Algorithmic games for full ground references
 439 Downloads
 1 Citations
Abstract
We present a full classification of decidable and undecidable cases for contextual equivalence in a finitary MLlike language equipped with full ground storage (both integers and reference names can be stored). The simplest undecidable type is \(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}\). At the technical level, our results marry game semantics with automatatheoretic techniques developed to handle infinite alphabets. On the automatatheoretic front, we show decidability of the emptiness problem for register pushdown automata extended with freshsymbol generation.
Keywords
Program equivalence Game semantics Full abstraction Automata over infinite alphabets1 Introduction
Mutable variables in which numerical values can be stored for future access and update are the pillar of imperative programming. The memory in which the values are deposited can be allocated statically, typically to coincide with the lifetime of the defining block, or dynamically, on demand, with the potential to persist forever. In order to support memory management, modern programming languages feature mechanisms such as pointers or references, which allow programmers to access memory via addresses. Languages like C (through int*) or ML (via \(\texttt {\small int}\,\texttt {\small ref}\,\texttt {\small ref}\)) make it possible to store the addresses themselves, which creates the need for storing references to references etc. We refer to this scenario as full ground storage. In this paper we study an MLlike language \(\mathsf {GRef}\) with full ground storage, which permits the creation of references to integers as well as references to integer references, and so on.
We concentrate on contextual equivalence^{1} in that setting. Reasoning about program equivalence has been a central topic in programming language semantics since its inception. This is in no small part due to important applications, such as verification problems (equivalence between a given implementation and a model implementation) and compiler optimization (equivalence between the original program and its transform). Specifically, we attack the problem of automated reasoning about our language in a finitary setting, with finite datatypes and with looping instead of recursion, where decidability questions become interesting and the decidability/undecidability frontier can be identified. In particular, it is possible to quantify the impact of higherorder types on decidability, which goes unnoticed in Turingcomplete frameworks.
The automata we use are especially designed to read moveswithstores in a single computational step. They are equipped with a finite set of registers for storing elements from the infinite alphabet (names). Moreover, in a single transition step, the content of a subset of registers can be pushed onto the stack (along with a symbol from the stack alphabet), to be popped back at a later stage. We use visibly pushdown stacks [3], i.e. the alphabet can be partitioned into letters that consistently trigger the same stack actions (push, pop or noop). Conceptually, the automata extend register pushdown automata [7] with the ability to generate fresh names, as opposed to their existing capability to generate names not currently present in registers. Crucially, we can show that the emptiness problem for the extended machine model remains decidable.
Because the stores used in gamesemantic plays can grow unboundedly, one cannot hope to construct the automata in such a way that they will accept the full game semantics of terms. Instead we construct automata that, without loss of generality, will accept plays in which the domains of stores are bounded in size. Each such restricted play can be taken to represent a set of real plays compatible with the representation. Compatibility means that values of names omitted in environmentmoves (Omoves) can be filled in arbitrarily, but values of names omitted in programmoves (Pmoves) must be the same as in preceding Omoves. That is to say, the omissions leading to bounded representation correspond to copycat behaviour.
Because we work with representations of plays, we cannot simply use offtheshelf procedures for checking program equivalence, as the same plays can be represented in different ways: copycat behaviour can be modelled explicitly or implicitly via the convention. However, taking advantage of the fact that stacks of two visibly pushdown automata over the same partitioning of the alphabet can be synchronized, we show how to devise another automaton that can run automata corresponding to two terms in parallel and detect inconsistencies in the representations of plays. Exploiting decidability of the associated emptiness problem, we can conclude that \(\mathsf {GRef}\) program equivalence in the abovementioned cases is decidable.
This article is the journal version of [25], with full proofs and rearrangement of the material. Also, we relate our work to what has been done after the conference version was published. We start by introducing the language \(\mathsf {GRef}\) in Sect. 2 along with a canonical form result. Then, in Sect. 3 we introduce the game model of \(\mathsf {GRef}\) (we refer the interested reader to [28] for a detailed account of the model, which is in effect a restricted version of game models for larger languages presented in [19, 24]). The first main results are obtained in Sect. 4 and concern undecidability of equivalence in specific fragments of \(\mathsf {GRef}\) via reductions to queue machine problems. Finally, in Sect. 5 we present a decidability procedure for equivalence in the remaining fragment Open image in new window . The argument implements a reduction to checking nonemptiness in a specific kind of automata over infinite alphabets, the decidability of which is proved in Sect. 5.4.
2 \(\mathsf {GRef}\)
Definition 1
Given \({} \vdash {M:\mathsf {unit}}\), we write \(M{\Downarrow }\) if M evaluates to (). We say that the termincontext \({\varGamma } \vdash {M_1:\theta }\) approximates \({\varGamma } \vdash {M_2:\theta }\) (written Open image in new window ) if Open image in new window implies Open image in new window for any context \({C}[]\) such that Open image in new window . Two termsincontext are equivalent if one approximates the other (written Open image in new window ).
Lemma 2
Let Open image in new window be an \(\mathsf {GRef}\)term. There exists a \(\mathsf {GRef}\)term \({\varGamma } \vdash {\mathbb {C}_M:\theta }\) in canonical form, effectively constructible from M, such that \({\varGamma } \vdash {M\cong \mathbb {C}_M}\).
3 Game semantics
Game semantics views computation as a dialogue between the environment (Opponent, O) and the program (Proponent, P). We give an overview of the fully abstract game model of \(\mathsf {GRef}\) [28]. Let \(\mathbb {A}=\biguplus _\gamma \mathbb {A}_{\gamma }\) be a collection of countably infinite sets of reference names, or just names. The model is constructed using mathematical objects (moves, plays, strategies) that will feature names drawn from \(\mathbb {A}\). Although names underpin various elements of our model, their precise nature is irrelevant. Hence, all of our definitions preserve nameinvariance, i.e. our objects are (strong) nominal sets [11, 32]. Note that we do not need the full power of the theory but mainly the basic notion of namepermutation. For an element x belonging to a (nominal) set X, we write \(\nu (x)\) for its namesupport, i.e. the set of names occurring in x. Moreover, for any \(x,y\in X\), we write \(x\sim y\) if x and y are the same up to a permutation of \(\mathbb {A}\). Our model is couched in the HondaYoshida style of modelling callbyvalue computation [13]. Before we define what it means to play our games, let us introduce the auxiliary concept of an arena. Q and A are used to distinguish question and answermoves respectively.
Definition 3

\(m\in I_A\implies \lambda _A(m)=(P,A)\),

\(m\vdash _A m'\wedge \lambda _A^{QA}(m)=A \implies \lambda _A^{QA}(m')=Q\),

and \(m\vdash _A m' \implies \lambda _A^{OP}(m)\not =\lambda _A^{OP}(m')\).
Definition 4
A justified sequence on a prearena A is a sequence of moveswithstore on A such that, apart from the first move, which must be of the form \(\mathrm {i}^\varSigma \) with \(\mathrm {i}\in I_A\), every move \(n^{\varSigma '}\) in s is equipped with a pointer to an earlier move \(m^{\varSigma }\) such that \(m\vdash _A n\).m is then called the justifier of n, which is represented as Open image in new window in drawings.
Definition 5

No adjacent moves belong to the same player (Alternation).

The justifier of each answer is the most recent unanswered question (Bracketing).

For any \(s' m^\varSigma \sqsubseteq s\) with nonempty \(s'\), the justifier of m occurs in \( view (s')\) (Visibility).

For any \(s'm^\varSigma \sqsubseteq s\), \(\mathsf {dom}(\varSigma )=\mathsf {Av}(s'm^\varSigma )\) (Frugality).
Definition 6

If \(so^{\varSigma }p^{\varSigma '}\in \sigma \) then \(s\in \sigma \) (Evenprefix closure).

If \(s\in \sigma \) and \(s\sim t\) then \(t\in \sigma \) (Equivariance).

If \(s_1p_1^{\varSigma _1},s_2p_2^{\varSigma _2}\in \sigma \) and \(s_1\sim s_2\) then \(s_1p_1^{\varSigma _1}\sim s_2p_2^{\varSigma _2}\) (Nominal determinacy).
\(\mathsf {GRef}\)terms \({\varGamma } \vdash {M:\theta }\), where \(\varGamma =\{x_1:\theta _1,\cdots ,x_n:\theta _n\}\), are interpreted by strategies for the prearena \(\llbracket \theta _1 \rrbracket \otimes \cdots \otimes \llbracket \theta _n \rrbracket \rightarrow \llbracket \theta \rrbracket \), which we shall denote by \(\llbracket {\varGamma } \vdash {\theta } \rrbracket \). Given a set of plays X, let us write Open image in new window for the set of complete plays in X, i.e. those in which each occurrence of a question justifies an answer. The interpretation is then fully abstract in the following sense.
Proposition 7
([19, 24, 28]) Let \({\varGamma } \vdash {M_1,M_2:\theta }\) be \(\mathsf {GRef}\)terms. Open image in new window if, and only if, Open image in new window . Hence, \({\varGamma } \vdash {M_1\cong M_2}\) if, and only if, Open image in new window .
We shall rely on the result for proving both undecidability and decidability results, by referring to complete plays generated by terms.
Example 8
Note that in the above example the sizes of stores keep on growing indefinitely. However, the essence of the strategy is already captured by plays of the shape \(q {\star } q_0\, a_0^{(a_0,0)} \cdots q_0\, a_i^{(a_i,0)} q_0\cdots \) under the assumption that, whenever a value is missing from the store of an Omove, it is arbitrary and, for Pmoves, it is the same as in the preceding Omove. Next we spell out how a sequence of moveswithstore, not containing enough information to qualify as a play, can be taken to represent proper plays.
Definition 9
Let \(s=m_1^{\varSigma _1}\cdots m_k^{\varSigma _k}\) be a play over \({\varGamma } \vdash {\theta }\) and \(t=m_1^{\varTheta _1} \cdots m_k^{\varTheta _k}\) be a sequence of moveswithstore. We say that s is an extension of t if \(\varTheta _i\subseteq \varSigma _i\) (\(1\le i\le k\)) and, for any \(1\le i\le \lfloor {k/2}\rfloor \), if \(a\in \mathsf {dom}{(\varSigma _{2i})}{\setminus } \mathsf {dom}{(\varTheta _{2i})}\) then \(\varSigma _{2i}(a)=\varSigma _{2i1}(a)\). We write Open image in new window for the set of all extensions of t.
Because we cannot hope to encode plays with unbounded stores through automata, our decidability results will be based on representations of plays that capture strategies via extensions.
4 Undecidability arguments
We begin with undecidable cases. Our argument will rely on queue machines, which are finitestate devices equipped with a queue.
Definition 10
Let \(\mathcal {A}\) be a finite alphabet. A queue machine over \(\mathcal {A}\) is specified by \(\langle Q, Q_E, Q_D, init , \delta _E, \delta _D \rangle \), where Q is a finite set of states such that \(Q=Q_E\uplus Q_D\), \( init \in Q_E\) is the initial state, \(\delta _E:Q_E \rightarrow Q\times \mathcal {A}\) is the enqueuing function, whereas \(\delta _D: Q_D\times \mathcal {A}\rightarrow Q\) is the dequeuing function.
A queue machine starts at state \( init \) with an empty queue. Whenever it reaches a state \(q\in Q_E\), it will progress to the state \(\pi _1 (\delta _E(q))\) and \(\pi _2 (\delta _E(q))\) will be added to the associated queue, where \(\pi _1, \pi _2\) are the first and second projections respectively. If the machine reaches a state \(q\in Q_D\) and its queue is empty, the machine is said to halt. Otherwise, it moves to the state \(\delta _D (q,x)\), where x is the symbol at the head of the associated queue, which is then removed from the queue. The halting problem for queue machines is well known to be undecidable (e.g. [17]). By encoding computation histories of queue machines as plays generated by \(\mathsf {GRef}\) terms we next show that the equivalence problem for \(\mathsf {GRef}\) terms must be undecidable. Note that this entails undecidability of the associated notion of term approximation.
Theorem 11

