace $t$ formed by questions s.t.:
– $\gamma(g)$ is a $\lambda$-abstraction $\lambda x.M$;
– $\delta(f) = \delta(g)$, writing $\delta$ for the idempotent substitution associated to $\gamma$;
– $D \xrightarrow{t} D'$;
– $D'$ can be written as $\langle g A, c', \gamma_P \cdot \gamma'_P, \gamma_O \cdot \gamma'_O, \xi', \phi \uplus \mathrm{dom}(\gamma'_P), h_P, h_O\rangle$;
– $A\{\delta'\} = V$, with $\delta'$ the idempotent substitution associated to $\gamma'_P \cdot \gamma'_O$;
– $K^\gamma_{c',c} = \bullet$.

Lemma 29. Let $D = \langle V, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ be a valid composite configuration that is going to perform an answer. Suppose that there exists $c'$ s.t. $c \prec^*_\xi c'$ and $K^\gamma_{c,c'} = \bullet$. Then there exist a composite configuration $D' = \langle A, c', \gamma_P \cdot \gamma'_P, \gamma_O \cdot \gamma'_O, \xi, \phi \uplus \mathrm{dom}(\gamma'_P), h_P, h_O\rangle$ and a trace $t$ formed only by answers s.t. $D \xrightarrow{t} D'$ and $A\{\delta'\} = V$, with $\delta'$ the idempotent substitution associated to $\gamma'_P \cdot \gamma'_O$.

Definition 31.
We define the configuration transformation $\theta$ from valid composite configurations to pairs formed by a term and a heap as
$$\theta : \langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle \mapsto ((K^\gamma_c[M])\{\delta\},\ (h_P \cdot h_O)\{\delta\})$$
writing $\gamma$ for $\gamma_P \cdot \gamma_O$ and $\delta$ for the idempotent substitution associated to $\gamma$.

Lemma 30. Taking $D, D'$ two valid composite configurations and $a$ an action (different from $\tau$) s.t. $D \xrightarrow{a} D'$, then $\theta(D) = \theta(D')$.

Proof. Let us write $D$ as $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$ and $D'$ as $\langle M', c', \gamma'_P, \gamma'_O, \xi', \phi', h'_P, h'_O\rangle$. Without loss of generality, we suppose the composite configuration $D$ to be P-active, i.e. $c \in \mathrm{dom}(\gamma_O)$. We reason by case analysis over $a$:
– If $a = \bar c(A)$, then $M$ is a value $V$, and we have:
  • $\gamma_O(c) = K$ and $c : \tau$ for some context $K$ and type $\tau$;
  • $\gamma'_O = \gamma_O$, $\gamma'_P = \gamma_P \cdot \gamma_A$ and $\phi' = \phi \uplus \mathrm{dom}(\gamma_A)$, with $(A, \gamma_A) \in \mathrm{AVal}_\tau(V)$;
  • $h'_P = h_P$ and $h'_O = h_O$;
  • $M' = K[A]$.
We conclude, using these and the facts that
  • $K^\gamma_c = K^\gamma_{c'}[K]$, where $c' = \xi(c)$;
  • $A\{\gamma_A\} = V$;
that $(K^\gamma_c[V])\{\delta\} = (K^{\gamma'}_{c'}[K[A]])\{\delta'\}$. So $\theta(D) = \theta(D')$.
– If $a = \bar f(A, c')$, then $M$ is a callback $K[f V]$ for some context $K$, value $V$ and functional name $f$, and we have:
  • $\gamma_O(f) = V'$ and $f : \sigma \to \sigma'$ for some value $V'$ and types $\sigma, \sigma'$;
  • $\gamma'_O = \gamma_O$, $\gamma'_P = \gamma_P \cdot \gamma_A \cdot [c' \mapsto K]$, $\xi' = \xi \cdot [c' \mapsto c]$ and $\phi' = \phi \uplus \mathrm{dom}(\gamma_A) \uplus \{c'\}$, with $(A, \gamma_A) \in \mathrm{AVal}_\sigma(V)$;
  • $h'_P = h_P$ and $h'_O = h_O$;
  • $M' = V' A$.
We conclude, using these and the facts that
  • $K^{\gamma'}_{c'} = K^\gamma_c[K]$;
  • $\gamma_O(f) = V'$;
  • $A\{\gamma_A\} = V$;
that $(K^\gamma_c[K[f V]])\{\delta\} = (K^{\gamma'}_{c'}[V' A])\{\delta'\}$. So $\theta(D) = \theta(D')$.

Definition 32. Taking $D, D'$ two composite configurations, we write $D \rightsquigarrow D'$ when there exists a trace $t$ of actions (without any $\tau$-actions) s.t. $D \xrightarrow{t \cdot \tau} D'$.

Lemma 31.
The configuration transformation $\theta$ is a functional bisimulation between the transition system over composite configurations $(\mathrm{CompConf}, \rightsquigarrow)$ and the operational transition system $(\Lambda \times \mathrm{Heap}, \to)$, that is, for all valid composite configurations $D$:
– for all composite configurations $D'$, if $D \rightsquigarrow D'$ then $\theta(D) \to \theta(D')$;
– for all pairs $(N, h')$ formed by a term $N$ and a heap $h'$, if $\theta(D) \to (N, h')$ then there exists a valid composite configuration $D'$ s.t. $D \rightsquigarrow D'$ and $(N, h') = \theta(D')$.

Proof. We write:
– $D$ as $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$;
– $\gamma$ for $\gamma_P \cdot \gamma_O$;
– $\delta$ for the idempotent substitution associated to $\gamma_P \cdot \gamma_O$;
– $\theta(D)$ as $((K^\gamma_c[M])\{\delta\}, h)$ with $h = (h_P \cdot h_O)\{\delta\}$.

