Deciding contextual equivalence of ν -calculus with effectful contexts (full version)

. We prove decidability for contextual equivalence of the 𝜆𝜇𝜈 - calculus, that is the simply-typed call-by-value 𝜆𝜇 -calculus equipped with booleans and fresh name creation, with contexts taken in 𝜆𝜇 ref , that is 𝜆𝜇𝜈 -calculus extended with higher-order references. The proof exploits a labelled transition system capturing the interactions between 𝜆𝜇𝜈 programs and 𝜆𝜇 ref contexts. The induced bisimulation equivalence is characterized as equality of certain trees, inspired by the work of Lassen. Since these trees are computable and ﬁnite, decidability follows. Bisimulation coincides also with trace equivalence, which in turn coincides with contextual equivalence.


Introduction
Dynamic allocation is central to many of programming constructions.Many languages provide built-in support for dynamically-allocated resources, for example, objects in Java or references in ML.The creation of these resources is local, meaning that they can be accessed only within their scope.They can also be passed around via function applications, meaning that their scope is not static but evolves dynamically.While building semantics for such languages, one represents dynamic allocation as the creation of fresh locations, that can be seen as atoms or names.
In this paper, we study a paradigmatic language with dynamic allocation, namely the -calculus, a simply-typed call-by-value -calculus with fresh atom creation and equality test of atoms, as introduced by Pitts and Stark in [27].For instance, the -calculus program new in .(= ) allocates a new atom , receives an atom and returns the result of the comparison between and .
A central question while studying this language is to determine when two programs can be considered to be equivalent.The most studied approach to express behavioral equivalence between programs is contextual equivalence.Intuitively, two programs are deemed equivalent if and only if whenever they are run as part of an enclosing program called the context, it is not possible to distinguish one from the other.For instance, because the context has no way to guess the atom , we expect the program above to be equivalent to .false.
Reasoning on contextual equivalence for the -calculus has shown to be challenging, due to the interplay between the higher-order control flow and the scope extrusion of atoms.A variety of frameworks has been introduced to do so, based on logical relations [27], environmental bisimulations [6], and game semantics [1].
However, the question of whether this equivalence is decidable remains open since the introduction of this language 30 years ago.
In this paper, we address this question by working in an asymmetric setting, giving contexts more discriminating power than just the mere creation of atoms.Indeed, contextual equivalence depends on two languages: the language for programs, and the language for contexts interacting with these programs.We take contexts in the ref -calculus, an extension of the -calculus with both higherorder references and continuations.In this setting, atoms are simply references where only the unit value can be stored.Contextual equivalence is then coarser than for the symmetric setting when the contexts are also taken in the -calculus.For example, one of the standard examples of equivalence of the literature, is not an equivalence anymore, since a ref context can provide a function that stores its argument in a reference and use it to discriminate these programs.
The main result we establish in this paper is the decidability of contextual equivalence for terms of -calculus with contexts in the ref -calculus.More generally, we establish this result for terms of the -calculus, which corresponds to terms of the ref -calculus that only uses references storing the unit value.
To establish this result, we provide a Böhm-like tree representation [7,4] for the terms of the -calculus.Being in call-by-value, equality of such trees coincides with Lassen's eager normal form bisimulations [17].Moreover, since programs in the -calculus are terminating, these trees, which we call Lassen trees, are finite.It is thus straightforward to check their equality.Then, we prove that Lassen trees equality is fully-abstract, that is it coincides with contextual equivalence with contexts in the ref -calculus.
Proving this full-abstraction result is done through the introduction of an operational game semantics (OGS) for ref by defining an Labelled Transition System (LTS) that distinguishes between internal operations, Proponent moves (originating in the program) and Opponent moves (originating in the context).Trace equivalence based on these labelled transitions is shown to coincide with the contextual equivalence of ref .
The OGS also gives rise to a notion of bipartite bisimulation, describing a game between Proponent (the program in ref ) and Opponent (a context in ref ).Proponent reduces the program until it reaches a normal form, that triggers an interaction with the context.Along the game, knowledge is accumulated in configurations.When it is Opponent's turn to play, it chooses between answering a previous function call from Proponent, or generating a new function call, to which Proponent shall answer.Among this knowledge, we accumulate the atoms that have been disclosed by the two players, so that Opponent cannot use an atom private to Proponent.
The OGS LTS generates infinite trees since Opponent can interrogate an arbitrary number of times each value provided by Proponent.The Lassen trees used to decide contextual equivalence are generated using a linearized variant of the OGS LTS, called the Prime Operational Game Semantics (POGS) LTS.This LTS enforces that Opponent interrogates only once each value provided by Proponent.For this linearization to be sound, one has to guess the disclosed status of atoms as soon as they are created.Indeed, looking at the following example of inequivalence new in . .