\({} \vdash {M_1\cong M_2:\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}}\)

\({f:(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}} \vdash {M_1\cong M_2:\mathsf {unit}}\)

\({f:(((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}} \vdash {M_1\cong M_2:\mathsf {unit}}\)

\({} \vdash {M_1\cong M_2: ((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}}\)
In the following we prove undecidability in each of the cases of Theorem 11.
\({} \vdash {{\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}}}\): We first sketch the argument. The arena used to interpret closed terms of type \(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}\) has the shape given on the right.
We are going to use plays from the arena to represent sequences of queue operations. Enqueuing will be represented by segments of the form \(q_0 \star _0\), whereas \(q_1 \star _1\) will be used to represent dequeuing. Additionally, in the latter case \(q_1\) will be justified by \(\star _0\) belonging to the segment representing the enqueuing of the element that is now being dequeued. For instance, the sequence EEDEDE, in which E, D stand for enqueing and dequeing respectively, will be represented as follows.
Note that all such plays are complete. Given a queue machine \(\mathbb Q\), let us write \(\mathsf {hist}(\mathbb Q)\) for the (prefixclosed) subset of \((E\uplus D)^*\) corresponding to all sequences of queue operations performed by \(\mathbb Q\). Note that \(\mathsf {hist}(\mathbb Q)\) is finite if and only if \(\mathbb Q\) halts. Additionally, define \(\mathsf {hist}^(\mathbb Q)\) to be \(\mathsf {hist}(\mathbb Q)\) from which the longest sequence is removed (if \(\mathsf {hist}(\mathbb Q)\) is infinite and the sequence in question does not exist we set \(\mathsf {hist}^(\mathbb Q)=\mathsf {hist}(\mathbb Q)\)). Note that the sequence corresponds to a terminating run and necessarily ends in D.
Lemma 12
Let \(\mathbb Q\) be a queue machine. There exist \(\mathsf {GRef}\) terms \({} \vdash {M,M^:\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow }{\mathsf {unit}}\) such that Open image in new window , Open image in new window represent \(\mathsf {hist}(\mathbb Q)\), \(\mathsf {hist}^(\mathbb Q)\) respectively.
Proof

If O plays \(q_0\) when \(\mathbb Q\) is not able to enqueue, P will not respond. This is caused by the condition \(! STATE \not \in Q_E\) in \(C_0[]\). However, if \(\mathbb Q\) is in enqueuing mode, local references \( SYM \) and \( PREV \) will be created. \( SYM \) is initialized to the symbol that \(\mathbb Q\) will add to the queue. \( PREV \) contains the name of the reference cell in which the previously enqueued symbol was stored (as soon as the symbol is dequeued, the value stored in that cell will be set to \(*\)).
The “global” reference \( LAST \) (of type \(\mathsf {ref}(\mathsf {ref}\,\mathsf {int})\)) is used to pass the name from one \(q_0 \star _0\) segment to the next. Hence, the current value of \( SYM \) is written to \( LAST \) as soon as the previous value of \( LAST \) got recorded in \( PREV \). The assignment is followed by the value \(\lambda y.C_3[]\), so P will respond with \(\star _0\).
 If O plays \(q_1\) in an enqueuing state, P will not respond due to the \(! STATE \not \in Q_D\) check in \(C_1[]\). Furthermore, P will not reply whenOtherwise (i.e. if O plays \(q_1\) and justifies it with \(\star _0\) from the \(q_0 \star _0\) corresponding to the least recent symbol that has not been dequeued) \( STATE \) will be updated and \( SYM \) will be set to \(*\) to record the access. The strategy corresponding to M will then reply with \(\star _0\) (because of ()). The one associated with \(M^\) will do the same, unless \(\mathbb Q\) is about to halt. This is thanks to the \((! STATE \in Q_D\, \wedge \, !! LAST =*)\) condition, which checks whether \(\mathbb Q\) is about to dequeue (\(! STATE \in Q_D\)) the empty queue (\(!! LAST =*\)).

\(q_1\) is justified by \(\star _0\) from a block corresponding to an element that has already been taken off the queue (\(! SYM =*\));

\(q_1\) is justified by \(\star _0\) from a block corresponding to elements that are still present in the queue, but do not occur at its head (\(!! PREV \ne *\)).

Observe that \(\mathsf {hist}(\mathbb Q)=\mathsf {hist}^(\mathbb Q)\) exactly when \(\mathbb Q\) does not halt. Consequently, the problem of deciding \(\mathsf {hist}(\mathbb Q)=\mathsf {hist}^(\mathbb Q)\) is undecidable. Thus, via Proposition 7, we can conclude that program equivalence is undecidable for closed terms of type \(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}\). The remaining cases are discussed below. \({(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}} \vdash {\mathsf {unit}}\): The arena at hand has the following shape. As before, we use \(q_0 \star _0\) and \(q_1\star _1\) to represent enqueuing and dequeuing respectively. They will be preceded by a single segment \(q q'\). Note that this means that no complete plays will arise until q is answered. We shall arrange for this to happen only when the whole terminating run (if any) has been represented.
Lemma 13
Proof
Reusing \(C[], C_0[], C_1[]\) from the previous case, we take M to be \(C[ f (\lambda x. C_0 [\lambda y. C_1[()]]); test ]\), where \( test \) stands for \(\mathsf {if}\,(! STATE \in Q_D\, \wedge \, !! LAST =*)\,\mathsf {then}\,()\,\mathsf {else}\,\varOmega \). The last condition \((! STATE \in Q_D\, \wedge \, !! LAST =*)\) means that whenever O plays \(\star '\), P will not respond unless \(\mathbb Q\) terminates and the terminating run has been wholly represented in the play. The argument showing that M represents \(\mathbb Q\) is analogous to that for Lemma 12. \(\square \)
Proposition 14
It is undecidable whether a given term \({f:(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}} \vdash {M:\mathsf {unit}}\) is equivalent to ().
\({(((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}} \vdash {\mathsf {unit}}\): The corresponding arena has the shape given on the right. Our representation scheme in this case will start off with \(q q'\), enqueuing will be interpreted by \(q_0 q_1\) and dequeuing by \(q_2\star _2\), where \(q_2\) is justified by \(q_1\) corresponding to the element being dequeued. Note that sequences of this kind are not complete plays, because \(q, q', q_0, q_1\) will remain unanswered. Hence, in the term construction it will not be possible to answer them until a terminating run has been fully simulated. Then O’s \(\star _1\) will trigger P’s \(\star _0\), and \(\star '\) will trigger \(\star \).
Lemma 15
Proof
Take \(M_\mathbb Q\) to be \(C[f(\lambda g. C_0[g(\lambda h. C_1[()] )]; test )]; test \). The \( test \) phrases block P from answering \(\star _1\) or \(\star '\) prematurely. \(\square \)
Proposition 16
\({} \vdash {((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}}\): The corresponding arena has the shape given on the right. Our representation scheme in this case will start off with \(q \star \), enqueuing will be interpreted by \(q_0 q_1\) and dequeuing by \(q_2\star _2\), where \(q_2\) is justified by \(q_1\) corresponding to the element being dequeued. Note that, apart from \(q\star \), sequences of this kind are not complete plays, because \(q_0, q_1\) will remain unanswered. Hence, in the term construction it will not be possible to answer them until a terminating run has been fully simulated. Then O’s \(\star _1\) will trigger P’s \(\star _0\).
Lemma 17
Let \(\mathbb Q\) be a queue machine. Then there exists a term \({} \vdash {M_\mathbb Q}: ((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}\) such that Open image in new window if and only \(\mathbb Q\) does not halt.
Proof
Take \(M_\mathbb Q\) to be \(C[\lambda f^{(\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}}.C_0[f (\lambda g^\mathsf {unit}. C_1[()]); test ]]\). The \( test \) phrases block P from answering \(\star _1\) prematurely. \(\square \)
Proposition 18
The problem of deciding whether a given term \({} \vdash {M}:((\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}\) is equivalent to \(\lambda f^{(\mathsf {unit}\rightarrow \mathsf {unit})\rightarrow \mathsf {unit}}.\varOmega \) is undecidable.
5 Decidability
We now focus on a fragment of \(\mathsf {GRef}\), called Open image in new window , that comprises all types that do not fall under the undecidable cases identified earlier.
Definition 19
Suppose \(\varGamma ={x_1:\theta _1,\cdots ,x_m:\theta _m}\). The termincontext \({\varGamma } \vdash {M:\theta }\) belongs to Open image in new window provided \(\theta _1,\cdots , \theta _m\) can be generated from \(\varTheta _L\) and \(\theta \) is generated from \(\varTheta _R\), where \(\varTheta _L{:}{:}{=} \beta \ \ \varTheta _R\rightarrow \varTheta _L\), \(\varTheta _R{:}{:}{=} \beta \ \ \varTheta _1\rightarrow \beta \) and \(\varTheta _1{:}{:}{=} \beta \ \ \beta \rightarrow \varTheta _1\).
Each type \(\theta \) can be written in the form \(\theta =\theta _n\rightarrow \ldots \rightarrow \theta _1\rightarrow \beta \), for types \(\theta _1,\dots ,\theta _n\) and base type \(\beta \). For brevity, we shall write \(\theta =(\theta _n,\dots ,\theta _1,\beta )\). We call n the arity of \(\theta \) and denote it by \( ar (\theta )\).
Definition 20
Let us fix notation for referring to moves that are available in arenas corresponding to Open image in new window typing judgments: each move can be viewed as a pair \((l,t)\) subject to consistency constraints induced by the subtypes which contribute them, e.g. the label corresponding to a tag related to \(\mathsf {int}\) must be a number from \([0, max ]\).

If \(t=\mathsf {r}_{\downarrow }\) then \(l\in \mathcal {L}_{\theta }\).

If \(t=\mathsf {c}^x_i\) then \(l\in \mathcal {L}_{\theta _i}\).

If \(t=\mathsf {r}^x_i\) then \(l\in \mathcal {L}_{(\theta _{i1},\dots ,\theta _{1},\beta )}\).

If \(t=\mathsf {c}^x_{j,i}\) then \(l\in \mathcal {L}_{\theta _{j,i}}\), where \(\theta _j\equiv \theta _{j,0}\rightarrow \beta \) and \(\theta _{j,0}\equiv (\theta _{j,k},\cdots ,\theta _{j,1},\beta ')\).

If \(t=\mathsf {r}^x_{j,i}\) then \(l\in \mathcal {L}_{\theta _{j,i}}\), where \(\theta _j\equiv (\beta _k,\cdots ,\beta _1,\beta )\rightarrow \beta _{0}\), \(\theta _{j,0}\equiv \beta _{0}\) and \(\theta _{j,i}\equiv (\beta _{i1},\cdots ,\beta _1,\beta )\) for \(i>0\).

If \(t=\mathsf {c}_i\) then \(l\in \mathcal {L}_{\theta _i}\), where \(\theta \equiv \theta _0\rightarrow \beta \) and \(\theta _0\equiv (\theta _n,\cdots ,\theta _1,\beta ')\).

