Algorithmic games for full ground references

We present a full classification of decidable and undecidable cases for contextual equivalence in a finitary ML-like language equipped with full ground storage (both integers and reference names can be stored). The simplest undecidable type is unit → unit → unit. At the technical level, our results marry game semantics with automata-theoretic techniques developed to handle infinite alphabets. On the automata-theoretic front, we show decidability of the emptiness problem for register pushdown automata extended with fresh-symbol generation.


Introduction
Mutable variables in which numerical values can be stored for future access and update are the pillar of imperative programming. The memory in which the values are deposited can be allocated statically, typically to coincide with the lifetime of the defining block, or dynamically, on demand, with the potential to persist forever. In order to support memory management, modern programming languages feature mechanisms such as pointers or references, which allow programmers to access memory via addresses. Languages like C (through int*) or ML (via int ref ref) make it possible to store the addresses themselves, which creates the need for storing references to references etc. We refer to this scenario as full ground storage. In this paper we study an ML-like language GRef with full ground storage, which permits the creation of references to integers as well as references to integer references, and so on.
Andrzej S. Murawski (a.murawski@warwick.ac.uk), 1 University of Warwick, Coventry, UK; 2 Queen Mary University of London, London, UK

We concentrate on contextual equivalence in that setting. Reasoning about program equivalence has been a central topic in programming language semantics since its inception. This is in no small part due to important applications, such as verification problems (equivalence between a given implementation and a model implementation) and compiler optimization (equivalence between the original program and its transform). Specifically, we attack the problem of automated reasoning about our language in a finitary setting, with finite datatypes and with looping instead of recursion, where decidability questions become interesting and the decidability/undecidability frontier can be identified. In particular, it is possible to quantify the impact of higher-order types on decidability, which goes unnoticed in Turing-complete frameworks.
The paper presents a complete classification of cases in which GRef program equivalence is decidable. The result is phrased in terms of the syntactic shape of types. We write θ1, · · · , θm ⊢ θ to refer to the problem of deciding contextual equivalence between two terms M1, M2 such that x1 : θ1, · · · , xm : θm ⊢ Mi : θ (i = 1, 2). We investigate the problem using a fully abstract game model of GRef. Such a model can be easily obtained by modifying existing models of more general languages, e.g. by either adding type information to Laird's model of untyped references [19] or trimming down our own model for general references [24]. The models are nominal in that moves may involve elements from an infinite set of names to account for reference names. Additionally, each move is equipped with a store whose domain consists of all names that have been revealed (played) thus far and the corresponding values. Note that values of reference types also become part of the domain of the store. This representation grows as the play unfolds and new names are encountered. We shall rely on the model both for decidability and undecidability results. Our work identifies the following undecidable cases as minimal.
- ⊢ unit → unit → unit
- (unit → unit → unit) → unit ⊢ unit
- ⊢ ((unit → unit) → unit) → unit
- (((unit → unit) → unit) → unit) → unit ⊢ unit

Obviously, undecidability extends to typing judgments featuring syntactic supertypes of those listed above (for instance, when fourth-order types appear on the left-hand side of the turnstile or types of the shape θ1 → θ2 → θ3 occur on the right). The remaining cases are summarized by typing judgements in which each of θ1, · · · , θm is generated by the grammar given on the left below, and θ by the grammar on the right, where β stands for any ground type and Θ1 is a first-order type, i.e. β ::= unit | int | ref^i int and Θ1 ::= β | β → Θ1. We shall show that all these cases are in fact decidable.

In order to arrive at a decision procedure we rely on effective reducibility to a canonical (β-normal) form. These forms are then inductively translated into a class of automata over infinite alphabets that represent the associated game semantics. Finally, we show that the representations can be effectively compared for equivalence. The automata we use are especially designed to read moves-with-stores in a single computational step. They are equipped with a finite set of registers for storing elements from the infinite alphabet (names). Moreover, in a single transition step, the content of a subset of registers can be pushed onto the stack (along with a symbol from the stack alphabet), to be popped back at a later stage. We use visibly pushdown stacks [3], i.e. the alphabet can be partitioned into letters that consistently trigger the same stack actions (push, pop or no-op). Conceptually, the automata extend register pushdown automata [7] with the ability to generate fresh names, as opposed to their existing capability to generate names not currently present in registers. Crucially, we can show that the emptiness problem for the extended machine model remains decidable.
Because the stores used in game-semantic plays can grow unboundedly, one cannot hope to construct the automata in such a way that they will accept the full game semantics of terms. Instead we construct automata that, without loss of generality, will accept plays in which the domains of stores are bounded in size. Each such restricted play can be taken to represent a set of real plays compatible with the representation. Compatibility means that values of names omitted in environment-moves (O-moves) can be filled in arbitrarily, but values of names omitted in program-moves (P-moves) must be the same as in the preceding O-moves. That is to say, the omissions leading to bounded representation correspond to copy-cat behaviour.
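As a concrete illustration of this convention, the following sketch (ours, not the paper's formal definition) fills in omitted store entries over a fixed store domain: O-move omissions are filled arbitrarily via a supplied function, P-move omissions are copied from the preceding move.

```python
def complete_stores(moves, domain, o_fill):
    """moves: alternating list of (player, partial_store), player in {'O', 'P'}.
       Omitted entries at O-moves get arbitrary values via o_fill(name);
       omitted entries at P-moves copy the preceding move (copy-cat)."""
    out, prev = [], {}
    for player, sto in moves:
        full = dict(sto)
        for name in domain:
            if name not in full:
                full[name] = o_fill(name) if player == 'O' else prev[name]
        out.append((player, full))
        prev = full
    return out
```

For example, a P-move played with an empty partial store inherits the store of the O-move before it.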
Because we work with representations of plays, we cannot simply use off-the-shelf procedures for checking program equivalence, as the same plays can be represented in different ways: copy-cat behaviour can be modelled explicitly or implicitly via the convention. However, taking advantage of the fact that stacks of two visibly pushdown automata over the same partitioning of the alphabet can be synchronized, we show how to devise another automaton that can run automata corresponding to two terms in parallel and detect inconsistencies in the representations of plays. Exploiting decidability of the associated emptiness problem, we can conclude that GRef program equivalence in the above-mentioned cases is decidable.
This article is the journal version of [25], with full proofs and rearrangement of the material. We also relate our work to research carried out after the conference version was published. We start by introducing the language GRef in Sect. 2 along with a canonical form result. Then, in Sect. 3 we introduce the game model of GRef (we refer the interested reader to [28] for a detailed account of the model, which is in effect a restricted version of game models for larger languages presented in [19,24]). The first main results are obtained in Sect. 4 and concern undecidability of equivalence in specific fragments of GRef via reductions to queue machine problems. Finally, in Sect. 5 we present a decision procedure for equivalence in the remaining fragment GRef . The argument implements a reduction to checking nonemptiness in a specific kind of automata over infinite alphabets, the decidability of which is proved in Sect. 5.4.

GRef
We work with a finitary ML-like language GRef whose types θ are generated according to the following grammar.
θ ::= β | θ → θ
β ::= unit | γ
γ ::= int | ref γ

Note that reference types are available for each type of the shape γ (full ground storage). The language is best described as the call-by-value λ-calculus over the ground types β augmented with finitely many constants, a do-nothing command, case distinction, looping, and reference manipulation (allocation, dereferencing, assignment). The typing rules are standard. Let us write [i, j] for the set {i, i + 1, · · · , j}. For each type θ we can define the corresponding arena ⟦θ⟧.
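The grammar above can be rendered as a small datatype. The following sketch is ours (not part of the paper): predicates identify the storable types γ and the ground types β.

```python
# Types of GRef: theta ::= beta | theta -> theta, beta ::= unit | gamma,
# gamma ::= int | ref gamma (full ground storage).
from dataclasses import dataclass

class Type: pass

@dataclass(frozen=True)
class Unit(Type): pass

@dataclass(frozen=True)
class Int(Type): pass

@dataclass(frozen=True)
class Ref(Type):
    inner: Type  # intended to be generated by gamma itself

@dataclass(frozen=True)
class Arrow(Type):
    left: Type
    right: Type

def is_gamma(t: Type) -> bool:
    """Storable types: int, ref int, ref (ref int), ..."""
    return isinstance(t, Int) or (isinstance(t, Ref) and is_gamma(t.inner))

def is_ground(t: Type) -> bool:
    """beta ::= unit | gamma."""
    return isinstance(t, Unit) or is_gamma(t)
```

Thus ref (ref int) is a legal storable type, while unit and function types are not storable.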
Although types are interpreted by arenas, the actual games will be played in prearenas, which are defined in the same way as arenas with the exception that initial moves are O-questions. Given arenas A, B we define the prearena A → B as follows.
A store is a type-sensitive finite partial function Σ : A ⇀ [0, max] ∪ A. We write Sto for the set of all stores. A move-with-store on a (pre)arena A is a pair m^Σ with m ∈ M_A and Σ ∈ Sto.

Definition 4 A justified sequence on a prearena
A is a sequence of moves-with-store on A such that, apart from the first move, which must be of the form i^Σ with i ∈ I_A, every move n^Σ′ in s is equipped with a pointer to an earlier move m^Σ such that m ⊢_A n. m is then called the justifier of n, which is represented as · · · m^Σ · · · n^Σ′ · · · in drawings.
The set of available names of a justified sequence is defined inductively by Av(ε) = ∅ and Av(s m^Σ) = Σ∗(Av(s) ∪ ν(m)). The view of a justified sequence is defined by: We shall write s ⊑ s′ to mean that s is a prefix of s′.

Definition 5 Let
A be a prearena. A justified sequence s on A is called a play, if it satisfies the conditions below.
-No adjacent moves belong to the same player (Alternation).
-The justifier of each answer is the most recent unanswered question (Bracketing).
-For any s′ m^Σ s′′ with non-empty s′′, the justifier of m occurs in view(s′) (Visibility).

Definition 6
A strategy σ on a prearena A, written σ : A, is a set of even-length plays of A satisfying the standard conditions. GRef-terms Γ ⊢ M : θ, where Γ = {x1 : θ1, · · · , xn : θn}, are interpreted by strategies for the prearena ⟦θ1⟧ ⊗ · · · ⊗ ⟦θn⟧ → ⟦θ⟧, which we shall denote by ⟦Γ ⊢ θ⟧. Given a set of plays X, let us write comp(X) for the set of complete plays in X, i.e. those in which each occurrence of a question justifies an answer. The interpretation is then fully abstract in the following sense.
Proposition 7 ([19,24,28]) For all GRef-terms Γ ⊢ M1, M2 : θ, the two terms are contextually equivalent if and only if comp(⟦Γ ⊢ M1⟧) = comp(⟦Γ ⊢ M2⟧). We shall rely on the result for proving both undecidability and decidability results, by referring to complete plays generated by terms.

Example 8
The name-generating term λx unit .ref(0) : unit → ref int yields complete plays of the shape given below (the corresponding prearena is given on the right).
for any i ≠ j we have a_i ≠ a_j. Note that Σ′_i can be different from Σ_i, i.e. the environment is free to change the values stored at all of the locations that have been revealed to it.
Note that in the above example the sizes of stores keep on growing indefinitely. However, the essence of the strategy is already captured by plays of the shape q ⋆ q0 a0^(a0,0) · · · q0 ai^(ai,0) q0 · · · under the assumption that, whenever a value is missing from the store of an O-move, it is arbitrary and, for P-moves, it is the same as in the preceding O-move. Next we spell out how a sequence of moves-with-store, not containing enough information to qualify as a play, can be taken to represent proper plays.

Definition 9
Let s = m1^Σ1 · · · mk^Σk be a play over ⟦Γ ⊢ θ⟧ and t = m1^Θ1 · · · mk^Θk be a sequence of moves-with-store. We say that s is an extension of t if Θi ⊆ Σi (1 ≤ i ≤ k) and the omitted values are filled in according to the convention above (arbitrarily at O-moves, by copy-cat at P-moves). We write ext(t) for the set of all extensions of t.
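The pointwise store-inclusion condition Θi ⊆ Σi of Definition 9 can be sketched as follows; this is an illustration of ours, with stores modelled as dicts from names to values, and the side condition on how omitted values are filled in is elided.

```python
def is_substore(theta, sigma):
    """Theta ⊆ Sigma: every binding of the smaller store occurs in the larger."""
    return all(name in sigma and sigma[name] == val
               for name, val in theta.items())

def stores_extend(small_stores, big_stores):
    """Pointwise check Theta_i ⊆ Sigma_i along two sequences of equal length,
       i.e. the store part of the extension condition of Definition 9."""
    return len(small_stores) == len(big_stores) and all(
        is_substore(t, s) for t, s in zip(small_stores, big_stores))
```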
Because we cannot hope to encode plays with unbounded stores through automata, our decidability results will be based on representations of plays that capture strategies via extensions.

Undecidability arguments
We begin with undecidable cases. Our argument will rely on queue machines, which are finite-state devices equipped with a queue.
A queue machine starts at state init with an empty queue. Whenever it reaches a state q ∈ Q_E, it will progress to the state π1(δ_E(q)) and π2(δ_E(q)) will be added to the associated queue, where π1, π2 are the first and second projections respectively. If the machine reaches a state q ∈ Q_D and its queue is empty, the machine is said to halt. Otherwise, it moves to the state δ_D(q, x), where x is the symbol at the head of the associated queue, which is then removed from the queue. The halting problem for queue machines is well known to be undecidable (e.g. [17]). By encoding computation histories of queue machines as plays generated by GRef terms, we next show that the equivalence problem for GRef terms must be undecidable. Note that this entails undecidability of the associated notion of term approximation.
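The operational rules above can be sketched as a small simulator. This is our own illustration: the dictionary encoding of δ_E and δ_D, the step bound fuel (used only to cut off non-halting runs), and the convention that the final attempted dequeue is recorded as a D are assumptions made here for illustration.

```python
from collections import deque

def run(delta_E, delta_D, init, fuel=1000):
    """delta_E: enqueue states q in Q_E -> (next_state, enqueued_symbol).
       delta_D: (dequeue_state, head_symbol) -> next_state.
       Returns (ops, halted): ops is the E/D operation sequence performed
       (whose prefixes form hist(Q)); halted reports whether the machine
       attempted to dequeue an empty queue within `fuel` steps."""
    state, queue, ops = init, deque(), []
    for _ in range(fuel):
        if state in delta_E:                       # state in Q_E: enqueue
            state, sym = delta_E[state]
            queue.append(sym)
            ops.append('E')
        else:                                      # state in Q_D: dequeue
            ops.append('D')
            if not queue:
                return ops, True                   # empty queue: halt
            state = delta_D[(state, queue.popleft())]
    return ops, False
```

For instance, a machine that enqueues one symbol and then keeps dequeuing halts, while a machine that always enqueues never does.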

Theorem 11
The contextual equivalence problem is undecidable in the following cases (even in the absence of looping):

- ⊢ unit → unit → unit
- (unit → unit → unit) → unit ⊢ unit
- ⊢ ((unit → unit) → unit) → unit
- (((unit → unit) → unit) → unit) → unit ⊢ unit

In the following we prove undecidability in each of the cases of Theorem 11.

⊢ unit → unit → unit: We first sketch the argument. The arena used to interpret closed terms of type unit → unit → unit has the shape given on the right.
We are going to use plays from the arena to represent sequences of queue operations. Enqueuing will be represented by segments of the form q0 ⋆0, whereas q1 ⋆1 will be used to represent dequeuing. Additionally, in the latter case q1 will be justified by the ⋆0 belonging to the segment representing the enqueuing of the element that is now being dequeued. For instance, the sequence EEDEDE, in which E, D stand for enqueuing and dequeuing respectively, will be represented as follows. Note that all such plays are complete. Given a queue machine Q, let us write hist(Q) for the (prefix-closed) subset of {E, D}∗ corresponding to all sequences of queue operations performed by Q. Note that hist(Q) is finite if and only if Q halts. Additionally, define hist−(Q) to be hist(Q) from which the longest sequence is removed (if hist(Q) is infinite, the sequence in question does not exist and we set hist−(Q) = hist(Q)). Note that the longest sequence, when it exists, corresponds to a terminating run and necessarily ends in D.
Proof WLOG we shall assume that the states and symbols of Q can be fitted into int (otherwise, we could use a fixed number of variables to achieve the desired storage capacity). The terms are given in Fig. 1 (∗ is a special symbol not in the queue alphabet and Ω is a canonical divergent term). C0[−] and C1[−] handle enqueuing and dequeuing respectively. Note that there are only three moves that O can play: q, q0 and q1. After the initial q, P must follow with ⋆ thanks to C[−], which will not cause divergence. Note that it declares the variable STATE (initialized to init), whose scope spans the whole term and which will be updated at each step to mimic the state of Q. After q is played, it can never be played again, but O can still play q0 or q1. These are handled by C0[−] and C1[−] respectively. -If O plays q0 when Q is not able to enqueue, P will not respond; this is caused by the corresponding check in C0[−]. However, if Q is in enqueuing mode, local references SYM and PREV will be created. SYM is initialized to the symbol that Q will add to the queue. PREV contains the name of the reference cell in which the previously enqueued symbol was stored (as soon as the symbol is dequeued, the value stored in that cell will be set to ∗). The "global" reference LAST (of type ref(ref int)) is used to pass the name from one q0 ⋆0 segment to the next. Hence, the current value of SYM is written to LAST as soon as the previous value of LAST has been recorded in PREV. The assignment is followed by the value λy.C3[−], so P will respond with ⋆0.
-If O plays q1 in an enqueuing state, P will not respond due to the !STATE ∉ Q_D check in C1[−]. Furthermore, P will not reply when q1 is justified by a ⋆0 from a block corresponding to an element that has already been taken off the queue (!SYM = ∗), or when q1 is justified by a ⋆0 from a block corresponding to an element that is still present in the queue but does not occur at its head (!!PREV ≠ ∗).
Otherwise (i.e. if O plays q1 and justifies it with the ⋆0 from the q0 ⋆0 segment corresponding to the least recent symbol that has not been dequeued), STATE will be updated and SYM will be set to ∗ to record the access. The strategy corresponding to M will then reply with ⋆1. The one associated with M− will do the same, unless Q is about to halt. This is thanks to the (!STATE ∈ Q_D ∧ !!LAST = ∗) condition, which checks whether Q is about to dequeue (!STATE ∈ Q_D) the empty queue (!!LAST = ∗).
Hence, M and M− both represent the behaviour of Q, except that, if Q halts, the strategy corresponding to M− will not generate the last q1 ⋆1 segment corresponding to the last dequeuing operation. Consequently, M and M− correspond to hist(Q) and hist−(Q) respectively.
Observe that hist(Q) = hist−(Q) exactly when Q does not halt. Consequently, the problem of deciding hist(Q) = hist−(Q) is undecidable. Thus, via Proposition 7, we can conclude that program equivalence is undecidable for closed terms of type unit → unit → unit. The remaining cases are discussed below.

(unit → unit → unit) → unit ⊢ unit: The arena at hand has the following shape. As before, we use q0 ⋆0 and q1 ⋆1 to represent enqueuing and dequeuing respectively. They will be preceded by a single segment q q′. Note that this means that no complete plays will arise until q is answered. We shall arrange for this to happen only when the whole terminating run (if any) has been represented.

(((unit → unit) → unit) → unit) → unit ⊢ unit: The corresponding arena has the shape given on the right. Our representation scheme in this case will start off with q q′, enqueuing will be interpreted by q0 q1 and dequeuing by q2 ⋆2, where q2 is justified by the q1 corresponding to the element being dequeued. Note that sequences of this kind are not complete plays, because q, q′, q0, q1 will remain unanswered. Hence, in the term construction it will not be possible to answer them until a terminating run has been fully simulated. Then O's ⋆1 will trigger P's ⋆0, and O's ⋆′ will trigger P's ⋆.
The test phrases block P from providing the answers ⋆1 or ⋆ prematurely.

Proposition 16 The problem of deciding contextual equivalence for terms of the judgement (((unit → unit) → unit) → unit) → unit ⊢ unit is undecidable.

⊢ ((unit → unit) → unit) → unit: The corresponding arena has the shape given on the right. Our representation scheme in this case will start off with q ⋆, enqueuing will be interpreted by q0 q1 and dequeuing by q2 ⋆2, where q2 is justified by the q1 corresponding to the element being dequeued. Note that, apart from q ⋆, sequences of this kind are not complete plays, because q0, q1 will remain unanswered. Hence, in the term construction it will not be possible to answer them until a terminating run has been fully simulated. Then O's ⋆1 will trigger P's ⋆0.
The test phrases block P from providing the answer ⋆1 prematurely.

Proposition 18
The problem of deciding whether a given term M : ((unit → unit) → unit) → unit is equivalent to λf^((unit→unit)→unit).Ω is undecidable.

Decidability
We now focus on a fragment of GRef, called GRef , that comprises all types that do not fall under the undecidable cases identified earlier.

Definition 20
For every type θ let us define the associated set of labels L θ as follows: We shall write L for the set of all labels.
Let us fix notation for referring to moves that are available in arenas corresponding to GRef typing judgments: each move can be viewed as a pair (l, t) subject to consistency constraints induced by the subtypes which contribute them, e.g. the label corresponding to a tag related to int must be a number from [0, max].

Thus, consistent pairs (l, t) uniquely specify moves of ⟦Γ ⊢ θ⟧. The tag t specifies the position of the move within the arena, while the label l determines its actual value. We shall write T to refer to the set of tags.
In order to show decidability we first translate GRef terms into automata that represent their game semantics. A corollary of Lemma 2 is that any GRef term can be effectively converted to an equivalent term in canonical shape.
Consequently, it suffices to show that program equivalence between terms in canonical form is decidable. Accordingly, in what follows, we focus exclusively on translating terms in canonical shape. We next introduce a class of automata (over an infinite input alphabet) which will be the target of our translation from canonical forms of GRef .

A class of automata
To enable a finite specification of our automata and to describe their semantics we introduce the following definitions. Recall that A is the set of names (partitioned according to reference types), and let C = {0, · · · , max} be the set of constants. Let us also fix natural numbers n_r, n with n_r ≤ n, a finite set C_stack of stack symbols and a finite set T of tags, partitioned into push tags, pop tags and no-op tags.

Definition 21
We introduce the following notions.
-SL = C ∪ {R1, · · · , Rn} is the set of symbolic labels. We use ℓ to range over its elements.
-Reg is the set of injective partial functions ρ : {1, · · · , n} ⇀ A. Its elements are called register assignments and we use ρ to range over them.
-Sto is the set of partial functions Σ : A ⇀ [0, max] ∪ A such that dom(Σ) contains at most n elements and, moreover, Σ is closed and well-typed. Its elements will be called stores and ranged over by Σ.
-SSto is the set of partial functions S : [1, n] ⇀ [0, max] ∪ {R1, · · · , Rn} such that [1, n_r] ⊆ dom(S) and, for each i ∈ dom(S), depth(S, i) is well-defined (and finite). The depth and the full value of an index i ∈ dom(S) are given respectively by: The elements of SSto will be called symbolic stores and ranged over by S. The depth restriction ensures that symbolic stores are closed and acyclic.
-Sta = (C_stack × Reg)∗ is the set of stacks. We shall range over stacks by σ, and over elements of a stack σ by (s, ρ).
-Mix is the set of partial injections π : [n_r + 1, n] ⇀ [n_r + 1, n]. For each π, we write π̂ for the extension of π to [1, n].
-TL is the set of transition labels νX.(ℓ, t)^S φ, where φ is:
 -a push pair (s, π), in which case we may also write νX.(ℓ, t)^S /(s, π);
 -a pop pair (s, π), in which case we may also write νX.(ℓ, t)^S , (s, π);
 -or a no-op (), in which case we may simply write νX.(ℓ, t)^S.
We stipulate that S(j) be defined whenever νX.(ℓ, t, φ)^S ∈ TL and j ∈ X or ℓ = R_j. Moreover, we partition TL = TL_push ⊎ TL_pop ⊎ TL_noop depending on the partitioning of tags.
In such a case, we can derive the corresponding store. Moreover, we shall be using standard notation for assignment updates; note in particular that a dedicated symbol is used for register deletions. Similar notations will be used for store and partial-injection updates. Furthermore, for a store Σ and a set of names B, we define the restrictions Σ↾B and Σ\B. Finally, we let clo(Σ, B) be the least set of names C such that B ⊆ C and, for all a ∈ C, if Σ(a) ∈ A then Σ(a) ∈ C. For each symbolic store S and set of indices X, we define S↾X, S\X and clo(S, X) in an analogous manner.
We can now define (n r , n)-automata, which will be used for representing game semantics. An (n r , n)-automaton is equipped with n registers, the first n r of which will be read-only, and utilises a pushdown stack where it pushes stack symbols along with full register assignments.
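The register and stack discipline just described can be illustrated with the following sketch of ours (the (n_r, n)-automaton itself is not implemented): registers form an injective partial assignment, a push snapshots the full assignment alongside a stack symbol, and fresh-name generation picks names not seen anywhere so far, not merely names absent from the registers.

```python
def set_register(rho, i, name):
    """Update an injective partial assignment {index: name}; any old register
       holding `name` is deleted first, keeping the assignment injective."""
    rho = {j: a for j, a in rho.items() if a != name}
    rho[i] = name
    return rho

def push(stack, symbol, rho):
    """Push a stack symbol together with a snapshot of the full assignment."""
    stack.append((symbol, dict(rho)))

def pop(stack):
    """Pop the topmost (symbol, saved assignment) pair."""
    return stack.pop()

def fresh_name(used):
    """Globally fresh name: absent from all names seen so far (contrast with
       register pushdown automata [7], which can only avoid register contents)."""
    n = 0
    while n in used:
        n += 1
    used.add(n)
    return n
```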
Additionally, if θ is a base type then there is a unique final state q F without outgoing transitions and reachable only via no-op transitions.
Our automata operate on words over the infinite alphabet (C ∪ A) × T × Sto. We shall write (l, t)^Σ to refer to its elements. We first explain the meaning of the transition relation informally. Suppose A is at state q1, ρ is the current register assignment and σ is the current stack. A transition (q1, νX.(ℓ, t)^S φ, q2) will accept an input (l, t)^Σ and move to state q2 if the following steps are successful.
The above is formalized next, where P_fin(A) is the set of finite subsets of A.

Definition 23
Let A = ⟨Q, q0, ρ0, δ, F⟩ be an (n_r, n)-automaton. The configuration graph (Q̂, →_δ) of A is defined as follows (transitions are labelled by ε or elements of (C ∪ A) × T × Sto), where a1, · · · , am are distinct names. The set of strings accepted by A is defined as below, where ε is the empty stack.
We say that A is deterministic if, for any reachable configuration q̂, at most one transition applies to any given input. The automata specifically used for our constructions follow some stronger disciplines.

Definition 24
We say that A is strongly deterministic if: -for each q ∈ Q_P there is at most one transition out of q (i.e. |δ↾{q}| ≤ 1), and if (q, νX.(ℓ, t, φ)^S, q′) ∈ δ then |δ↾{q′}| ≤ 1 and in particular q′ may only have an outgoing transition of the form (q′, π, q′′) such that ∀π′, q′′′. (q′′, π′, q′′′) ∉ δ; For such an A, we may write q →_P ... The last condition above corresponds to frugality (cf. Definition 5): fresh names must be reachable from names that were already available or appear in the current transition label.

Lemma 25 If A is strongly deterministic then it is deterministic.
Proof The claim is obvious for configurations with P-states, as well as for (reachable) configurations with O-states and outgoing transitions of the form q −π→ q′, because of the first condition in the previous definition. For configurations with O-states and transitions of the other form, the second condition above ensures that each label has at most one accepting edge, as long as in each configuration each top stack element can be popped uniquely (i.e. with at most one φ). The latter follows from the definition of configuration graphs.

Lemma 26 Given
Proof WLOG we assume that w1, w2 have the same underlying sequence of moves. Let w′_i m^Σ_i be the prefix of w_i of length n (i = 1, 2). We show by induction on n that Σ1 = Σ2. By IH (if n > 1) or by definition (if n = 1) we have that w′1 = w′2. Moreover, by the previous lemma, w′1, w′2 lead to some common configuration q̂ of A. If n is even then, by the first clause of Definition 24, we have that Σ1 = Σ2. If n is odd then by hypothesis we have that Σ1, Σ2 have a common extension and, thus, using the last clause of Definition 24, we obtain Σ1 = Σ2.

Definition 27 Let A = ⟨Q, q0, ρ0, δ, qF⟩ be a strongly deterministic automaton of base type. We define the set of quasi-final states E to be the set of states that reach qF in one step. Then E is canonically partitioned as follows.

Automata for GRef
Recall we are only going to translate terms in canonical form.
Let Γ = {x1 : θ1, · · · , xm : θm} and let Γ ⊢ C : θ be a GRef-term in canonical form. Let us write P1(⟦Γ ⊢ θ⟧) for the set of plays-with-store of length 1 over ⟦Γ ⊢ θ⟧. Recall that each of them will have the form i^Σ0. These can be accompanied by register assignments of fixed size, appropriate to contain all names in Σ0 and names created while translating GRef-terms, leading to the following construction.
For brevity, we shall write each element (i^Σ0, ρ0) ∈ I⁺ as i^Σ0 ρ0. We now instantiate the automata defined in the previous section by using the finite set of tags T. Moreover, we will impose the following condition on our automata: all pushes/pops will not involve any registers (i.e. they will have φ = (s, ∅)), except if the tag t in question satisfies the relevant condition.

Remark 28 A canonical form of GRef will be translated into a family of automata indexed by I⁺. For each i^Σ0 ρ0 ∈ I⁺, the corresponding automaton will accept exactly the words w such that i^Σ0 w is a representation of a complete play induced by the canonical form. The family will be infinite, but finite when considered up to name permutations.
For any GRef-term Γ ⊢ C : θ in canonical form we define an I⁺-indexed family of automata by induction on the shape of C. In all cases, the automaton for i^Σ0 ρ0 will have n0 = |ν(i)| read-only registers and the initial assignment will be ρ0. The precise number of registers can be calculated easily by reference to the constituent automata. Let us write S0 for the symbolic store determined by Σ0 and ρ0. The base and inductive cases are as follows.
and the initial transition deletes all names in ρ 0 which break frugality of i Σ 0 , that is, if it is a name, to the register in position n 0 +1, and leaves all other names in ρ 0 untouched.
where z has arity r and Σ ranges over stores with dom(Σ) = clo(Σ, ν(i)). These are infinitely many, but finitely many up to permutations of fresh names. In the transitions we pick X, S such that there is one transition for each of the (finitely many) equivalence classes. Moreover, ρ′0 is specified by stipulating dom(ρ′0) = [1, n0] ∪ X and Σ = Sto(ρ′0, S).
where r, Σ, S, X, ρ′0 are as above and j ranges over the relevant index set. We pick X′, S′ such that there is one symbolic transition for each of the intended transitions (b, r^z_r)^Σ, and specify ρ′0 accordingly, making sure that ρ′0(n0 + 1) = b.
where r, Σ, S, X, ρ 0 are as above and where we have replaced every tag superscript y with z.
are defined similarly to the above.
Here the inductive hypothesis gives us an automaton for Γ, x : ref 2 γ C : θ . In order to transform the latter into an automaton for our given term, we need to hide the name corresponding to x from the automaton, until the point where the name is eventually revealed in some move (it is also possible that the name remains private indefinitely). This hiding of x effectively has wider repercussions as we need also to hide any name that x exclusively points to, and so on, along with their stored values. It is therefore useful to define a more general hiding construction.
Let A be an (n_r, n)-automaton, let X0, · · · , Xh be an enumeration of all subsets of [n_r + 1, n] and let T_i,0, · · · , T_i,g_i be an enumeration of all partial symbolic stores on X_i (i.e. of all T = S↾X_i for some symbolic store S). For each 0 ≤ i ≤ h and 0 ≤ j ≤ g_i we define an (n_r, n)-automaton A^T_i,j restricted to X_i to be a copy of A in which we have hidden the names in registers X_i, while the store restricted to the names in those registers is T_i,j. Concretely, in the copy we have removed X_i from the domains of all symbolic stores in the remaining transitions. We define νA as the (n_r, n)-automaton fragment (no initial state) obtained by interconnecting these automata as below.
The transitions are as follows. Let (X, T ) be an element of the above enumeration.
• For (while (!x) do C); C′, given the automata for C and C′, with appropriate initialisations, we construct a new automaton as follows. Suppose x ≡ x_k and ρ0(k) = l_k. If the initial value stored for x is 0 (i.e. if Σ0(l_k) = 0) then we simply return the automaton for C′. Otherwise, we need to combine the automata for C and C′ in such a way that C is run repeatedly (with appropriate initialisation), until it reaches a final state via a final transition whose symbolic store assigns 0 to k. At this point, the automaton switches and starts simulating C′. An important point in this construction is that the final transitions of C are hidden in the new automaton, as the return values of the while guard are not revealed in the semantics. This hiding implies a potential hiding of names as well: any names created in final transitions of C need to be hidden too. This latter kind of hiding is delegated to the ν-construction that we described two cases above.
Formally, let Σ0, · · · , Σh be an enumeration (modulo permutation of fresh names) of all stores Σ with dom(Σ) = clo(Σ, ν(i)). Recall that x ≡ x_k and ρ0(k) = l_k, and recall the presentation of an automaton given in Definition 27. We define the while automaton from copies of the constituent automata, with each ρ_i specified by Σ_i as above, connected together as below.
The initial state is the one of the (∅, ·) copy. Let S_i be specified accordingly; each copy is an (n0 + 1, n)-automaton, but we render it into an (n0, n) one by adjusting the registers. We let X, S be derived from Σ and denote the two copies by C_S and C′_S. Each state q in the automaton for C has copies q̄, q̂ in C_S, C′_S respectively.
The unique final state is q 1 . The transitions in typewriter font are defined as follows.
-We connect every final state of C S with q 1 using a transition with label ∅ (done). Similarly for done .
The other cases of λx β→Θ 1 .C are dealt with in a similar way. The case of λx β .C is treated as above, excluding q 2 and C S from the construction.
• For the case of let y = z(λx unit→Θ 1 .C) in C′ it is useful to introduce a notion of automaton which operates by interleaving runs from two constituent automata. Since a similar construction will be of use in the next section, we give a general notion of automaton which can combine runs either by matching or by interleaving them. We define these generalised automata and give the construction of the one corresponding to let y = z(λx unit→Θ 1 .C) in C′ . Generalised automata can be reduced to equivalent ordinary ones.
Let n r ≤ n 1 , n 2 and set n′ = n 1 + n 2 − n r . For each i ∈ [n r + 1, n 2 ] we define its shift i + = i + n 1 − n r ; note that i + ∈ [n 1 + 1, n′ ]. We also fix a fresh label symbol ⋆, which is used to indicate the automaton that will not advance in a given transition. For any set X , we write X ⋆ for (X ∪ {⋆}) 2 \ {(⋆, ⋆)}.
We now proceed with the case of let y = z(λx unit→Θ 1 .C) in C′ . The corresponding automaton will first read a move indicating that z is being called (tag c z r ). After that, a detour to λx.C will be an option, which O can initiate with a move tagged with c z,0 r . Modelling the detour is analogous to the interpretation of λx.C. Once the detour is completed, or the possibility is not exercised, O can play a move tagged with r z r , corresponding to the return by z. This triggers a transition to the automaton for C′ , in which we need to modify labels by replacing y with z and to allow for detours to λx.C each time C′ makes a transition on a P-move corresponding to y. Note that this is consistent with the behaviour of the corresponding strategy, due to the visibility and well-bracketing conditions.
Technically, for each Σ and related S , X , ρ 0 , we consider two modified copies of C (i) Σ ρ 0 in which: 7
- transitions with t A having superscript y are tagged as q C ;
- we replace tag superscripts y with z.
7 i.e. we stipulate that Σ 1 , Σ 2 agree on common names, while values of private names remain unchanged. This stems from the fact that we do not compare plays but, rather, representations thereof.
We set n 2 to be the maximum number of registers in these automata, and let n = n 1 + n 2 − n 0 with n 1 defined below. We denote the two copies by C S and C S respectively and consider them to be (n 0 , n 1 , n 2 )-automata. In the first one we write states asq, while the other one has (the same) states in formq.
For each tagged stateq C of C S , and each Σ and related X, S, ρ 0 , consider the automaton C (i ) Σ ρ 0 . We set n 1 to be the maximum number of registers in these automata. We define a modified copy of each -replacing all tags r ↓ by r z r,0 , where r is the arity of z.
we denote the resulting automaton by C q C S , considered as an (n 0 , n 1 , n 2 )-automaton, and its states by (q,q C , S). We construct another copy C q C S following the same routine, albeit for each stateq C of C S .
We construct an (n 0 , n 1 , n 2 )-automaton for let y = z(λx.C) in C′ . All the arrows above represent transitions in the first partition of the automaton (but we have omitted the RHS for economy), and the same goes for all transitions inside subautomata involving C. The transitions in subautomata coming from C′ contribute to the second component. We connect each state q C of C S with the initial state of C q C S . We connect every final state of each C q C S with q C using a transition with label ∅ (done). Similarly for done′ .
-For each q C , S and each q A with φ A = ((q A ,q C , S), π) and φ B = ((q B ,q C , S), ∅).
We also add (push , pop ) (q A ,q C , S) The other cases of let y = z(λx β→Θ 1 .C) in C are dealt with in a similar way.
Observe that the basic cases in our construction yield strongly deterministic automata. Moreover, strong determinacy is preserved in the inductive cases. This is obvious in cases without interaction between different sub-automata. Moreover, in the cases of let x = ref(y) in C and (while (!x) do C); C , the connections between different components are made from states which end up having unique outgoing transitions. The same holds also for the cases of λx.C and let y = z(λx.C) in C , with the addition that now there are also new pop transitions to be taken into account which, however, operate on fresh stack symbols and therefore do not interfere with the constituent automata. In the latter case, the reduction from the generalised interleaving automaton to the ordinary one preserves strong determinacy.
Recall from Remark 28 that · · · and · · · merely differ by the absence of initial moves in · · · . Consequently, the constructions outlined above imply the following lemma.
is the set of plays over Γ θ that start from i Σ 0 .

Reduction of inclusion into emptiness
The aim of this section is to establish the following result.

there exists a deterministic (|ν(i)|, n j )-automaton B j with initial register assignment
Let Γ C 1 , C 2 : θ be GRef-terms in canonical form and let A 1 and A 2 be the automata representing their respective semantics for a given initial move i Σ 0 . We construct an automaton A such that: The idea behind the construction of A is the following. We arrange for the automaton to behave as a product automaton for A 1 and A 2 , i.e. an automaton accepting their common strings (with possible extensions to stores on each side). The constructed automaton has the additional feature that, for each transition of A 1 , it checks whether the transition can be replicated by A 2 . If it can, then the automaton continues behaving as a product automaton. If the transition cannot be replicated, then the automaton switches to divergence mode, where it behaves as A 1 . The automaton accepts just if it reaches a final state in divergence mode. The latter is justified by the fact that, in such a case, the automaton has detected a string in A 1 which A 2 cannot replicate and which leads to a complete play of C 1 .
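In a toy finite-alphabet setting (deterministic transition tables, no registers or stores), the product-with-divergence idea can be sketched as follows. The per-word `accepts` interface is an illustrative simplification: the actual construction builds an automaton whose emptiness is then tested.

```python
# Sketch: run A1 and A2 in lockstep; the moment A2 cannot replicate an
# A1-transition, switch to "divergence mode" and follow A1 alone. A word is
# accepted only if a final A1 state is reached after divergence, i.e. it
# witnesses behaviour of A1 that A2 cannot match.

def diverging_product(d1, s1, f1, d2, s2):
    """d1, d2: deterministic transition tables {(state, sym): state};
    s1, s2: initial states; f1: final states of A1."""
    def accepts(word):
        q1, q2, diverged = s1, s2, False
        for sym in word:
            if (q1, sym) not in d1:
                return False                  # A1 itself cannot proceed
            q1 = d1[(q1, sym)]
            if not diverged:
                if (q2, sym) in d2:
                    q2 = d2[(q2, sym)]        # product mode: both advance
                else:
                    diverged = True           # A2 stuck: enter divergence mode
        return diverged and q1 in f1
    return accepts
```

For example, if A1 accepts {ab, ac} and A2 accepts only {ab}, the construction accepts "ac" (divergence at 'c') but rejects "ab" (no divergence ever occurs).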
Suppose now each A i is an (n r , n i )-automaton given by A i = Q i , q 0i , ρ 0i , δ i , F i and assume that ρ 01 = ρ 02 . We first construct a generalised (n r , n 1 , n 2 )-automaton A = Q, q 0 , ρ 0 , δ, F that operates equivalently to our target automaton A described above. In particular, we set: 1 and div the first projection. For each (q 1 , q 2 ) ∈ Q we include in δ precisely the following transitions.
Lemma 31 For C 1 , C 2 , A 1 , A 2 and A as above: · · · . By construction of A, the accepting run for w A yields an accepting run for w 1 in A 1 via the first projection. By Lemma 29, we have ext( · · · ). On the other hand, via the second projection of the accepting run for w A up to the point of switching to divergence mode, we obtain a run of A 2 which, however, may only be resumed in A 2 by a different (up to extension) P-move than that required by w A . Hence, i Σ 0 w ∉ Γ C 2 : θ . Conversely, let i Σ 0 w ∈ comp( Γ C 1 : θ ) \ Γ C 2 : θ and let i Σ 0 w x y be its least prefix that appears in Γ C 1 : θ \ Γ C 2 : θ . By construction, our automata are closed under legal O- to P-transitions, so A 2 must accept (a representation of) i Σ 0 w x and fail to process y. On the other hand, A 1 will be able to process a whole representation of i Σ 0 w. Thus, A will operate as a product automaton until i Σ 0 w x and then enter divergence mode and continue as A 1 . Consequently, A will accept some i Σ 0 w̃ such that i Σ 0 w ∈ ext(i Σ 0 w̃ ), i.e. L(A) ≠ ∅.
Determinacy extends to generalised automata in the obvious way: an automaton is deterministic if its configuration graph is. The notion of strong determinacy extends in the following manner. By construction, the automaton A above is strongly deterministic.

Lemma 33 If A is strongly deterministic then it is deterministic.
Proof Again, cases with P- to O-transitions and transitions with rearrangements are taken care of by the first condition above. The case of an O- to P-transition in one component follows from the second condition, as in Lemma 25, using the first and last subcases of the second condition above. Finally, if such transitions happen in both components and induce, say, q̂ −(l,t) Σ→ q̂ i , i = 1, 2, where q̂ has state q, let these be combinations of transitions with labels (l, t) Σ 11 and (l, t) Σ 12 , and of (l, t) Σ 21 and (l, t) Σ 22 respectively (here the second index specifies the component). We have Σ = Σ 11 ∪ Σ 12 = Σ 21 ∪ Σ 22 . Consider the associated ν X i j .( , t, φ i j ) S i j , for i, j = 1, 2, and in particular the ordinary transitions (q, ν X i1 .( , t, φ i1 ) S i1 , q i ). Since they are both accepting from q̂, it must be that φ 11 = φ 21 . Moreover, as Σ 11 and Σ 21 agree on their common names, S 11 and S 21 may only disagree on X 11 , X 21 . But, by frugality, the latter are reachable from the indices of available registers and therefore S 11 = S 21 , modulo permutation of fresh indices. Thus, ν X 11 .( , t, φ 11 ) S 11 ∼ α ν X 21 .( , t, φ 21 ) S 21 and, similarly, ν X 12 .( , t, φ 12 ) S 12 ∼ α ν X 22 .( , t, φ 22 ) S 22 . By strong determinacy we get q 1 = q 2 and thus q̂ 1 = q̂ 2 .
The operation of a generalised automaton can be faithfully simulated by a corresponding ordinary automaton. More precisely, we can show that from a given generalised automaton A we can effectively construct a bisimilar ordinary one.
Let G 1 , G 2 be labelled directed graphs with nodes selected from sets of configurations Q̂ 1 , Q̂ 2 respectively, and labels selected from the set { } ∪ (L × T × Sto). Moreover, let each G i have initial configuration q̂ 0i and final configurations Q̂ i F . We say that a relation R ⊆ Q̂ 1 × Q̂ 2 is a simulation if, for all q̂ 1 R q̂ 2 : · · · . We say that R is a bisimulation if both R and R −1 are simulations. Moreover, G 1 and G 2 are bisimilar, written G 1 ∼ G 2 , if there is a bisimulation R such that q̂ 01 R q̂ 02 .
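For finite labelled graphs, computing the greatest bisimulation can be sketched by a naive fixpoint refinement, as below. This is an illustrative simplification: final configurations and ε-labels are ignored, and the quadratic refinement is not the optimal partition-refinement algorithm.

```python
# Sketch: start from the full relation and repeatedly delete any pair (p, q)
# where one side has a labelled edge the other cannot match inside the
# remaining relation; the stable relation is the greatest bisimulation.

def bisimilar(edges1, edges2, q01, q02):
    """edges: iterable of (src, label, dst). Returns True iff q01 ~ q02."""
    def succ(edges):
        m = {}
        for s, l, t in edges:
            m.setdefault(s, []).append((l, t))
        return m
    s1, s2 = succ(edges1), succ(edges2)
    nodes1 = {q01} | {x for s, _, t in edges1 for x in (s, t)}
    nodes2 = {q02} | {x for s, _, t in edges2 for x in (s, t)}
    rel = {(p, q) for p in nodes1 for q in nodes2}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(rel):
            # every move of p must be matched by q, and vice versa
            ok = all(any(l == l2 and (t, t2) in rel for l2, t2 in s2.get(q, []))
                     for l, t in s1.get(p, [])) and \
                 all(any(l2 == l and (t, t2) in rel for l, t in s1.get(p, []))
                     for l2, t2 in s2.get(q, []))
            if not ok:
                rel.discard((p, q)); changed = True
    return (q01, q02) in rel
```

For instance, a single 'a'-self-loop is bisimilar to a two-state 'a'-cycle, while adding an extra 'b'-edge on one side breaks bisimilarity.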
In particular, we say that A and A′ are bisimilar, written A ∼ A′ , if their configuration graphs are bisimilar.

Lemma 34 Let A be an (n r , n 1 , n 2 )-automaton and set n′ = n 1 + n 2 − n r . We can effectively construct an (n r , n′ )-automaton A′ such that A ∼ A′ . Moreover, if A is strongly deterministic then so is A′ .
The construction of A is presented in Appendix B. Combining Lemmata 31 and 34, and using the fact that bisimilarity implies language equivalence, we obtain the following.

there exists a deterministic (|ν(i)|, n j )-automaton A j with initial register assignment
Lemma 30 then follows as a corollary.

Emptiness for fresh pushdown register automata
Returning to Lemma 30, note that, although I + Γ θ is an infinite set, there exists a finite subset J ⊆ I + Γ θ such that {A j } j∈J already captures comp( Γ C : θ ), because up to name-permutation there are only finitely many initial moves. Consequently, we only need finitely many of them to check whether Γ C 1 ∼ C 2 . By Lemma 30, to achieve this we need to be able to decide the emptiness problem for (n r , n)-automata.
To show decidability, we translate (n r , n)-automata into an extended variant of pushdown register automata [7] (PDRA) over infinite alphabets. They are similar to (n r , n)-automata in that they are equipped with registers and a stack. However, there are a few differences.
-PDRA can only process one name in a computational step, while (n r , n)-automata read a label, a tag and a store in a single step. This can easily be overcome by decomposing transitions of our automata into a bounded number of steps (the existence of the bound follows from the fact that symbolic stores in our transition function are bounded).
-All registers in PDRA must be full, while (n r , n)-automata admit empty registers. This difference can be compensated for by populating registers with dummy names, while storing information about which registers are deemed to be empty in the finite state.
-(n r , n)-automata allow for rearrangements of registers in a single ε-step. Again, this can be decomposed into a sequence of ε-transitions of a PDRA by using the stack.
-(n r , n)-automata have the ability to create globally fresh names (guaranteed not to have been encountered in the whole computational run), while PDRA can only create locally fresh names (through so-called reassignment), which are guaranteed not to occur in the present register assignment. This discrepancy cannot be dealt with easily and we provide a separate argument why the emptiness problem for the extension of PDRA with (globally) fresh-name generation remains decidable.
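The second compensation step (dummy names for empty registers) can be sketched as follows. The `PaddedRegisters` helper and its operations are a hypothetical illustration, not part of the PDRA definition.

```python
# Sketch: simulate n possibly-empty registers with n always-full ones, keeping
# the set of "really empty" indices in the finite control. Erased registers are
# refilled with fresh dummy names so that the assignment stays injective.

import itertools

class PaddedRegisters:
    _fresh = itertools.count()          # source of distinct dummy names

    def __init__(self, n):
        self.regs = [('dummy', next(self._fresh)) for _ in range(n)]
        self.empty = set(range(n))      # indices deemed empty (finite-state info)

    def write(self, i, name):
        self.regs[i] = name
        self.empty.discard(i)

    def erase(self, i):
        # a fresh dummy preserves injectivity of the underlying assignment
        self.regs[i] = ('dummy', next(self._fresh))
        self.empty.add(i)

    def read(self, i):
        return None if i in self.empty else self.regs[i]
```
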
We start off with a generalisation of pushdown register automata [7] to data words. That is to say, in a non-epsilon step, the automaton reads a pair consisting of a tag (taken from a finite set of tags) and a value, which comes from the infinite alphabet. The latter will often be referred to as a name. Such pairs are also pushed on the stack. Decidability of emptiness in the absence of fresh-name generation was already shown in [7] in the tag-free case, but the generalisation to tags is rather cosmetic, since tags can be emulated with fixed names. Let Σ be an infinite alphabet and T a finite set of tags with a distinguished bottom-of-stack tag ⊥.
Definition 36 An r-register pushdown automaton (PDRA) A over (Σ, T ) is a tuple Q, q in , u, ρ, μ, F , where:
-Q is a finite set of states and q in ∈ Q is the initial state;
-u : {1, · · · , r } → Σ is an injection, called the initial assignment;
-ρ : Q → {1, · · · , r } is a partial function called the reassignment;
-μ is the transition relation, which is a mapping from · · · to finite subsets of Q × (T × {1, · · · , r }) * ;
-F ⊆ Q is the set of final states.
A configuration is a triple (q, R, S) such that q ∈ Q, R : {1, · · · , r } → Σ is injective and S ∈ (T × Σ) * . The last component represents the stack content (the leftmost symbol stands for the top of the stack). A configuration is initial if q = q in , R = u and S = [(⊥, u(r ))]. A configuration is final if q ∈ F. A generalised run of A is a sequence C 0 x 1 C 1 · · · x k C k (0 ≤ k), where each C j (0 < j ≤ k) is obtained from C j−1 and x j according to μ. Note that in generalised runs R 0 is left unspecified. This will make working with them slightly simpler, because they will be closed under bijective renamings. A run is simply a generalised run such that C 0 is initial. In an accepting run we also have q k ∈ F.
We shall say that two generalised runs are related if they are of the same length and the corresponding steps rely on the same elements of μ. Consequently, related generalised runs differ only in the names they involve (respective states and tags must be the same). We will be interested in characterizing generalised runs that are related to each other. Below we introduce several definitions that will make this possible.
Suppose R is a generalised run of length k. Let us assign timestamps from the set {1, · · · , r + k} to all occurrences of names in R. They will indicate at which step the names were introduced into the run. Note that this can happen only in two ways: via the initial assignment in C 0 or reassignment through ρ. In other cases timestamps will be inherited from previous steps. Thus we can associate timestamps with occurrences of names in generalised runs as follows:
-the occurrence of R 0 (i) in R 0 is timestamped with i for each 1 ≤ i ≤ r , and the occurrence of R 0 (r ) in S 0 is timestamped with r ;
-if a name is generated in step 1 ≤ j ≤ k through reassignment, its occurrence in R j gets timestamp r + j; otherwise, occurrences of names in registers inherit timestamps from preceding configurations;
-a name that was just pushed on the stack inherits the timestamp it had in the register before being pushed; the timestamps of other names on the stack are inherited from preceding configurations.
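For a machine stripped down to registers only (no stack), the timestamping discipline above can be sketched as:

```python
# Sketch: initial register contents carry timestamps 1..r; a name introduced by
# reassignment at step j gets timestamp r + j; all other occurrences inherit
# their timestamps from the preceding configuration.

def timestamp_run(r, steps):
    """steps: list of ('reassign', i) or ('keep',), one per step of the run.
    Returns the sequence of register timestamp vectors along the run."""
    ts = list(range(1, r + 1))          # registers 1..r start with timestamps 1..r
    trace = [tuple(ts)]
    for j, step in enumerate(steps, start=1):
        if step[0] == 'reassign':
            ts[step[1] - 1] = r + j     # fresh name => fresh timestamp r + j
        trace.append(tuple(ts))
    return trace
```
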
In what follows we shall refer to timestamps using notation such as t R j (i) or t top(S j ) . Let us write T ⊆ {1, · · · , r + k} for the set of all timestamps used to mark occurrences of names of R.
Remark 37 Note that, due to the stack discipline, whenever the same name occurs several times on the stack in a configuration of a run, the associated sequence of timestamps, from top to bottom, must be non-increasing. Additionally, if the same name also occurs in a register, its timestamp there will not be smaller than the timestamps of the occurrences of that name on the stack.
We can replace all occurrences of names in R with their timestamps to obtain what we shall call a symbolic run C sym 0 · · · C sym k . Recall that states and tags remain the same as in R. Observe the following fact.

Lemma 38 Two generalised runs are related if and only if the corresponding symbolic runs are the same.
Next we characterize assignments α : T → Σ (assigning a name to each timestamp), which can be used to convert a symbolic run generated from R into a generalised run related to R.
-First, the initial register assignment must be injective: · · ·
-The second set of constraints comes from reassignment steps, where it must be ensured that the reassigned name is different from those currently present in registers: if ρ(q i ) (0 ≤ i < k) is defined then we require that α(t R i+1 (ρ(q i )) ) ≠ α(t R i ( j) ) for any 1 ≤ j ≤ r .
-The third set of constraints is induced by popping during transitions: the name on top of the stack must match the content of a suitable register, as specified by μ: if the passage from q i to q i+1 (0 ≤ i < k) relies on an element of μ(q i , (t 1 , i 1 ), (t 2 , i 2 )) or μ(q i , ε, (t 2 , i 2 )) then α(t top(S i ) ) = α(t R i+1 (i 2 ) ).
Altogether, above we have extracted from R a set of conditions characterizing runs related to R, in terms of which names introduced into a run must be equal or unequal.

Lemma 39
Generalised runs related to R are in 1-1 correspondence with α:T → Σ satisfying the above constraints.
Below we single out a special family of such maps. Intuitively, we shall focus on generalised runs in which as many names as possible are used. Let us define = R to be the smallest equivalence relation such that i = R j whenever 'α(i) = α( j)' belongs to the third set of constraints. A map α : T → Σ will be called distinctive if, for all i, j ∈ T, we have α(i) = α( j) if and only if i = R j.
Remark 40 Note that every distinctive α satisfies the first two kinds of constraints and, hence, gives rise to a generalised run. By definition distinctive maps α exist and are determined uniquely up to name-permutation. In particular, there exists a distinctive α that is compatible with the initial register assignment in R.
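Constructing a distinctive map can be sketched with a union-find closure of the equality constraints, assigning one fresh name per = R -class. The encoding is illustrative: timestamps and constraints are given abstractly.

```python
# Sketch: close the third set of constraints into the equivalence =_R via
# union-find, then give each equivalence class its own fresh name, so that
# timestamps receive equal names exactly when =_R forces them to.

def distinctive_assignment(timestamps, equalities):
    parent = {t: t for t in timestamps}

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]   # path compression
            t = parent[t]
        return t

    for a, b in equalities:                 # 'alpha(a) = alpha(b)' constraints
        parent[find(a)] = find(b)

    fresh = {}                              # one fresh name per class root
    return {t: fresh.setdefault(find(t), f"n{len(fresh)}") for t in timestamps}
```
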
The following property of distinctive maps will play a role in a future argument.
Definition 42 A fresh PDRA (FPDRA) A over (Σ, T ) is defined in the same way as a PDRA except that the (partial) reassignment function has the form ρ : Q → {1, · · · , r } × {L , G}. Whenever π 2 (ρ(q)) = L (locally fresh), A must generate a name that is currently not present in registers. If π 2 (ρ(q)) = G (globally fresh) then the name must in addition not have occurred before in the present run (in particular, it will not occur on the stack).
We shall show that the emptiness problem for FPDRA is decidable by referring to the analogous result for PDRA [7]. Let A = Q, q in , u, ρ, μ, F be an FPDRA over (Σ, T ). Next we are going to define a PDRA A′ = Q′ , q′ in , u′ , ρ′ , μ′ , F′ such that there exists an accepting run of A iff there exists one for A′ .
A′ will mimic steps made by A except that it will not be able to generate globally fresh names, so it will use locally fresh ones instead. In addition, A′ will maintain information about such names by flagging registers and stack elements.
-A flagged register signifies the fact that in A the generated name would be different from any name currently occurring on the stack.
-A flagged name on the stack means that in A all names underneath it would be different.
Register flags will be stored inside the extended state; flags for names on the stack will be assigned by appending F to the associated tag. The way the flags are managed is described below.
-Whenever a locally fresh name is generated instead of a globally fresh name, the corresponding register will remain flagged as long as its content is not pushed on the stack.
-When a sequence of names is pushed on the stack, for each name that comes from a flagged register, we flag the rightmost (deepest) of its occurrences in the sequence. The registers in question become unflagged.
-A name can be popped only if it occurs in an unflagged register. If the name is flagged on the stack, we then add a flag to the register. Note that we do not allow A′ to follow A if this would entail popping a symbol that occurs in a flagged register.
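The flag bookkeeping can be sketched as follows. This is an illustrative model with an explicit list of stack flags; the actual construction keeps register flags in the finite state and stack flags inside the tags.

```python
# Sketch of flag management when locally fresh names stand in for globally
# fresh ones: flags record which names are guaranteed absent from (the rest
# of) the stack.

class FlagTracker:
    def __init__(self):
        self.flagged_regs = set()   # registers holding would-be-global names
        self.stack_flags = []       # one boolean per stack cell (top = last)

    def generate_global(self, i):
        # a locally fresh name is used as a substitute for a globally fresh one
        self.flagged_regs.add(i)

    def push(self, regs):
        """Push names from registers `regs` (deepest first); flag the deepest
        occurrence of each flagged register's name, then unflag the register."""
        for k, i in enumerate(regs):
            deepest = i not in regs[:k]
            self.stack_flags.append(deepest and i in self.flagged_regs)
            self.flagged_regs.discard(i)

    def pop(self, i):
        """Pop the top cell, matching register i; forbidden if i is flagged."""
        if i in self.flagged_regs:
            raise ValueError("cannot pop a name held in a flagged register")
        if self.stack_flags.pop():
            self.flagged_regs.add(i)    # flag migrates from stack to register
```
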
Next we present the construction formally. A′ will be a PDRA over (Σ, T ), where: To define μ , we use t 1 , t 2 to range over T and t f 2 , c f 1 , · · · , c f n for elements of T . Whenever we use t f to refer to elements of T , by dropping the superscript and writing t we mean to refer to the underlying tag from T . (t 1 , i 1 ), (t 2 , i 2 )) and i 2 ∉ X , Y = X \ { j 1 , · · · , j n } where

Lemma 43 A has an accepting run if and only if A has one.
Proof Suppose there exists an accepting run of A. The same run is then accepting for A′ . This is because whenever a register is flagged in A′ , it will indeed contain a name not present on the stack, and if a name is flagged on the stack, the name will not occur below it. Consequently, whenever a step of A depends on matching a name on top of the stack with a register, the corresponding register in A′ will not be flagged. Thus, every step of A can be simulated by A′ . Conversely, suppose we have an accepting run R of A′ . As A′ -transitions are transitions of A enriched with some information, it suffices to show that the locally fresh names generated instead of globally fresh names are globally fresh. This need not be the case for R, but we will show how to rename R so that another A′ -run emerges which does enjoy the property.
Let us consider a step of R in which a locally fresh name is used as a substitute for a globally fresh one. Let t be the timestamp assigned to that name. We show that t′ = R t implies t′ ≥ t. For a start, we note that the 'α(i) = α( j)' constraints generated before time t concern i, j strictly smaller than t. We show that all the equational constraints that affect [t] = R later concern timestamps that are at least t. We analyze the history of the name timestamped t during the run.
-Unless the name is pushed immediately on the stack, it will stay flagged in registers for a number of steps. Thus no pops will rely on it. Hence no constraints using α(t) will be generated.
-After the name is pushed on the stack, its deepest occurrence in the push sequence will be flagged. The register will be unflagged but, as long as the flagged occurrence remains on the stack, all equational constraints that rely on the same name will involve timestamps greater than or equal to t (see Remark 37).
-When the flagged occurrence with timestamp t is eventually popped (if at all), there must be a register containing the same name, but this occurrence will bear a timestamp t′ such that t′ ≥ t and will become flagged. From then on the reasoning can be repeated for t′ and, since t′ ≥ t, we can conclude that future constraints affecting [t′ ] = R = [t] = R will not involve timestamps smaller than t.
So, for each timestamp t corresponding to a globally fresh name in A, we have [t] = R ⊆ [t, ∞). Consequently, by Remark 40, in every related distinctive run, names with that timestamp will indeed be different from all names used by the automaton earlier, i.e. they will be globally fresh. Moreover, there exists a distinctive run whose initial assignment is u. That run is thus also a run of A (after erasing the flag information).
The above result reduces the emptiness problem for FPDRA to the analogous problem for PDRA. As the latter is decidable [7], we obtain the following.

Lemma 44 The emptiness problem for FPDRA is decidable.
Finally, summing up, we obtain the desired decidability result.

Theorem 45 Program approximation (and thus program equivalence) is decidable for
GRef -terms.
Proof Let Γ M 1 , M 2 : θ be GRef-terms. By Lemma 2, they can be converted into canonical forms C M 1 and C M 2 . By Lemma 30 and our observations at the beginning of Sect. 5.4, the problem of determining whether Γ C M 1 ∼ C M 2 holds can be reduced to the emptiness problem for a finite number of FPDRA, all effectively constructible from C M 1 , C M 2 . Because FPDRA emptiness is decidable by Lemma 44, program approximation is decidable for GRef .

Related and further work
In this paper we achieved a full characterisation of decidability of program equivalence in GRef, a higher-order language with full ground storage. Moreover, for the decidable fragment that we identified, we devised a decision procedure which builds on automata-based representations of terms.
The investigations into models and reasoning principles for storage have a long history. In this quest, storage of names was regarded by researchers as an indispensable intermediate step towards capturing realistic languages with dynamically allocated storage, such as ML or Java. Relational methods and environmental bisimulations for reasoning about program equivalence in settings similar to ours were studied in [2,5,9,16,30,31], albeit without decidability results. More foundational work included labelled transition system semantics [15] and game semantics [19,24]. In both cases, it turned out that the addition of name storage simplified reasoning, be it bisimulation-based or game-semantic. In the former case, bisimulation was even unsound without full ground storage. In the latter case, the game model of integer storage [22] turned out to be more intricate (complicated store abstractions) than that for full ground or general storage [19,24].
As for decidability results, we studied finitary Reduced ML (integer storage only) in [23], yet only judgements of the form · · · , β → β, · · · β were tackled due to intricacies related to store abstractions (in the absence of full ground storage, names cannot be remembered by programs). A closely related language, called RML [1] (integer storage but with bad references), was studied in [8,14,27], but no full classification has emerged yet. Interestingly, closed terms of first-order type become decidable in this setting [8], in contrast to unit → unit → unit for GRef. Finally, the approach presented herein was pursued for Interface Middleweight Java [21] and implemented in the equivalence checker Conneqct [20]. We note that, in the presence of higher-order references and boolean storage, even termination is undecidable [26].
Apart from the semantics and programming languages community, program equivalence has been extensively examined in the context of regression verification [4,6,10,12,18]. There, the focus is put on sound methods for proving that newer versions of the same code fragment do not introduce new behaviours outside the code's specification. In the terminology used in this paper, the property being verified is program approximation. Regression verification is based on strong abstraction techniques which are sound for approximation, and is typically applied to ground languages and code (i.e. no higher-order functions). In the future, we would like to expand the use of game models for checking equivalence to larger language fragments, where equivalence is undecidable. In doing so, we would abandon decidability and restrict ourselves to sound verification routines, using similar abstraction techniques.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

A Canonical forms for GRef
In this section we prove Lemma 2: Let Γ M : θ be a GRef-term. There exists a GRef-term Γ C M : θ in canonical form, effectively constructible from M, such that Γ M ∼ = C M .
We prove two auxiliary results first, both of which are special cases of Lemma 2.
Proof Induction with respect to the structure of θ .
θ ≡ unit. Using the equivalences listed below, we reason by induction on the structure of C 1 , which can take one of the following shapes: (), case(x int )[C 0 , · · · , C max ] or let · · · in C. Note that free identifiers of type unit never occur in canonical forms, hence the first equivalence.
let y = () in C 2 ∼ = C 2
let y = case(x int )[C 0 , · · · , C max ] in C 2 ∼ = case(x)[let y = C 0 in C 2 , · · · , let y = C max in C 2 ]
let y = (let · · · in C) in C 2 ∼ = let · · · in (let y = C in C 2 )
-θ ≡ int. We reason by induction on the structure of C 1 , which can take one of the following shapes: i, case(x int )[C 0 , · · · , C max ] or let · · · in C. The last two cases are dealt with as before. For let y = i in C 2 , note that, whenever identifiers y int occur freely in canonical forms, it is always as part of a subterm of the form case(y int )[C 0 , · · · , C max ]. Given a canonical form C we write C y,i for the canonical term obtained from C by replacing each of its subterms of the form case(y int )[C 0 , · · · , C max ] with C i (i.e. by removing y and branches corresponding to y = i). Then · · · .
-θ ≡ ref γ . We reason by induction on the structure of C 1 , which can take one of the following shapes: x ref γ , case(x)[C 0 , · · · , C max ] or let · · · in C. The last two inductive cases are dealt with as before. For let y = x ref γ in C 2 we observe that C 2 [x/y] is in canonical form and · · · .
-θ ≡ θ 1 → θ 2 . As earlier, we reason by induction on the structure of C 1 , which can now take one of the following shapes: λx θ 1 .C, case(x int )[C 0 , · · · , C max ] or let · · · in C. We can deal with the last two cases as before. The first one requires a separate argument, though. Suppose C 1 ≡ λx θ 1 1 .C′ 1 . Let us substitute C 1 for the rightmost occurrence of y in C 2 . This will create a non-canonical subterm in C 2 of the form let x θ 2 = (λx θ 1 1 .C′ 1 )C in C 2 . By the inductive hypothesis for θ 1 , let x θ 1 1 = C in C′ 1 can be converted to canonical form, say, C 3 . Consequently, the non-canonical subterm let x θ 2 = (λx θ 1 1 .C′ 1 )C in C 2 can be converted to let x θ 2 = C 3 in C 2 , which -by the inductive hypothesis for θ 2 - can also be converted to canonical form. Thus, we have shown how to recover canonical forms after substitution for the rightmost occurrence of y.
Because of the choice of the rightmost occurrence, the transformation does not involve terms containing other occurrences of y, so it will also decrease their overall number in C 2 by one. Consequently, by repeated substitution for rightmost occurrences one can eventually arrive at a canonical form for let y θ = (λx θ 1 1 .C 1 ) in C 2 .
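The let-commutation equivalence used repeatedly above, let y = (let x = C in C′ ) in C 2 ∼ = let x = C in (let y = C′ in C 2 ), can be sketched as an AST rewrite. The tuple encoding is hypothetical, and variable capture is ignored by assuming all bound variables are distinct.

```python
# Sketch: rewrite nested lets in right-hand-side position outwards until every
# let's right-hand side is let-free (assumes all bound variables are distinct).

def flatten_lets(term):
    """Terms are tuples ('let', var, rhs, body) or atoms (strings)."""
    if not (isinstance(term, tuple) and term[0] == 'let'):
        return term
    _, y, rhs, body = term
    rhs = flatten_lets(rhs)
    if isinstance(rhs, tuple) and rhs[0] == 'let':
        _, x, c, cprime = rhs
        # let y = (let x = c in cprime) in body  ~=  let x = c in (let y = cprime in body)
        return flatten_lets(('let', x, c, ('let', y, cprime, body)))
    return ('let', y, rhs, flatten_lets(body))
```
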
Now we are ready to prove Lemma 2.
Proof (Lemma 2) We proceed by induction on term structure.
-(), i are already in canonical form.
-For case(M)[N 0 , · · · , N max ] we simply appeal to Lemma 47 for · · · .
-For !M we apply Lemma 47 to · · · .
-For while M do N , we note that while M do N is equivalent to · · · , where z is fresh. We can find a canonical form for the latter term by appealing to the inductive hypothesis and the previous lemmas.
-Finally, we handle application M N . By the inductive hypothesis we obtain C M , which must take one of the following shapes: λx θ .C, case(x)[C 0 , · · · , C max ] or let · · · in C. Using the equivalences below (and Lemma 47) we can then reason by induction on the possible structure of C M .

B Reduction via spans
This section shows how to reduce generalised automata to ordinary ones. We shall achieve this via bisimulation equivalence, using a notion of correspondence between different name environments called a span. Let A = Q, q 0 , ρ 0 , δ, F be an (n r , n 1 , n 2 )-automaton and set n′ = n 1 + n 2 − n r . We proceed to construct an (n r , n′ )-automaton A′ such that A ∼ A′ . The automaton will simulate A and, in particular, it will encode the pair of register assignments of the latter into a single one. For this, it will use an auxiliary environment component. Let N 1 = [n r + 1, n 1 ], N 2 = [n r + 1, n 2 ] and N′ = [n r + 1, n′ ]. We call suitable triples (X 1 , R, X 2 ), with X 1 ⊆ N 1 and X 2 ⊆ N 2 , spans on N 1 , N 2 . We write N 1 ↔ N 2 for the set of spans on N 1 , N 2 . By abuse of notation, we write R for the whole of (X 1 , R, X 2 ), in which case we also use the notation xdom(R) = X 1 and xcod(R) = X 2 . We also define a map R : [1, n′ ] → [1, n′ ]: · · · . The notation extends to other domains containing indices, e.g. for labels: R(R i ) = R R(i) and R( ) = if is not a register.
The role of a span is to allow us to simulate a pair of register assignments in a single one. (X_1, R, X_2) represents a pair of assignments where the first one has domain X_1 and the second one X_2. Moreover, R relates the common names: e.g. if (i, j, z) ∈ R then register i in the first assignment contains the same name, say a, as register j in the second one. Finally, the index z specifies in which part of the simulating assignment a really occurs. For example (taking n_r = 0 for simplicity, and n_1 = n_2 = 3), a pair of register assignments sharing a name gives rise to a single simulating assignment storing one copy of that name, with the span recording the registers that hold it on each side and the part in which it resides. In effect, R̄ maps each index of the extended register pair ⟨ρ_1, ρ_2⟩ to its "real" position in ρ.
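To fix intuitions, here is a small Python sketch under our own hypothetical encoding (not the paper's notation): a span is a set of triples (i, j, z), and a lookup function resolves a register index of either simulated assignment to the side and position at which the name actually occurs.

```python
# Hypothetical encoding of a span: a set of triples (i, j, z) meaning that
# register i of the first assignment and register j of the second hold the
# same name, physically stored in part z (1 or 2) of the simulating
# assignment.  Private names simply stay on their own side.

def resolve(span, side, index):
    """Map (side, index) of the simulated pair to the (side, index) at
    which the name really occurs in the single simulating assignment."""
    for (i, j, z) in span:
        if (side == 1 and i == index) or (side == 2 and j == index):
            return (z, i if z == 1 else j)
    return (side, index)  # private name: kept in place

span = {(1, 2, 1)}   # left register 1 and right register 2 share a name,
                     # stored in the left part

assert resolve(span, 2, 2) == (1, 1)   # shared name resolved to the left
assert resolve(span, 1, 3) == (1, 3)   # private left name: unchanged
assert resolve(span, 2, 1) == (2, 1)   # private right name: unchanged
```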
If ρ_1, ρ_2 are register assignments of size n_1, n_2 respectively, with common [1, n_r]-part, then we can obtain the span ρ_1 ↔ ρ_2 which accommodates all common names to the left. The single register assignment which simulates ρ_1 and ρ_2 via ρ_1 ↔ ρ_2 is then derived from that span. If R : N_1 ⋈ N_2 and π_1, π_2 ∈ Mix then we can define the update of R with respect to the two (componentwise) rearrangements π_1 and π_2. Moreover, we extend the shift notation componentwise to other constructions, e.g. to symbolic stores. Finally, if π, π' ∈ Mix then we let π[π'] = π' ∪ {(i, π(i)) | i ∉ dom(π')}. For A given as above, we define an (n_r, n')-automaton A' = ⟨Q', q'_0, ρ'_0, δ', F'⟩ whose states are triples (q, R, S) consisting of a state of A, a span and a symbolic store. The crux of the construction is the definition of δ'. The automaton will simulate the generalised automaton using one copy of each common name. R will be used as a record of common/private names between the two register components of A, and as a specifier of which part of the registers the common names appear in. Moreover, the automaton will operate with a stack belonging to Sta' = (C_stack × (N_1 ⋈ N_2) × Reg)*. In order to simulate A's matching conditions for stores, A' will use, apart from R, a symbolic store S (which will correspond to the store Σ appearing in configurations of A).
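The operations just described can be sketched concretely (a sketch under our own encoding, with assignments as dicts from register indices to names, n_r = 0, and function names of our choosing):

```python
# Sketch: build the span rho1 <-> rho2 aligning all common names "to the
# left", merge the two assignments into one keeping a single copy of each
# shared name, and the override pi[pi'] from the text.

def make_span(rho1, rho2):
    inv2 = {name: j for j, name in rho2.items()}
    # every common name is recorded with side tag 1, i.e. stored on the left
    return {(i, inv2[name], 1) for i, name in rho1.items() if name in inv2}

def merge(rho1, rho2, span):
    shared_right = {j for (_, j, _) in span}
    rho = dict(rho1)                     # left names keep their positions
    nxt = max(rho1, default=0) + 1       # private right names packed after
    for j in sorted(rho2):
        if j not in shared_right:
            rho[nxt] = rho2[j]
            nxt += 1
    return rho

def override(pi, pi_prime):
    """pi[pi'] = pi' together with pi restricted outside dom(pi')."""
    return {**{i: v for i, v in pi.items() if i not in pi_prime}, **pi_prime}

rho1 = {1: "a", 2: "b"}
rho2 = {1: "c", 2: "a"}
span = make_span(rho1, rho2)
assert span == {(1, 2, 1)}                      # "a" is the only common name
assert merge(rho1, rho2, span) == {1: "a", 2: "b", 3: "c"}
assert override({1: 10, 2: 20}, {2: 99}) == {1: 10, 2: 99}
```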
For each (q, R, S) ∈ Q' we include in δ' precisely the following transitions.
If q ∈ Q_P and q has an outgoing transition labelled t, then:
- if t ∈ T_noop then R' = R, and
- if t ∈ T_pop and, say, φ_i = (s_i, π_i), then, assuming that the popped symbol will be (s_1, s_2, R_p), R, π_1, π_2 and R_p should be consistent,^12 that is:
  • for each (i, j, z) ∈ R, if π_1(i), π_2(j) are both defined, or π_1(i) ∈ dom(R_p), or π_2(j) ∈ cod(R_p), then (π_1(i), π_2(j), z') ∈ R_p for some z';
  • for each (i, j, z) ∈ R_p, if π_1^{-1}(i), π_2^{-1}(j) are both defined, or π_1^{-1}(i) ∈ dom(R), or π_2^{-1}(j) ∈ cod(R), then (π_1^{-1}(i), π_2^{-1}(j), z') ∈ R for some z'.
Footnote 10: Note here that the rearrangements π_1 and π_2 are kept intact except for the case when a name which is supposed to be shared between the two parts of the current assignment is deleted in the part that actually contains it but is retained in the other one. In such a case, the name is not deleted but copied to the other part of the assignment (this is what π' achieves).
Footnote 11: Here we match all freshly created names and store them in the first component of the assignment. Moreover, we match labels and symbolic stores (on related indices) according to the new R'. For private indices we stipulate that values remain unchanged (this corresponds to the stores being consistent in the definition of generalised automata).
Footnote 12: I.e. if two registers in the stack are related (by R_p) and each is related to a register in the machine registers (by π_1, π_2), then the latter must also be related (by R); and vice versa. This condition ensures that we can correctly compute the span pertaining to the register assignment after popping.
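The consistency condition is mechanical enough to render as a predicate. The following is a sketch under our own encoding (spans as sets of triples, rearrangements as partial maps represented by dicts), not the paper's formalism:

```python
# Sketch of the consistency check between the current span R, the pop
# rearrangements pi1, pi2 (partial maps, as dicts) and the popped span Rp.

def related(span, i, j):
    # is (i, j, z) in the span for some side tag z?
    return any(x == i and y == j for (x, y, _) in span)

def consistent(R, pi1, pi2, Rp):
    inv1 = {v: k for k, v in pi1.items()}   # inverse rearrangements
    inv2 = {v: k for k, v in pi2.items()}
    dom_Rp = {i for (i, _, _) in Rp}
    cod_Rp = {j for (_, j, _) in Rp}
    dom_R = {i for (i, _, _) in R}
    cod_R = {j for (_, j, _) in R}
    # forward direction: R-related registers must be Rp-related after pi1, pi2
    for (i, j, _) in R:
        if (i in pi1 and j in pi2) or pi1.get(i) in dom_Rp or pi2.get(j) in cod_Rp:
            if not related(Rp, pi1.get(i), pi2.get(j)):
                return False
    # backward direction: Rp-related registers must be R-related via inverses
    for (i, j, _) in Rp:
        if (i in inv1 and j in inv2) or inv1.get(i) in dom_R or inv2.get(j) in cod_R:
            if not related(R, inv1.get(i), inv2.get(j)):
                return False
    return True

# Registers related by R map (via pi1, pi2) to registers related by Rp: OK.
assert consistent({(1, 1, 1)}, {1: 1}, {1: 1}, {(1, 1, 1)})
# Rp relates (1, 2), but the images of the R-related pair are (1, 1): fails.
assert not consistent({(1, 1, 1)}, {1: 1}, {1: 1}, {(1, 2, 1)})
```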

Lemma 48 For
In moving from A to A', each transition of the former may yield several transitions of the latter, in the case of O- to P-transitions. Among these transitions, though, those that carry the same label (up to ∼_α) vary solely in the choice of the final R'. In case A is strongly deterministic, these choices are unique up to ∼_α: we make a canonical choice to allocate all common fresh names in the first component of the assignment, while frugality ensures that all fresh names are reachable from those already available, which are uniquely specified by the given R and R'. Thus, if A is strongly deterministic then so is A'.