new in
Opponent must be able to interrogate at least twice each of these two programs to discriminate them.The first program would then return the same atom at each call, while the second program would return two different atoms.The Lassen tree of the first program would declare to be disclosed when giving back the control to Opponent by providing the -abstraction, but this could not be matched by the second program, since would not exist yet at that point of the interaction.
The main technical challenge at this point is to prove that this forecasting of the disclosure process is sound and complete.This is done by proving that the bipartite bisimilarities defined over the OGS LTS and the POGS LTS coincide.One direction is proven by lifting POGS bisimulations into OGS bisimulation via an up-to technique.The other direction is done by introducing a new limit construction of the disclosed set of atoms appearing in the OGS bisimulations, to transform it into a POGS bisimulation.A store, ranged over by S, T, is a finite mapping from locations to values.S(ℓ) stands for the value associated to ℓ in S. We use notation S • [ℓ ↦ → V] for the extension of S with a mapping for ℓ, which is only defined if ℓ is not defined in S. S[ℓ ↦ → V] denotes the store S in which the value associated to ℓ is updated.
The operational semantics ↦ → op of the ref -calculus is defined over configurations, which are pairs (M, S) formed by a term and a store.It is given by the following rules: The typing system for terms is given by the rules in Figure 1.We chose here a typing judgement with a single typing context Γ, so that continuation variables are given types of the shape ¬ .Such negated types are also used to type evaluation contexts, as given by the two last rules in Figure 1.While we cannot store continuation variable c in a reference, we can always store its associated function .[c] .Typing rules force terms of type ⊥ to be of the shape [ ]M, following Parigot's original presentation of the -calculus [25].
We also consider a typing judgement of the shape Σ ⊢ C : (Γ; ) (Δ; ), for contexts C that take terms M of type Σ; Γ ⊢ M : and produce terms of type Σ; Δ ⊢ C[M] : .The typing rules defining this judgement are standard and not recalled here.
In the following, we consider the -calculus, the fragment of the refcalculus that only handles references of type ref Unit .That is, for all the reference type ref appearing in the typing derivation, we have = Unit.
We use a, b, . . . to range over locations of type ref Unit , also called atoms, and introduce the slightly shorter notation new in M to stand for new = () in M in .The syntax for values and terms of the -calculus is thus: In this setting, we see stores S directly as sets of atoms, all mapping to the unit value ().For L a set of atoms.we write L for the store that maps atoms in L to the unit value ().
We consider the following extension of the typing judgement respectively to stores S, value-mapping substitutions , and evaluation contexts: ) is a configuration that is irreducible for the reduction relation ↦ → op .We write (M, S) ⇓ N when there exists a store T such that (M; S) ↦ → * op (N; T) and that (N; T) is a normal form.We call the types Bool, Unit and ref positive types, while → and ¬ are called negative types.By only allowing free variables of negative types, we provide a sharp characterization of normal forms.
Theorem 2. Taking a term M such that Σ; Γ ⊢ M : ⊥ with Γ a typing context mapping variables to negative types, if (M, S) is in normal form with respect to Moreover, for any configuration (M, S) such that M is in , Σ; Γ ⊢ M : ⊥ and ⊢ S : Σ, there exists N such that (M, S) ⇓ N. Definition 3. Taking two terms M, N such that Σ; Γ ⊢ M : and Σ; Γ ⊢ N : , we say that they are contextually equivalent, written Σ; Γ ⊢ M ≃ N : , when for all continuation variable c and context C such that Σ ⊢ C : (Γ; ) (c : ¬Unit; ⊥), and for all store S such that ⊢ S : Σ ′ , we have In the definition above, we use ref contexts to observe terms.Such contexts can use higher-order references, and lead to divergent computations.For this reason, testing for convergence to () is enough when defining ≃ .

Operational Game Semantics
We now introduce a fully-abstract trace semantics for ref programs.We follow a modular presentation, inspired by the one provided by Laird in [16], where the semantics is built from a synchronization product of three LTS: the Interactive LTS L I , that represents the raw interactions of programs with their environment.-the Typing LTS L Ty , that keeps track of the polarization and types of names exchanged, to preserve well-typedness.-the Disclosing LTS L Di , that prevents the environment to use private resources that have not been disclosed by Proponent.

Abstract values
To represent the interaction between the program and its environment, we distinguish between values that we can observe and values that we can interact with.The two players only exchange observable values, called abstract values in this paper.They are defined by the following grammar: with f a function name, that is a variables used to represent functions exchanged between the two players.They correspond to the positive part of values, and are also called ultimate patterns in [18].Like for terms, supp(A) stands for the set of atoms occurring in A. We consider the typing judgement Δ A : for abstract values, with a positive type, that is defined similarly than for terms, with the extra condition that all variables appearing in A are distinct.Then we introduce the abstraction relation that transforms a value V into a pair (A, ) formed by an abstract value and a substitution, such that A{ } = V:

Labelled Transition Systems
The two players, Opponent and Proponent, exchange moves, which are in one of six forms: P-question P-answer O-question O-answer P-init question O-init question We use m to range over moves, and p (resp.o) to range over Proponent (resp.Opponent) moves.Initial questions are the introductory moves.Compared to other moves, they can introduce multiple abstract values in a row, which is used to instantiate all the variables of a typing context Γ.They use a distinguished function name ?.
Traces t are sequences of moves.We write m for the corresponding move with reversed polarity (input switched to output, and vice-versa).We extend this definition to switch traces, written t.
The three labelled transition systems we define are instances of the following definition: Taking C a configuration of an LTS L, we write Tr L (C) for the set of traces, as sequences of moves generated by this LTS over C (so with op actions removed).We write C ≃ tr D for the trace equivalence relation, which equates configurations C, D when both have the same set of traces.

Interactive LTS
We consider interactive configurations I; J ∈ IConfs which are either passive of the shape S; , or active of the shape M; S; with M a term, S a store, and a substitution.The Interactive LTS L I is then defined as the triple (IConfs, Actions, − → I ) with − → I defined in Figure 2. The two rules for Proponent moves describe transitions performed by normal forms and make use of the abstraction relation.In the two rules for Opponent, the notation S ⊙ [ supp(A)] stands for S extended with a binding a ↦ → () in the case when A = a and a is fresh for Proponent, and simply S otherwise: Proponent extends its store when a new atom is received.

Typing LTS
We consider type-context configurations S, T ∈ Confs Ty which are either active of the shape Δ O | ⊥; Δ P or passive of the shape Δ O | Δ P with Δ O , Δ P two disjoint typing contexts that map variables to negative types.
The Interactive LTS L I is then defined as the triple (Confs Ty , Actions, − → Ty ) with − → Ty defined in Figure 3. Notice that the type of the active term is ⊥ since the reduction relation ↦ → op is well defined only on terms of this type.
Typing configurations can be used to specify interactive configurations, via the following validity judgement.
The initial question generated by Σ; Γ ⊢ M : provides a way for Opponent to instantiate variables of Γ with abstract values.In this setting Σ only contains atoms since M is a term of .The transition for c : ¬Unit ⊢ (S; ) : (Σ; Γ) represents this behavior from the point of view of Opponent.Since contexts are written in ref , these initial configurations come equipped with an initial store S of type Σ, but only the locations of type ref Unit are considered to be disclosed, since the other ones cannot be used by Proponent.The continuation name c is used for Opponent to perform its final answer, which is of type Unit, following the notion of observation used to define contextual equivalence.
We use notation Such a full-abstraction theorem was proven in [14] for RefML, that is the intuitionistic fragment of ref -calculus, without control operators.It was also proven in [11] for HOSC, a variant of the ref -calculus, with the call/cc operator, but without atom disclosure.Such a full-abstraction result being rather standard, we have chosen to present its proof in Appendix A.
In the remainder of the paper, we focus on the -calculus.In particular, we only consider OGS configurations corresponding to from now on.
4 Lassen Trees for the -calculus