If \(t=\mathsf {r}_i\) then \(l\in \mathcal {L}_{\theta _i}\), where \(\theta \equiv (\beta _n,\cdots ,\beta _1,\beta )\rightarrow \beta _0\), \(\theta _0\equiv \beta _0\) and \(\theta _i\equiv (\beta _{i1},\cdots ,\beta _1,\beta )\) for \(i>0\).
We next introduce a class of automata (over an infinite input alphabet) which will be the target of our translation from canonical forms of Open image in new window .
5.1 A class of automata
Definition 21

\(\mathbb {L}=\mathbb {C}\cup \{\,{\texttt {R}}_{i}\ \ 1\le i\le n\,\}\) is the set of symbolic labels. We use \(\ell \) to range over its elements.

\(\mathsf {Reg}\) is the set of injective partial functions \(\rho :\{1,\cdots ,n\}\rightharpoonup \mathbb {A}\). Its elements are called register assignments and we use \(\rho \) to range over them.

\(\mathsf {Sto}\) is the set of partial functions \(\varSigma {:}\mathbb {A}\rightharpoonup [0, max ]\cup \mathbb {A}\) such that \(\mathsf {dom}{(\varSigma )}\) contains at most n elements and, moreover, if \(\varSigma (a)=v\) then: if \(a\in \mathbb {A}_{\mathsf {int}}\) then \(v\in [0, max ]\); if \(a\in \mathbb {A}_{\mathsf {ref}\, \gamma }\) then \(v\in \mathbb {A}_{\gamma }\cap \mathsf {dom}(\varSigma )\) (i.e. \(\varSigma \) is closed and welltyped). Its elements will be called stores and ranged over by \(\varSigma \).
 \(\mathsf {SSto}\) is the set of partial functions \( S{:}[1,n]\rightharpoonup [0, max ]\cup \{{\texttt {R}}_{1},\cdots ,{\texttt {R}}_{n}\} \) such that \([1,n_{\mathsf {r}}]\subseteq \mathsf {dom}(S)\) and, for each \(i\in \mathsf {dom}(S)\), \(\mathsf {depth}(S,i)\) is welldefined (and finite). The depth and the full value of an index \(i\in \mathsf {dom}(S)\) are given respectively by:The elements of \(\mathsf {SSto}\) will be called symbolic stores and ranged over by S.^{3} The depth restriction ensures that symbolic stores are closed and acyclic.$$\begin{aligned} \mathsf {depth}(S,i) = {\left\{ \begin{array}{ll} 1 \\ 1+\mathsf {depth}(S,j) \end{array}\right. }\quad S^*(i) = {\left\{ \begin{array}{ll} S(i) &{} \text { if }S(i)\in \{0,..., max \} \\ ({\texttt {R}}_{j},S^*(j)) &{}\text { if }S(i)={\texttt {R}}_{j} \end{array}\right. } \end{aligned}$$

\(\mathsf {Sta}=(\mathbb {C}_{\mathsf {stack}}\times \mathsf {Reg})^*\) is the set of stacks. We shall range over stacks by \(\sigma \), and over elements of a stack \(\sigma \) by \((s,\rho )\).

\(\mathsf {Mix}\) is the set of partial injections \(\pi :[n_{\mathsf {r}}{+}1,n]{\rightharpoonup }[n_{\mathsf {r}}{+}1,n]\).^{4} For each \(\pi \), we write \(\overline{\pi }\) for the extension of \(\pi \) on [1, n]: \(\overline{\pi }=\pi \cup \{(i,i)\ \ i\in [1,n_{\mathsf {r}}]\}\).
 \(\mathsf {TL}\) is the set of transition labels, taken from the set:We range over \(\mathsf {TL}\) by \(\nu X.(\ell ,t,\phi )^S\), where \(\phi \) can either be:$$\begin{aligned}&(\mathcal {P}([n_{\mathsf {r}}{+}1,n])\times \mathbb {L}\times \mathbb {T}_{\mathsf {push}}\times \mathbb {C}_{\mathsf {stack}}\times \mathsf {Mix}\times \mathsf {SSto}) \\ \cup&(\mathcal {P}([n_{\mathsf {r}}{+}1,n])\times \mathbb {L}\times \mathbb {T}_{\mathsf {pop}}\times \mathbb {C}_{\mathsf {stack}}\times \mathsf {Mix}\times \mathsf {SSto}) \\ \cup&(\mathcal {P}([n_{\mathsf {r}}{+}1,n])\times \mathbb {L}\times \mathbb {T}_{\mathsf {noop}}\times \mathsf {SSto}) \end{aligned}$$We stipulate that S(j) be defined whenever \(\nu X.(\ell ,t,\phi )^S\in \mathsf {TL}\) and \(j\in X\) or \(\ell ={\texttt {R}}_{j}\). Moreover, we partition \(\mathsf {TL}=\mathsf {TL}_{\mathsf {push}}\uplus \mathsf {TL}_{\mathsf {pop}}\uplus \mathsf {TL}_{\mathsf {noop}}\) depending on the partitioning of tags (e.g. \(\mathsf {TL}_{\mathsf {push}}=\{\nu X.(\ell ,t,\phi )^S\ \ t\in \mathbb {T}_{\mathsf {push}}\}\)).

a push pair \((s,\pi )\), in which case we may also write \(\nu X.(\ell ,t)^S/(s,\pi )\);

a pop pair \((s,\pi )\), in which case we may also write \(\nu X.(\ell ,t)^S,(s,\pi )\);

or a noop (), in which case we may simply write \(\nu X.(\ell ,t)^S\).

We can now define \((n_{\mathsf {r}},n)\)automata, which will be used for representing game semantics. An \((n_{\mathsf {r}},n)\)automaton is equipped with n registers, the first \(n_{\mathsf {r}}\) of which will be readonly, and utilises a pushdown stack where it pushes stack symbols along with full register assignments.
Definition 22

Q is a finite set of states, partitioned into \(Q_{O}\) (Ostates) and \(Q_{P}\) (Pstates);

\(q_0\in Q_{P}\) is the initial state; \(F\subseteq Q_{O}\) is the set of final states;

\(\rho _0\in \mathsf {Reg}\) is the initial register assignment such that \([1,n_{\mathsf {r}}]\subseteq \mathsf {dom}(\rho _0)\);

\(\delta \subseteq (Q_P\times (\mathsf {TL}_{\mathsf {push}}\cup \mathsf {TL}_{\mathsf {noop}})\times Q_O) \cup (Q_O\times (\mathsf {TL}_{\mathsf {pop}}\cup \mathsf {TL}_{\mathsf {noop}})\times Q_P) \cup ( Q_O\times \mathsf {Mix}\times Q_O)\cup (Q_P\times \mathsf {Mix}\times Q_P)\) is the transition relation.
 If \((q_1,\nu X.(\ell ,t,\phi )^S,q_2)\in \delta \), \(\mathcal {A}\) will accept an input \((l,t)^\varSigma \) and move to state \(q_2\) if the following steps are successful.

If \(t\in \mathbb {T}_{\mathsf {pop}}\) and \(\phi =(s,\pi )\), \(\mathcal {A}\) will check whether the stack has the form \(\sigma =(s,\rho ')::\sigma '\) with \(\rho (i)=\rho '(i')\in \mathbb {A}\) iff \(\pi (i)=i'\), for all \(i,i'\), and \(\mathsf {dom}(\rho )\cap \mathsf {dom}(\rho ')=\emptyset \). In such a case \(\mathcal {A}\) will pop from the stack, that is, it will set \(\sigma =\sigma '\) and \(\rho =\rho [(i_1,...,i_m)\mapsto (\rho '(i_1),...,\rho '(n_m))]\), where \(i_1,...,i_m\) is an enlisting of \(\mathsf {dom}(\rho '){\setminus }\mathsf {cod}(\pi )\).
 \(\mathcal {A}\) will update \(\rho \) with fresh names, that is, it will check whether \(\mathsf {dom}(\rho )\cap X=\emptyset \) and, if so, it will set \(\rho =\rho [(i_1,\cdots ,i_m)\mapsto (a_1,\cdots ,a_m)]\), where \(i_1,\cdots ,i_m\) is an enumeration of X and \(a_1,\cdots ,a_m\) are distinct names such that:

if \(q_1\in Q_O\) then \(a_1,\cdots ,a_m\notin \rho ([1,n])\) (locally fresh),

if \(q_1\in Q_P\) then \(a_1,\cdots ,a_m\) have not appeared in the current run of \(\mathcal {A}\) (globally fresh).


\(\mathcal {A}\) will check if \((l,\varSigma )\) corresponds to \((\ell ,S)\) via \(\rho \), that is, whether \(\varSigma =\mathsf {Sto}(\rho ,S)\) and either \(\ell =l\in \mathbb {C}\), or \(\ell ={\texttt {R}}_{i}\) and \(\rho (i)=l\).

If \(t\in \mathbb {T}_{\mathsf {push}}\) and \(\phi =(s,\pi )\), \(\mathcal {A}\) will perform a push of the registers in \(\mathsf {dom}(\pi )\), after rearranging them according to \(\pi \), that is, it will set \(\sigma =(s,\rho \circ \pi )::\sigma \).


If \((q_1,\pi ,q_2)\in \delta \), for \(\pi \in \mathsf {Mix}\), \(\mathcal {A}\) will reorganize the contents of registers in \([n_{\mathsf {r}}{+}1,n]\) according to \(\pi \), that is, set \(\rho =\rho \circ \overline{\pi }\), and move to \(q_2\) without reading any input symbol (\(\epsilon \)transition).
Definition 23
 if \(t\in \mathbb {T}_{\mathsf {pop}}\) and \(\phi =(s,\pi )\) then \(\sigma =(s,\rho _0)::\sigma '\) andotherwise \(\rho _1=\rho \);

for all \(i,i'\), \(\rho (i)=\rho _0(i')\) iff \((i,i')\in \pi \), and \(\mathsf {dom}(\rho _0)\cap \mathsf {dom}(\rho )=\emptyset \),

\(\rho _1=\rho [(i_1,...,i_m)\mapsto (\rho _0(i_1),...,\rho _0(i_m))]\) with \(\{i_1,...,i_m\}=\mathsf {dom}(\rho _0){{\setminus }}\mathsf {cod}(\pi )\);

 if \(X=\{i_1,\cdots ,i_m\}\) then \(\mathsf {dom}(\rho _1)\cap X=\emptyset \), \(H_1=H\cup \{a_1,\cdots ,a_m\}\) and \(\rho '=\rho _1[(i_1,\cdots ,i_m)\mapsto (a_1,\cdots ,a_m)]\) where \(a_1,\cdots ,a_m\) are distinct names and:

if \(q\in Q_{O}\) then \(a_1,\cdots ,a_m\notin \rho _1([1,n])\),

if \(q\in Q_{P}\) then \(a_1,\cdots ,a_m\notin \rho _1([1,n])\cup H\);


if \(\ell \in \mathbb {C}\) then \(l=\ell \) and \(H'=H_1\);

if \(\ell ={\texttt {R}}_{i}\) then \(l=\rho '(i)\) and \(H'=H_1\cup \{l\}\);

if \(t\in \mathbb {T}_{\mathsf {push}}\) and \(\phi =(s,\pi )\) then \(\sigma '=(s,\rho '\circ \pi )::\sigma \).
The set of strings accepted by \(\mathcal {A}\) is defined as below, where \(\epsilon \) is the empty stack.
We say that \(\mathcal {A}\) is deterministic if, for any reachable configuration \(\hat{q}\), any \(x_1, x_2\in \{\epsilon \}\cup (\mathbb {C}\cup \mathbb {A})\times \mathbb {T}\times \mathsf {Sto}\), and any Open image in new window , if \(x_1=x_2\) then \(\hat{q}_1=\hat{q}_2\). The automata specifically used for our constructions follow some stronger disciplines.
Definition 24