We first suppose that $D \rightsquigarrow D'$, i.e. there exist a trace $t$ of actions (without any $\tau$) and a composite configuration $\hat D$ s.t. $D \xrightarrow{t} \hat D \xrightarrow{\tau} D'$. From Lemma 30, we get that $\theta(D) = \theta(\hat D)$. Without loss of generality, we suppose that the composite configuration $\hat D$ is P-active. We write $D'$ as $\langle M', c', \gamma'_P, \gamma'_O, \xi', \phi', h'_P, h_O\rangle$ and $\hat D$ as $\langle \hat M, \hat c, \gamma'_P, \gamma'_O, \xi', \phi', h_P, h_O\rangle$, so that we have $(\hat M, \hat c, h_P) \to (M', c', h'_P)$. From Lemma 9, writing $\delta'$ for the idempotent substitution associated to $\gamma'_P \cdot \gamma'_O$ and $\delta'_C$ for its restriction to the domain of continuation names, one has $(K^{\gamma'}_{\hat c}[\hat M]\{\delta'_C\}, h_P\{\delta'_C\}) \to (K^{\gamma'}_{c'}[M']\{\delta'_C\}, h'_P\{\delta'_C\})$. Extending the heap with $h_O$ and the substitution to $\delta'$, we get that $(K^{\gamma'}_{\hat c}[\hat M]\{\delta'\}, h) \to (K^{\gamma'}_{c'}[M']\{\delta'\}, (h'_P \cdot h_O)\{\delta'\})$, i.e. $\theta(D) \to \theta(D')$.

Now we suppose that there exist a term $N$ and a heap $h'$ s.t. $\theta(D) \to (N, h')$. From Lemma 20, there are three possible cases for the reduction $\theta(D) \to (N, h')$:
– Either $(M, c, h_P \cdot h_O)$ is reducible. Without loss of generality, we suppose that the composite configuration $D$ is P-active, so that $(M, c, h_P)$ is reducible.
Then there exists $(M', c', h'_P)$ s.t.:
  • $(M, c, h_P) \to (M', c', h'_P)$;
  • $N = (K^\gamma_{c'}[M'])\{\delta\}$;
  • $h' = (h'_P \cdot h_O)\{\delta\}$.
So we take $D' = \langle M', c', \gamma_P, \gamma_O, \xi, \phi, h'_P, h_O\rangle$, so that $D \xrightarrow{\tau} D'$.
– Or $M$ is a callback:
  • $M = K[f V]$ for some context $K$, value $V$ and functional name $f$;
  • $\delta(f)$ is a $\lambda$-abstraction that we write $\lambda x.P$ (with $x \notin \mathrm{dom}(\delta)$);
  • $N = (K^\gamma_c[K[P\{V/x\}]])\{\delta\}$;
  • $h' = h$.
From Lemma 28, there exist a functional name $g$, an abstract value $A_1$, a composite configuration $D_1$ and a trace $t$ formed by questions s.t.:
  • $\gamma(g)$ is a $\lambda$-abstraction $\lambda x.\hat P$;
  • $\delta(f) = \delta(g)$;
  • $D \xrightarrow{t} D_1$;
  • $D_1$ can be written as $\langle g A_1, c_1, \gamma_P \cdot \gamma_{1,P}, \gamma_O \cdot \gamma_{1,O}, \xi_1, \phi \uplus \mathrm{dom}(\gamma_{1,P}), h_P, h_O\rangle$;
  • $A_1\{\delta_1\} = V$, with $\delta_1$ the idempotent substitution associated to $\gamma_{1,P} \cdot \gamma_{1,O}$;
  • $K^{\gamma_1}_{c_1,c} = K$.
Without loss of generality, we suppose that the composite configuration $D_1$ is P-active. Then we have
$$D \xrightarrow{t} D_1 \xrightarrow{g(A_1, c_2)} D_2 = \langle (\lambda x.\hat P)\, A_1, c_2, \gamma_{2,P}, \gamma_O \cdot \gamma_{1,O}, \xi_2, \phi_2, h_P, h_O\rangle \xrightarrow{\tau} \langle \hat P\{A_1/x\}, c_2, \gamma_{2,P}, \gamma_O \cdot \gamma_{1,O}, \xi_2, \phi_2, h_P, h_O\rangle = D'$$
with $\gamma_{2,P} = \gamma_P \cdot \gamma_{1,P} \cdot \gamma_A \cdot [c_2 \mapsto (\bullet, c_1)]$ and $A_1\{\gamma_A\} = A_1$. From Lemma 30, we have that $\theta(D) = \theta(D_2)$. We prove that $(\hat P\{A_1/x\})\{\delta_2\} = P\{V\{\delta\}/x\}$ from the facts that:
  • $A_1\{\delta_2\} = V\{\delta\}$, since $A_1\{\delta_1\} = V$ and $A_1 = A_1\{\gamma_A\}$;
  • $\hat P\{\delta_2\} = P$, since $\delta(f) = \delta(g)$, $\delta(f) = \lambda x.P$ and $\gamma(g) = \lambda x.\hat P$.
Finally, from $K^{\gamma_1}_{c_1,c} = K$ and $\gamma_2(c_2) = (\bullet, c_1)$, we get that $K^{\gamma_2}_{c_2} = K^\gamma_c[K]$. So $\theta(D') = (N, h)$.
– Or $M$ is a value $V$ and $K^\gamma_c$ is an evaluation context larger than $\bullet$. Then there exists a continuation name $c_1$ s.t.:
  • $c \prec^*_\xi c_1$;
  • $K^\gamma_{c,c_1} = \bullet$;
  • $\gamma(c_1) = K$ with $K$ an evaluation context larger than $\bullet$.
From Lemma 29, there exist an abstract value $A_1$, a composite configuration $D_1$ and a trace $t$ formed by answers s.t.:
  • $D \xrightarrow{t} D_1$;
  • $D_1$ can be written as $\langle A_1, c_1, \gamma_P \cdot \gamma_{1,P}, \gamma_O \cdot \gamma_{1,O}, \xi, \phi \uplus \mathrm{dom}(\gamma_{1,O}), h_P, h_O\rangle$;
  • $A_1\{\delta_1\} = V$, with $\delta_1$ the idempotent substitution associated to $\gamma_{1,P} \cdot \gamma_{1,O}$.
Without loss of generality, we suppose that the composite configuration $D_1$ is P-active. Then we have
$$D \xrightarrow{t} D_1 \xrightarrow{c_1(A_1)} D_2 = \langle K[A_1], c_2, \gamma_{2,P}, \gamma_{2,O}, \xi, \phi_2, h_P, h_O\rangle$$
with $\xi(c_1) = c_2$, $\gamma_{2,P} = \gamma_{1,P} \cdot \gamma_A$ and $A_1\{\gamma_A\} = A_1$. From Lemma 30, we have that $\theta(D) = \theta(D_2)$. From $K^\gamma_{c,c_1} = \bullet$, we get that $K^\gamma_c = K^\gamma_{c_1}$, so that $K^{\gamma_2}_{c_2}[K] = K^\gamma_c$. Since $K$ is larger than $\bullet$, $K[A_1]$ cannot be a value, so from Lemma 19 we have that:
  • either $(K[A_1], c_2, h_P)$ is reducible, and we conclude using a similar reasoning as in the first case, on $D_2$;
  • or $K[A_1]$ is a callback, and we conclude using a similar reasoning as in the second case, on $D_2$.