POGS and POGS bipartite bisimulation
We introduce Lassen trees for terms of the -calculus, as a form of linearized version of L OGS , where Opponent can interrogate a name provided by Proponent only once, immediately after it has been introduced.So we consider prime interactive configurations which are either passive of the shape L; , or active of the shape M; L with M a term, L a set of atoms, and a substitution.Compared to interactive configurations, the active configurations do not carry an environment .Furthermore, we have a set of atoms rather than a full store, since this LTS is defined only for the -calculus and not for the whole ref -calculus.The Prime Interactive LTS, L PI , is then defined as (Confs PI , Actions, − → PI ), with − → PI defined in Figure 5.The corresponding Typing LTS is defined using the transitions given in Figure 6, which are very close in spirit to the transitions in Figure 3.
The transitions for the Disclosing LTS for POGS are presented on Figure 7.We compare these with the Disclosing LTS for OGS (Figure 4) below.
The Prime Operational Game Semantics LTS is introduced as a synchronization product, together with initial transitions, like for OGS.More precisely, the synchronization between the interactive and typing LTSs requires that active configurations M; L correspond to type-contexts of the shape To synchronize with the Disclosing LTS, whose states are of the form L; D , we simply impose that the L component is the same in the state of L PI , both for active and passive configurations.
We call L POGS the LTS obtained by synchronizing L PI , L PTy and L PDi .We write P, Q ∈ Confs POGS the configurations of L POGS .The Lassen tree of a term is then defined as the unfolding of the L POGS on the initial active configuration associated to this term.
Due to the condition supp(p) ⊆ D in p − → pd , some configurations with terms in normal form do not have a corresponding Proponent transition.The dashed arrows correspond to op transitions that lead to such stuck configurations.

Bipartite Bisimulations for OGS and POGS
We consider typed relations on passive and active configurations, that is, we require related configurations to have the same type.This means in particular that the environment components of the two configurations have the same domain.In addition to the typing, we also enforce that both sets of disclosed atoms are identical.Definition 9. A bipartite bisimulation is a pair of relations (R , R ) respectively on active and passive configurations, such that: then there exists a Proponent move p and An OGS-bipartite bisimulation is a bipartite bisimulation defined over L OGS , and a POGS-bipartite bisimulation is a bipartite bisimulation defined over L POGS .We write ≃ ogs and ≃ pogs respectively for the greatest bipartite bisimulation respectively over L OGS and L POGS .
The following property follows from the fact that the transition relation is deterministic (up to the choice of fresh names).
For op transitions, the difference between OGS and POGS shows up in the disclosing LTS: in op − − → pd , a D ′ component can be chosen non-deterministically.This observation is related to the existential quantification in the second clause of Definition 13.Both in L OGS and L POGS , there is only one possible next visible (Proponent) move.However, in ≃ pogs , the game involves choosing an appropriate set of atoms to be disclosed along op − − → pd transitions.For instance, when constructing a POGS bipartite bisimulation between terms new in .and .new in from Example 8, we have two choices for the second step: The latter does not satisfy the constraint on the disclosed set, since the sets are not the same in the two configurations.The former leads to a stuck configuration: ( [c ′ ] ( .a)(), {a} , {a}, ∅ ) cannot perform any Proponent move.Thus the two programs are not equivalent.

Deciding ≃ pogs
We now study how to decide when two POGS configurations are bisimilar.First, trees generated by L POGS are of finite depth.This lemma is proven using a biorthogonal logical predicate, following the use of biorthogonality to prove strong normalization of -calculus [26], the computational metalanguage [19], and cut elimination for linear logic [10].The proof can be found in Appendix D.
Due to the non-determinism of atom generation in ↦ → op , of function name generation in , and of name picking in Opponent transitions, the trees generated by L POGS are infinitely branching.To tame this infinite branching, we see the set of moves Moves and the set of configurations Confs POGS of L POGS as nominal sets [9] over atoms, function and continuation variables.So taking a finite permutation over these sets, we write * for the action of permutation over elements of nominal set .The transition relation − → pogs of L POGS preserves this action of permutation, i.e., it is equivariant : if P m − → pogs Q then for all finite permutation , we have * P * m − −− → pogs * Q.One can then consider a variant L DPOGS of the POGS LTS which uses the same set of configurations as L POGS , but whose transition relation − → dpogs chooses fresh atoms and names deterministically.So − → dpogs is then deterministic on op and Proponent actions, and finitely branching on Opponent actions.
We remark at this point that the notion of bipartite bisimulation ≃ pogs introduced in Definition 13 is not suited for L DPOGS .Indeed, it requires equality of actions in the bisimulation game, and also that configurations related by bisimulation have the same type.So we relax the definition of ≃ pogs and work with ternary relations, adding a finite permutation of names and atoms in order to match the actions, rather than enforcing syntactic equality.Definition 12.A relation R ⊆ Confs POGS ×Confs POGS ×Perm is said to be valid when, for all ((I, S, , D ), (J, T, , D ′ ), ) ∈ R, we have T = * S and D ′ = * D. Definition 13.A relaxed bipartite bisimulation is a pair of valid relations (R , R ) respectively on active and passive configurations such that: - then for all Opponent moves o 1 , o 2 , for all permutation ′ extending , and active then there exists a permutation ′ extending , two Proponent moves p 2 = ′ * p 1 , and two passive We write ≃ pogs for the greatest relaxed bipartite bisimulation over L POGS .From the fact that − → pogs is equivariant, we deduce that ≃ pogs and ≃ ogs coincide.Since L DPOGS generates finite Lassen trees, we deduce that the bisimulation game can be decided.Theorem 14. Taking two POGS configurations P, Q, we can decide if P ≃ pogs Q.

Relating the Transitions in OGS and POGS
To relate the transitions in the OGS and in the POGS, we need to introduce some relations and operations on OGS configurations.When G ⊆ Di H, the configurations only differ by their set of disclosed atoms.
Lemma 17.Let P be an active prime configuration.We have the following: In POGS, the disclosed set increases in op transitions as seen above, but not in p.In a sense, disclosing in OGS is done only when needed, whereas in POGS, disclosing must be declared as soon as the atom is created.This is ensured by the additional condition supp(p) ⊆ D in the rule for Using the following notion of limit (on OGS configurations), we can intuitively replace D by its minimal extension, preventing this from happening.
Definition 19.Given a configuration G = (I, S, L; D ), we define its limit as: We have that G ⊆ Di lim(G) and lim is idempotent.We call limit configurations those configurations that are a limit (or alternatively, that are their own limit).Being a limit configuration is preserved by moves but not necessarily by op.For Opponent transitions, the situation is less simple since not all active OGS configurations are active POGS configurations.To circumvent that issue, we reuse the tensor product from [13].For two OGS configurations where at least one is passive, we define the tensor product, written ⊗, as follows: The side conditions for the L and D components ensure that no shared atom is disclosed on one configuration but not the other.We can then describe an active OGS configuration as the tensor of two POGS configurations (where S = L): Finally, we have the following for opponent transitions:

Relating Bisimilarities in OGS and POGS
In this section, we show that ≃ pogs can be used to characterize ≃ ogs for the limit configurations introduced above.We rely for that on up-to techniques for bipartite bisimulation in OGS, which we introduce first.