for each \(q\in Q_{P}\) there is at most one transition out of q (i.e. \(\delta \upharpoonright \{q\}\le 1\)), and if \((q,\nu X.(\ell ,t,\phi )^S,q')\in \delta \) then \(\delta \upharpoonright \{q'\}\le 1\) and in particular \(q'\) may only have an outgoing transition of the form \((q',\pi ,q'')\) such that \(\forall \pi ',q'''.\ (q'',\pi ',q''')\notin \delta \);

for each \(q\in Q_{O}\) and \((q,\nu X_i.(\ell _i,t,\phi )^{S_i},q_i)\in \delta \), \(i=1,2\), if \(\nu X_1.(\ell _1,S_1)\) and \(\nu X_2.(\ell _2,S_2)\) are equal up to permutation of indices^{5} in \(X_1,X_2\) then \(\nu X_1.(\ell _1,t,\phi )^{S_1} = \nu X_2.(\ell _2,t,\phi )^{S_2}\) and \(q_1=q_2\);

for each \((q,\nu X.(\ell ,t,\phi )^S,q')\in \delta \), X is contained in \(\mathsf {clo}(S,X_{\mathsf {Av}})\) where \(X_{\mathsf {Av}}=(\mathsf {dom}(S){\setminus } X)\cup \{j\ \ \ell ={\texttt {R}}_{j}\}\).
For such an \(\mathcal {A}\), we may write \(q_P\xrightarrow {\nu X.(\ell ,t,\phi )^S;\pi }q_O\) for \(q_P\xrightarrow {\nu X.(\ell ,t,\phi )^S}q_O'\xrightarrow {\pi }q_O\), where \(q_P\in Q_{P}\), \(q_O\in Q_{O}\). The last condition above corresponds to frugality (cf. Definition 5): fresh names must be reachable from names that were already available or appear in the current transition label.
Lemma 25
If \(\mathcal {A}\) is strongly deterministic then it is deterministic.
Proof
The claim is obvious for configurations with Pstates, as well as for (reachable) configurations with Ostates and outgoing transitions of the form \(q\xrightarrow {\pi }q'\), because of the first condition in the previous definition. For configurations with Ostates and transitions of the form \(q\xrightarrow {\nu X.(\ell ,t,\phi )^S}q'\), the second condition above ensures that each label has at most one accepting edge, as long as in each configuration each top stack element can be popped uniquely (i.e. with at most one \(\phi \)). The latter follows from the definition of configuration graphs. \(\square \)
Lemma 26
Given \(\mathcal {A}\) strongly deterministic and \(w_1,w_2\in L(\mathcal {A})\), if \(\mathrm {ext}(w_1)\cap \mathrm {ext}(w_2)\not =\emptyset \) then \(w_1=w_2\).
Proof
WLOG we assume that \(w_1,w_2\) have the same underlying sequence of moves. Let \(w_i'm^{\varSigma _i}\) be the prefix of \(w_i\) of length n (\(i=1,2\)). We show by induction on n that \(\varSigma _1=\varSigma _2\). By IH (if \(n>1\)) or by definition (if \(n=1\)) we have that \(w_1'=w_2'\). Moreover, by the previous lemma, \(w_1',w_2'\) lead to some common configuration \(\hat{q}\) of \(\mathcal {A}\). If n is even then, by the first clause of Definition 24, we have that \(\varSigma _1=\varSigma _2\). If n is odd then by hypothesis we have that \(\varSigma _1,\varSigma _2\) have a common extension and, thus, using the last clause of Definition 24, we obtain \(\varSigma _1=\varSigma _2\). \(\square \)
Definition 27
Let \(\mathcal {A}=\langle \, Q,q_0,\rho _0,\delta ,q_F \,\rangle \) be a strongly deterministic automaton of base type. We define the set of quasifinal states E to be the set of states that reach \(q_F\) in one step. Then E is canonically partitioned as \(E = \biguplus \nolimits _{(X,\ell ,t,S)}E_{\nu X.(\ell ,t)^S}\) where \(E_{\nu X.(\ell ,t)^S}=\{\,q\in Q\ \ (q,\nu X.(\ell ,t,())^S,q_F)\in \delta \,\}\) and \(\mathcal {A}\) is uniquely determined by the structure \(\mathcal {A}^{}=\langle Q,q_0,\rho _0,\delta ,E\rangle \).
5.2 Automata for Open image in new window
Recall we are only going to translate terms in canonical form.
Remark 28
A canonical form of Open image in new window will be translated into a family of automata indexed by \(I_{{\varGamma } \vdash {\theta }}^+\). For each \(\mathrm {i}^{\varSigma _0}_{\rho _0}\in I_{{\varGamma } \vdash {\theta }}^+\), the corresponding automaton will accept exactly the words w such that \(\mathrm {i}^{\varSigma _0} w\) is a representation of a complete play induced by the canonical form. The family will be infinite, but finite when considered up to name permutations.

Open image in new window , where \(x\equiv x_k\) and \(l_k=\rho _0(j)\).

Open image in new window , where \(x\equiv x_k\) and \(l_k=j.\)

Open image in new window where \(x\equiv x_k\), \(y\equiv x_j\) and \(\varSigma '_0=\varSigma _0[l_k\mapsto l_j]\), and the initial transition deletes all names in \(\rho _0\) which break frugality of \(\mathrm {i}^{\varSigma _0'}\), that is, \(\pi (i)=i\) just if \(\rho _0(i)\in \mathsf {clo}(\varSigma _0',\nu (\mathrm {i}))\). Moreover, \(\rho _0'=\rho _0\circ \overline{\pi }\) and \(\varSigma _0''=\varSigma _0'\upharpoonright \mathsf {cod}(\rho _0').\)

Open image in new window where \(x\equiv x_k\) and \(\pi \) transfers \(\varSigma _0(l_k)\), if it is a name, to the register in position \(n_0+1\), and leaves all other names in \(\rho _0\) untouched. Moreover, \(\rho _0'=\rho _0\circ \overline{\pi }\).

Open image in new window where z has arity r and \(\varSigma \) ranges over stores with \(\mathsf {dom}(\varSigma )=\mathsf {clo}(\varSigma ,\nu (\mathrm {i}))\). These are infinitely many, but finitely many up to permutations of fresh names. In the transitions we pick X, S such that there is one transition for each of the (finitely many) equivalence classes. Moreover, \(\rho _0'\) is specified by stipulating \(\mathsf {dom}(\rho _0')=[1,n_0]\cup X\) and \(\varSigma =\mathsf {Sto}(\rho _0',S)\).

Open image in new window with \(r,\varSigma ,S,X,\rho _0'\) as above and j ranging over \([0, max ]\).

Open image in new window where \(r,\varSigma ,S,X,\rho _0'\) are as above, j ranges over elements of \(\mathsf {dom}(S)\) such that \(\mathsf {ref}\, \gamma =\mathsf {ref}^{\mathsf {depth}(S,j)}\, \mathsf {int}\), and \(b\in \mathbb {A}_{\gamma }\) is a fresh name. We let \(\varSigma '\) range over all stores with \(\mathsf {dom}(\varSigma ')=\mathsf {clo}(\varSigma ',\nu (\mathrm {i})\cup \{b\})\). We pick \(X',S'\) such that there is one symbolic transition for each of the intended transitions \((b,\mathsf {r}_r^z)^{\varSigma '}\) and specify \(\rho _0''\) accordingly, making sure that \(\rho _0''(n_0+1)=b\).

Open image in new window where \(r,\varSigma ,S,X,\rho _0'\) are as above and Open image in new window is Open image in new window where we have replaced every tag superscript y with z.

Open image in new window and Open image in new window are defined similarly to the above.

Case of \(\mathsf {let}\,x^{\mathsf {ref}^2\, \gamma }=\mathsf {ref}(y^{\mathsf {ref}\, \gamma })\,\mathsf {in}\,\mathbb {C}\). Here the inductive hypothesis gives us an automaton for \(\varGamma ,x\,{:}\,\mathsf {ref}^2\, \gamma \vdash \mathbb {C}\,{:}\,\theta \). In order to transform the latter into an automaton for our given term, we need to hide the name corresponding to x from the automaton, until the point where the name is eventually revealed in some move (it is also possible that the name remains private indefinitely). This hiding of x effectively has wider repercussions as we need also to hide any name that x exclusively points to, and so on, along with their stored values. It is therefore useful to define a more general hiding construction.

For each \(q_1\xrightarrow {\nu Y.(\ell ,t,\phi )^S}q_2\) in \(\mathcal {A}\) with \(q_1\) a Pstate, add a transition from \(q_1\) in \(\mathcal {A}_X^T\) to \(q_2\) in \(\mathcal {A}_{X'}^{T'}\) with label \(\nu Y'.(\ell ,t,\phi )^{S'}\), where \(X'=(X\cup Y){\setminus } Y'\), \(S'=S{\setminus } X'\), \(T'=S\upharpoonright X'\) and \(Y' = \mathsf {clo}(S,(\mathsf {dom}(S){\setminus } X)\cup \{j\ \ \ell ={\texttt {R}}_{j}\})\).

For each \(q_1\xrightarrow {\pi }q_2\) in \(\mathcal {A}\) add a transition from \(q_1\) in \(\mathcal {A}_X^T\) to \(q_2\) in \(\mathcal {A}_{X'}^{T'}\) with label \(\pi \), where \(X'=\pi ^{1}(X)\) and \(T'=\pi ^{1}(T)\).

The case of \(\mathsf {let}\,x^{\mathsf {ref}\, \mathsf {int}}=\mathsf {ref}(0)\,\mathsf {in}\,\mathbb {C}\) is dealt with similarly to the above.

For \((\mathsf {while}\,(!x)\,\mathsf {do}\,\mathbb {C});\mathbb {C}'\), given the automata Open image in new window and Open image in new window , with appropriate initialisations, we construct a new automaton as follows. Suppose \(x\equiv x_k\) and \(\rho _0(k')=l_k\). If the initial value stored for x is 0 (i.e. if \(\varSigma _0(l_k)=0\)) then we simply return Open image in new window . Otherwise, we need to combine the automata for \(\mathbb {C}\) and \(\mathbb {C}'\) in such a away so that Open image in new window is involved repeatedly (with appropriate initialisation), until it reaches a final state with a final transition with a symbolic store assigning 0 to \(k'\). At this point, the automaton would switch and start simulating Open image in new window . An important point in this construction is that the final transitions of Open image in new window are hidden in the new automaton, as the return values of the while guard are not revealed in the semantics. This hiding implies a potential hiding of names as well: any names created in final transitions of Open image in new window need to be hidden as well. This latter kind of hiding is delegated to the \(\nu \)construction that we described two cases above.

if \(S(k')=0\), from q to the initial state of the \((X',T')\) component of Open image in new window ,

if \(S(k')\ne 0\), from q to the initial state of the \((X',T')\) component of Open image in new window .
 Case of \(\lambda x^{\mathsf {unit}\rightarrow \varTheta _1}.\mathbb {C}\). We define Open image in new window as an automaton which combines states \(q_0,q_1,q_2\) and two modified copies of Open image in new window , for each (of the finitely many relevant) \(\varSigma \), in each of which we have replaced tags \(\mathsf {r}_\downarrow \) by \(\mathsf {r}_0\) and removed all transitions with tags \(\mathsf {c}_i^x,\mathsf {r}_i^x\). We let X, S be derived from \(\varSigma \) and denote the two copies by Open image in new window . Each state q in Open image in new window has copies \(\hat{q},\tilde{q}\) in Open image in new window respectively.