Corollary 5. Taking $D$ a valid composite configuration, $D \Downarrow_{ter}$ iff $\theta(D) \Downarrow_{ter}$.

Proof. We write $D$ as $\langle M, c, \gamma_P, \gamma_O, \xi, \phi, h_P, h_O\rangle$.

We first prove that if $D \Downarrow_{ter}$ then $\theta(D) \Downarrow_{ter}$. From $D \Downarrow_{ter}$, we get the existence of a sequence of reductions $D \rightsquigarrow^* D_f = \langle (), \circ, \gamma_{f,P}, \gamma_{f,O}, \xi_f, \phi_f, h_{f,P}, h_{f,O}\rangle$. We reason by induction over the length of this reduction.
– if $D = D_f$, then $\theta(D) = ((), h)$ for some heap $h$, since $M = ()$ and $c = \circ$, so that $K^{\gamma_P \cdot \gamma_O}_c = \bullet$.
– if there exists a composite configuration $D'$ s.t. $D \rightsquigarrow D' \rightsquigarrow^* D_f$, then by the induction hypothesis $\theta(D') \Downarrow_{ter}$, and from Lemma 31 one has that $\theta(D) \to \theta(D')$, so that $\theta(D) \Downarrow_{ter}$.

We now prove that if $\theta(D) \Downarrow_{ter}$ then $D \Downarrow_{ter}$. From $\theta(D) \Downarrow_{ter}$ we get the existence of $((), h)$ s.t. $\theta(D) \to^* ((), h)$. We reason by induction over the length of this reduction.
– if the reduction is empty, then $\theta(D) = ((), h)$. So necessarily $M = ()$ and $K^\gamma_{c,\circ} = \bullet$. Then, by Lemma 29, $D \Downarrow_{ter}$.
– if there exists $(M', h')$ s.t. $\theta(D) \to (M', h') \to^* ((), h)$, then from Lemma 31 there exists a configuration $D'$ s.t. $D \rightsquigarrow D'$ and $\theta(D') = (M', h')$. Then by the induction hypothesis, since $\theta(D') \to^* ((), h)$, we get that $D' \Downarrow_{ter}$, so that $D \Downarrow_{ter}$.

Corollary 6. Taking $D$ a valid composite configuration, $D \Downarrow_{err}$ iff $\theta(D) \Downarrow_{err}$.

Finally, we can prove Lemma 4.

Lemma 32 (Correctness). Let $\Gamma \vdash M : \tau$ be a cr-free HOSC term, let $\Sigma, h, K, \gamma$ be as above, $(\vec A_i, \vec\gamma_i) \in \mathrm{AVal}_\Gamma(\gamma)$, and $c : \tau$ ($c \notin \circ$). Then
– $(K[M\{\gamma\}], h) \Downarrow_{err}$ iff there exist $t, c'$ such that $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho, \vec A_i, c}_M)$ and $t^\perp\, \bar\diamond((), c') \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec\gamma_i, c}_{h, K, \gamma})$.
– $(K[M\{\gamma\}], h) \Downarrow_{ter}$ iff there exist $t, A, \tau'$ such that $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho, \vec A_i, c}_M)$ and $t^\perp\, \bar\circ_{\tau'}(A) \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec\gamma_i, c}_{h, K, \gamma})$.
Moreover, $t$ must satisfy $\nu(t) \cap (\circ \cup \{\diamond\}) = \emptyset$.

Proof. Let $y \in \{ter, err\}$. Note that $(K[M\{\gamma\}], h) \Downarrow_y$ iff $\theta(C^{\rho, \vec A_i, c}_M \wedge\wedge C^{\vec\gamma_i, c}_{h, K, \gamma}) \Downarrow_y$. From Corollaries 5 and 6, this is equivalent to the existence of a trace $t$ such that $(C^{\rho, \vec A_i, c}_M \wedge\wedge C^{\vec\gamma_i, c}_{h, K, \gamma}) \Downarrow^t_y$. By Lemma 27, this is the same as $(C^{\rho, \vec A_i, c}_M \mid C^{\vec\gamma_i, c}_{h, K, \gamma}) \downarrow^t_y$, which implies the Lemma.

D Additional material for Section 4 (GOSC[HOSC])

D.1 Proof of Lemma 7 (visibility)

We write $C \xrightarrow{t} C'$ to say that there exists a sequence of transitions from $C$ to $C'$ such that the collected labels, including $\tau$-transitions, give a trace $t$. The proof is based on an auxiliary lemma (Lemma 33), which generalizes P-visibility to configurations, enabling an inductive proof.

Lemma (Original Statement of Lemma 7). Let $C_O = C^{\vec\gamma_i, c}_{h, K, \gamma}$, where $h, K, \gamma$ are from GOSC, and $(\vec A_i, \vec\gamma_i) \in \mathrm{AVal}_\Gamma(\gamma)$. All traces in $\mathrm{Tr}^{even}_{\mathrm{HOSC}}(C_O)$ are P-visible.

Proof. Suppose $C_O \overset{a_1 \cdots a_{i+1}}{\Longrightarrow} C$ and $C \xrightarrow{\tau}{}^* C' \xrightarrow{a_{i+2}} C''$.
By Lemma 33, $C' = \langle M', c', \cdots\rangle$ with $\nu(M', c') \subseteq \mathrm{Vis}_P(a_1 \cdots a_{i+1})$. Because the O-names in $a_{i+2}$ come from $\nu(M', c')$, P-visibility follows.

