http://wrap.warwick.ac.uk/

Original citation: Murawski, Andrzej S. and Tzevelekos, Nikos (2014) Game semantics for interface middleweight Java. ACM SIGPLAN Notices, Volume 49 (Number 1). pp. 517-529. Permanent WRAP url: http://wrap.warwick.ac.uk/60292 Copyright and reuse: The Warwick Research Archive Portal (WRAP) makes this work of researchers of the University of Warwick available open access under the following conditions. Copyright © and all moral rights to the version of the paper presented here belong to the individual author(s) and/or other copyright owners. To the extent reasonable and practicable the material made available in WRAP has been checked for eligibility before being made available. Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. Publisher statement: © Murawski, A. S. and Tzevelekos, N. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in ACM SIGPLAN Notices http://dx.doi.org/10.1145/2535838.2535880 A note on versions: The version presented here may differ from the published version or, version of record, if you wish to cite this item you are advised to consult the publisher’s version. Please see the ‘permanent WRAP url’ above for details on accessing the published version and note that access may require a subscription. For more information, please contact the WRAP Team at: publications@warwick.ac.uk

Game Semantics for Interface Middleweight Java

⇤

Andrzej S. MurawskiDIMAP and Department of Computer Science

University of Warwick

Nikos TzevelekosSchool of Electronic Engineering and Computer Science

Queen Mary, University of London

Abstract

We consider an object calculus in which open terms interact withthe environment through interfaces. The calculus is intended tocapture the essence of contextual interactions of Middleweight Javacode. Using game semantics, we provide fully abstract models forthe induced notions of contextual approximation and equivalence.These are the first denotational models of this kind.

Categories and Subject Descriptors D.3.1 [Formal Definitionsand Theory]: Semantics; F.3.2 [Semantics of Programming Lan-guages]: Denotational semantics

General Terms Languages, Theory

Keywords Full Abstraction, Game Semantics, Contextual Equiv-alence, Java

1. Introduction

Denotational semantics is charged with the construction of mathe-matical universes (denotations) that capture program behaviour. Itconcentrates on compositional, syntax-independent modelling withthe aim of illuminating the structure of computation and facilitat-ing reasoning about programs. Many developments in denotationalsemantics have been driven by the quest for full abstraction [21]: amodel is fully abstract if the interpretations of two programs are thesame precisely when the programs behave in the same way (i.e. arecontextually equivalent). A faithful correspondence like this opensthe path to a broad range of applications, such as compiler opti-misation and program transformation, in which the preservation ofsemantics is of paramount importance.

Recent years have seen game semantics emerge as a robust de-notational paradigm [4, 6, 12]. It has been used to construct thefirst fully abstract models for a wide spectrum of programming lan-guages, previously out of reach of denotational semantics. Gamesemantics models computation as an exchange of moves betweentwo players, representing respectively the program and its compu-tational environment. Accordingly, a program is interpreted as a

⇤ Research supported by the Engineering and Physical Sciences ResearchCouncil (EP/J019577/1) and a Royal Academy of Engineering ResearchFellowship (Tzevelekos).

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from permissions@acm.org.POPL’14, January 22–24, 2014, San Diego, CA, USA.Copyright is held by the owner/author(s). Publication rights licensed to ACM.ACM 978-1-4503-2544-8/14/01. . . $15.00.http://dx.doi.org/10.1145/http://dx.doi.org/10.1145/2535838.2535880

strategy in a game corresponding to its type. Intuitively, the playsthat game semantics generates constitute the observable patternsthat a program produces when interacting with its environment, andthis is what underlies the full abstraction results. Game semantics iscompositional: the strategy corresponding to a compound programphrase is obtained by canonical combinations of those correspond-ing to its sub-phrases. An important advance in game semanticswas the development of nominal games [3, 17, 26], which under-pinned full abstraction results for languages with dynamic gener-ative behaviours, such as the ⌫-calculus [3], higher-order concur-rency [18] and ML references [24]. A distinctive feature of nominalgame models is the presence of names (e.g. memory locations, ref-erences names) in game moves, often along with some abstractionof the store.

The aim of the present paper is to extend the range of thegame approach towards real-life programming languages, by fo-cussing on Java-style objects. To that end, we define an impera-tive object calculus, called Interface Middleweight Java (IMJ), in-tended to capture contextual interactions of code written in Mid-dleweight Java (MJ) [9], as specified by interfaces with inheritance.We present both equational (contextual equivalence) and inequa-tional (contextual approximation) full abstraction results for thelanguage. To the best of our knowledge, these are the first deno-tational models of this kind.

Related Work While the operational semantics of Java has beenresearched extensively [7], there have been relatively few resultsregarding its denotational semantics. More generally, most existingmodels of object-oriented languages, such as [8, 15], have beenbased on global state and consequently could not be fully abstract.