We connect every final state of Open image in new window with \(q_1\) using a transition with label \(\emptyset \) (\(\texttt {done}\)). Similarly for \(\texttt {done}'\).

For each sequence \(q_A\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}^x_i)^{S_A}/(s,\emptyset )\,;\,\pi }q_B\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}^x_i)^{S_B},(s,\emptyset )} q_C\) in Open image in new window we add \(\hat{q}_A\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_i)^{S_A}/(\hat{q}_A,\pi )\,;\,\emptyset } q_2\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}_i)^{S_B},(\hat{q}_A,\emptyset )} \hat{q}_C\) (\(\texttt {push}\), \(\texttt {pop}\)) and \(\tilde{q}_A\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_i)^{S_A}/(\tilde{q}_A,\pi )\,;\,\emptyset }q_2\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}_i)^{S_B},(\tilde{q}_A,\emptyset )}\tilde{q}_C\) (\(\texttt {push}'\), \(\texttt {pop}'\)).

For the case of \(\mathsf {let}\,y=z(\lambda x^{\mathsf {unit}\rightarrow \varTheta _1}.\mathbb {C})\,\mathsf {in}\,\mathbb {C}'\) it is useful to introduce a notion of automaton which operates by interleaving runs from two constituent automata. Since a similar construction will be of use in the next section, we give a general notion of automaton which can combine runs either by matching or by interleaving them. We define these generalised automata and give the construction of the one corresponding to \(\mathsf {let}\,y=z(\lambda x^{\mathsf {unit}\rightarrow \varTheta _1}.\mathbb {C})\,\mathsf {in}\,\mathbb {C}'\). Generalised automata can be reduced to equivalent ones.

\(\delta \subseteq (Q_P\times (\mathsf {TL}_{\mathsf {push}}\cup \mathsf {TL}_{\mathsf {noop}})^\checkmark \times Q_O) \cup (Q_O\times (\mathsf {TL}_{\mathsf {pop}}\cup \mathsf {TL}_{\mathsf {noop}})^\checkmark \times Q_P) \cup ( Q_O\times \mathsf {Mix}^\checkmark \times Q_O)\cup (Q_P\times \mathsf {Mix}^\checkmark \times Q_P)\),

\(\rho _0\in \mathsf {Reg2}\) where \(\mathsf {Reg2}\) contains all \(\rho :[1,n']\rightharpoonup \mathbb {A}\) such that \(\rho \upharpoonright [1,n_1]\) and \(\rho \upharpoonright ([1,n_{\mathsf {r}}]\cup [n_1{+}1,n'])\) are both injective.

for each \(\rho \in \mathsf {Reg2}\) let \(\pi _1(\rho )=\rho \upharpoonright [1,n_1]\) and \(\pi _2(\rho )=\rho \upharpoonright [1,n_{\mathsf {r}}]\cup \{(i,\rho (i^+))\ \ i\in [n_{\mathsf {r}}{+}1,n_2]\}\); moreover, for each \(\rho _1,\rho _2\in \mathsf {Reg}\) let \(\langle \rho _1,\rho _2\rangle =\rho _1\cup \{(i^+,\rho _2(i))\ \ i\in [n_{\mathsf {r}}+1,n_2]\}\);

for each \((s_1,s_2,\rho )::\sigma \in \mathsf {Sta2}\) we set \(\pi _i((s_1,s_2,\rho )::\sigma )=(s_i,\pi _i(\rho ))::\pi _i(\sigma )\), and \(\pi _i(\epsilon )=\epsilon \), for \(i=1,2\); moreover, let \(\langle (s_1,\rho _1)::\sigma _1,(s_2,\rho _2)::\sigma _2\rangle =(s_1,s_2,\langle \rho _1,\rho _2\rangle )::\langle \sigma _1,\sigma _2\rangle \) and \(\langle \epsilon ,\epsilon \rangle =\epsilon \).
 1.
\((l_1,t_1)=(l_2,t_2)\),
 2.
if \(q\in Q_{P}\) then \(\varSigma [\varSigma _1]\cup \varSigma [\varSigma _2]\) is welldefined,^{7}
 3.
if \(q\in Q_{O}\) then \(\varSigma _1\cup \varSigma _2\) is welldefined,
Note in particular that if \(\mathcal {A}\) only contains transitions which include \(\checkmark \) then we can drop the component \(\varSigma \) in configurations and disregard divergence. In fact, any \((n_{\mathsf {r}},n_1)\)automaton can be rendered into an \((n_{\mathsf {r}},n_1,n_2)\)automaton by simply changing each transition \((q,z,q')\) to \((q,z,\checkmark ,q')\). The dual applies to every \((n_{\mathsf {r}},n_2)\)automaton.
We now proceed with the case of \(\mathsf {let}\,y=z(\lambda x^{\mathsf {unit}\rightarrow \varTheta _1}.\mathbb {C})\,\mathsf {in}\,\mathbb {C}'\). The corresponding automaton will first read a move indicating that z is being called (tag \(\mathsf {c}_r^z\)). After that, a detour to \(\lambda x.\mathbb {C}\) will be an option, which O can initiate with a move tagged with \(\mathsf {c}_r^{z,0}\). Modelling the detour is analogous to the interpretation of \(\lambda x.\mathbb {C}\). Once the detour is completed or the possibility is not exercised, O can play a move tagged with \(\mathsf {r}_r^z\) corresponding to the return by z (tagged \(\mathsf {r}_r^z\)). This will trigger a transition to the automaton for \(\mathbb {C}'\), in which we need to modify labels by replacing y with z and to allow for detours to \(\lambda x.\mathbb {C}\) each time \(\mathbb {C}'\) makes a transition on a Pmove corresponding to y. Note that this is consistent with the behaviour of the corresponding strategy, due to the visibility and wellbracketing conditions.

all Ostates q for which there are \(q_A\xrightarrow {\nu X_A.(\ell _A,t_A,\phi _A)^{S_A}\,;\,\pi } q\xrightarrow {\nu X_B.(\ell _B,t_B,\phi _B)^{S_B}}q_B\) in Open image in new window ,
with \(t_A\) having superscript y, are tagged as \(q_{\mathbb {C}'}\);

we replace tag superscripts y with z.

removing all transitions of the form \(q_A\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_i^x,\phi _A)^{S_A};\,\pi \!\!\!}q_B\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}_i^x,\phi _B)^{S_B}\!\!\!\!\!} q_C\);

replacing all tags \(\mathsf {r}_\downarrow \) by \(\mathsf {r}^z_{r,0}\), where r is the arity of z.

We connect every final state of each Open image in new window with \(\hat{q}_{\mathbb {C}'}\) using a transition with label \(\emptyset \) (\(\texttt {done}\)). Similarly for \(\texttt {done}'\).
 For each \(q_{\mathbb {C}'},S\) and each \(q_A\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_i^x)^{S_A}/(s,\emptyset )\,;\,\pi }q_B\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}_i^x)^{S_B},(s,\emptyset )} q_C\) in Open image in new window we add (\(\texttt {push}\), \(\texttt {pop}\))with \({\phi }_A=((q_A,\hat{q}_{\mathbb {C}'},S),\pi )\) and \({\phi }_B=((q_B,\hat{q}_{\mathbb {C}'},S),\emptyset )\). We also add (\(\texttt {push}'\), \(\texttt {pop}'\)) \((q_A,\tilde{q}_{\mathbb {C}'},S)\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_{r,i}^z)^{S_A}/{\phi }_A\,;\,\emptyset } \tilde{q}_{\mathbb {C}'}\xrightarrow {\nu X_B(\ell _B,\mathsf {r}_{r,i}^z)^{S_B},{\phi }_B} (q_C,\tilde{q}_{\mathbb {C}'},S)\) setting \({\phi }_A=((q_A,\tilde{q}_{\mathbb {C}'},S),\pi )\) and \({\phi }_B=((q_B,\tilde{q}_{\mathbb {C}'},S),\emptyset )\).$$\begin{aligned} (q_A,\hat{q}_{\mathbb {C}'},S)\xrightarrow {\nu X_A.(\ell _A,\mathsf {c}_{r,i}^z)^{S_A}/{\phi }_A\,;\,\emptyset } \hat{q}_{\mathbb {C}'}\xrightarrow {\nu X_B.(\ell _B,\mathsf {r}_{r,i}^z)^{S_B},{\phi }_B} (q_C,\hat{q}_{\mathbb {C}'},S) \end{aligned}$$
Observe that the basic cases in our construction yield strongly deterministic automata. Moreover, strong determinacy is preserved in the inductive cases. This is obvious in cases without interaction between different subautomata. Moreover, in the cases of \(\mathsf {let}\,x=\mathsf {ref}(y)\,\mathsf {in}\,\mathbb {C}\) and \((\mathsf {while}\,(!x)\,\mathsf {do}\,\mathbb {C});\mathbb {C}'\), the connections between different components are made from states which end up having unique outgoing transitions. The same holds also for the cases of \(\lambda x.\mathbb {C}\) and \(\mathsf {let}\,y=z(\lambda x.\mathbb {C})\,\mathsf {in}\,\mathbb {C}'\), with the addition that now there are also new pop transitions to be taken into account which, however, operate on fresh stack symbols and therefore do not interfere with the constituent automata. In the latter case, the reduction from the generalised interleaving automaton to the ordinary one preserves strong determinacy.
Recall from Remark 28 that Open image in new window and \(\llbracket \cdots \rrbracket \) merely differ by the absence of initial moves in Open image in new window . Consequently, the constructions outlined above imply the following lemma.
Lemma 29
Let \({\varGamma } \vdash {\mathbb {C}:\theta }\) be a Open image in new window term in canonical form. For each \(j=\mathrm {i}^{\varSigma _0}_{\rho _0}\in I_{{\varGamma } \vdash {\theta }}^+\), there exists a deterministic \((\nu (\mathrm {i}) ,m_j)\)automaton \(\mathcal {A}_j\) of type \(\theta \) with initial register assignment \(\rho _0\) such that Open image in new window , where \(P_{{\varGamma } \vdash {\theta }}^{ \mathrm {i}^{\varSigma _0}}\) is the set of plays over \(\llbracket {\varGamma } \vdash {\theta } \rrbracket \) that start from \(\mathrm {i}^{\varSigma _0}\).
5.3 Reduction of inclusion into emptiness
The aim of this section is to establish the following result.
Lemma 30
Let \({\varGamma } \vdash {\mathbb {C}_1,\mathbb {C}_2:\theta }\) be Open image in new window terms in canonical form. For each \(j=\mathrm {i}^{\varSigma _0}_{\rho _0}\in I_{{\varGamma } \vdash {\theta }}^+\), there exists a deterministic \((\nu (\mathrm {i}) ,n_j)\)automaton \(\mathcal {B}_j\) with initial register assignment \(\rho _0\) such that \({L}(\mathcal {B}_j)=\emptyset \) iff Open image in new window .

If \(q_i\xrightarrow {\pi _i}q_i'\), for \(i=1,2\), then \((q_1,q_2)\xrightarrow {\pi _1,\pi _2}(q_1',q_2')\). Otherwise, if \(q_1\xrightarrow {\pi }q_1'\) then \((q_1,q_2)\xrightarrow {\pi ,\checkmark }(q_1',q_2)\), and if \(q_2\xrightarrow {\pi }q_2'\) then \((q_1,q_2)\xrightarrow {\checkmark ,\pi }(q_1,q_2')\).