Lemma 33. Suppose $C_O \xrightarrow{a_1 \cdots a_k} C$.
1. If $C = \langle \gamma, \xi, \phi, h\rangle$ then, for any $n \in \mathrm{dom}(\gamma)$, if $n$ was introduced in $a_i$ ($0 \le i \le k$) then $\nu(\gamma(n)) \subseteq \mathrm{Vis}_P(a_1 \cdots a_{i-1})$ and, if $n \in \mathrm{CNames}$, then $\xi(n) \in \mathrm{Vis}_P(a_1 \cdots a_{i-1})$ ("introduced in $a_0$" is taken to mean $\diamond, \circ$, and $\mathrm{Vis}_P(a_1 \cdots a_0)$ stands for $\{\diamond, \circ\}$).
2. If $C = \langle M, c, \gamma, \xi, \phi, h\rangle$ then $\nu(M, c) \subseteq \mathrm{Vis}_P(a_1 \cdots a_k)$ and all of the conditions listed above hold.

Proof. By induction on the number of transitions between $C_O$ and $C$, including $\tau$-transitions.

The base case is $C_O = C$. The Lemma then holds because $\nu(\gamma) \subseteq \{\diamond\}$, $\xi(c) = \circ$, and $\mathrm{Vis}_P(a_1 \cdots a_0) = \{\diamond, \circ\}$.

Suppose $C_O \xrightarrow{a_1 \cdots a_k} C'$ and $C_O \xrightarrow{t} C \xrightarrow{x} C'$, where $t$ is a trace and $x$ is an action or $x = \tau$.
– If $x = \tau$ then $\gamma, \xi$ do not change during the transition and the reduction does not generate new names by Lemma 6. Hence, the Lemma follows from the IH.
– Suppose $x$ is an O-action, i.e. $x = a_k$. Then $C' = \langle M', c', \gamma', \xi', \phi', h'\rangle$ and $C = \langle \gamma', \xi', \phi' \setminus A, h'\rangle$. By the IH for $C$, all the conditions for $\gamma', \xi'$ hold, so it remains to check $\nu(M', c')$.
  • If $x = c''(A'')$ then $\nu(M', c') = \nu(\gamma'(c'')[A''], \xi'(c''))$. By the IH for $C$ and $c''$, assuming $c''$ was introduced in $a_i$, we get $\nu(M', c') \subseteq \mathrm{Vis}_P(a_1 \cdots a_{i-1}) \cup \nu(A'') = \mathrm{Vis}_P(a_1 \cdots a_k)$.
  • If $x = f(A'', c'')$ then $\nu(M', c') = \nu(\gamma'(f)[A''], c'')$. By the IH for $C$ and $f$, assuming $f$ was introduced in $a_i$, we get $\nu(M', c') \subseteq \mathrm{Vis}_P(a_1 \cdots a_{i-1}) \cup \nu(A'') \cup \{c''\} = \mathrm{Vis}_P(a_1 \cdots a_k)$.
– Suppose $x$ is a P-action, i.e. $x = a_k$. Then $C' = \langle \gamma', \xi', \phi', h'\rangle$.
  • If $x = \bar c''(A'')$ then $C = \langle V, c'', \gamma' \setminus \nu(A''), \xi', \phi \setminus \nu(A''), h'\rangle$. By the IH, $\gamma' \setminus \nu(A'')$ and $\xi'$ satisfy the Lemma.
It suffices to check $\gamma'(n)$ for $n \in \nu(A'')$. Observe that then $\nu(\gamma'(n)) \subseteq \nu(V, c'')$ and, by the IH for $C$, $\nu(V, c'') \subseteq \mathrm{Vis}_P(a_1 \cdots a_{k-1})$, as required.
  • If $x = \bar f(A'', c'')$ then $C = \langle K[f V], c''', \gamma' \setminus X, \xi' \setminus \{c''\}, \phi \setminus X, h'\rangle$, where $X = \nu(A'') \cup \{c''\}$. By the IH, $\gamma' \setminus X$ and $\xi' \setminus \{c''\}$ satisfy the Lemma. It suffices to check $\gamma'(n)$ for $n \in \nu(A'')$, $\gamma'(c'')$ and $\xi'(c'')$. Observe that then $\nu(\gamma'(n)) \cup \nu(\gamma'(c'')) \cup \{\xi'(c'')\} \subseteq \nu(K[f V], c''')$ and, by the IH for $C$, $\nu(K[f V], c''') \subseteq \mathrm{Vis}_P(a_1 \cdots a_{k-1})$, as required.

D.2 Proof of Theorem 3

Proof. Suppose $\mathrm{Tr}_{\mathrm{GOSC}}(\Gamma \vdash M_1) \subseteq \mathrm{Tr}_{\mathrm{GOSC}}(\Gamma \vdash M_2)$. Consider $\Sigma, h, K, \gamma$ (as in the definition of $\lesssim^{\mathrm{GOSC}(ciu)}_{err}$) such that $(K[M_1\{\gamma\}], h) \Downarrow_{err}$. In particular, $h, K, \gamma$ consist of GOSC syntax. Suppose $(\vec A_i, \vec\gamma_i) \in \mathrm{AVal}_\Gamma(\gamma)$ and $c : \tau$. By Lemma 4 (left-to-right), there exist $t, c'$ such that $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho, \vec A_i, c}_{M_1})$ and $t^\perp\, \bar\diamond((), c') \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec\gamma_i, c}_{h, K, \gamma})$. By Lemma 7, $t^\perp\, \bar\diamond((), c')$ is P-visible. Thus, $t$ is O-visible and, by Lemma 36 (right-to-left), $t \in \mathrm{Tr}_{\mathrm{GOSC}}(C^{\rho, \vec A_i, c}_{M_1})$. From $\mathrm{Tr}_{\mathrm{GOSC}}(\Gamma \vdash M_1) \subseteq \mathrm{Tr}_{\mathrm{GOSC}}(\Gamma \vdash M_2)$, we get $t \in \mathrm{Tr}_{\mathrm{GOSC}}(C^{\rho, \vec A_i, c}_{M_2})$. By Lemma 36 (left-to-right), $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho, \vec A_i, c}_{M_2})$. Because $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho, \vec A_i, c}_{M_2})$ and $t^\perp\, \bar\diamond((), c') \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec\gamma_i, c}_{h, K, \gamma})$, by Lemma 4 (right-to-left) we can conclude $(K[M_2\{\gamma\}], h) \Downarrow_{err}$. Thus, $\Gamma \vdash M_1 \lesssim^{\mathrm{GOSC}(ciu)}_{err} M_2$.

