From Bounded Checking to Verification of Equivalence via Symbolic Up-to Techniques

We present a bounded equivalence verification technique for higher-order programs with local state. This technique combines fully abstract symbolic environmental bisimulations similar to symbolic game semantics, novel up-to techniques, and lightweight state invariant annotations. This yields an equivalence verification technique with no false positives or negatives. The technique is bounded-complete, in that all inequivalences are automatically detected given large enough bounds. Moreover, several hard equivalences are proved automatically or after being annotated with state invariants. We realise the technique in a tool prototype called Hobbit and benchmark it with an extensive set of new and existing examples. Hobbit can prove many classical equivalences including all Meyer and Sieber examples.


Introduction
Contextual equivalence is a relation over program expressions which guarantees that related expressions are interchangeable in any program context. It encompasses verification properties like safety and termination. It has attracted considerable attention from the semantics community (cf. the 2017 Alonzo Church Award), and has found its main applications in the verification of cryptographic protocols [4], compiler correctness [25] and regression verification [10,11,9,17].
In its full generality, contextual equivalence is hard as it requires reasoning about the behaviour of all program contexts, and becomes even more difficult in languages with higher-order features (e.g. callbacks) and local state. Advances in bisimulations [16,28,3], logical relations [1,13,15] and game semantics [18,24,8,20] have offered powerful theoretical techniques for hand-written proofs of contextual equivalence in higher-order languages with state. However, these advancements have yet to be fully integrated in verification tools for contextual equivalence in programming languages, especially in the case of bisimulation techniques. Existing tools [12,23,14] only tackle carefully delineated language fragments.
In this paper we aim to push the frontier further by proposing a bounded model checking technique for contextual equivalence for the entirety of a higher-order language with local state (Sec. 3). This technique, realised in a tool called Hobbit, automatically detects inequivalent program expressions given sufficient bounds, and proves hard equivalences automatically or semi-automatically.
Our technique uses a labelled transition system (LTS) for open expressions in order to express equivalence as a bisimulation. The LTS is symbolic both for higher-order arguments (Sec. 4), similarly to symbolic game models [8,20] and derived proof techniques [3,15], and for first-order ones (Sec. 6), following established techniques (e.g. [6]). This enables the definition of a fully abstract symbolic environmental bisimulation, whose bounded exploration is the task of the Hobbit tool. Full abstraction guarantees that our tool finds all inequivalences given sufficient bounds, and only reports true inequivalences. As corroborated by our experiments, this makes Hobbit a practical inequivalence detector, similar to traditional bounded model checking [2], which has proved an effective bug detection technique in industrial-scale C code [6,7,29].
However, while proficient in bug finding, bounded model checking can rarely prove the absence of errors, which in our setting means proving an equivalence: a bound is usually reached before all (potentially infinite) program runs are explored. Inspired by hand-written equivalence proofs, we address this challenge by proposing two key technologies: new bisimulation up-to techniques, and lightweight user guidance in the form of state invariant annotations. Hence we significantly increase the number of equivalences proven by Hobbit, including for example all classical equivalences due to Meyer and Sieber [21].
Up-to techniques [27] are specific to bisimulation and concern the reduction of the size of bisimulation relations, oftentimes turning infinite transition systems into finite ones by focusing on a core part of the relation. Although extensively studied in the theory of bisimulation, up-to techniques have not been used in practice in an equivalence checker. We specifically propose three novel up-to techniques: up to separation and up to re-entry (Sec. 5), dealing with infinity in the LTS due to the higher-order nature of the language, and up to state invariants (Sec. 7), dealing with infinity due to state updates. Up to separation allows us to reduce the knowledge of the context the examined program expressions are running in, similar to a frame rule in separation logic. Up to re-entry removes the need of exploring unbounded nestings of higher-order function calls under specific conditions. Up to state invariants allows us to abstract parts of the state and make finite the number of explored configurations by introducing state invariant predicates in configurations.
State invariants are common in equivalence proofs of stateful programs, both in hand-written (e.g. [16]) and tool-based proofs. In the latter they are expressed manually in annotations (e.g. [9]) or automatically inferred (e.g. [14]). In Hobbit we follow the manual approach, leaving heuristics for automatic invariant inference for future work. An important feature of our annotations is the ability to express relations between the states of the two compared terms, enabled by the up to state invariants technique. This leads to finite bisimulation transition systems in examples where concrete value semantics are infinite-state.
The above technology, combined with standard up-to techniques, transforms Hobbit from a bounded checker into an equivalence prover able to reason about infinite behaviour in a finite manner in a range of examples, including classical equivalences (e.g. all in [21]) and some that previous work on up-to techniques could not algorithmically decide [3] (cf. Ex. 23). We have benchmarked Hobbit on examples from the literature and newly designed ones (Sec. 8). Due to the undecidable nature of contextual equivalence, up-to techniques are not exhaustive: no set of up-to techniques is guaranteed to finitise all examples. Indeed, there are a number of examples where the bisimulation transition system is still infinite and Hobbit reaches the exploration bound. For instance, Hobbit is not able to prove examples with inner recursion and well-bracketing properties, which we leave to future work. Nevertheless, our approach provides a contextual equivalence tool for a higher-order language with state that can prove many equivalences and inequivalences which previous work could not handle due to syntactic restrictions and other limitations (Sec. 9).

Related work
Our paper marries techniques from environmental bisimulations up-to [16,28,27,3] with the work on fully abstract game models for higher-order languages with state [18,8,20]. The closest to our technique is that of Biernacki et al. [3], which introduces up-to techniques for a symbolic LTS similar to ours, albeit with symbolic values restricted to higher-order types, resulting in infinite LTSs in examples such as Ex. 22, and with inequivalence decided outside the bisimulation by (non-)termination, precluding the use of up-to techniques in examples such as Ex. 23. Close in spirit is the line of research on logical relations [1,13,15], which provides a powerful tool for hand-written proofs of contextual equivalence. Also related are the tools Hector [12] and Coneqct [23], based on game semantics, and SyTeCi [14], based on step-indexed logical relations (cf. Sec. 9).

High-Level Intuitions
Contextual equivalence requires that two program expressions lead to the same observable result in any program context they may be placed in. This quantification is hard to work with, e.g. due to redundancy in program contexts. Alternatively, we can translate programs into a semantic model that is fully abstract, i.e. one that assigns to program expressions the same denotation exactly when these are contextually equivalent. In doing so, contextual equivalence is reduced to semantic equality.
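As a small illustration of the observational power of contexts (our own example, not from the paper, in OCaml-style syntax close to Hobbit's), the following two expressions agree on all pure arguments yet are contextually inequivalent, because a stateful context can count how many times its function argument is called:

```ocaml
(* e1 calls its argument twice; e2 only once *)
let e1 = fun f -> f 1 + f 1
let e2 = fun f -> 2 * f 1

(* a distinguishing context: a function that counts its own calls *)
let calls = ref 0
let f x = incr calls; x

let () =
  assert (e1 f = e2 f);   (* both return 2 ... *)
  assert (!calls = 3)     (* ... but f ran twice in e1 and once in e2 *)
```

A fully abstract model must therefore distinguish e1 and e2 while identifying genuinely interchangeable expressions.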
The semantic model we use is that of Game Semantics [18]. We model programs as formal interactions between two players: a Proponent (corresponding to the program) and an Opponent (standing for any program context). Concretely, these interactions are sets of traces produced from a Labelled Transition System (LTS), the nodes and labels of which are called configurations and moves respectively. The LTS captures the interaction of the program with its environment, which is realised via function applications and returns: moves can be questions (i.e. function applications) or answers (returns), and belong to proponent or opponent. E.g. a program calling an external function will issue a proponent question, while the return of the external function will be an opponent answer.

Fig. 1. Sample LTSs modelling the expressions in Section 2. Note that in these diagrams we include in each configuration only part of their components, for better exposition.
In the examples that follow, moves that correspond to the opponent shall be underlined.
Example 1. Consider the following expression of type (unit → unit) → int.

N = fun f -> f (); 0

Evaluating N leads to a function, call it g, being returned (i.e. g is λf. f (); 0). When g is called with some input f1, it will always return 0, but in the process it may call the external function f1. The call to f1 may immediately return or it may call g again (i.e. reenter), and so on. The LTS for N is as in Fig. 1 (top).
Given two expressions M, N, checking their equivalence will amount to checking bisimulation equivalence of their (generally infinite) LTSs. Our checking routine performs a bounded analysis that aims to either find a finite counterexample and thus prove inequivalence, or build a bisimulation relation that shows the equivalence of the expressions. The former case is easier, as it is relatively rapid to explore a bisimulation graph up to a given depth. The latter is harder, as the target bisimulation can be infinite. To tackle part of this infinity, we use three novel up-to techniques for environmental bisimulation.
Up-to techniques roughly assert that if a core set of configurations in the explored bisimulation graph can be proven to be part of a relation satisfying a definition more permissive than standard bisimulation, then a superset of those configurations forms a proper bisimulation relation. The implication is that a bounded analysis can explore a finite part of the bisimulation graph to verify potentially infinitely many configurations. As there can be no complete set of up-to techniques, the pertinent question is how useful they are in practice. In the remainder of this section we present the first of our up-to techniques, called up to separation, via an example equivalence. The intuition behind this technique comes from Separation Logic and amounts to saying that functions that access separate regions of the state can be explored independently. As a corollary, a function that manipulates only its own local references may be explored independently of itself, i.e. it suffices to call it once.
Example 2. Consider the following pair of expressions, where N is from Ex. 1.
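The pair of expressions is elided above; a plausible reconstruction consistent with the surrounding discussion (M allocates a fresh reference on each call and, like N, always returns 0) is the following OCaml-style sketch:

```ocaml
(* M: the context cannot access x, so !x is still 0 when the call returns *)
let m = fun f -> let x = ref 0 in f (); !x
(* N, from Ex. 1 *)
let n = fun f -> f (); 0
```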
The LTSs corresponding to M and N are shown in Fig. 1 (middle and top). Regarding M, we can see that the opponent is always allowed to reenter the proponent function g, which creates a new reference xn each time. This makes each configuration unique, which prevents us from finding cycles and thus finitising the bisimulation graph. Moreover, the LTSs for both M and N are infinite because of the stack discipline they need to adhere to when O issues reentrant calls. With separation, however, we can prune the two LTSs as in Fig. 1 (bottom). We denote the configurations after the first opponent call as C1. Any opponent call after C1 leads to a configuration which differs from C1 either by a state component that is not accessible anymore and can thus be separated, or by a stack component that can be similarly separated. Hence, the LTSs that we need to consider are finite and thus the expressions are proven equivalent.

Language and Semantics
We develop our technique for the language λimp, a simply typed lambda calculus with local state, whose syntax and reduction semantics are shown in Fig. 2. Expressions (Exp) include the standard lambda expressions with recursive functions (fix f(x).e), together with location creation (ref l = v in e), dereferencing (!l), and assignment (l := e), as well as standard base-type constants (c) and operations (op(e)). Locations are mapped to values, including function values, in a store (St). We write • for the empty store and let fl(χ) denote the set of free locations in χ.
The language λimp is simply typed, with typing judgements of the form ∆; Σ ⊢ e : T, where ∆ is a type environment (omitted when empty), Σ a store typing and T a value type (Type); Σs is the typing of store s. The rules of the type system are standard and omitted here (Appendix A). Values consist of boolean, integer, and unit constants, functions, and arbitrary-length tuples of values. To keep the presentation of our technique simple we do not include reference types as value types, effectively keeping all locations local. Exchange of locations between expressions can be encoded using get and set functions. In Ex. 23 we show the encoding of a classic equivalence with location exchange between expressions and their context. Future extensions of our technique to handle location types can be informed by previous work [18,14].

The reduction semantics is given by small-step transitions between configurations containing a store and an expression, s ; e → s′ ; e′, defined using single-hole evaluation contexts (ECxt) over a base relation ↪. Holes [•]T are annotated with the type T of closed values they accept, which we may omit to lighten notation. Beta substitution of x with v in e is written e[v/x]. We write s ; e ⇓ to denote s ; e →* t ; v for some t, v. We write χ to mean a syntactic sequence, and assume standard syntactic sugar from the lambda calculus. In our examples we assume an ML-like syntax and implementation of the type system, which is also the concrete syntax of Hobbit.
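The get/set encoding of location exchange mentioned above can be sketched as follows (our own illustration in OCaml-style syntax; the names `make_cell`, `get` and `set` are hypothetical). Instead of passing a location to the context, the program passes a pair of functions that read and write it:

```ocaml
(* a location is exchanged as a (get, set) pair of closures over it *)
let make_cell init =
  let l = ref init in
  ((fun () -> !l),      (* get: read the hidden location *)
   (fun v -> l := v))   (* set: write the hidden location *)

let () =
  let (get, set) = make_cell 0 in
  set 42;
  assert (get () = 42)
```

This keeps all locations syntactically local while still letting the context observe and update their contents.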
General contexts D contain multiple, non-uniquely indexed holes [•]i,T, where T is the type of value that can replace the hole. Notation D[Γ] denotes the context D with each hole [•]i,T replaced with Γ(i), provided that i ∈ dom(Γ) and Σ ⊢ Γ(i) : T, for some Σ. We omit hole types where possible, and indices when all holes in D are annotated with the same i. In the latter case we write D[v] instead of D[(i ↦ v)], and allow replacing all holes of D with a closed expression e, written D[e]. We assume the Barendregt convention for locations; thus replacing context holes avoids location capture. The standard definition of contextual equivalence [22] follows.

Definition 3 (Contextual Equivalence).
Expressions ⊢ e1 : T and ⊢ e2 : T are contextually equivalent, written e1 ≡ e2, when for all contexts D such that ⊢ D[e1] : unit and ⊢ D[e2] : unit we have • ; D[e1] ⇓ iff • ; D[e2] ⇓.

LTS with Symbolic Higher-Order Transitions
Our Labelled Transition System (LTS) has symbolic transitions for both higher-order and first-order values. For simplicity we first present our LTS with symbolic higher-order and concrete first-order transitions. We develop our theory and most up-to techniques on this simpler LTS. We then show its extension with symbolic first-order transitions and develop up to state invariants, which relies on this extension. We extend the syntax with abstract function names α. We assume that α's are annotated with the type of function they represent, written αT→T′, and omitted where possible; an(χ) is the set of abstract names in χ.
We define our LTS (shown in Fig. 3) by opponent and proponent call and return transitions, based on Game Semantics [18]. Proponent transitions are the moves of an expression interacting with its context. Opponent transitions are the moves of the context surrounding this expression. These transitions are over proponent and opponent configurations ⟨A ; Γ ; K ; s ; e⟩ and ⟨A ; Γ ; K ; s ; •⟩, respectively. In these configurations:
- A is the set of abstract function names used so far in the interaction;
- Γ is an environment indexing proponent functions known to the opponent;
- K is a stack of proponent continuations, created by nested proponent calls;
- s is the store containing proponent locations;
- e is the expression reduced in proponent configurations; ê denotes e or •.
In addition, we introduce a special configuration ⊥ which is used to represent expressions that cannot perform given transitions (cf. Remark 6). We let a trace be a sequence of app and ret moves (i.e. labels), as defined in Fig. 3.
For the LTS to provide a fully abstract model of the language, it is necessary that functions which are passed as arguments or return values from proponent to opponent be abstracted away, as the actual syntax of functions is not directly observable in λimp. This is achieved by deconstructing such values v into: an ultimate pattern D (cf. [19]), which is a context obtained from v by replacing each function in v with a distinct numbered hole; together with an environment Γ whose domain is the indices of these holes, mapping each index to the function it replaced. We let ulpatt(v) contain all such pairs (D, Γ) for v; e.g. ulpatt((λx.e1, 5)) contains (([•]1, 5), {1 ↦ λx.e1}). Ultimate pattern matching is extended to types through the use of symbolic function names: ulpatt(T) is the largest set of pairs (D, α) such that ⊢ D[α] : T, where α is an environment with indices omitted, and D does not contain functions.
In Fig. 3, proponent application and return transitions (PropApp, PropRet) use ultimate pattern matching for values and accumulate the functions generated by the proponent in the Γ environment of the configuration, leaving only their indices on the label of the transition itself. Opponent application and return transitions (OpApp, OpRet) use ultimate pattern matching for types to generate opponent-generated values, which can only contain abstract functions. This eliminates the need for quantifying over all functions in opponent transitions, but still includes infinite quantification over all base values. Symbolic first-order values in Sec. 6 will obviate the latter.
At opponent application, the following preorder performs a beta reduction when the opponent applies a concrete function. This technicality is needed for soundness.
In our LTS, C ranges over configurations and η over transition labels. If R and R⁻¹ are weak simulations then R is a weak bisimulation. Similarity (≾) and bisimilarity (≈) are the largest weak simulation and bisimulation, respectively.

Remark 6. Any proponent configuration that cannot match a standard bisimulation transition challenge can trivially respond to the challenge by transitioning into ⊥ by the Response rule in Fig. 3. By the same rule, this configuration can trivially perform all transitions except a special termination transition, labelled with ↓. However, regular configurations that have no pending proponent calls (K = •) can perform the special termination transition (Term rule), signalling the end of a complete trace, i.e. a completed computation. This mechanism allows us to encode complete trace equivalence, which coincides with contextual equivalence [18], as bisimulation equivalence. In a bisimulation proof, if a proponent configuration is unable to match a bisimulation transition with a regular transition, it can still transition to ⊥, where it can simulate every transition of the other expression apart from ↓, which leads to a complete trace. Our mechanism for treating unmatched transitions has the benefit of enabling us to use the standard definition of bisimulation over our LTS. This is in contrast to previous work [3,15], where termination/non-termination needed to be proven independently or baked into the simulation conditions. More importantly, our approach allows us to use bisimulation up-to techniques even when one of the related configurations diverges, which is not possible in previous symbolic LTSs [18,15,3].

As a final remark, the LTS presented in this section is finite-state only for a small number of trivial equivalence examples, such as the following one. However, even simple modifications to this example, such as allocation of a fresh location within one of the functions, lead to infinite-state transition systems. The following section addresses multiple sources of infinity in the transition systems through bisimulation up-to techniques.

Up-to Techniques
We start with the definition of a sound up-to technique.
Definition 10 (Weak Bisimulation up to f). R is a weak simulation up to f when, for all C1 R C2, if C1 −η→ C1′ then there exists C2′ such that C2 =η⇒ C2′ and C1′ f(R) C2′. If R and R⁻¹ are weak simulations up to f then R is a weak bisimulation up to f.

Definition 11 (Sound up-to technique). A function f is a sound up-to technique when for any R which is a simulation up to f we have R ⊆ (≾).
Hobbit employs the standard techniques: up to identity, up to garbage collection, up to beta reductions and up to name permutations (see Appendix D).
Here we present two novel up-to techniques: up to separation and up to re-entry.
Up to Separation

Our experience with Hobbit has shown that one of the most effective up-to techniques for finitising bisimulation transition systems is the novel up to separation which we propose here. The intuition of this technique is that if different functions operate on disjoint parts of the store, they can be explored in disjoint parts of the bisimulation transition system. Taken to the extreme, a function that does not contain free locations can be applied only once in a bisimulation test, as two copies of the function will not interfere with each other, even if they allocate new locations after application. To define up to separation we need to define a separating conjunction for configurations.
Definition 12 (Stack Interleaving). Let K1, K2 be lists of evaluation contexts from ECxt (Fig. 2); we define the interleaving operation K1 #k K2 inductively.

Definition 13 (Separating Conjunction). Let C1 = ⟨A1 ; Γ1 ; K1 ; s1 ; ê1⟩ and C2 = ⟨A2 ; Γ2 ; K2 ; s2 ; ê2⟩ be well-formed configurations. The function sep, defined in terms of this separating conjunction, provides the up to separation technique. Its soundness follows by extending [27,26] with a more powerful proof obligation (see Appendix D.1).

Lemma 14. Function sep is a sound up-to technique.
Many example equivalences have a finite transition system when using up to separation in conjunction with the simple techniques of the preceding section.
Example 15. The following is a classic example equivalence from Meyer and Sieber [21]; the expressions are equivalent at type (unit → unit) → unit.
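The expressions themselves are elided above; a hedged OCaml-style reconstruction of one classical Meyer and Sieber equivalence at this type is a function that allocates an unobservable local reference before calling its argument versus one that simply calls it:

```ocaml
(* an unobservable local reference is redundant *)
let m = fun f -> let _x = ref 0 in f ()
let n = fun f -> f ()
```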
After the initial application of the function by the opponent, the proponent calls f, growing the stack K in the two configurations. At that point the opponent can apply the same functions again. The LTS of this example is thus infinite because K can grow indefinitely. It is additionally infinite because the opponent can keep repeating the initial function applications even after these return. However, if we apply the up to separation technique immediately after the first opponent application, the Γ environments become empty, and thus no second application of the same functions can happen. The LTS thus becomes trivially small. Note that no other up-to technique is needed here.
Example 16. This example is due to Bohr and Birkedal [5] and includes a non-synchronised divergence.

Note that _bot_ is a diverging computation. This is a hard example to prove using environmental bisimulation even with up-to techniques, as it requires quantification over contexts within the proof. However, with up to separation, after the opponent applies the two functions the Γ environments are emptied, thus leaving only one application of M and N that needs to be explored by the bisimulation. Applications of the inner function provided as argument to f lead only to a small number of reachable configurations. Hobbit can indeed prove this equivalence.
Up to Proponent Function Re-entry

The higher-order nature of λimp and its LTS allows infinite nesting of opponent and proponent calls. Although up to separation avoids those in a number of examples, here we present a second novel up-to technique, which we call up to proponent function re-entry (or simply, up to re-entry). This technique has connections to the induction hypothesis in the definition of environmental bisimulations in [16]. However, up to re-entry is specifically aimed at avoiding nested calls to proponent functions, and it is designed to work with our symbolic LTS. In combination with other techniques this eliminates the need to consider configurations with unbounded stacks K in many classical equivalences, including those in [21].
Up to re-entry is realised by the function reent in Fig. 4. The intuition of this up-to technique is that if the application of related functions at index i in the Γ environments has no potential to change the local stores (up to garbage collection) or increase the Γ environments, then there are no additional observations to be made by nested calls to the i-functions. Soundness follows similarly to up to separation.
In Hobbit we require the user to flag the functions to be considered for the up to re-entry technique. This annotation is later combined with state invariant annotations, as they are often used together. Below is an example where the state invariant needed is trivial and up to separation together with up to re-entry are sufficient to finitise the LTS and thus prove the equivalence.
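The example's code is elided here; per the description that follows, it is a variant of Ex. 2 with the reference allocated outside the function body (a hedged OCaml-style reconstruction):

```ocaml
(* x persists across calls to g, but the context still cannot write to it *)
let m = let x = ref 0 in fun f -> f (); !x
let n = fun f -> f (); 0
```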
This is like Ex. 2 except that the reference in M is created outside of the function body. The LTS for this is as follows; labels •; !x1 are continuations.
Again, the opponent is allowed to reenter g as before. With up to re-entry, however, the opponent skips nested calls to g, as these do not modify the state.

Symbolic First-Order Transitions

We extend λimp constants (Const) with a countable set of symbolic constants, ranged over by κ. We define symbolic environments σ ::= • | (κ ⌢ e), σ, where ⌢ is either = or ≠, and e is an arithmetic expression over constants, and interpret them as conjunctions of (in-)equalities, with the empty environment interpreted as ⊤.
Definition 18 (Satisfiability). Symbolic environment σ is satisfiable if there exists an assignment δ, mapping the symbolic constants of σ to actual constants, such that δσ is a tautology; we then write δ ⊨ σ.
We extend reduction configurations with a symbolic environment σ, written σ ⊢ s ; e. Symbolic constants are implicitly annotated with their type. We modify the reduction semantics from Fig. 2 to consider symbolic constants; all other reduction rules simply carry the σ. The LTS from Sec. 4 is modified to operate over configurations of the form σ ⊢ C or • ⊢ ⊥. We let C range over both forms of configurations. All LTS rules for proponent transitions simply carry the σ; rule Tau may increase σ due to the inner reduction. Opponent transitions generate fresh symbolic constants instead of actual constants: labels app(i, D[α]) and ret(D[α]) in rules OpApp and OpRet of Fig. 3, respectively, contain D with symbolic instead of concrete constants. We adapt (bi-)simulation as follows.
Definition 19. Binary relation R on symbolic configurations is a weak simulation when for all

Corollary 21 (Soundness, Completeness).
The up-to techniques we have developed in previous sections apply unmodified to the extended LTS, as the techniques do not involve symbolic constants, with the exception of up to beta, which requires adapting the definition of a beta move to consider all possible δ. The introduction of symbolic first-order transitions allows us to prove many interesting first-order examples, such as the equivalence of bubble sort and insertion sort, an example borrowed from Hector [12] (omitted here; see the Hobbit distribution). Below is a simpler example showing the equivalence of two integer swap functions, which Hobbit is able to prove.
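The swap example itself is elided above; a hedged reconstruction of two such functions (one swapping via a temporary, one arithmetically; our own code, assuming the two references are distinct) is:

```ocaml
(* both swap the contents of two distinct integer references *)
let swap1 (x, y) =
  let t = !x in x := !y; y := t

let swap2 (x, y) =
  x := !x + !y;   (* x holds the sum        *)
  y := !x - !y;   (* y gets the old x       *)
  x := !x - !y    (* x gets the old y       *)

let () =
  let a = ref 3 and b = ref 5 in
  swap1 (a, b);
  assert (!a = 5 && !b = 3);
  swap2 (a, b);
  assert (!a = 3 && !b = 5)
```

Symbolic first-order transitions let the tool check such equalities for all integer inputs at once, discharging the arithmetic side conditions to an SMT solver.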

Up to State Invariants
The addition of symbolic constants into λimp and the LTS not only allows us to consider all possible opponent-generated constants simultaneously in a symbolic execution of proponent expressions, but also allows us to define an additional powerful up-to technique: up to state invariants. We define this technique in two parts: up to abstraction and up to tautology, realised by abs and taut. The first function, abs, allows us to derive the equivalence of configurations by abstracting constants with fresh symbolic constants (of the same type) and instead prove equivalent the more abstract configurations. The second function, taut, allows us to introduce tautologies into the symbolic environments. These are predicates which are valid; i.e., they hold for all instantiations of the abstract variables. Combining the two functions we can introduce a tautology I(c) into the symbolic environments, and then abstract the constants c, both in the predicate and in the configurations, with symbolic ones, obtaining I(κ), which encodes an invariant that always holds.
Currently in Hobbit, up to abstraction and tautology are combined and applied in a principled way. Functions can be annotated with the following syntax. The annotation instructs Hobbit to use the two techniques when the opponent applies related functions where at least one of them has such an annotation. If both functions contain annotations, then they are combined and the same κ are used in both annotations. The techniques are used again when the proponent returns from the functions, and when the proponent calls the opponent from within the functions. As discussed in Sec. 5, the same annotation enables up to re-entry in Hobbit.
When Hobbit uses the above two up-to techniques it: 1) pattern-matches the values currently in each location li against the value context Ci with fresh symbolic constants κ in its holes, obtaining a substitution [c/κ]; 2) applies the up to tautology technique to the formula φ[c/κ]; and 3) applies the up to abstraction technique by replacing φ[c/κ] in the symbolic environment with φ, and the contents of locations with the corresponding symbolic values.

  ... if loc_eq (locx, locz) then x := 1 else x := !x + 2 in
  q almostadd_2; if !x mod 2 = 0 then _bot_ else ()

In this example we simulate general references as a pair of read-write functions. Function loc_eq implements a standard location equality test (see Appendix G.3). The two higher-order expressions are equivalent because the opponent can only increase the contents of x through the function almostadd_2. As the number of times the opponent can call this function is unbounded, the LTS is infinite. However, the annotation of function almostadd_2 applies the up to state invariants technique when the function is called (and, less crucially, when it returns), replacing the concrete value of x with a symbolic integer constant w satisfying the invariant w mod 2 == 0. This makes the LTS finite, up to permutations of symbolic constants. Moreover, up to separation removes the outer functions from the Γ environments, thus preventing re-entrant calls to these functions. Note that the up-to techniques are applied even though one of the configurations is diverging (_bot_). This would not be possible with the LTS and bisimulation of [3].

Implementation and Evaluation
We implemented the LTS and up-to techniques for λimp in a tool prototype called Hobbit, which we ran on a test suite of 105 equivalences and 68 inequivalences (3338 and 2263 lines of code for equivalences and inequivalences, respectively).
Hobbit is bounded in the total number of function calls it explores per path.We ran Hobbit with a default bound of 6 calls except where a larger bound was found to prove or disprove equivalence-46 examples required a larger bound, and the largest bound used was 348.To illustrate the impact of up-to techniques, we checked all files (pairs of expressions to be checked for equivalence) in five configurations: default (all up-to techniques on), up to separation off, annotations (up to state invariants and re-entry) off, up to re-entry off, and everything off.The tool stops at the first trace that disproves equivalence, after enumerating all traces up to the bound, or after timing out at 150 seconds.Time taken and exit status (equivalent, inequivalent, inconclusive) were recorded for each file; an overview of the experiment can be seen in the following table .All experiments ran on an Ubuntu 18.04 machine with 32GB RAM, Intel Core i7 1.90GHz CPU, with intermediate calls to Z3 4.8.10 to prune invalid internal symbolic branching and decide symbolic bisimulation conditions.All constraints passed to Z3 are of propositional satisfiability in conjunctive normal form (CNF).We can observe that Hobbit was sound and bounded-complete for our examples; no false reports and all inequivalences were identified.Up-to techniques also had a significant impact on proving equivalence.With all techniques on, it proved 68.6% of our equivalences; a dramatic improvement over 2.9% proven with none on.The most significant technique was up-to separation-necessary for 55.6% of equivalences proven and reducing time taken by 99.99%-which was useful when functions could be independently explored by the context.Following was annotations-necessary for 34.7% of equivalences and decreasing time by 96.9%-and up-to re-entry-20.8% of files and decreased time by 96.8%.Although the latter two required manual annotation, they enabled equivalences where our language was able to capture the proof conditions.Note 
that, since turning off invariant annotations also turns off re-entry, only 10 files needed up-to re-entry on top of invariant annotations. In contrast, inequivalences did not benefit as much. This was expected: even without up-to techniques, Hobbit is still based on bounded model checking, which is theoretically sound and complete for inequivalences. Nonetheless, three files timed out with all techniques turned off, which suggests that the reduction in state space is still relevant when searching for counterexamples.
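The propositional CNF queries delegated to Z3 can be illustrated with a small self-contained sketch. The naive backtracking solver below is a hypothetical stand-in for the actual Z3 interface and only shows the shape of such a satisfiability check, not Hobbit's implementation.

```python
# A minimal sketch of a CNF satisfiability check, of the kind delegated
# to Z3. Clauses are lists of non-zero integers: a positive literal v
# means "variable v is true", a negative literal -v means "false".
# This naive solver is an illustrative stand-in for the real Z3 calls.

def solve_cnf(clauses, assignment=None):
    assignment = dict(assignment or {})
    # Simplify clauses under the current partial assignment.
    pending = []
    for clause in clauses:
        if any(assignment.get(abs(l)) == (l > 0) for l in clause):
            continue  # clause already satisfied
        rest = [l for l in clause if abs(l) not in assignment]
        if not rest:
            return None  # clause falsified: conflict
        pending.append(rest)
    if not pending:
        return assignment  # all clauses satisfied: a model
    # Branch on the first unassigned variable.
    var = abs(pending[0][0])
    for value in (True, False):
        result = solve_cnf(pending, {**assignment, var: value})
        if result is not None:
            return result
    return None

# (x1 or not x2) and (x2 or x3) and (not x1 or not x3)
model = solve_cnf([[1, -2], [2, 3], [-1, -3]])
```

A satisfying assignment such as x1 = x2 = true, x3 = false witnesses satisfiability; an unsatisfiable query like `[[1], [-1]]` returns `None`.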

Comparison with Existing Tools
There are two main classes of tools for contextual equivalence checking. The first one includes semantics-driven tools that tackle higher-order languages with state like ours. In this class belong the game-based tools Hector [12] and Coneqct [23], which can only address carefully crafted fragments of the language, delineated by type restrictions and bounded data types. The most advanced tool in this class is SyTeCi [14], which is based on logical relations and removes a good part of the language restrictions needed in the previous tools. The second class concerns tools that focus on first-order languages, typically variants of C, with main tools including Rêve [9], SymDiff [17] and RVT [11]. These are highly optimised for handling internal loops, a problem orthogonal to handling the interactions between higher-order functions and their environment, which is addressed by Hobbit and related tools. We believe the techniques used in these tools may be useful when adapted to Hobbit, which we leave for future work.
In the higher-order contextual equivalence setting, the most relevant tool to compare with Hobbit is SyTeCi. This is because SyTeCi supersedes previous tools by proving examples with fewer syntactical limitations. We ran the tools on examples from both SyTeCi's and our own benchmarks (7 and 15 equivalences, and 2 and 7 inequivalences from SyTeCi and Hobbit respectively) with a timeout of 150s and using Z3. Unfortunately, due to differences in parsing and SyTeCi's syntactical restrictions, the input languages were not entirely compatible and only a few manually translated programs were chosen. We were unable to translate many of our examples because of restrictions in the input syntax supported by SyTeCi. Some of these restrictions were inessential (e.g. absence of tuples) while others were substantial: the tool does not support programs where references are allocated both inside and outside functions (e.g. Ex. 16), or with non-synchroniseable recursive calls. Moreover, SyTeCi relies on Constrained Horn Clause satisfiability, which is undecidable. In our testing SyTeCi sometimes timed out on examples; in private correspondence with its creator, this was attributed to Z3's ability to solve Constrained Horn Clauses. Finally, SyTeCi was sound for equivalences, but not always for inequivalences, as can be seen in the table above; the reason is unclear and may be due to bugs. On the other hand, SyTeCi was able to solve equivalences we are not able to handle, e.g. synchronisable recursive calls and examples like the well-bracketed state problem:

Conclusion
Our experience with Hobbit suggests that our technique provides a significant contribution to the verification of contextual equivalence. In the higher-order case, Hobbit does not impose language restrictions as present in other tools. Our tool is able to solve several examples that cannot be solved by SyTeCi, which is the most advanced tool in this family. In the first-order case, the problem of contextual equivalence differs significantly, as the interactions that a first-order expression can have with its context are limited; e.g. equivalence analyses do not need to consider callbacks or re-entrant calls. Moreover, the distinction between global and local state is only meaningful in higher-order languages, where a program phrase can invoke different calls of the same function, each with its own state. Therefore, tools for first-order languages focus on what in our setting are internal transitions and the complexities arising from e.g. unbounded datatypes and recursion, whereas we focus on external interactions with the context.
As for limitations, Hobbit does not handle synchronised internal recursion and well-bracketed state, which SyTeCi can often solve. More generally, Hobbit is not optimised for internal recursion as first-order tools are. In this work we have also disallowed reference types in λimp to simplify the technical development; location exchange is encoded via function exchange (cf. Ex. 23). We intend to address these limitations in future work.
This appendix is provided for the benefit of the reviewers, and will not appear in a final version of this paper. We let a trace be a sequence of app and ret moves (i.e. labels), as defined in Fig. 3. A trace is complete if it starts with a fully bracketed segment, followed by a proponent return, and is afterwards again fully bracketed, i.e. it adheres to the grammar:

Proof of Thm. 8. We first note that our LTS is deterministic modulo the selection of fresh locations in tau transitions. Moreover, by Thm. 24, it suffices to show that e_1, e_2 are bisimilar iff they have the same complete traces.
If the two expressions have the same complete traces then each of them can match any challenge posed by the other, so long as such a challenge can lead to a complete trace. If a challenge is doomed not to complete, then it can be matched by a transition to ⊥. Conversely, if e_1, e_2 are bisimilar then any transition sequence yielding a complete trace of e_1 can be simulated by e_2, and vice versa, so the two expressions have the same complete traces.
⊓⊔

Remark 25. Soundness is also proved via the up-to techniques in Appendix E.
Completeness is also proved directly in Appendix F.

C Theory of Enhancements
We develop our up-to techniques using the theory of bisimulation enhancements from [27,26]. Here we summarise the main definitions, starting with the notions of progressions and compatible functions [27]. The main result of this section is a set of proof obligations with which we can prove an up-to technique sound, shown in Lem. 37. We start by defining basic operations on monotone functions.
Definition 26. Consider monotone functions f, g : P(X) → P(X) on some set X. We write f • g for the composition of f and g, and f ⊔ g for the function S ↦ f(S) ⊔ g(S). For any set F of functions, we write ⊔F for the function S ↦ ⊔_{f∈F} f(S). We also write c_X for the constant function with range {X}.

We let f^0 def= id and f^(n+1) def= f • f^n. Moreover, we write f^ω to mean ⊔_{k<ω} f^k. We write f ⊑ g when, for all S ∈ P(X), f(S) ⊆ g(S).
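To make the iterates concrete, the following sketch computes f^ω(S), i.e. the union of all iterates f^k(S), for a monotone f on the powerset of a finite set. The representation (frozensets of integers) and the function names are our own illustration, not part of the development.

```python
# A minimal sketch of iterating a monotone function f : P(X) -> P(X)
# to compute f^omega(S), the union of all iterates f^k(S). On a finite
# powerset this stabilises after finitely many steps.

def f_omega(f, s):
    acc = frozenset(s)
    while True:
        nxt = acc | f(acc)   # accumulate the next iterate
        if nxt == acc:       # pre-fixpoint reached: f(acc) is inside acc
            return acc
        acc = nxt

# Example: f adds the successor of every element below 5.
f = lambda s: frozenset(x + 1 for x in s if x < 5)
closure = f_omega(f, {0})
# closure == frozenset({0, 1, 2, 3, 4, 5})
```

Monotonicity of f guarantees that the accumulated set only grows, so on a finite carrier the loop terminates at the least pre-fixpoint above the seed.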
The theory of enhancements we use here is based on the notion of weak progression. Weak progression is first defined as a monotone function on configuration relations (wp(R)), and then used for a pre-fixpoint predicate on configuration relations (R wp S) and one on monotone functions over said relations (f wp g). The latter functions are meant to encode up-to techniques.
Definition 27 (Progressions).
- R weakly progresses to S, written R wp S, when R ⊆ wp(S).
-For monotone functions f, g we write f wp g when f • wp ⊑ wp • g.
Lemma 28. R is a weak simulation when R wp R. Also, (⊏≈) = gfp(wp). ⊓⊔

The following gives the definition of an up-to technique, what it means to be sound, and the stronger notion of compatibility.
- Bisimulation up-to: R is a weak simulation up to f when R wp f(R).

Lemma 36 (Function Composition Laws). Consider monotone functions f, g, h : P(X) → P(X) and a set S ∈ P(X). We have

We distil this up-to technique to the following three proof obligations, each sufficient for proving the soundness of up-to techniques.
Lemma 37 (POs for Up-To Soundness). Let f be a monotone function and R be a weak simulation; f is wp-sound when one of the following holds: , where F is a set of monotone functions and, for all

Proof.
3. Let g = ⊔_{f_i∈F} g_i. By Lem. 35, it suffices to show f ⊑ t_wp. Because . This is proven by showing that, for all k, We proceed by induction on k. The base case is straightforward: In the inductive case we assume P(k) and prove P(k+1) as follows: (by Lem. 36 and premise on g_i)

(and definition of h)
As we are only interested in weak progression, in the following we drop the wp annotation from progressions, compatibility and companion.
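To see Lemma 28 at work on a finite state space, gfp(wp) can be computed by iterating from the full relation downwards until a fixpoint is reached. The sketch below does this for a toy LTS, with a simple strong one-step progression standing in for wp; the LTS and all names are our own illustration, not the paper's definitions.

```python
# A minimal sketch: compute gfp(wp) by iterating wp from the top element
# (the full relation) until a fixpoint. The toy LTS and the simple
# strong-progression wp used here are illustrative only.

lts = {  # state -> {label: successor}; a tiny deterministic LTS
    "a": {"app": "b"}, "b": {"ret": "a"},
    "c": {"app": "d"}, "d": {},            # d cannot answer ret
}

def wp(rel):
    # A pair (p, q) survives if every move of p is matched by q into rel.
    return frozenset(
        (p, q) for (p, q) in rel
        if all(lab in lts[q] and (lts[p][lab], lts[q][lab]) in rel
               for lab in lts[p]))

def gfp(f, top):
    cur = frozenset(top)
    while True:
        nxt = f(cur)
        if nxt == cur:        # post-fixpoint reached
            return cur
        cur = nxt

states = list(lts)
top = {(p, q) for p in states for q in states}
sim = gfp(wp, top)
# ("a", "c") is not in sim: after matching "app", d cannot match b's "ret".
```

The iteration removes pairs round by round; since wp is monotone and the relation lattice is finite, the descending chain stabilises at the greatest fixpoint, i.e. similarity for this toy progression.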

D Simple Up-To Techniques
We develop our up-to techniques using the theory of bisimulation enhancements from [27,26] (see Appendix C). We start by presenting four straightforward up-to techniques which, although simple, are needed to reduce the configurations considered by bisimulation, achieving finite LTSs in many examples. These techniques are up to permutations, up to beta reductions, up to garbage collection, and up to weakening of knowledge environments. To present these techniques we first need the following definitions.
Definition 38 (Permutations). We consider permutations of store locations π_l, abstract names π_α, and environment indices π_i, respectively. When applying a permutation π_l to a store s, it acts on both the domain and the range of s. When applying a permutation π_i to an environment Γ, it acts only on its domain; the other types of permutations act only on the codomain of Γ.
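The action of a location permutation on a store, on both its domain and its range as in Definition 38, can be sketched as follows; the string encoding of locations and the function name are our own illustrative choice.

```python
# A minimal sketch of applying a location permutation pi_l to a store:
# it renames locations both in the domain (the stored-at locations) and
# in the range (locations occurring in stored values). Locations are
# modelled as strings; other values are left untouched.

def apply_perm_store(pi, store):
    def rename(v):
        return pi.get(v, v)  # rename a location, leave other values alone
    return {pi.get(loc, loc): rename(val) for loc, val in store.items()}

pi = {"l1": "l2", "l2": "l1"}        # swap l1 and l2
store = {"l1": "l2", "l3": 42}       # l1 points to l2; l3 holds 42
permuted = apply_perm_store(pi, store)
# permuted == {"l2": "l1", "l3": 42}
```

By contrast, a permutation of environment indices π_i would rename only the keys of Γ, and name permutations π_α only the values, matching the asymmetry stated in the definition.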
Definition 40 (Garbage Collection). We let (≍) be the largest equivalence relation between well-formed configurations with the axioms:

Lemma 41. Let π_l, π_α, and π_i be permutations on locations, abstract names, and indices, respectively, and

Proof. By nominal sets reasoning (all transition rules are closed under permutations).
then for all finite L_0, A_0, I_0 there exist π_l, π_α, π_i such that

Proof. By induction on the length of the transition from C_1, using Lem. 42.

The monotone functions on relations perm, beta, gc, and weak, as shown in Fig. 5, define the sound enhancement techniques: up to permutations, up to beta reductions, up to garbage collection, and up to weakening, respectively.

Soundness follows by the bisimulation enhancement technique.
Lemma 45.Function perm is a sound up-to technique.
Lemma 46.Function beta is a sound up-to technique.
We need to show that for all C′′ In the former case the proof is trivial. In the latter case, by definition of wp(R), there exists

Lemma 47. Function gc is a sound up-to technique.
Proof. From Lem. 37 (2) and Lem. 45, it suffices to show that gc gc • perm. Let C_1 gc(wp(R)) C_2. By case analysis on this derivation we have two cases: 2 as required.
UpToGC⊥: C_3 R ⊥ and C_1 ≍ C_3 and C_2 = ⊥. We proceed with the same reasoning as in the above case, with the exception that C′_4 = ⊥.
Lemma 48.Function weak is a sound up-to technique.
Proof. Similar to the preceding proof, using Lem. 59.
The up to beta technique is useful in reducing the configurations considered in bisimulation, focusing only on the configurations before the observable transitions of Fig. 3; τ-transitions are all beta transitions and can be considered all at once.
Many simple example equivalences have infinite transition systems without these up-to techniques, even when combined with the more sophisticated up-to techniques in the following sections.A simple example is the following.
Example 49. Consider the equivalent functions

Due to the allocation of l, the LTS of this equivalence is only finite when using the up to gc technique.
We proceed by induction on the derivation of the transition from C_1. If it is produced by rule Response then the proof is trivial, as C_2 can perform the same transition. We thus consider only non-Response transitions from C_1. We proceed by case analysis on the derivation C_1 sep(⊏≈) C_2. There are three cases: UpTo⊕, UpTo⊕⊥L and UpTo⊕⊥R. We only show the proof for the first case; the last two cases are handled in a similar but simpler fashion.
W.l.o.g. we let i = 1 and we have We proceed by cases on the transition ?, PropApp, ?, PropRet, Tau: In all proponent transitions the proof is similar. We show the case PropApp. In this case e_3 = E[α v] and ?, OpApp: We show the case for OpApp. In this case η = app(i, α), and ê_3 = •, and by Lem. 62, ê_4 = •.
Moreover by the simulation we can show that C_4 ?, OpRet: We show the case for OpRet. Here k is either (1, k′) or (2, k′). We consider the former case; the latter is symmetric. In this case K_3 = E, K′_3 and ). Therefore we have: By C_3 ⊏≈ C_4 there are two possibilities: . By Lem. 61 we derive: Tau: In this case we have In the former case the proof is completed by C_2 −τ→ ⊥ and C′_1 sep(⊏≈) ⊥ by rule UpTo⊕⊥L. In the latter case, by Cor. 43, there exists π_l4 such that Term: In this case we have K

E Soundness of (≈)

E.1 Language Lemmas
The following lemmas hold for λimp extended with abstract names.

Proof. By definition of the transition, using Lem. 52.

Proof. By cases on the transition.

Proof. By induction on the derivation of C_1 ≍ C_2 and case analysis on the transition from C_1.

Lemma 59. Let C_1 = A ; Γ ; K ; s ; ê and C_2 = A ; Γ, i ↦ v ; K ; s ; ê be well-formed configurations. Then the following hold: where η′ = app(α, j) or η′ = ret(j), respectively, and j ≠ i.

Proof. By case analysis on the transitions.

Lemma 60. Let C_1 = A ; Γ ; K ; s ; ê and C_1{v/α} be well-formed configurations; then the following hold:

Proof. By case analysis on the transitions.

If there exists a trace
⊓ ⊔
- ? and PropApp: Here we show only the case for the latter rule. We have η = app(α, i) and •. We have the following three cases: In this case configuration C_3 can perform the same transition: In the case where In the other case we derive ) * Otherwise we have: Using Lem. 60 and LTS rule Tau, we can derive the following transitions from C_2: We also have In this case configuration C_3 can perform the transitions: By analysis of the transitions we have Using Lem. 60 and LTS rule Tau, we can derive the following transitions from C_2: We also have And by rule UTFv:
- ? and PropRet: Here we show only the case for the latter rule. We have η = ret(i) and By analysis of the transitions we have Using Lem. 60 and LTS rule Tau, we can derive the following transitions from C_2: •. In this case C_3 can perform the same transition: Thus C_3 can perform the transitions Moreover we derive the transitions: We also derive. By the LTS and C_3 ⊏≈ C′_3 we have: C_4 = A_2 ; Γ_2 ; E_2, K_2 ; s_2 ; e_2 =τ⇒ A_2 ; Γ_2 ; E_2, K_2 ; s′ UTFe2: In this case we have: If the transition from C_1 is produced by rule Response then the proof is trivial, as C_2 can perform the same transition. We thus consider only non-Response transitions from C_1. By case analysis, the derivation C_1 fldv(⊏≈) C_2 can be produced by the UTFv or the UTFd3 rules. We show the former; the proof of the latter is similar but simpler.
- ?, PropApp: Both cases are similar; here we show the latter. We have η = app(α′, j) and α ∈ A_3 (α ≠ α′) and ê_3 and We choose j′ ∉ dom(Γ_3) ⊎ {i} and create the permutation π = (j ↔ j′). We derive In this case we have We have two cases. The first is when C′_4 = ⊥. This case is straightforward using rule UTFd3 and relating the resulting configurations in perm(fldv(⊏≈)). The other case is as follows.
] and E_1 = E_3 κ_1 and u_1 = u_3 κ_1 and κ_1 = {α′/α} and v_3 = α. In this case we have We have two cases. The first is when C′_4 = ⊥. This case is straightforward using rule UTFd3 and relating the resulting configurations in perm(fldv(⊏≈)). The other case is as follows.
In this case we derive: , and derive the transitions: we have two cases. The first is when C_4 weakly matches these transitions and becomes C′_4 = ⊥. This case is proved using rule where g_1 = ∅ and g_2 = g = perm. We have g_i ⊑ t by Lem. 45. We finally establish the needed progressions by Lem.(s) 64 and 65.

E.5 Up to Context
Lemma 67.

F Completeness of (≈)
Let us denote by A and I the countably infinite sets of abstract and index names respectively.In this section we present the proof of the following result.
We start off with a few auxiliary results.
Lemma 71. Let C be a configuration with state s, and r a location such that s(r) = ff and:
- all the assignments of r occurring in C are of the form r := ff
- C contains a subterm (in one of its Γ, K, s, ê) of the form if !r then e_tt else e_ff.

We call a finite partial bijection φ : A ∪ I ⇀ A ∪ I a dualiser if, for all x ∈ dom(φ), x ∈ A ⇐⇒ φ(x) ∉ A. Given stacks K_1, K_2, we define their (left) composition K_1 ⊲ K_2 recursively by: Thus, if well defined, K_1 ⊲ K_2 is an evaluation context.
We write C_1 ⋄ C_2 when C_1 and C_2 have the same contexts. We call a configuration C lost if either C = ⊥ or there is no context (C′, φ) for C such that C′[C]_φ ⇓. Finally, for moves η, η′, we let η ≻_P η′ hold if: η is in one of the forms app(α, i) or ret(i), and η′ is in one of the forms app(α, c) or ret(c), respectively, for some constant c.

Proof. Let us assume C_0 = A_0 ; Γ_0 ; K_0 ; s_0 ; ê_0, C′ = A′ ; Γ′ ; K′ ; s′ ; ê′ and build a configuration C and a dualiser φ′ ⊆ φ. We do a case analysis on η.
If η = app(α, i), let i_α = φ′(α) ∈ dom(Γ′) and α_i = φ′(i) ∈ A′. We have ê′ = e′ and take φ = φ′ \ {(i, α_i)} and C = A′ \ {α_i} ; Γ ; K ; s ; e•[!l/α_i] with s = s′ ⊎ [r → tt, l → tt]. We also let dom(Γ) = dom(Γ′) and, for each j ∈ dom(Γ′), assuming Γ′(j) = λx. If η = app(α, c), let i_α = φ′(α) ∈ dom(Γ′). We have ê′ = e′ and take C = A′ ; Γ ; K ; s ; • with s = s′ ⊎ [r → tt], and φ = φ′. We also let dom(Γ) = dom(Γ′) and, for each j ∈ dom(Γ′), assuming Γ′(j) = λx.

This example is also like the previous two. This time, the reference x is incremented in M and the function checks whether x holds a positive integer. We can see above that each call to g increments the state, which makes it hard to find cycles. We annotate the function with an invariant as follows: The invariant, shown in the curly braces, states that the value in x can be abstracted by any w such that w ≥ 0, so long as x ≥ 0 is also valid. In this example, up to separation removes the outer functions from the Γ environments, thus they are only applied once. However, the inner functions (fun y {} -> f !x y) and (fun y -> f (fix f) y), which are provided as arguments to the opponent function f, cannot be removed from the Γ environments by up to separation because of the access to location x, and are arbitrarily nested in the bisimulation transition system. The up to re-entry technique removes the need for this nesting. The syntax {} serves as the flag to apply this technique to these inner functions. ⊓⊔

G.3 Full Example 23
Example 81. The following is the full example by Meyer and Sieber [21] featuring location passing, adapted to λimp where locations are local.

=⇒ otherwise. Standard weak (bi-)simulation follows.

Definition 5 (Weak Bisimulation). Binary relation R is a weak simulation when for all C_1 R C_2 and C_1 η

Example 9. The following two implementations of conjunction (bool * bool → bool) have a finite transition system according to the rules of Fig. 3.

M = fun xy -> let (x,y) = xy in if x then y else false
N = fun xy -> let (x,y) = xy in x && y
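Since both implementations operate on the finite type bool * bool, their extensional agreement can be checked exhaustively; the following sketch mirrors M and N in Python, with the encoding being our own illustration of why the bounded check terminates here.

```python
# A minimal sketch: for first-order functions over finite types such as
# bool * bool -> bool, contextual equivalence collapses to extensional
# equality, which an exhaustive check decides. m and n mirror M and N
# from Example 9.

def m(xy):
    x, y = xy
    return y if x else False

def n(xy):
    x, y = xy
    return x and y

pairs = [(x, y) for x in (False, True) for y in (False, True)]
agree = all(m(p) == n(p) for p in pairs)
# agree == True: M and N coincide on every input
```

With higher-order or stateful arguments no such finite enumeration exists, which is exactly where the LTS of Fig. 3 and the up-to techniques take over.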
and (fl(C′_1) \ fl(C_1)) ∩ fl(C_2) = ∅.

Proof. By induction on the length of the transition from C_1 and Lem.(s) 54 and 56.

Lemma 58. Any transition C −τ→ C′ is a β-move, provided C′ = ⊥ implies C = ⊥.

Proof. Case analysis on the transition relation gives us two cases: the transition is derived either by the Response or the Tau rule. The former case is trivial because C = C′. The latter is also trivial because unique decomposition (Lem. 50) implies that transitions derived by the Tau rule can only perform that transition and the transition derived by Response. The Tau-transition satisfies the first condition of Definition 39 and the Response-transition satisfies the second condition of the same definition.

4 and C ′ 3 ⊏ ≈ C ′ 4 .
By analysis of the transitions we have two possibilities:
* C′_4 = ⊥, and in this case we have C_2 −η→ ⊥. Moreover:

1 η− → C ′ 1 and suppose that C ′ 1 = 2 η= ⇒ C ′ 2 , 2 ↓= 1 ηi =⇒ C i 1 , 1 ↓=
Then, C ≈ C′, where C′ is obtained from C by replacing the subterm above with e_ff.

Proof. Let us define the relation C ≻_r C′ to hold for each pair of C, C′ as above. The statement then follows by showing that R = {(C, C′) | C ≻*_r C′} is a weak bisimulation up to beta.

Lemma 72. Let C = A ; Γ ; K ; s ; e be a configuration with α ∈ A, s(l) = λz.αz for some location l that has no assignments in C, and:
- C′ be obtained from C by replacing an occurrence of α with λz.αz; or
- C′ be obtained from C by replacing an occurrence of α with !l (other than in s(l) = λz.αz).

Then, C ≈ C′.

Proof. Let us define the relation C ≻_α C′ to hold for each pair of C, C′ as above. The statement then follows by showing that R = {(C, C′) | C ≻*_α C′} is a weak bisimulation up to beta.

Lemma 73. Let C = A ; Γ ; K ; s ; e be a configuration with α ∈ A, s(l) = λz.cz for some constant c and location l that has no assignments in C, and:
- C′ be obtained from C by replacing an occurrence of α with λz.cz; or
- C′ be obtained from C by replacing an occurrence of α with !l (other than in s(l) = λz.cz).

Then, C′ ⊏≈ C.

Proof. Let us define the relation C ≻_c C′ to hold for each pair of C, C′ as above. The statement then follows by showing that R = {(C′, C) | C ≻*_c C′} is a weak simulation up to beta.

Definition 74 (Traces). For any C, we let Traces(C) def= { t | τ, ↓ ∉ t ∧ C =t⇒ −↓→ ⊥ }.

Lemma 75. For any two configurations C_1 and C_2, C_1 ⊏≈ C_2 iff Traces(C_1) ⊆ Traces(C_2).

Proof. For the right-to-left direction, let R be the relation R def= {(C_1, C_2) | Traces(C_1) ⊆ Traces(C_2)}. We claim that R is a simulation. Take C_1 R C_2. Let C ⊥. If η = τ then, since the operational semantics is deterministic and transitions to ⊥ do not contribute traces, Traces(C_1) = Traces(C′_1) and therefore C′_1 R C_2. If η is one of app(α, v), ret(v), for some α, v, then there are two cases:
- If there exists some ηt ∈ Traces(C_1) then equality of traces implies that C for some C′_2 ≠ ⊥. By determinacy of the LTS outside ⊥'s, we have that Traces(C′_1) = Traces(C′_2).
- Otherwise, C_2 −η→ ⊥ and Traces(C′_1) = Traces(⊥) = ∅.

Therefore, in both cases C′_1 R C′_2. Similarly if η is one of app(i, v), ret(v), for some i, v. Finally, let C_1 −η→ ⊥. If η = ↓ then ε ∈ Traces(C_i) and therefore C ⇒ ⊥; if η ≠ ↓ then C_2 −η→ ⊥. In both cases, we conclude by noting that ⊥ R ⊥. Conversely, suppose C_1 ⊏≈ C_2 and let t = η_1 ⋯ η_n ∈ Traces(C_1). Then, there are C_1 = C⁰_1, C¹_1, ..., Cⁿ_1 such that C^(i−1)_1 for each 1 ≤ i ≤ n, and Cⁿ ⇒ ⊥. Since C_1 ⊏≈ C_2, C_2 can simulate these transitions and produce the same trace t.

Corollary 76. For any two doubly closed expressions e_1 and e_2, e_1 ≈ e_2 iff Traces(C_e1) = Traces(C_e2), where C_ei = • ; • ; • ; • ; e_i.

Proof. Directly from the previous lemma.
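Corollary 76 reduces equivalence of doubly closed expressions to equality of trace sets; on a finite LTS a bounded version of this check can be sketched as follows. The toy LTS encoding and the "down" label standing in for the termination move ↓ are our own illustration, not the paper's definitions.

```python
# A minimal sketch of bounded trace enumeration on finite LTSs. States
# map labels to successors; the special label "down" plays the role of
# the termination move and completes a trace.

def bounded_traces(lts, state, bound, prefix=()):
    out = set()
    for label, nxt in lts[state].items():
        if label == "down":
            out.add(prefix)                       # completed trace
        elif len(prefix) < bound:                 # bounded exploration
            out |= bounded_traces(lts, nxt, bound, prefix + (label,))
    return out

lts1 = {"s": {"app": "t"}, "t": {"ret": "s", "down": None}}
lts2 = {"u": {"app": "v"}, "v": {"down": None}}

same = bounded_traces(lts1, "s", 4) == bounded_traces(lts2, "u", 4)
# same == False: lts1 also has e.g. the trace ("app", "ret", "app")
```

This mirrors the bounded-complete flavour of Hobbit's search: a differing trace within the bound is a definite counterexample, while agreement up to the bound is inconclusive in general.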
def= {f :

⊓⊔

This gives rise to a proof technique for proving up-to techniques sound.

Lemma 35. Let f ⊑ t_wp. Then f is wp-sound.

Proof. By showing that f ∪ t_wp wp f ∪ t_wp and using Lem. 31.
1. By Lem. 31.
2. By Lem. 35, it suffices to show f ⊑ t_wp. Because f ⊑ f • (id ⊔ t_wp) ⊑ f • t_wp, it suffices to show f • t_wp wp f • t_wp by unfolding definitions and the premise: [16] The proof is similar in the remaining two cases. ⊓⊔

Lemma 68. e_1 ≡ e_2 iff fix f(x).e_1 ≡ fix f(x).e_2.

Proof. See Theorem 3.2 in [16].

Theorem 69 (Soundness of ≈). e_1 ≈ e_2 implies e_1 ≡ e_2.

Proof. It suffices to show that bisimilarity (≈) is a congruence. By the above lemma, it suffices to show that (≈) is a congruence for values. Let v_1 ≈ v_2 and context D. We have