If \(q_i\xrightarrow {\nu X_i.(\ell _i,t_i,\phi _i)^{S_i}}q_i'\), \(i=1,2\), then \((q_1,q_2)\xrightarrow {\nu X_1.(\ell _1,t_1,\phi _1)^{S_1},\nu X_2.(\ell _2,t_2,\phi _2)^{S_2}}(q_1',q_2')\).

If \(q_1\xrightarrow {\nu X_1.(\ell _1,t_1,\phi _1)^{S_1}}q_1'\) then \(q_1\xrightarrow {\nu X_1.(\ell _1,t_1,\phi _1)^{S_1},\checkmark }q_1'\).

If \(q_1\xrightarrow {\pi _1}q_1'\) then \(q_1\xrightarrow {\pi _1,\emptyset }q_1'\).
Lemma 31
Proof
Suppose \(w_{\mathcal {A}}\in L(\mathcal {A})\). By construction of \(\mathcal {A}\), the accepting run for \(w_{\mathcal {A}}\) yields an accepting run for \(w_1\) in \(\mathcal {A}_1\) via first projection. By Lemma 29, we have Open image in new window . Consider \(\mathrm {i}^{\varSigma _0} w \in P_{{\varGamma } \vdash {\theta }}^{ \mathrm {i}^{\varSigma _0}}\) that extends \(\mathrm {i}^{\varSigma _0} w_{\mathcal {A}}\). We have \(\mathrm {i}^{\varSigma _0} w \in \mathsf {ext}(\mathrm {i}^{\varSigma _0}w_1)\) and thus Open image in new window . On the other hand, via the second projection of the accepting run for \(w_{\mathcal {A}}\) up to the point of switching to divergence mode, we obtain a run of \(\mathcal {A}_2\) which, however, may only be resumed in \(\mathcal {A}_2\) by a different (up to extension) Pmove than that required by \(w_{\mathcal {A}}\). Hence, \(\mathrm {i}^{\varSigma _0} w\notin \llbracket {\varGamma } \vdash {\mathbb {C}_2:\theta } \rrbracket \). Conversely, let Open image in new window and let \(\mathrm {i}^{\varSigma _0}w'xy\) be its least prefix that appears in \(\llbracket {\varGamma } \vdash {\mathbb {C}_1:\theta } \rrbracket {\setminus }\llbracket {\varGamma } \vdash {\mathbb {C}_2:\theta } \rrbracket \). By construction, our automata are closed under legal O to Ptransitions, so \(\mathcal {A}_2\) must accept (a representation of) \(\mathrm {i}^{\varSigma _0}w'x\) and fail to process y. On the other hand, \(\mathcal {A}_1\) will be able to process a whole representation of \(\mathrm {i}^{\varSigma _0}w\). Thus, \(\mathcal {A}\) will operate as product automaton until \(\mathrm {i}^{\varSigma _0}w'x\) and then enter divergence mode and continue as \(\mathcal {A}_1\). Consequently, \(\mathcal {A}\) will accept some \(\mathrm {i}^{\varSigma _0}\tilde{w}\) such that \(\mathrm {i}^{\varSigma _0} w\in \mathsf {ext}(\mathrm {i}^{\varSigma _0}\tilde{w})\), i.e. \(L(\mathcal {A})\ne \emptyset \). \(\square \)
Determinacy extends to generalised automata in the obvious way: an automaton is deterministic if its configuration graph is. The notion of strong determinacy extends the following manner. By construction, the automaton \(\mathcal {A}\) above is strongly deterministic.
Definition 32

for each \(q\in Q_{P}\) there is at most one transition out of q (i.e. \(\delta \upharpoonright \{q\}\le 1\)), and if \((q,z_1,z_2,q')\in \delta \) with either of \(z_1,z_2\) of the form \(\nu X.(\ell ,t,\phi )^S\) then \(\delta \upharpoonright \{q'\}\le 1\) and in particular \(q'\) may only have an outgoing transition \((q',z_1',z_2',q'')\) such that \(z_i'\in \mathsf {Mix}\) iff \(z_i\not =\checkmark \) and, for all \((q'',z_1'',z_2'',q''')\in \delta \), \(z_1'',z_2''\notin \mathsf {Mix}\);
 for each \(q\in Q_{O}\) and \((q,z_{i1},z_{i2},q_i)\in \delta \) with \(z_{i1},z_{i2}\not \in \mathsf {Mix}\), \(i=1,2\),

if \(z_{11}\sim _\alpha z_{21}\) and \(z_{12}\sim _\alpha z_{22}\) then \(z_{11}=z_{21}\), \(z_{12}=z_{22}\) and \(q_1=q_2\);^{8}

if \(z_{11},z_{12}\not =\checkmark \) then \(z_{21},z_{22}\not =\checkmark \);

of \(z_{11}=\checkmark \not =z_{12}\) and \(z_{21}\not =\checkmark =z_{22}\) then \(z_{12}\) and \(z_{21}\) contain different tags;


for each \((q,z_1,z_2,q')\in \delta \), if either of \(z_1,z_2\) is of the form \(\nu X.(\ell ,t,\phi )^S\) then X is contained in \(\mathsf {clo}(S,X_{\mathsf {Av}})\) where \(X_{\mathsf {Av}}=(\mathsf {dom}(S){\setminus } X)\cup \{j\ \ \ell ={\texttt {R}}_{j}\}\).
Lemma 33
If \(\mathcal {A}\) is strongly deterministic then it is deterministic.
Proof
Again, cases with P to Otransitions and transitions with rearrangements are taken care of by the first condition above. The case of O to Ptransition in one component follows from the second condition as in Lemma 25, using the first and last subcases of the second condition above. Finally, if such transitions happen in both components and induce, say, \(\hat{q}\xrightarrow {(l,t)^{\varSigma }}\hat{q}_i\), \(i=1,2\), where \(\hat{q}\) has state q, let these be combination of transitions with labels \((l,t)^{\varSigma _{11}}\) and \((l,t)^{\varSigma _{12}}\), and of \((l,t)^{\varSigma _{21}}\) and \((l,t)^{\varSigma _{22}}\) respectively (here the second index specifies the component). We have \(\varSigma =\varSigma _{11}\cup \varSigma _{12}=\varSigma _{21}\cup \varSigma _{22}\). Consider the associated \(\nu X_{ij}.(\ell ,t,\phi _{ij})^{S_{ij}}\), for \(i,j=1,2\), and in particular the ordinary transitions \((q,\nu X_{i1}.(\ell ,t,\phi _{i1})^{S_{i1}},q_1)\). Since they are both accepting from \(\hat{q}\), it must be that \(\phi _{11}=\phi _{21}\). Moreover, as \(\varSigma _{11}\) and \(\varSigma _{21}\) agree on their common names, \(S_{11}\) and \(S_{21}\) may only disagree on \(X_{11},X_{21}\). But, by frugality, the latter are reachable from the indices of available registers and therefore \(S_{11}=S_{21}\), modulo permutation of fresh indices. Thus, \(\nu X_{11}.(\ell ,t,\phi _{11})^{S_{11}}\sim _\alpha \nu X_{21}.(\ell ,t,\phi _{21})^{S_{21}}\) and, similarly, \(\nu X_{12}.(\ell ,t,\phi _{12})^{S_{12}}\sim _\alpha \nu X_{22}.(\ell ,t,\phi _{22})^{S_{22}}\). By strong determinacy we get \(q_1=q_2\) and thus \(\hat{q}_1=\hat{q}_2\). \(\square \)
The operation of a generalised automaton can be faithfully simulated by a corresponding ordinary automaton. More precisely, we can show that from a given generalised automaton \(\mathcal {A}\) we can effectively construct a bisimilar ordinary one.

if \(\hat{q}_1\in \hat{Q}_{1F}\) then \(\hat{q}_2\in \hat{Q}_{2F}\),

if \(\hat{q}_1\xrightarrow {l}_{G_1}\hat{q}_1'\), some \(l\in \{\epsilon \}\cup (\mathcal {L}\times \mathbb {T}\times \mathsf {Sto})\), then \(\hat{q}_2\xrightarrow {l}_{G_2}\hat{q}_2'\) for some \(\hat{q}_1'\mathcal {R}\hat{q}_2'\).
In particular, we say that \(\mathcal {A}\) and \(\mathcal {A}'\) are bisimilar, written \(\mathcal {A}\sim \mathcal {A}'\), if their configuration graphs are bisimilar.
Lemma 34
Let \(\mathcal {A}\) be a \((n_{\mathsf {r}},n_1,n_2)\)automaton and set \(n'=n_1+n_2n_{\mathsf {r}}\). We can effectively construct a \((n_{\mathsf {r}},n')\)automaton \(\mathcal {A}'\) such that \(\mathcal {A}\sim \mathcal {A}'\). Moreover, if \(\mathcal {A}\) is strongly deterministic then so is \(\mathcal {A}'\).
The construction of \(\mathcal {A}'\) is presented in Appendix B. Combining Lemmata 31 and 34, and using the fact that bisimilarity implies language equivalence, we obtain the following.
Lemma 35
Let \({\varGamma } \vdash {\mathbb {C}_1,\mathbb {C}_2:\theta }\) be Open image in new window terms in canonical form. For each \(j=\mathrm {i}^{\varSigma _0}_{\rho _0}\in I_{{\varGamma } \vdash {\theta }}^+\), there exists a deterministic \((\nu (\mathrm {i}) ,n_j)\)automaton \(\mathcal {A}_j'\) with initial register assignment \(\rho _0\) such that \({L}(\mathcal {A}_j')=\emptyset \) if and only if Open image in new window .
Lemma 30 then follows as a corollary.
5.4 Emptiness for fresh pushdown register automata
Returning to Lemma 30, note that, although \(I_{{\varGamma } \vdash {\theta }}^+\) is an infinite set, there exists a finite subset \(J\subseteq I_{{\varGamma } \vdash {\theta }}^+\) such that \(\{\mathcal {A}_j\}_{j\in J}\) already captures Open image in new window , because up to namepermutation there are only finitely many initial moves. Consequently, we only need finitely many of them to check whether Open image in new window . By Lemma 30, to achieve this we need to be able to decide the emptiness problem for \((n_{\mathsf {r}},n)\)automata.

PDRA can only process one name in a computational step, while \((n_{\mathsf {r}},n)\)automata read a label, a tag and a store in a single step. This can easily be overcome by decomposing transitions of our automata into a bounded number of steps (the existence of the bound follows from the fact that symbolic stores in our transition function are bounded).

All registers in PDRA must be full, while \((n_{\mathsf {r}},n)\)automata admit empty registers. This difference can be compensated by populating registers with dummy names, while storing information about which register is deemed to be empty in the finite state.

\((n_{\mathsf {r}},n)\) allow for rearrangements of registers in a single \(\epsilon \)step. Again this can be decomposed into a sequence of \(\epsilon \)transitions of an PDRA by using the stack.