D.3 Proof of Lemma 9

Lemma 9 follows from the lemma given below for $i = 0$. Consider $h' = h_0$, $K' = \gamma_0(c)$, $\gamma' = \gamma_0 \setminus c$. We have $\nu(\mathrm{img}(\gamma_0), \mathrm{img}(h_0)) \subseteq \circ \uplus \{\diamond\}$. As names $\circ_\sigma$ can only occur inside terms of the form $\mathsf{cont}(K', \circ_\sigma)$, we can conclude that $(h', K', \gamma') = (h^\circ, K^\circ, \gamma^\circ)$, where $h, K, \gamma$ are from GOSC.

Lemma 34.
Suppose $\phi \uplus \{\diamond\} \subseteq \mathrm{FNames}$, $c \in \mathrm{CNames}$ and $t = o_1 p_1 \cdots o_n p_n$ is a P-visible $(\circ \uplus \{\diamond\}, \phi \uplus \{c\})$-trace starting with an O-action. Given $0 \le i \le n$, let $t_i = o_{i+1} p_{i+1} \cdots o_n p_n$. There exist passive configurations $C_i$ such that $\mathrm{Tr}^{even}(C_i)$ consists of the even-length prefixes of $o_{i+1} p_{i+1} \cdots o_n p_n$ (along with their renamings via permutations on Names that fix $\phi_i$). Moreover, $C_i = \langle \gamma_i, \xi_i, \phi_i, h_i\rangle$ ($0 \le i \le n$), where
– $\mathrm{dom}(\gamma_i)$ consists of $\phi \cup \{c\}$ and all names introduced by P in $o_1 p_1 \cdots o_i p_i$;
– $\mathrm{img}(\gamma_i)$ contains GOSC syntax;
– $\nu(\gamma_i(x)) \subseteq \mathrm{Vis}_P(o_1 p_1 \cdots o_i)$ if $x$ has been introduced in $p_i$ ($\phi \uplus \{c\}$ are deemed to have been introduced in $p_0$ and we assume $\mathrm{Vis}_P(o_1 \cdots o_0) = \circ \uplus \{\diamond\}$);
– for all $d \in \mathrm{dom}(\gamma_i) \cap \mathrm{CNames}$, if $d : \sigma_d$ and $d$ was introduced in $p_j$ then $\vdash \gamma_i(d) : \sigma_d \to \sigma_j$, where $\mathrm{top}_P(o_1 \cdots o_j) : \sigma_j$;
– $\mathrm{dom}(\xi_i)$ consists of $c$ and all continuation names introduced by P in $o_1 p_1 \cdots o_i p_i$;
– for all $d \in \mathrm{dom}(\xi_i)$, $\xi_i(d) = \mathrm{top}_P(o_1 \cdots o_j)$ if $d$ was introduced in $p_j$ (we regard $c$ as being introduced in $p_0$ and define $\mathrm{top}_P(o_1 \cdots o_0) = \circ_{\tau'}$);
– $\phi_i$ consists of $\circ \uplus \{\diamond\} \uplus \phi \uplus \{c\}$ and all names introduced in $o_1 p_1 \cdots o_i p_i$;
– for all $0 \le i \le n$, $h_i = \{\mathsf{time} \mapsto i\}$, where $\mathsf{time} : \mathrm{ref}\,\mathrm{Int}$.

Proof. Note that the heap will consist of a single reference only, which corresponds to counting steps in the translation. At every step of the translation, the value of the reference will be used to schedule the right actions and disable the others.

The above description already specifies $\phi_i$, $\mathrm{dom}(\gamma_i)$, $\xi_i$ and $h_i$. To complete the definition of $C_i$, it remains to specify the environments $\gamma_i$. Recall that we need to define $\gamma_0(x)$ for $x \in \phi \cup \{c\}$ and, in the other cases, $\gamma_j(x)$ ($x \in \mathrm{Names}$) will be defined for all $j \ge i$ if $x$ was introduced by P in $p_i$. Recall also that once $\gamma_j(x)$ is defined, it never changes.
Hence, if $x$ was introduced by P in $p_i$, we will only specify $\gamma_i(x)$, on the understanding that $\gamma_{i'}(x) = \gamma_i(x)$ for all $i' > i$.

We define $\gamma_i(x)$ by induction using the reverse order of name introduction in $t$, i.e. when defining $\gamma_i(x)$ we will refer to $\gamma_{i'}(y)$, where $y$ is introduced in a later move of $t$. In particular, the names $\phi \cup \{c\}$ are deemed to be introduced first. Once $\gamma_i(x)$ is defined, we will argue that $\nu(\gamma_i(x)) \subseteq \mathrm{Vis}_P(o_1 p_1 \cdots o_i)$.

– Suppose $f : \sigma_f \to \tau_f$ is a function name introduced by P in action $p_i$ ($1 \le i \le n$) or $f \in \phi$, in which case we let $i = 0$. Consider all subsequent occurrences of $f$ in $t$: suppose $I_f = \{i < u \le n \mid o_u = f(A_u, c_u)\}$, i.e. $I_f$ contains all the time points when it is necessary to respond to $f(A', c')$. Then we let
$$\gamma_i(f) = \lambda x.\ (\mathsf{time} := !\mathsf{time} + 1);\ \mathsf{if}\ (!\mathsf{time} \in I_f)\ (\mathsf{assert}(x \sim A_{!\mathsf{time}});\ M_{!\mathsf{time}})\ \Omega,$$
where $(\mathsf{assert}(x \sim A_{!\mathsf{time}}); M_{!\mathsf{time}})$ is shorthand for code that performs case distinction on $!\mathsf{time}$ and directs reduction to $(\mathsf{assert}(x \sim A_u); M_u)$ for $u = !\mathsf{time} \in I_f$. The term $\mathsf{assert}(x \sim A_u)$ has been defined earlier, so we specify $M_u$ ($u \in I_f$), aiming to have $x : \sigma_f \vdash M_u : \tau_f$ in each case. $M_u$ will depend on the shape of $p_u$. Note that if $I_f = \emptyset$, i.e. $f$ is not used in $t$, then the construction degenerates to $\gamma_i(f) = \lambda x.\ (\mathsf{time} := !\mathsf{time} + 1);\ \Omega$.