On the other hand, contextual equivalence in Java-like lan-guages has been studied successfully using operational approachessuch as trace semantics [2, 13, 14] and environmental bisimu-lation [16]. The trace-based approaches are closest to ours andthe three papers listed also provide characterizations of contextualequivalence. The main difference is that traces are derived opera-tionally through a carefully designed labelled transition system and,thus, do not admit an immediate compositional description in thestyle of denotational semantics.

However, similarities between traces and plays in game seman-tics indicate a deeper correspondence between the two areas, whichalso manifested itself in other cases, e.g. [20] vs [19]. At the timeof writing, there is no general methodology for moving smoothlybetween the two approaches, but we believe that there is scope forunifying the two fields in the not so distant future.

In comparison to other game models, ours has quite lightweightstructure. For the most part, playing consists of calling the oppo-nent’s methods and returning results to calls made by the opponent.In particular, there are no justification pointers between moves.This can be attributed to the fact that Java does not feature first-class higher-order functions and that methods in Java objects can-not be updated. On the other hand, the absence of pointers makes

�|� ` x : ✓(x:✓)2�

�|� ` a : I (a:I)2��|� ` skip : void �|� ` null : I I2dom(�)

�|� ` i : int

�|� ` M : int �|� ` M 0 : int�|� ` M �M 0 : int

�|�, x : ✓0 ` M : ✓ �|� ` M 0 : ✓0

�|� ` letx = M 0 inM : ✓�|� ` M : I �|� ` M 0 : I

�|� ` M = M 0 : int�|� ` M : I0

�|� ` (I)M : I�`II0

_�`I0I

�|� ` M : int �|� ` M 0,M 00 : ✓�|� ` ifM thenM 0 elseM 00 : ✓

�|�, x : I ` M : ⇥�|� ` new(x : I;M) : I �(I)�Meths=⇥

�|� ` M : I �|� ` M 0 : ✓�|� ` M.f := M 0 : void

�(I).f=✓

�|� ` M : I�|� ` M.f : ✓

�(I).f=✓�|� ` M : I

Vni=1(�|� ` Mi : ✓i)

�|� ` M.m(M1, · · · ,Mn) : ✓�(I).m=~✓!✓

Vni=1(�|� ] {~xi : ~✓i} ` Mi : ✓i)

�|� ` M : ⇥⇥={mi:~✓i!✓i | 1in}M={mi:�~xi.Mi | 1in}

Figure 1. Typing rules for IMJ terms and method-set implementations

definitions of simple notions, such as well-bracketing, less direct,since the dependencies between moves are not given explicitly anymore and need to be inferred from plays. The latter renders strategycomposition non-standard. Because it is impossible to determinestatically to which arena a move belongs, the switching conditions(cf. [6]) governing interactions become crucial for determining thestrategy responsible for each move. Finally, it is worth noting thattraditional copycat links are by definition excluded from our set-ting: a call/return move for a given object cannot be copycatted bythe other player, as the move has a fixed polarity, determined by theownership of the object. In fact, identity strategies contain plays oflength at most two!

Further Directions In future work, we would like to look forautomata-theoretic representations of fragments of our model inorder to use them as a foundation for a program verification toolfor Java programs. Our aim is to take advantage of the latest devel-opments in automata theory over infinite alphabets [10], and fresh-register automata in particular [23, 27], to account for the nominalfeatures of the model.

2. The language IMJWe introduce an imperative object calculus, called Interface Mid-dleweight Java (IMJ), in which objects are typed using interfaces.The calculus is a stripped down version of Middleweight Java (MJ),expressive enough to expose the interactions of MJ-style objectswith the environment.

Definition 1. Let Ints , Flds and Meths be sets of interface, fieldand method identifiers. We range over them respectively by I, f, mand variants. The types ✓ of IMJ are given below, where ~✓ stands fora sequence ✓1, ..., ✓n of types (for any n). An interface definition⇥ is a finite set of typed fields and methods. An interface table �is a finite assignment of interface definitions to interface identifiers.

Types 3 ✓ ::= void | int | IIDfns 3 ⇥ ::= ; | (f : ✓),⇥ | (m : ~✓ ! ✓),⇥

ITbls 3 � ::= ; | (I : ⇥),� | (IhIi : ⇥),�

We write IhI0i : ⇥ for interface extension: interface I extends I0

with fields and methods from ⇥. We stipulate that the extensionrelation must not lead to circular dependencies. Moreover, eachidentifier f,m can appear at most once in each ⇥, and each I can bedefined at most once in � (i.e. there is at most one element of � ofthe form I : ⇥ or IhI0i : ⇥). Thus, each ⇥ can be seen as a finitepartial function ⇥ : (Flds [Meths) * Types⇤. We write ⇥.f for⇥(f) and ⇥.m for ⇥(m). Similarly, � defines a partial function

� : Ints * IDfns given by

�(I) =

8><

>:

⇥ (I : ⇥) 2 �

�(I0) [⇥ (IhI0i : ⇥) 2 �

undefined otherwise

An interface table � is well-formed if, for all interface types I, I0:• if I0 appears in �(I) then I0 2 dom(�),• if (IhI0i : ⇥) 2 � then dom(�(I0)) \ dom(⇥) = ;.