\((n_{\mathsf {r}},n)\) have the ability to create globally fresh names (guaranteed not to have been encountered in the whole computational run), while PDRA can only create locally fresh names (through the socalled reassignment), which are guaranteed not to occur in the present register assignment. This discrepancy cannot be dealt with easily and we provide a separate argument why the emptiness problems for the extension of PDRA with (globally) freshname generation remains decidable.
Definition 36

Q is a finite set of states;

\(q^{ in }\in Q\) is the initial state;

\(u:\{1,\cdots ,r\}\rightarrow \varSigma \) is an injection, called the initial assignment;

\(\rho : Q\rightarrow \{1,\cdots , r\}\) is a partial function called the reassignment;
 \(\mu \) is the transition relation, which is a mapping fromto finite subsets of \(Q\times (\mathcal {T}\times \{1,\cdots ,r\})^*\);$$\begin{aligned} Q\times ((\mathcal {T}\times \{1,\cdots ,r\}) \cup \{\epsilon \})\times (\mathcal {T}\times \{1,\cdots ,r\}) \end{aligned}$$

\(F\subseteq Q\) is the set of final states.
A configuration is a triple (q, R, S) such that \(q\in Q\), \(R:\{1,\cdots ,r\}\rightarrow \varSigma \) is injective and \(S \in (\mathcal {T}\times \varSigma )^*\). The last component represents the stack content (the leftmost symbol stands for the top of the stack). A configuration is initial if \(q=q^{ in }\), \(R=u\) and \(S=[(\bot ,u(r))]\). A configuration is final if \(q\in F\). A generalised run of \(\mathcal {A}\) is a sequence \(C_0\mathop {\rightarrow }\limits ^{x_1} \ldots \mathop {\rightarrow }\limits ^{x_k} C_{k}\) such that each \(C_j =(q_i,R_i,S_i)\) (\(0\le j\le k\)) is a configuration, \(q_0=q^{ in }\), \(S_0=[(\bot ,R_0(r))]\), each \(x_j \in \{\epsilon \}\cup (\mathcal {T}\times \varSigma )\) (\(1\le j\le k\)), and each \(C_{j}\) (\(0<j\le k\)) is obtained from \(C_{j1}\) and \(x_{j}\) according to \(\mu \). Note that in generalised runs \(R_0\) is left unspecified. This will make working with them slightly simpler, because they will be closed under bijective renamings. A run is simply a generalised run such that \(C_0\) is initial. In an accepting run we also have \(q_k\in F\).
We shall say that two generalised runs are related if they are of the same length and the corresponding steps rely on the same elements of \(\mu \). Consequently, related generalised runs differ only in the names they involve (respective states and tags must be the same). We will be interested in characterizing generalised runs that are related to each other. Below we introduce several definitions that will make this possible.

the occurrence of \(R_0(i)\) in \(R_0\) is timestamped with i for each \(1\le i\le r\), the occurrence of \(R_0(r)\) in \(S_0\) is timestamped with r;

if a name is generated in step \(1\le j\le k\) through reassignment, its occurrence in \(R_j\) gets timestamp \(r+j\), otherwise occurrences of names in registers inherit timestamps from preceding configurations;

a name that was just pushed on the stack inherits the timestamp it had in the register before being pushed, the timestamps of other names on the stack are inherited from preceding configurations.
Let us write \(\mathbb {T}\subseteq \{1,\cdots , r+k\}\) for the set of all timestamps used to mark occurrences of names of \(\mathcal {R}\).
Remark 37
Note that, due to the stack discipline, whenever the same names are present on the stack in a configuration of a run, the associated sequence of timestaps, from top to bottom, must be nonincreasing. Additionally, if the same name occurs in a register, its timestamp will not be smaller than the timestamps of occurrences of the same name on the stack.
We can replace all occurrences of names in \(\mathcal {R}\) with their timestamps to obtain what we shall call a symbolic run: \(C_0^ sym \mathop {\rightarrow }\limits ^{x_1^{ sym }}\cdots \mathop {\rightarrow }\limits ^{x_k^ sym } C_k^{ sym }\). Recall that states and tags will remain the same as in \(\mathcal {R}\). Observe the following fact.
Lemma 38
Two generalised runs are related if and only if the corresponding symbolic runs are the same.

First, the initial register assignment must be injective: \(\alpha (i)\ne \alpha (j)\) for \(1\le i<j\le r\).

The second set of constraints comes from reassignment steps, where it must be ensured that the reassigned name is different from those currently present in registers: if \(\rho (q_i)\) (\(0\le i < k\)) is defined then we require that \(\alpha (t_{R_{i+1}(\rho (q_i))})\ne \alpha (t_{R_i (j)})\) for any \(1\le j\le r\).

The third set of constraints is induced by popping during transitions: the name on top of the stack must match the content of a suitable register, as specified by \(\mu \): if the passage from \(q_i\) to \(q_{i+1}\) (\(0\le i <k\)) relies on an element of \(\mu (q_i, (t_1,i_1), (t_2,i_2))\) or \(\mu (q_i, \epsilon , (t_2,i_2))\) then \(\alpha (t_{ top (S_i)}) = \alpha (t_{R_{i+1}(i_2)})\).
Lemma 39
Generalised runs related to \(\mathcal {R}\) are in 1–1 correspondence with \(\alpha {:}\mathbb {T}\rightarrow \varSigma \) satisfying the above constraints.
Below we single out a special family of such maps. Intuitively, we shall focus on generalised runs in which as many names as possible are used.
Let us define \(=_\mathcal {R}\) to be the smallest equivalence relation such that if ‘\(\alpha (i)=\alpha (j)\)’ belongs to the third set of constraints we have \(i=_\mathcal {R}j\). \(\alpha ': \mathbb {T}\rightarrow \varSigma \) will be called distinctive if, for all \(i,j\in \mathbb {T}\), we have \(\alpha '(i)=\alpha '(j)\) if and only if \(i=_\mathcal {R}j\).
Remark 40
Note that every distinctive \(\alpha '\) satisfies the first two kinds of constraints and, hence, gives rise to a generalised run. By definition distinctive maps \(\alpha '\) exist and are determined uniquely up to namepermutation. In particular, there exists a distinctive \(\alpha '\) that is compatible with the initial register assignment in \(\mathcal {R}\).
The following property of distinctive maps will play a role in a future argument.
Lemma 41
Let \(\alpha '\) be distinctive, \(i\in \mathbb {T}\) and \(k_i=\min \,\{j\,\, i=_\mathcal {R}j\}\). Then for all \(j < k_i\) we have \(\alpha '(j)\ne \alpha '(k_i)=\alpha '(i)\). In other words, \(\alpha '(k_i)\) is fresh.
Proof
Take \(j<k_i\). By definition of \(k_i\), it is not the case that \(i =_\mathcal {R}j\). Because \(\alpha '\) is distinctive, we must have \(\alpha '(j)\ne \alpha '(k_i)\). On the other hand, \(k_i=_\mathcal {R}i\), so by distinctiveness \(\alpha '(k_i)=\alpha '(i)\). \(\square \)
Definition 42
A fresh PDRA (FPDRA) \(\mathcal {A}\) over \((\varSigma ,\mathcal {T})\) is defined in the same way as a PDRA except that the (partial) reassignment function has the form \(\rho :Q\rightarrow \{1,\cdots ,r\}\times \{L,G\}\). Whenever \(\pi _2(\rho (q))= L\) (locally fresh), \(\mathcal {A}\) must generate a name that is currently not present in registers. If \(\pi _2(\rho (q))=G\) (globally fresh) then the name must in addition not have occurred before in the present run (in particular, it will not occur on the stack).
We shall show that the emptiness problem for FPDRA is decidable by referring to the analogous result for PDRA [7]. Let \(\mathcal {A}=\langle \, Q,q^ in ,u,\rho ,\mu ,F \,\rangle \) be a FPDRA over \((\varSigma ,\mathcal {T})\). Next we are going to define an PDRA \(\mathcal {A}'=\langle \, Q',q^{ in '},u', \rho ',\mu ', F' \,\rangle \) such that there exists an accepting run of \(\mathcal {A}\) iff there exists one for \(\mathcal {A}'\).

A flagged register signifies the fact that in \(\mathcal {A}\) the generated name would be different from any name currently occurring on the stack.

A flagged name on the stack means that in \(\mathcal {A}\) all names underneath it would be different.

Whenever a locally fresh name is generated instead of a globally fresh name, the corresponding register will remain flagged as long as its content is not pushed on the stack.

When a sequence of names is pushed on the stack, for each name that comes from a flagged register, we flag the rightmost (deepest) of its occurrences in the sequence. The registers in question become untagged.

A name can be popped only if it occurs in an unflagged register. If the name is flagged on the stack, we then add a flag to the register. Note that we do not allow \(\mathcal {A}'\) to follow \(\mathcal {A}\), if this would entail popping a symbol that occurs in a flagged register.
Lemma 43
\(\mathcal {A}\) has an accepting run if and only if \(\mathcal {A}'\) has one.
Proof
Suppose there exists an accepting run of \(\mathcal {A}\). The same run is then accepting for \(\mathcal {A}'\). This is because whenever a register is flagged in \(\mathcal {A}'\), it will indeed contain a name not present on the stack, and if a name is flagged on the stack the name will not occur below. Consequently, whenever a step of \(\mathcal {A}\) depends on matching a name on top of the stack with a register, the corresponding register in \(\mathcal {A}'\) will not be flagged. Thus, every step of \(\mathcal {A}\) can be simulated by \(\mathcal {A}'\).
Suppose we have an accepting run \(\mathcal {R}\) of \(\mathcal {A}'\). As \(\mathcal {A}'\)transitions are transitions of \(\mathcal {A}\) enriched with some information, it suffices to show that the locally fresh names generated instead of globally fresh names are globally fresh. This need not be the case for \(\mathcal {R}\), but will show how to rename \(\mathcal {R}\) so that another \(\mathcal {A}'\)run emerges, which does enjoy the property.

Unless the name is pushed immediately on the stack, it will stay flagged in registers for a number of steps. Thus no pops will rely on it. Hence no constraints using \(\alpha (t)\) will be generated.

After the name is pushed on the stack, its deepest occurrence in the push sequence will be flagged. The register will be unflagged but, as long as the flagged occurrence remains on the stack, all equational constraints that rely on the same name will involve timestamps greater than or equal to t (see Remark 37).