Up-to techniques for ≃ ogs
The proofs in this section use the theory of compatible functions [30,28].More details can be found in Appendix B.
Definition 22 (Bipartite bisimulation up-to).Given a function , a bipartite bisimulation up to is a pair (R , R ) such that: then for all Opponent moves o and then there exists a Proponent move p and We then define hide(R , R ) Recall that we still require that hide(R , R ) only contains pairs of configurations with the same disclosed set.The soundness of hide can be proved using Lemma 16.
Lemma 23. hide is a sound up-to technique, i.e. if (R , R ) is a bisimulation up to hide, then (R , R ) ⊆≃ ogs .
Given a pair of relations (R , R ) on active and passive OGS configurations respectively, we define the following functions: tensor is not a sound up-to technique.It is nevertheless useful to reason about POGS bipartite bisimilar configurations; see Theorem 30 below.

Properties of the Limit (in OGS)
Lemma 25 shows that transitions can only increase the substitution and the store (corresponding to the G ′ component), and the set of disclosed atoms (represented by the use of ⊆ Di ).More precisely, ⊆ Di is required if some atoms from G are disclosed along the trace t, in which case new ones can appear in G ′ .Lemma 25 is language specific.It does not hold when the language allows the content of the store to be modified (like, e.g. in ref ).Additionally, LTSs enforcing some local restriction on the usage of function or continuation names usually have extra components that are modified along the transitions; we return to this point in Section 7.
In a limit configuration (Definition 19), all atoms that may be disclosed at some point are disclosed.By Lemma 25, these atoms can be disclosed using a single trace.
Lemma 26.Given a passive configuration G, there exists a trace t and a configuration H such that The limit is also useful to relate transitions in OGS and in POGS as follows.
Lemma 27.Take a POGS configuration P.
If P is active and All in all, we obtain that ≃ ogs is a congruence for lim.For R a relation over configurations, we write lim(R) for the set {(lim(G), lim(H)) | (G, H) ∈ R}.
The case for passive configurations follows immediately from Lemmas 26 and 24.
The property of the limit might make us think that the disclosure process of an atom could be decided statically, by annotating new syntactically.The following example shows that it is not the case: .new , in .ifthen else Either or will be disclosed depending on the boolean given by Opponent, but never both.So this term is indeed contextually equivalent to .new in . .

Correspondence Between ≃ ogs and ≃ pogs
Theorem 29 (From ≃ ogs to ≃ pogs ).Consider two POGS configurations P and Q.If P ≃ ogs Q are both limit configurations, then P ≃ pogs Q.
To reason about bisimilar POGS configurations, we use the closure of tensor, written tensor.Intuitively, tensor(R ) contains the pairs Theorem 30 (From ≃ pogs to ≃ ogs ).Suppose R is a POGS bipartite bisimulation.Then tensor(R) is a OGS bipartite bisimulation up-to hiding.
By Lemma 23, Theorem 30 means that if P ≃ pogs Q, then P ≃ ogs Q.The correspondence between ≃ ogs and ≃ pogs is restricted to prime configurations as ≃ pogs can only relate those.Having the additional conditions of configurations being limits is enough for our decidability result.
The -calculus was introduced in [27], together with logical relations to reason over contextual equivalence for this language.These logical relations use a Kripke-style definition, worlds being defined as spans of atoms to keep track of the disclosed atoms, similar to the permutation we use in our relaxed bipartite bisimulations.They capture contextual equivalence for programs of first order type, but are an incomplete technique for higher-order programs.This entails a decidability result for the first-order fragment of the -calculus, since logical relations only quantify over finite objects at first-order types.
Categorical models of the -calculus were provided in [32,33], using a representation of name creation via a strong monad.Two examples of such models were given: (i) the functor category with the category of finite sets and injection; (ii) the category B of continuous -sets, with the topological group of automorphisms over N. None of these models are fully-abstract, since they distinguish new in .= from .false.
These models were later refined using nominal sets [9], so that types are interpreted via Fraenkel-Mostowski sets [31] or domains [15].Both of these works are continuation models; they might be used to provide a semantics for the calculus studied in this paper, a direction we wish to explore in future work.Such use of continuations was justified in [31] to provide a model for an extension of the -calculus with recursion.More recently, proof-relevant logical relations were introduced to deal with recursion in the presence of name generation [5].
In [29], a model of the -calculus is given in quasi-Borel spaces, showing a correspondence between random sampling and fresh name generation.This model is shown to be fully-abstract for terms of first-order types.
In [6], environmental bisimulations for the -calculus are defined and shown to be fully abstract.Nevertheless, it does not seem possible to extract a decision procedure from that result, since environmental bisimulations are played over a higher-order LTS, that is, an LTS whose actions contain -terms.So this LTS is infinitely branching at higher-order types.
Eager normal-form bisimulations have been introduced by Lassen for the callby-value -calculus [17] and -calculus.In [34], a notion of bisimulation similar to ≃ ogs is introduced and shown to be fully abstract for an untyped version of ref .Compared to the standard notion of eager normal form bisimulations, the configurations in the bisimulations in [34] contain an environment similar to the environment component of the OGS LTS in Section 3.
In [1], a fully-abstract game model is provided for the -calculus.However, this model requires an extensional collapse, that is not directly computable at higher-order type.So that model could only be used to prove the decidability of contextual equivalence for terms of first-order types.Enforcing a well-bracketed and visible behavior for Opponent in the OGS model, we believe that our trace model would coincide with the intentional game model of [1].Nominal game semantics was developed for languages with nominal references and exceptions in [36].In that setting, algorithmic presentations of game semantics make it possible to provide a classification of decidability of call-by-value languages with (bounded) integer references [22], and ground references [24].In this setting, the undecidability of contextual equivalence originates from the use of integer references by Proponent.A detailed survey on the literature on contextual equivalence for the -calculus is available in [37].