$p_u = \bar c'_u(A'_u)$: As $u > i$, $\gamma_u$ is already defined for all names in $A'_u$. Let $V = A'_u\{\gamma_u\}$. Recall that $o_u = f(A_u, c_u)$. We let
$$M_u = \mathsf{call/cc}(y.\ (\mathsf{throw}\ V\ \mathsf{to}\ \mathsf{cont}(\bullet, c'_u))\,[y/\mathsf{cont}(\bullet, c_u)]\,[\pi x/A_u]).$$
  • $[y/\mathsf{cont}(\bullet, c_u)]$ is meant to mimic the reversal of the reduction rule for $\mathsf{call/cc}$: because after $o_u$ the continuation name in the active configuration will be $c_u$, the then current continuation will be $\mathsf{cont}(\bullet, c_u)$. Since all continuation names $c'$ are only ever used via the term $\mathsf{cont}(\bullet, c')$, the substitution $[y/\mathsf{cont}(\bullet, c_u)]$ will remove all occurrences of $c_u$ from $V$.
  • The substitution $[\pi x/A_u]$ has been defined before the first definability proof.
Note that, because of $\mathsf{throw}$, $M_u$ can indeed be given type $\tau_f$. Overall, the shape of $M_u$ guarantees the desired progression ($o_u p_u$) at time $u$ (the configuration will reduce to $(V, c'_u, \cdots)$, to be followed by $p_u = \bar c'_u(A'_u)$). Because we can assume $\nu(\gamma_u(x)) \subseteq \mathrm{Vis}_P(o_1 \cdots o_u)$ for any $x$ introduced in $p_u$ (IH), we have $\nu(V) = \nu(A'_u\{\gamma_u\}) \subseteq \mathrm{Vis}_P(o_1 \cdots o_u)$. As all names introduced in $o_u$ will be substituted for, we have $\nu(M_u) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i) \cup \{c'_u\}$. However, by P-visibility, we have $c'_u \in \mathrm{Vis}_P(o_1 \cdots o_u)$, so either $c'_u = c_u$ or $c'_u \in \mathrm{Vis}_P(o_1 \cdots o_i)$. Either way, we can conclude $\nu(M_u) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i)$, i.e. $\nu(\gamma_i(f)) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i)$.

$p_u = \bar f'(A'_u, c'_u)$: As in the previous case, by the IH, $\gamma_u$ is already defined for all names in $A'_u$ and $c'_u$. Let $V = A'_u\{\gamma_u\}$ and $K = \gamma_u(c'_u)[\bullet] : \sigma_{c'_u} \to \sigma_j$, where $\mathrm{top}_P(o_1 \cdots o_u) : \sigma_j$ (IH). Note that $\mathrm{top}_P(o_1 \cdots o_u) = c_u$ in this case, i.e. $\tau_f = \sigma_j$. We let
$$M_u = K[f'\, V]\,[\pi x/A_u].$$
The shape of $M_u$ then guarantees the right progression in the $u$-th step $o_u p_u$ (after $o_u$ the LTS will reach a configuration of the form $(\gamma_u(c'_u)[f'\, V], \mathrm{top}_P(o_1 \cdots o_u), \cdots)$, from which $p_u = \bar f'(A'_u, c'_u)$ can follow). Because $\nu(V), \nu(\gamma_u(c'_u)) \subseteq \mathrm{Vis}_P(o_1 \cdots o_u)$ and all names introduced in $o_u$ are substituted for above, we have $\nu(M_u) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i) \cup \{f'\}$. By P-visibility, $f' \in \mathrm{Vis}_P(o_1 \cdots o_i)$, so we can conclude that $\nu(M_u) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i)$, i.e. $\nu(\gamma_i(f)) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i)$.

– Suppose now that $d : \sigma_d$ is a continuation name introduced by P in action $p_i$ ($1 \le i \le n$), or $d = c$, in which case we let $i = 0$. Let us consider all subsequent occurrences of $d$ in $t$: suppose $I_d = \{i < u \le n \mid o_u = d(A_u)\}$. Then we let
$$\gamma_i(d) = (\lambda x.\ (\mathsf{time} := !\mathsf{time} + 1);\ \mathsf{if}\ (!\mathsf{time} \in I_d)\ (\mathsf{assert}(x \sim A_{!\mathsf{time}});\ M_{!\mathsf{time}})\ \Omega)[\bullet]$$
where the terms $M_u$ ($u \in I_d$) are the same as in the previous case, though this time we aim for $x : \tau_d \vdash M_u : \tau_j$, where $d : \tau_d$ and $\mathrm{top}_P(o_1 \cdots o_u) : \tau_j$ (recall that $\xi_i(d) = \mathrm{top}_P(o_1 \cdots o_u)$). As argued above, in the second case $M_u$ will have the required type, and in the first case it can be forced thanks to $\mathsf{throw}$. Similarly, we can conclude that $\nu(\gamma_i(d)) \subseteq \mathrm{Vis}_P(o_1 \cdots o_i)$.

This completes the definition of the configurations. They evolve as required by construction, because the definition of $\gamma_i$ is compatible with the evolution of the GOSC[HOSC] LTS: at each stage, the value of the clock $\mathsf{time}$ is incremented and the corresponding term $M_u$ is selected. It is easy to check that the syntax used in the construction belongs to GOSC only.