When the flagged occurrence with timestap t is eventually popped (if at all), there must be a register containing the same name, but this occurrence will bear a timestamp \(t'\) such that \(t'\ge t\) and will become flagged. From then on the reasoning can be repeated for \(t'\) and, since \(t'\ge t\), we can conclude that future constraints affecting \([t']_{=_\mathcal {R}}=[t]_{=_\mathcal {R}}\) will not involve timestamps smaller than \(t'\).
The above result reduces the emptiness problem for FPDRA to the analogous problem for PDRA. As the latter is decidable [7], we obtain the following.
Lemma 44
The emptiness problem for FPDRA is decidable.
Finally, summing up, we obtain the desired decidability result.
Theorem 45
Program approximation (and thus program equivalence) is decidable for Open image in new window terms.
Proof
Let \({\varGamma } \vdash {M_1,M_2:\theta }\) be Open image in new window terms. By Lemma 2, they can be converted into canonical forms \({\varGamma } \vdash {\mathbb {C}_{M_1}, \mathbb {C}_{M_2}:\theta }\) such that Open image in new window if and only if Open image in new window . By Lemma 30 and our observations at the beginning of Sect. 5.4, the problem of determining whether Open image in new window holds can be reduced to the emptiness problem for a finite number of FPDRA, all effectively constructible from \(\mathbb {C}_{M_1}, \mathbb {C}_{M_2}\). Because FPDRA emptiness is decidable by Lemma 44, program approximation is decidable for Open image in new window . \(\square \)
6 Related and further work
In this paper we achieved a full characterisation of decidability of program equivalence in \(\mathsf {GRef}\), a higherorder language with full ground storage. Moreover, for the decidable fragment that we identified, we devised a decidability procedure which builds on automatabased representations of terms.
The investigations into models and reasoning principles for storage have a long history. In this quest, storage of names was regarded by researchers as an indispensable intermediate step towards capturing realistic languages with dynamicallocated storage, such as ML or Java. Relational methods and environmental bisimulations for reasoning about program equivalence in settings similar to ours were studied in [2, 5, 9, 16, 30, 31], albeit without decidability results. More foundational work included labelled transition system semantics [15] and game semantics [19, 24]. In both cases, it turned out that the addition of name storage simplified reasoning, be it bisimulationbased or gamesemantic. In the former case, bisimulation was even unsound without full ground storage. In the latter case, the game model of integer storage [22] turned out more intricate (complicated store abstractions) than that for full ground or general storage [19, 24].
As for decidability results, we studied finitary Reduced ML (integer storage only) in [23], yet only judgements of the form \({\cdots , \beta \rightarrow \beta ,\cdots } \vdash {\beta }\) were tackled due to intricacies related to store abstractions (in absence of full ground storage, names cannot be remembered by programs). A closely related language, called RML [1] (integer storage but with bad references) was studied in [8, 14, 27], but no full classification has emerged yet. Interestingly, closed terms of firstorder type become decidable in this setting [8], in contrast to \(\mathsf {unit}\rightarrow \mathsf {unit}\rightarrow \mathsf {unit}\) for \(\mathsf {GRef}\). Finally, the approach presented herein was pursued for Interface Middleweight Java [21] and implemented in the equivalence checker Conneqct [20]. We note that, in presence of higherorder references and boolean storage, even termination is undecidable [26].
Apart from the semantics and programming languages community, program equivalence has been extensively examined in the context of regression verification [4, 6, 10, 12, 18]. There, the focus is put on sound methods for proving that newer versions of the same code fragment do not introduce new behaviours, outside the code specification. In terminology used in this paper, the property that is being verified is program approximation. Regression verification is based on strong abstraction techniques which are sound for approximation, and is typically applied to ground languages and code (i.e. no higherorder functions). In the future, we would like to expand the use of game models for checking equivalence to larger language fragments, where equivalence in undecidable. In doing so, we would abandon decidability and restrict ourselves to sound verification routines, using similar abstraction techniques.
Footnotes
 1.
Two program phrases are regarded as contextually equivalent, or simply equivalent, if they can be used interchangeably in any context without affecting the observable outcome.
 2.
A model is fully abstract if it captures contextual equivalence denotationally, i.e. equivalence can be confirmed/disproved by reference to the interpretations of terms.
 3.
Symbolic stores represent stores by use of indices instead of actual names. For example, \(S(i)={\texttt {R}}_{j}\) means that in S the ith name stores the jth name.
 4.
Explicitly, for all \(i\not =j\), if \(\pi (i),\pi (j)\) are both defined then \(\pi (i)\not =\pi (j)\).
 5.
Here, in fact, we refer to the alphaequivalence relation induced by the \(\nu \) binder: for example, \(\nu \{1,2\}.({\texttt {R}}_{1},\{(1,{\texttt {R}}_{2}),(2,0),(3,1)\}) \sim _\alpha \nu \{5,6\}.({\texttt {R}}_{6},\{(3,1),(5,0),(6,{\texttt {R}}_{5})\})\).
 6.
In fact, Open image in new window is an \((n_0+1,n)\)automaton, but we render it into an \((n_0,n)\) one by changing each \(q_1\xrightarrow {\pi }q_2\) to \(q_1\xrightarrow {\pi [n_0{+}1\mapsto n_0{+}1]}q_2\).
 7.
i.e. We stipulate that \(\varSigma _1,\varSigma _2\) agree on common names, while values of private names remain unchanged. This stems from the fact that we do not compare plays but, rather, representations thereof.
 8.
Here we use the alphaequivalence relation under the \(\nu \) binder mentioned in Definition 24.
 9.
Cases of the form \((\cdots );\mathbb {C}\) are covered by the \(\mathsf {let}\,\cdots \,\mathsf {in}\,\mathbb {C}\) clause.
 10.
Note here that rearrangements \(\pi _1\) and \(\pi _2\) kept intact except for the case when a name which is supposed to be shared from the two parts of the current assignment is deleted in the part that actually contains it but is retained in the other one. In such a case, the name is not deleted but copied to the other part of the assignment (this is what \(\pi \) achieves).
 11.
Here we match all freshly created names and store them in the first component of the assignment. Moreover, we match labels and symbolic stores (on related indices) according to the new \(R'\). For private indices we stipulate that values remain unchanged (this corresponds to \(\varSigma [\varSigma _2]\cup \varSigma [\varSigma _2]\) being consistent in the definition of generalised automata).
 12.
i.e. if two registers in the stack are related (by \(R_{\mathsf {p}}\)) and each is related to a register in the machine registers (by \(\pi _1,\pi _2\)) then the latter must also be related (by R); and viceversa. This condition ensures that we can correctly compute the span \(R_{\mathsf {p}}\) pertaining to the register assignment after popping.
 13.
Here we take into account the fact that, when popping, new matchings may occur between private registers in the ith component of private machine registers and the \(\bar{i}\)th component of the stack registers (cf. \(\pi _{B1}\) and \(\pi _{B2}\)).
 14.
Since \(X_1\) and \(X_2\) are filled with componentwise locally fresh names, we allow for new matchings between private registers in the ith component and indices in \(X_{\bar{i}}\) (cf. \(R_{C1}\) and \(R_{C2}\)). Intuitively, when the ith component creates a locally fresh name, it may very well be that the created name is in fact one of the private names of the \(\bar{i}\)th component.
 15.
Note here that, although the pop happens in the first component, it may be the case that the stack top contains a non\(\checkmark \) symbol in its second component (e.g. in the product construction this can happen because the automaton is allowed to move to divergence mode while the stack is nonempty), in which case we need to range over all possible such symbols.
 16.
As in the previous case, new matchings may occur in this step because of a locally fresh name created in an index from \(X_1\) being matched with a private name of the second component of the current assignment. Similar matchings may also occur above when popping.
Notes
Acknowledgements
Partially supported by the Royal Academy of Engineering (RF 10216/111) and the EPSRC (EP/P004172/1).
References
 1.Abramsky S, McCusker G (1997) Callbyvalue games. In: Proceedings of CSL (Lecture notes in computer science), vol 1414. Springer, pp 1–17Google Scholar
 2.Ahmed A, Dreyer D, Rossberg A (2009) Statedependent representation independence. In: Proceedings of POPL. ACM, pp 340–353Google Scholar
 3.Alur R, Madhusudan P (2004) Visibly pushdown languages. In: Proceedings of STOC’04, pp 202–211Google Scholar
 4.Barthe G, Crespo JM, Kunz C (2011) Relational verification using product programs. In: International symposium on formal methods. Springer, pp 200–214Google Scholar
 5.Benton N, Leperchey B (2005) Relational reasoning in a nominal semantics for storage. In: Proceedings of TLCA (Lecture notes in computer science), vol 3461. Springer, pp 86–101Google Scholar
 6.Chaki S, Gurfinkel A, Strichman O (2012) Regression verification for multithreaded programs. In: Proceedings of VMCAI. Springer, pp 119–135Google Scholar
 7.Cheng EYC, Kaminski M (1998) Contextfree languages over infinite alphabets. Acta Inf. 35(3):245–267MathSciNetCrossRefzbMATHGoogle Scholar
 8.CottonBarratt C, Hopkins D, Murawski AS, Ong CHL (2015) Fragments of ML decidable by nested data class memory automata. In: Proceedings of FOSSACS’15. Springer, pp 249–263Google Scholar
 9.Dreyer D, Neis G, Birkedal L (2010) The impact of higherorder state and control effects on local relational reasoning. In: Proceedings of ICFP. ACM, pp 143–156Google Scholar
 10.Fedyukovich G, Sery O, Sharygina N (2013) evolcheck: incremental upgrade checker for c. In: Proceedings of TACAS. Springer, pp 292–307Google Scholar
 11.Gabbay MJ, Pitts AM (2002) A new approach to abstract syntax with variable binding. Formal Asp Comput 13:341–363CrossRefzbMATHGoogle Scholar
 12.Godlin B, Strichman O (2009) Regression verification. In: Proceedings of the 46th annual design automation conference (DAC). ACM, pp 466–471Google Scholar
 13.Honda K, Yoshida N (1999) Gametheoretic analysis of callbyvalue computation. Theor Comput Sci 221(1–2):393–456MathSciNetCrossRefzbMATHGoogle Scholar
 14.Hopkins D, Murawski AS, Ong CHL (2011) A fragment of ML decidable by visibly pushdown automata. In: Proceedings of ICALP. Springer, pp 149–161Google Scholar
 15.Jeffrey A, Rathke J (1999) Towards a theory of bisimulation for local names. In: Proceedings of LICS, pp 56–66Google Scholar
 16.Koutavas V, Wand M (2006) Small bisimulations for reasoning about higherorder imperative programs. In: Proceedings of POPL. ACM, pp 141–152Google Scholar
 17.Kozen D (1997) Automata and computability. Springer, BerlinCrossRefzbMATHGoogle Scholar
 18.Lahiri SK, Hawblitzel C, Kawaguchi M, Rebêlo H (2012) Symdiff: a languageagnostic semantic diff tool for imperative programs. In: Proceedings of CAV. Springer, pp 712–717Google Scholar
 19.Laird J (2008) A game semantics of names and pointers. Ann Pure Appl Log 151:151–169MathSciNetCrossRefzbMATHGoogle Scholar
 20.Murawski AS, Ramsay SJ, Tzevelekos N (2015) A contextual equivalence checker for IMJ*. In: Proceedings of ATVA (LNCS). Springer, pp 234–240. Tool available at: http://bitbucket.org/sjr/coneqct/wiki/Home
 21.Murawski AS, Ramsay SJ, Tzevelekos N (2015) Game semantic analysis of equivalence in IMJ. In: Proceedings of ATVA (LNCS). Springer, pp 411–428Google Scholar
 22.Murawski AS, Tzevelekos N (2009) Full abstraction for Reduced ML. In: Proceedings of FOSSACS (Lecture notes in computer science), vol 5504. Springer, pp 32–47Google Scholar
 23.Murawski AS, Tzevelekos N (2011) Algorithmic nominal game semantics. In: Proceedings of ESOP (Lecture notes in computer science), vol 6602. Springer, pp 419–438Google Scholar
 24.Murawski AS, Tzevelekos N (2011) Game semantics for good general references. In: Proceedings of LICS. IEEE computer society press, pp 75–84Google Scholar
 25.Murawski AS, Tzevelekos N (2012) Algorithmic games for full ground references. In: Proceedings of ICALP (Lecture notes in computer science), vol 7392. Springer, pp 312–324Google Scholar
 26.Murawski AS, Tzevelekos N (2013) Deconstructing general references via game semantics. In: Proceedings of FOSSACS (Lecture notes in computer science), vol 7794. Springer, pp 241–256Google Scholar
 27.Murawski AS (2005) Functions with local state: regularity and undecidability. Theor Comput Sci 338(1/3):315–349MathSciNetCrossRefzbMATHGoogle Scholar
 28.Murawski AS, Tzevelekos N (2016) Nominal game semantics. Found Trends Progr Lang 2(4):191–269CrossRefzbMATHGoogle Scholar
 29.Pitts AM, Stark IDB (1998) Operational reasoning for functions with local state. In: Gordon AD, Pitts AM (eds) Higherorder operational techniques in semantics. CUP, Cambridge, pp 227–273Google Scholar
 30.Reddy US, Yang H (2004) Correctness of data representations involving heap data structures. Sci Comput Program 50(1–3):129–160MathSciNetCrossRefzbMATHGoogle Scholar
 31.Sangiorgi D, Kobayashi N, Sumii E (2011) Environmental bisimulations for higherorder languages. ACM Trans Program Lang Syst 33(1):5CrossRefGoogle Scholar
 32.Tzevelekos N (2009) Full abstraction for nominal general references. LMCS 5(3):1–69MathSciNetzbMATHGoogle Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.