Conclusion
To decide the contextual equivalence between two typed terms M and N with contexts in the ref -calculus, we first construct the corresponding initial configurations, and we can decide by Thm. 14 if they are POGS-bisimilar.This decidability result comes from the fact that the POGS LTS generates finite trees.
Then, we prove in Thm.29 and Thm.30 that two initial active configurations are POGS-bisimilar iff they are OGS-bisimilar.This is possible because initial configurations are prime (they are active and is empty) and are also limit configurations (their disclosed sets contain all the atoms of the store).In Thm. 7 and Lemma 10, we prove that M and N are contextually equivalent iff the corresponding initial configurations are OGS-bisimilar, which yields decidability.
We now examine the obstacles that remain to prove the decidability of contextual equivalence with contexts in the -calculus.
First of all, in that setting, trace equivalence would not be fully-abstract anymore (Thm.7).Indeed, without integer references, one cannot observe the sequentiality of calls and returns.So an extensional collapse would be necessary.
Another obstacle is that in the absence of higher-order references, Opponent must satisfy a condition of O-visibility [2], that corresponds to a local well-scoping discipline, for the function names it is allowed to call.Working in an intuitionistic type system, corresponding to the standard -calculus without control operators, the call-and-return discipline of the interaction between Proponent and Opponent has to be well-bracketed.These two conditions, namely O-visibility and well-bracketing, can be enforced operationally [14] in the LTS, by keeping track of part of the history of the interaction.However the reduction of ≃ ogs to ≃ pogs is not possible anymore in that setting.Indeed, the limit over-approximates the set of atoms that can be tested.This can be seen when comparing the programs new in let = ( .= ) in and new in let = ( .false) in Assuming is immediately disclosed makes it possible to distinguish the two programs.Because the local conditions of well-bracketing or visibility would prevent Opponent from playing some actions, Opponent could perform irreversible changes that would invalidate Lemma 25.This would make ≃ pogs incomplete.
To handle this difficulty, we could try and use Kripke eager normal-form bisimulation [12], using a structure for worlds richer than just a set of atoms.
Finally, in absence of full ground references, that can store locations, atoms played by Opponent would also follow a local well-scoping discipline, but the discriminatory power over Player atoms would also be restricted [23].In such a setting, the same difficulties as with well-bracketing and O-visibility would arise, and a more complex extensional collapse would be needed.

A Full Abstraction of the OGS LTS
We prove in this appendix that trace-equivalence ≃ tr and contextual equivalence ≃ coincide.The proof uses the notion of "closed instantiation of all use" (CIU) equivalence, as introduced in [20].
The proof goes through the introduction of a notion of "parallel composition with hiding" of OGS configurations, which is defined as a reduction relation ↦ → so .This composition is used to define an observational equivalence ≃ barb for the OGS LTS as a barbed equivalence.We then prove that -≃ and ≃ barb coincide on initial configurations, by using the fact that: • the observation over Unit type used in the definition of ≃ coincides with the observation used to define ≃ barb ; • the reduction relation used to define the composition and the operational semantics are bisimilar.-≃ tr is included in ≃ barb , since the notion of observation used to define ≃ barb corresponds to an answer c(()); -≃ barb is included in ≃ tr , by proving a definability result to build an OGS configuration that generates exactly a given trace.
A.1 CIU equivalence Definition 31.Two terms M, N are said to be ciu equivalent, written Σ; Γ ⊢ M ≃ N : , when for all store typing context Σ ′ ⊇ Σ for all covariable c, for all substitution such that Σ ′ ; c : ¬Unit ⊢ : Γ, for all store S such that ⊢ S : Σ ′ , and for all continuation variable c we have Following the general framework developed in [35], we can prove the correspondence between ≃ and ≃ .

A.2 Composition and Barbed Equivalence
We introduce the composition of two OGS configurations, one representing Proponent and the other Opponent.To do so, we first define when such a composition is possible, via a compatibility predicate.The latter is defined as a reduction relation between pairs of OGS configurations, following [16,13].
Definition 33.Taking a Ty configuration S, we define its c-dual configuration, written S * c , as: We say that two OGS configurations G = (I; S; D) and H = (J; T; E) are c-compatible, written compat c (G, H) when: the two are initial, with G of the shape Σ; Γ ⊢ M : ⊥ and H of the shape c : ¬Unit ⊢ (S; ) : (Σ; Γ) with Σ ⊆ Σ ′ .-or G = (I; S; D) and H = (J; T; E) one is active and the other passive, and: • writing S and T for the store component of I and J respectively, for all ℓ ∈ dom(S) ∩ dom(T), We write compat (G, H) when there exists a continuation variable c such that compat c (G, H).
The composition is then defined as a reduction relation over pairs of compatible OGS configurations.
Definition 35 (Synchronization).We define the Synchronizing/Operational transition system L SO as the transition system whoses configurations are pairs of OGS compatible configurations, written G 1 ||G 2 , and whose reduction relation ↦ → so is defined as ↦ → op so ∪ ↦ → sync so , where: While compatibility is preserved by ↦ → sync so , it is not necessarily by ↦ → op so .Indeed, taking G 1 , H 1 two compatible OGS configurations, if G 1 op − − → ogs H 1 , then this operational reduction could have allocated fresh locations that already exist in G 2 .This explains why we have to restrict to compatible configurations in the rules defining ↦ → op so .However, in such a case there exists always a configuration H ′ 1 , equal to H 1 up-to renaming of the fresh locations, and such that G Using the SO reduction relation we define a notion of observation as a barb [21].
Definition 36.We write I||J ⇓ c when there exist two interactive configurations I, I ′ such that I||J ↦ → * so I ′ ||J ′ with I ′ is a passive configuration of the shape S P ; P and J ′ of the shape [c] (); S O ; O .This definition can be directly lifted to OGS configurations.This is used to define the following equivalence for OGS configurations.