D.4 Proof of Theorem 4

Proof. We follow the same path as in the proof of Theorem 2, except that, in this case, we will have $t, t_1 \in \mathrm{Tr}_{\mathrm{GOSC}}(C^{\rho, \vec A_i, c}_{M_1})$.
Consequently, we can conclude that $t' = t^{\perp}\,\bar{\diamond}((), c')$ is P-visible and invoke Lemma 9 (instead of Lemma 5) to obtain $C_O$ that corresponds to $h, K, \gamma$ from GOSC. Because $h, K, \gamma$ are in GOSC, we can then appeal to the assumption $\Gamma \vdash M_1 \lesssim^{\mathrm{GOSC}}_{\mathrm{ciu},\mathrm{err}} M_2$ and complete the proof like for Theorem 2.

E Additional material for Section 5 (HOS[HOSC])

E.1 Proof of Lemma 11

To enable a proof by induction we generalize the Lemma as follows.

Lemma 35. Consider $C_O = C^{\vec{\gamma}_i, c}_{h,K,\gamma}$, where $h, K, \gamma$ are from HOS and $(\vec{A}_i, \vec{\gamma}_i) \in \mathrm{AVal}_\Gamma(\gamma)$. Let $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C_O)$ and suppose $C_O \xrightarrow{t'} C$.
– If $t'$ is of odd length then $C = \langle M, c', \cdots\rangle$ and $c' = \mathrm{top}_P(t')$.
– If $t'$ is of even length and $t' = t\,\bar{f}(A, c')$ then $C = \langle \cdots, \xi, \cdots\rangle$ and $\xi(c') = \mathrm{top}_P(t)$.
– If $t'$ is of even length and $t' = t\,\bar{c}'(A)$ then $c' = \mathrm{top}_P(t)$.

Proof. By induction on the number of transitions in $C_O \xrightarrow{t} C$. In the base case (no transitions) the Lemma holds vacuously. Note that the Lemma is preserved by silent transitions ($t$ is of odd length then) by Lemma 10. Suppose $C_O \xrightarrow{t} C \xrightarrow{a} C'$.
– The even-length cases follow immediately from the odd-length case due to the shape of the LTS rules.
– Suppose $t' = t\,a$ is of odd length.
  • If $a = f(A, c'')$ then $\mathrm{top}_P(t') = c''$ and $c' = c''$, so the Lemma holds.
  • If $a = c''(A)$ then $c' = \xi(c'')$.
    ∗ If $c'' = c$ then $c' = \circ$ and indeed $\mathrm{top}_P(t') = \circ$.
    ∗ Otherwise $\mathrm{top}_P(t') = \mathrm{top}_P(t'')$, where $c''$ is introduced by an action (question) after $t''$. Then, by IH, $\xi(c'') = \mathrm{top}_P(t'')$. Because $\mathrm{top}_P(t'') = \mathrm{top}_P(t')$, we get $c' = \mathrm{top}_P(t')$, as required.

E.2 Proof of Theorem 5

Proof. Suppose $\mathrm{Tr}_{\mathrm{HOS}}(\Gamma \vdash M_1) \subseteq \mathrm{Tr}_{\mathrm{HOS}}(\Gamma \vdash M_2)$. Consider $\Sigma, h, K, \gamma$ (as in the definition of $\lesssim^{\mathrm{HOS}}_{\mathrm{ciu},\mathrm{err}}$) such that $(K[M_1\{\gamma\}], h) \Downarrow_{\mathrm{err}}$. In particular, $h, K, \gamma$ consist of HOS syntax. Suppose $(\vec{A}_i, \vec{\gamma}_i) \in \mathrm{AVal}_\Gamma(\gamma)$ and $c : \sigma$ ($c \neq \circ$).
By Lemma 4 (left-to-right), there exist $t, c'$ such that $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho_{\vec{A}_i},c}_{M_1})$ and $t^{\perp}\,\bar{\diamond}((), c') \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec{\gamma}_i, c}_{h,K,\gamma})$. By Lemma 11, $t^{\perp}\,\bar{\diamond}((), c')$ is P-bracketed. Thus, $t$ is O-bracketed and, by Lemma 12 (right-to-left), $t \in \mathrm{Tr}_{\mathrm{HOS}}(C^{\rho_{\vec{A}_i},c}_{M_1})$. From $\mathrm{Tr}_{\mathrm{HOS}}(\Gamma \vdash M_1) \subseteq \mathrm{Tr}_{\mathrm{HOS}}(\Gamma \vdash M_2)$, we get $t \in \mathrm{Tr}_{\mathrm{HOS}}(C^{\rho_{\vec{A}_i},c}_{M_2})$. By Lemma 12 (left-to-right), $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho_{\vec{A}_i},c}_{M_2})$. Because $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho_{\vec{A}_i},c}_{M_2})$ and $t^{\perp}\,\bar{\diamond}((), c') \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\vec{\gamma}_i, c}_{h,K,\gamma})$, by Lemma 4 (right-to-left), we can conclude $(K[M_2\{\gamma\}], h) \Downarrow_{\mathrm{err}}$. Thus, $\Gamma \vdash M_1 \lesssim^{\mathrm{HOS}}_{\mathrm{ciu},\mathrm{err}} M_2$.

E.3 Proof of Lemma 13

Proof. We take advantage of the definability result for HOSC (Lemma 34) and argue that, for P-bracketed traces, continuation-related syntax can be eliminated. This will follow from the careful integration of $\mathrm{top}_P()$ in the construction. Indeed, the only place where "throw" is needed in the construction is to transition from configuration $D_i$ to $E_i$. The second component (current continuation) in $D_i$ is equal to $\mathrm{top}_P(o \cdots o_{i+1})$, whereas the second component in $E_i$ in this case is $c^{O}_{j'}$. For a P-bracketed trace, the two continuation names will be the same (Definition 17). Consequently, the use of "throw" in this case is trivial: it will have the form $(\mathrm{throw}\ V_A\ \mathrm{to}\ \mathrm{cont}(\bullet, c),\ c,\ \cdots)$, where $c = c^{O}_{j'}$, because the continuation in $\mathit{cor}_{j'}$ is $\mathrm{cont}(\bullet, c^{O}_{j'})$ by one of our invariants. This use of "throw" can be replaced simply by $(V_A, c, \ldots)$, i.e. occurrences of "throw" can be eliminated. Next, one observes that references to continuations ($\mathit{cor}_j$) are redundant as well, because they are only used in connection with "throw", and we already know that "throw" is redundant. Finally, "callcc" is redundant, because the only purpose of invoking it was to record continuations in a reference, and we know from the previous point that such references will not be needed. Overall this yields a construction that involves only HOS syntax.
E.4 Proof of Theorem 6