Henceforth we assume that interface tables are well-formed. In-terface extensions yield a subtyping relation. Given a table �, wedefine � ` ✓1 ✓2 by the following rules.

(IhI0i : ⇥),� ` I I0

� ` ✓ ✓

� ` ✓1 ✓2 � ` ✓2 ✓3� ` ✓1 ✓3

We might omit � from subtyping judgements for economy.

Definition 2. Let A be a countably infinite set of object names,which we range over by a and variants. IMJ terms are listed below,where we let x range over a set of variables Vars , and i over Z.Moreover, � is selected from some set of binary numeric opera-tions. M is a method-set implementation. Again, we stipulate thateach m appear in each M at most once.

M ::= x | a | skip | null | i | M �M | letx = M inM

| M = M | ifM thenM elseM | (I)M | new(x : I;M)

| M.f | M.f := M | M.m(�!M)

MImps 3 M ::= ; | (m : �~x.M),MThe terms are typed in contexts comprising an interface table �and a variable context � = {x1 : ✓1, · · · , xn : ✓n} [ {a1 :I1, · · · , am : Im} such that any interface in � occurs in dom(�).The typing rules are given in Figure 1.

For the operational semantics, we define the sets of term values,heap configurations and states by:

TVals 3 v ::= skip | i | null | aHCnfs 3 V ::= ; | (f : v), VStates 3 S : A * Ints ⇥ (HCnfs ⇥MImps)

If S(a) = (I, (V,M)) then we write S(a) : I, while S(a).f andS(a).m stand for V.f and M.m respectively, for each f and m.

Given an interface table � such that I 2 dom(�), we let thedefault heap configuration of type I be VI = {f : v✓ | �(I).f =

(S, i� i0) �! (S, j), if j = i� i0 (S, letx = v inM) �! (S,M [v/x]) (S, (I)null) �! (S, null)

(S, if 0 thenM elseM 0) �! (S,M 0) (S, if 1 thenM elseM 0) �! (S,M) (S, a = a) �! (S, 1)

(S, (I)a) �! (S, a), if S(a) : I0 ^ I0 I (S, a = a0) �! (S, 0), if a 6= a0 (S, a.f) �! (S, S(a).f)

(S, new(x : I;M)) �! (S ] {(a, I, (VI ,M[a/x]))}, a) (S, a.m(~v)) �! (S,M [~v/~x]), if S(a).m = �~x.M

(S, a.f := v) �! (S[a 7! (I, (V [f 7! v],M)], skip), if S(a) = (I, (V,M))

(S,E[M ]) �! (S0, E[M 0]), if (S,M) �! (S0,M 0)

Figure 2. Operational semantics of IMJ.

✓}, where vvoid

= skip, vint

= 0 and vI = null. The operational se-mantics of IMJ is given by means of a small-step transition relationbetween terms-in-state. Terms are evaluated using the evaluationcontexts given below.

E ::= letx = inM | �M | i� | = M | a =

| if thenM elseM 0 | (I) | .f | .f := M | a.f :=

| .m(�!M) | a.m(v1, · · · , vi, ,Mi+2, · · · ,Mn)

The transition relation is presented in Figure 2. Given �|; `M : void, we write M + if there exists S such that (;,M) �!⇤

(S, skip).

Definition 3. Given �|� ` Mi : ✓ (i = 1, 2), we shall say that�|� ` M1 : ✓ contextually approximates �|� ` M2 : ✓ if, forall �0 ◆ � and all contexts C such that �0|; ` C[Mi] : void, ifC[M1] + then C[M2] +. We then write �|� ` M1 @⇠ M2 : ✓. Twoterms are contextually equivalent (written �|� ` M1

⇠= M2 : ✓)if they approximate each other.

For technical convenience, IMJ features the let construct,even though it is definable: given �|�, x : ✓0 ` M : ✓ and�|� ` M 0 : ✓0, consider new(x : I;m :�x.M ).m(M 0), whereI is a fresh interface with a single method m : ✓ ! ✓0. As usual,we write M ;M 0 for letx = M inM 0, where x is not free in M 0.

Although IMJ does not have explicit local variables, they couldeasily be introduced by taking let (x = new(y : I✓; )) in · · · ,where I✓ has a single field of type ✓. In the same manner, onecan define variables and methods that are private to objects, andinvisible to the environment through interfaces.