A.3 Adequacy
To prove that ≃ barb and ≃ coincide, we introduce an intermediate transition system L bop , and we show that L bop and L SO (L I ) are bisimilar, and that L bop and the operational reduction relation are weakly bisimilar, ignoring the sync actions.
L bop can be seen as an abstract machine to compute the interaction represented by L SO (L I ).It relies on a notion of telescoped substitution, to avoid cycles in the concatenation of mappings coming from the composition of two interactive configurations.This enforces the absence of livelocks in the interaction.Definition 38.A telescoped substitution is a substitution seen as a list of mappings such that for all ∈ {1, . . ., }, we have supp(V ) ∩ { , . . ., } = .
A telescoped substitution can be transformed into a substitution * that maps names to closed values.
Definition 39.Taking a telescoped substitution and ∈ N * , we define the iterated telescoped substitution as: We then define * as with the size of the domain of .Then if Γ • Δ ⊢ : Γ, we have Δ ⊢ * : Γ.
Lemma 40.Taking a telescoped substitution and n ∈ dom( ), then there exists a name n ∈ dom( ) and a natural number ∈ N * such that (n) = m and (m) is a value that is not a name in dom( ).
Definition 41.We introduce the boxed operational (bop) transition system L bop (Confs bop , ↦ → bop ) with configurations A, B ∈ Confs bop of the shape (M; S; ) with a telescoped substitution such that there exists a typing context Γ and a store context with Σ; Γ ⊢ M : ⊥, Γ ⊢ S : Σ and Σ ⊢ : Γ.
Its reduction relation ↦ → bop is given by the two reduction relations ↦ → op bop and ↦ → sync bop defined in Figure 8.This transition system can be seen as an abstract machine, that performs a variant of the linear head reduction, which is known to be the way interaction in game semantics computes [8].Having a global environment , it is similar to the Milner Abstract Machine [3].
We define a bisimulation between ↦ → bop and ↦ → op by collapsing L bop configurations into operational ones.
Definition 42.We define the function Φ bop op : Confs bop → Terms × Stores as the function: (M; S; ) ↦ → (M{ * }; S{ * }) Proof.Taking a value V such that V (A; ) then: Using the fact that the environment of bop configurations are telescoped, we deduce that such configurations can only perform a finite number of sync reduction steps, after which they have to perform an op reduction.
Lemma 44.Taking A a bop configuration, then there exists a configuration B such that A(↦ → sync bop ) * B and B ∉ dom(↦ → sync bop ).
Proof.Suppose that A ∈ dom(↦ → sync bop ).We write A as M; S; , so that: either M is of the shape E[fV] with f ∈ dom( ).Then from Lemma 40, there exists a natural number and a function name g such that (f) = g and (g) is a value that is not a name in dom( ).So (g) must be a -abstraction.Then there exists a configuration B that can be written as (g)A; T; Then a similar reasoning applies.
From Theorem 2, we deduce the following theorem.
Proof.We write A as M; S; .Since A ∉ dom(↦ → sync bop ), we get that M cannot be of the shape E[fV] with f ∈ dom( ), or of the shape [c]V with c ∈ dom( ).We conclude using Lemma 46.
From this, we deduce that Φ bop op is a functional bisimulation, that is a bisimulation relation that is functional.
We now establish a bisimulation between L SO and L bop .
Definition 49.We define the function R so bop : Confs so → Confs bop as Notice that S P ∪ S O is well-formed in this definition thanks to the fact that I and J are compatible, being part of a SO configuration.
In order to prove that R so bop is a bisimulation, we prove in the following lemma that an Opponent configuration can always perform an action as soon as a compatible Player configuration can perform the dual action.
Lemma 50.Taking G, H two OGS configurations such that compat(G, H), for all Proponent action p, if G p − → ogs G ′ , then there exists a configuration H ′ s.t.
Proof.From the fact that there exists c such that compat c (G, H), we can write: -G as ( M; S P ; Then either p is a question of the shape f (A) with Δ O (f) = → , or an answer of the shape c(A) with Δ O (c) = ¬ .
There exists a typing context Δ disjoint from Δ P and Δ O such that Δ A : and From the fact that G is valid, we get that there exists a store typing context Σ P such that dom(Σ P ) = L and Σ P ; Lemma 51.R so bop is a bisimulation between L SO and L bop .Proof.We take G||H , A ∈ R so bop .Without loss of generality, suppose that G is the active configuration.So we write: -G as (I; S; D), -H as (J; T; E), -I as M; S P ; P -J as S O ; O , -A as (M; S P ∪ S O ; ), with a telescoped substitution of P • O .
First, suppose G||H ↦ → so a G ′ ||H ′ .There are two possible cases:  or a = op, (M, S) ↦ → op (N, T) and ′ = .From the fact that I is validated by S, we get that there exists a store Σ P such that ⊢ S P : Σ P and Σ P ; Δ O ⊢ M : ⊥.We deduce that there exists a store T ′ such that (M, S P ) ↦ → op (N, T) and T = T ′ ∪S O .
We define I ′ as N; T ′ ; P , and G ′ as (I ′ ; S; D).Then G From barb to ciu We first suppose that G 1 ≃ barb G 2 .We consider: a store typing context Σ ′ ⊇ Σ; -a substitution such that Σ ′ ; : ¬b ⊢ : Γ; -a store S such that ⊢ S : Σ ′ .

A.4 Relating barbed equivalence and traces equivalence
We now prove that trace equivalence and barbed equivalence coincide.To do so, we express the barb observation G||H ⇓ c of L SO as the existence of traces ending with c(()).
Definition 54.We write (G, H) ∈ c when there exists a trace t such that t ∈ Tr L OGS (G) and tc(()) ∈ Tr L OGS (H).
By definition, this notion of observation is preserved by trace equivalence: Proof.First suppose that (G, H) ∈ c , that is there exists a trace t such that t ∈ Tr L OGS (G) and tc(()) ∈ Tr L OGS (H).We reason by induction on the length of t to prove that G||H ⇓ c, using the fact that ⇓ is closed by anti-reduction of ↦ → so .When this trace is empty, we have G = S P , Combining Lemma 57 and 55, we prove the soundness of trace equivalence.
Theorem 58.Taking G, H two OGS configurations, if G ≃ tr H then G ≃ barb H.
In order to prove full abstraction, the opposite direction, we rely on a definability result over traces.
Definition 59.We say that an OGS LTS is O-definable when taking a trace t ∈ Tr OGS (G) with G prime, there exists a configuration H and a continuation name c such that compat c (G, H) and Tr OGS (H) = {t ′ | t ′ ∼ tc(())}.
Theorem 60.Considering an OGS LTS satisfying the O-definable condition, and taking G, H two OGS configurations, if G ≃ barb H then G ≃ tr H.
In the next section, we will prove that L OGS is -definable.Combining this result with Theorems 32, 53, 58 and 60, we deduce Theorem 7 stating the correspondence between trace equivalence and contextual equivalence.