Proof. We follow the same path as in the proof of Theorem 2 except that, in this case, we have $t \in \mathrm{Tr}_{\mathrm{HOS}}(C^{\rho_{\vec{A}_i},c}_{M_1})$. Consequently, we can conclude that $t' = t^{\perp}\,\bar{\diamond}((), c')$ is P-bracketed and invoke Lemma ?? (instead of Lemma 5) to obtain $C_O$ that corresponds to $h, K, \gamma$ from HOS. Because $h, K, \gamma$ are in HOS, we can appeal to the assumption $\Gamma \vdash M_1 \lesssim^{\mathrm{HOS}}_{\mathrm{ciu},\mathrm{err}} M_2$ and complete the proof like for Theorem 2.

F Additional material for Section 6 (GOS[HOSC])

F.1 GOS[HOSC] LTS

$(P\tau)$ $\langle M, c, \gamma, \xi, \phi, h, F\rangle \xrightarrow{\tau} \langle N, c', \gamma, \xi, \phi, h', F\rangle$ when $(M, c, h) \to (N, c', h')$
$(PA)$ $\langle V, c, \gamma, \xi, \phi, h, F\rangle \xrightarrow{\bar{c}(A)} \langle \gamma \cdot \gamma', \xi, \phi \uplus \nu(A), h, F, F(c) \uplus \nu(A), c'\rangle$ when $c : \sigma$, $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, $\xi(c) = c'$
$(PQ)$ $\langle K[f\,V], c, \gamma, \xi, \phi, h, F\rangle \xrightarrow{\bar{f}(A, c')} \langle \gamma \cdot \gamma' \cdot [c' \mapsto K], \xi \cdot [c' \mapsto c], \phi \uplus \phi', h, F, F(f) \uplus \phi', c'\rangle$ when $f : \sigma \to \sigma'$, $(A, \gamma') \in \mathrm{AVal}_\sigma(V)$, $c' : \sigma'$ and $\phi' = \nu(A) \uplus \{c'\}$
$(OA)$ $\langle \gamma, \xi, \phi, h, F, \mathcal{V}, c''\rangle \xrightarrow{c(A)} \langle K[A], c', \gamma, \xi, \phi \uplus \nu(A), h, F \cdot [\nu(A) \mapsto \mathcal{V}]\rangle$ when $c \in \mathcal{V}$, $c = c''$, $c : \sigma$, $A : \sigma$, $\gamma(c) = K$, $\xi(c) = c'$
$(OQ)$ $\langle \gamma, \xi, \phi, h, F, \mathcal{V}, c''\rangle \xrightarrow{f(A, c)} \langle V\,A, c, \gamma, \xi \cdot [c \mapsto c''], \phi \uplus \phi', h, F \cdot [\phi' \mapsto \mathcal{V}]\rangle$ when $f \in \mathcal{V}$, $f : \sigma \to \sigma'$, $A : \sigma$, $c : \sigma'$, $\gamma(f) = V$ and $\phi' = \nu(A) \uplus \{c\}$
Given $N \subseteq \mathrm{Names}$, $[N \mapsto \mathcal{V}]$ stands for the map $[n \mapsto \mathcal{V} \mid n \in N]$.

Fig. 10. GOS[HOSC] LTS

Recall that, given a $\Gamma$-assignment $\rho$, term $\Gamma \vdash M : \tau$ and $c \in \mathrm{CNames}_\tau$, the active configuration $C^{\rho,c}_M$ was defined by $C^{\rho,c}_M = \langle M\{\rho\}, c, \emptyset, \emptyset, \nu(\rho) \cup \{c\}, \emptyset\rangle$. We need to upgrade it to the LTS by initializing the new components: $C^{\rho,c}_{M,\mathit{vis},\mathit{bra}} = \langle M\{\rho\}, c, \emptyset, [c \mapsto \bot], \nu(\rho) \cup \{c\}, \emptyset, \emptyset\rangle$.

Definition 33.
The GOS[HOSC] trace semantics of a cr-free HOSC term $\Gamma \vdash M : \tau$ is defined to be
$$\mathrm{Tr}_{\mathrm{GOS}}(\Gamma \vdash M : \tau) = \{\, ((\rho, c), t) \mid \rho \text{ is a } \Gamma\text{-assignment},\ c : \tau,\ t \in \mathrm{Tr}_{\mathrm{GOSC}}(C^{\rho,c}_{M,\mathit{vis},\mathit{bra}}) \,\}.$$

By construction and from the GOSC and HOS sections, it follows that

Lemma 36. $t \in \mathrm{Tr}_{\mathrm{GOS}}(C^{\rho,c}_{M,\mathit{vis},\mathit{bra}})$ iff $t \in \mathrm{Tr}_{\mathrm{HOSC}}(C^{\rho,c}_M)$ and $t$ is O-visible and O-bracketed.

Lemma 37 (Definability). Suppose $\phi \uplus \{\diamond\} \subseteq \mathrm{FNames}$ and $t$ is an even-length P-bracketed and P-visible $(\{\circ_{\tau'}, \diamond\}, \phi \uplus \{c\})$-trace starting with an O-action. There exists a passive configuration $C$ such that the even-length traces $\mathrm{Tr}_{\mathrm{HOSC}}(C)$ are exactly the even-length prefixes of $t$ (along with all renamings that preserve types and $\phi \uplus \{c, \circ_{\tau'}, \diamond\}$). Moreover, $C = \langle \gamma \cdot [c \mapsto K], \{c \mapsto \circ_{\tau'}\}, \phi \uplus \{c, \circ_{\tau'}, \diamond\}, h\rangle$, where $h, K, \gamma$ are built from GOS syntax.

Proof. Follows from the argument for GOSC. We first observe that throw is needed before answer actions to adjust the continuation from $\mathrm{top}_O(o \cdots o_i)$. With P-bracketing there is no need for such adjustments. Consequently, we do not need call/