A.5 Definability
To prove full abstraction of trace equivalence, we need to be able to define a program that generates a given trace.
Given such a trace t, we suppose given a function that maps all the function names f, continuations names c, and atoms appearing in t to locations ℓ f , ℓ c and ℓ a .These locations are then used to store all these names.To enforce that the moves appear in the right order, we use a clock implemented via a reference clock.
To build code from a given trace, we reason inductively on the tree structure inherited from the justification structure over the trace.
Definition 61.Taking a trace of the shape t m t 1 n t 2 we say that m is justified by n when m is a question over a function name f or an answer of a continuation name c, that is bound in n.
This tree structure corresponds to the Lassen trees generated by the POGS LTS.
Definition 62. Taking an execution trace we associate the view-tree viewtree(t) whose nodes are triples ( , S , D ) ∈{1,..., } , and such that ( , S , D ) m − → ( , S , D ) when m = m and: either m is an Opponent move justified by m ; -or m is a Proponent move and = + 1.
To a configuration ( , Δ O | , D) of a view tree, we associate the store S defined as: To a variable and an abstract value A, we associate the following terms set ,A and get A , defined by case analysis over A: get true true set ,false get false false Proving definability means building a prime Interactive configuration P such that the only "successful" interaction of P is represented by T (up-to renaming).Taking the function name f introduced in p, we consider all the occurrences o 1 , . . ., o of actions of (o ) ∈{1,..., } of the shape f (A ; c ).We then define ( ) as

B.2 Compatible Functions for ≃ ogs
The compatibility of hide follows from Lemma 16.
split is not directly compatible as it requires substitutions over atoms.Thus, we introduce an extra function.We use to range over substitutions over atoms.Given a pair of relations (R , R ) on active and passive OGS configurations respectively, we define the following function: The compatibility of isub follows from Lemma 74.
Finally, we can study the tensor and prove that split is compatible.
In both cases, the configuration that does not perform a transition is passive.Whenever G a − → ogs G ′ , then for all passive configuration H with G ⊗ H defined and The need for ⊆ Di occurs when a is a Proponent move that disclosed an atom shared by both G and H.This does not happen if they are limit configurations.The condition (L G ′ \ L G ) ∩ L H = ∅ ensures that the fresh names created via a -via allocation or given by the environment -do not appear in H. Up to renaming, this condition always holds: Proof.We consider two pairs of relations such that (R , R ) (R ′ , R ′ ).
-Take (A, A ′ ) ∈ split(R ), meaning (A ⊗ P, A ′ ⊗ P ′ ) ∈ R .By hypothesis, there exists p and (G, By lemma 76, we must have that A Thus, we can conclude as

C Proofs for the Comparison of ≃ ogs and ≃ pogs
We write G ≤ H where there exists Note that we can have (I, S, D) ≤ (J, T, E) when one configuration is Opponent and the other is Proponent, although we will focus on situations where this is not the case.Proof.This is a direct application of Remark 77 and Lemma 16.
The property above can be extended to traces, by a simple induction.
Lemma 80 (Asynchrony of atom disclosure).Consider a configuration G and two passive configurations H, G ′ such that G t − → ogs H and G t ′ − → ogs G ′ , for some t, t ′ .Then there exist t ′′ , H ′ such that G ′ t ′′ − → ogs H ′ and H ≤ H ′ .
Among other, this lemma states that if some existing names in D can be disclosed (using a trace t), then they can always be disclosed after an arbitrary trace t ′ .
Proof.If t ′ is empty, the result is trivial.If t is empty, then the result follows immediately from Lemma 25.
Otherwise if G is an active configuration, then t and t ′ start with the same transition so we can conclude by induction.
If G is a passive configuration, by Lemma 25, G ≤ G ′ .We show the expected result by an induction on the trace t using Lemmas 79 and 74.
We reason by induction on to show that there exists a reachable configuration G such that the disclosed set contains D ⊎ { 1 , . . ., }.
The induction case is a direct consequence of Lemma 80. Then by definition of the limit, we know that the result configuration cannot have a disclosed set D ′ bigger than D when restricting to existing names (D ′ ∩L = D ∩ L).Thus, the use of ⊆ Di in the definition of ≤ is not required.
Proof (Lemma 27).We note L for the set of atoms of P, D (resp.D ′ ) for the disclosed set of P (resp.Q), and D (resp.D ′ ) for the one for the limit configuration.We have the following inequalities: D ′ ∩ L ⊆ D ⊆ D ′ .This means that the disclosed set for lim(Q) may only change from the one of lim(P) in the new atoms that are created by the transition.
By Lemma 16, we know that lim(P) a − → ogs G for some G ⊇ Di Q (resp.G ⊇ Di Q ⊗ P).
for a = p, by Lemma 20, this means lim(P) p − → pogs G.We can verify that lim(Q) = G by looking at the LTS using the inequalities above.
for a = o, we have that G = P ′ ⊗ lim(P) with P ′ ⊇ Di Q.Then, by Lemma 21, lim(P) o − → pogs P ′ .We can verify that lim(Q) = P ′ by looking at the LTS using the inequalities above.
for a = op, the inequalities correspond to the conditions for the transition op − − → pd .Thus, there always is a transition in POGS for which the resulting configuration is lim(Q).
Proof (Theorem 29).We examine transitions in the target: for an Opponent transition, from Lemma 21, for all P o − → pogs P ′ , we have Proof (Theorem 30).Take G tensor(R) H.We write G P ⊗ G ′ and H Q ⊗ H ′ .
for a Proponent transition, we have P

D Finiteness of POGS Traces
We prove Lemma 11.We write O for the set of prime OGS configurations G such that any trace in Tr POGS (G) is finite.
We introduce Kripke biorthogonal logical predicates V , K ¬ and E respectively over quadruple formed by either a value V, an evaluation context E or a term M, together with two sets of atoms L, D and a typing context for continuation and function names Δ.They are defined in Figure 9, by recursion over the type .Notice that K ¬ is defined by orthogonality wrt V , and E by orthogonality wrt K ¬ , the pole being O.We extend their definition to terms with free variables, using a logical predicate G Γ on substitution from variable to values.From it, we define the logical predicate L; Γ | = M : on terms of type with free variables in Γ, locations in L and function names in Δ.The logical predicates V is included in E .

Fig. 1 .
Fig. 1. ref : typing rules for terms and evaluation contexts

Definition 4 .
A labelled transition system (LTS) L is a triple (Confs, Actions, − → ) with Confs a set of configurations C, D, Actions a set of actions a, formed by the moves m, together with a silent action op, corresponding to internal computations, and − →⊆ Confs × Actions × Confs the labelled transition relation.We write C a − → D for (C, a, D) ∈ − →.

Definition 5 .Fig. 2 .
Fig. 2. Definition of L I , the Interactive LTS: transitions of interactive configurations

Theorem 7 .
p transition preceded by a possibly empty sequence of op transitions.Trace equivalence according to L OGS and contextual equivalence coincide.Taking two terms M, N such that Σ; Γ ⊢ M, N : , then Σ; Γ ⊢ M : ≃ tr Σ; Γ ⊢ N : if and only if Σ; Γ ⊢ M ≃ N : .

Lemma 11 .
Taking a POGS configuration G, any trace in Tr POGS (G) is finite.

Definition 15 .
Let G = (I, S, L; D ) and H = (I, S, L; D ′ ) be two OGS configurations.We write G ⊆ Di H for when D ⊆ D ′ .
Lemma 18.When P p − → pogs P ′ with P active, we also have P p − → ogs P ′ .However, the converse does not always hold, specifically if an atom has been declared non-disclosed but still appears in the action p.Indeed, the transition ( [c]a; L; ∅ , S, L; ∅ ) c(a) − −− → ogs ( L; ∅ , S, L; {a} ) is valid for OGS, but has no counterpart in POGS, since L; ∅ cannot make the transition c(a) − −− → pd .

Lemma 20 .
Let P be a limit configuration.If P p − → ogs P ′ , then P p − → pogs P ′ .

Definition 37 .
Two configurations G 1 , G 2 are said to be barbed equivalent, written G 1 ≃ barb G 2 , when for all configuration H such that compat c (G 1 , H) and compat c (G 2 , H), we have G 1 ||H ⇓ c if and only if G 2 ||H ⇓ c.

(
I; S; D)||(J; T; E) , (M; S P ∪ S O ; ) | a telescoped substitution of P • O with I = M; S P ; P and J = S O ; O , or I = S P ; P and J = M; S O ; O .
m − → ogs G ′ and H m − → ogs H ′ .We then have G ′ = ( S P ; P • ′ ; ; ) and H ′ = ( M ′ ; S O ; O ; ; ).′ • is a telescoped substitution, so that, defining B as M ′ ; S P ∪ S O ; ′ • , we have A ↦ → op bop B and G ′ ||H , B ∈ R so bop .Now suppose that A ↦ → bop B, and we write A as (M; S; ).There are three possible cases: -either a = sync and M is of the shape E[ V], and there exists a reduction V (A; ) such that N = ( )A and ′ = • .Then writing m for (A), we have the existence of G ′ such that G m − → ogs G ′ .From Lemma 50, we get that there exists H ′ such that H m − → ogs H ′ and G ′ ||H ′ , B ∈ R so bop .-or a = sync and M is a named value [c]V, and there exists a reduction V (A; ) such that N = O (c) [A], and ′ = • .Then writing m for c(A), we have the existence of an OGS configuration G ′ s.t.G m − → ogs G ′ .From Lemma 50, we get that there exists H ′ such that H m − → ogs H ′ and G ′ ||H ′ , B ∈ R so bop .
It is also closed by antireduction.Lemma 56.Taking G||H and G ′ ||H ′ two SO configurations such that G||H ↦ → so G||H and G ′ ||H ′ ∈ c , then G||H ∈ c .This trace predicate coincides with termination: Lemma 57.(G, H) ∈ c if and only if G||H ⇓ c.
P and H = [c] (); S O ; O .So G||H ⇓ c.Next, we suppose the following reduction: G||H ↦ → * so S P ; P || (); S O ; O We reason by induction over the length of this reduction, using the fact that c is closed by anti-reduction of ↦ → so (Lemma 56).When this reduction is empty, we conclude using the fact that [c] (); S O ; O c( ()) − −−− → ogs S O ; O .

Theorem 63 .
Taking S an active prime Ty configuration, c a continuation name, and T ∈ VT(S) a view-tree, there exists a Prime Interactive configuration P such that P ⊲ S * c and VT(P; S * c ) = {T ′ | T ′ = * T , a finite permutation}.Proof.By induction on the tree structure of T .For the induction step, we consider the tree generated by the LTS from the configuration P P , represented by the following paths: P P (p;ℎ) − −−− → PI P O (o ; ) − −−−− → PI P ⇓ op P P, for ∈ {1, . . ., }.We write P P, as M , S .

Remark 77 .
For any G a − → ogs G ′ and passive configuration H with G ⊗ H welldefined, there always exists an injective substitution , with G = G such that we can apply Lemma 76 on G a − − → ogs G ′ .Lemma 78.split is compatible up to isub.

Lemma 79 .
Suppose G ≤ H where G and H are either both passive or both active.Then G a − → ogs G ′ implies that H a − − → ogs H ′ and G ′ ≤ H ′ for some H ′ and injective such that H = H.
ogs P ′ ⊗ P and similarly for Q o − → pogs Q ′ .Thus, we have P ′ ⊗ P ≃ ogs Q ′ ⊗ Q.This means P ′ split(≃ ogs ) Q ′ which is included in ≃ ogs by Lemma 24.Both are limits by Lemma 27 so we can conclude.fora Proponent transition, we have P p = ⇒ ogs P ′ and Q p = ⇒ ogs Q ′ .By Lemma 28, lim(P ′ ) ≃ ogs lim(Q ′ ) and we conclude by Lemma 27.

VFig. 9 .
Fig. 9. Definition of the logical predicates and G op − − → ogs M ′ ; S ′ P , P and H = H ′ .Since G ′ is compatible with H, we deduce that new locations allocated in S ′ P cannot be in S O , so that S ′ P ∪ S O is well-defined.Then writing B as (M ′ ; S ′ P ∪ S O ; ), we have A ↦ → op bop B and G ′ ||H , B ∈ R so bop .-or a = sync so there exists a Proponent move m such that G S).Taking ∈ {1, 2} Suppose that (M { }, S) ⇓ [ ] ().Then from Theorem 52,we get that G ||H ⇓ .From G 1 ≃ barb G 2 , taking 1 if = 2 2 if = 1 ,we get that G ||H ⇓ .So from Theorem 52, we get that (M { }, S) ⇓ [ ] (), i.e.Σ; Γ ⊢ M 1 ≃ M 2 : .
an Opponent move o, and configurations G, G ′ such that P 1 ogs G ⊗ P 2 , and P ′ 1