Example 1 ([16]). Let � = {Empty : ;,Cell : (get : void!Empty,set : Empty ! void),VarE : (val : Empty),VarI : (val : int)}and consider the terms �|; ` Mi : Cell (i = 1, 2) defined by

M1 ⌘ let v = new(x : VarE ; ) in new(x : Cell;M1)

M2 ⌘ let b = new(x : VarI ; ) inlet v1 = new(x : VarE ; ) inlet v2 = new(x : VarE ; )in new(x : Cell;M2)

withM1 = (get : �().v.val,

set : �y.(v.val := y))

M2 = (get : �().if (b.val) then (b.val := 0; v1.val)else (b.val := 1; v2.val),

set : �y.(v1.val := y; v2.val := y)).

We have �|; ` M1⇠= M2 : Cell. Intuitively, each of the two im-

plementations of Cell corresponds to recording a single value oftype Empty (using set) and providing access to it via get. The dif-ference lies in the way the value is stored: a single private variableis used in M1, while two variables are used in M2. However, in the

latter case the variables always hold the same value, so it does notmatter which of the variables is used to return the value.The game semantics of the two terms will turn out to consist ofplays of the shape ⇤; n⌃0 G⇤

0 S1 G⇤1 · · · Sk G

⇤k, where

Gi =

(calln.get(⇤)⌃0 retn.get(nul)⌃0 i = 0

calln.get(⇤)⌃i retn.get(ni)⌃i i > 0

Si = calln.set(ni)⌃i retn.set(⇤)⌃i

and ⌃i = {n 7! (Cell, ;)} [ {nj 7! (Empty, ;) | 0 < j i}.Intuitively, the plays describe all possible interactions of a Cellobject. The first two moves ⇤; n⌃0 correspond to object creation.After that, the Gi segments represent the environment reading thecurrent content (initially having null value), while the Si segmentscorrespond to updating the content with a reference name providedby the environment. The stores ⌃i attached to moves consist of allnames that have been introduced during the interaction so far.

It is worth noting that, because IMJ has explicit casting, acontext can always guess the actual interface of an object andextract any information we may want to hide through casting.

Example 2. Let � = {Empty : ;,PointhEmptyi : (x : int, y : int)}and consider the terms �|; ` Mi : Empty (i = 1, 2) defined by:

M1 ⌘ new(x : Empty; ),

M2 ⌘ let p = new(x : Point; ) in p.x := 0; p.y := 1; (Empty)p.

In our model they will be interpreted by the strategies �1 ={✏, ⇤; n{n 7!(Empty,;)}} and �2 = {✏, ⇤; n{n 7!(Point,{x 7!0,y 7!1})}respectively. Using e.g. the casting context C ⌘ (Point) ; skip,we can see that �|; ` M2 6@⇠ M1 : Empty. On the other hand,Theorem 20 will imply �|; ` M1 @⇠ M2 : Empty.

On the whole, IMJ is a compact calculus that strips down Mid-dleweight Java to the essentials needed for interface-based interac-tion. Accordingly, we suppressed the introduction of explicit classhierarchy, as it would remain invisible to the environment anywayand any class-based internal computations can be represented usingstandard object encodings [1].

At the moment the calculus allows for single inheritance forinterfaces only, but extending it to multiple inheritance is not prob-lematic. The following semantic developments only rely on the as-sumption that must not give rise to circularities.

3. The game model

In our discussion below we assume a fixed interface table �.The game model will be constructed using mathematical objects

(moves, plays, strategies) that feature names drawn from the setA. Although names underpin various elements of our model, wedo not want to delve into the precise nature of the sets containing

them. Hence, all of our definitions preserve name-invariance, i.e.our objects are (strong) nominal sets [11, 26]. Note that we do notneed the full power of the theory but mainly the basic notion ofname-permutation. For an element x belonging to a (nominal) setX we write ⌫(x) for its name-support, which is the set of namesoccurring in x. Moreover, for any x, y 2 X , we write x ⇠ y ifthere is a permutation ⇡ such that x = ⇡ · y.

We proceed to define a category of games. The objects of ourcategory will be arenas, which are nominal sets carrying specifictype information.

Definition 4. An arena is a pair A = (MA, ⇠A) where:

• MA is a nominal set of moves;• ⇠A : MA ! (A * Ints) is a nominal typing function;

such that, for all m 2 MA, dom(⇠A(m)) = ⌫(m).

We start by defining the following basic arenas,

1 = ({⇤}, {(⇤, ;)}, Z = (Z, {(i, ;)},I = (A [ {nul}, {(nul, ;)} [ {(a, a, I)}),

for all interfaces I. Given arenas A and B, we can form the arenaA⇥B by:

MA⇥B = {(m,n) 2 MA ⇥MB | a 2 ⌫(m) \ ⌫(n)

=) ⇠A(m, a) ⇠B(n, a) _ ⇠B(n, a) ⇠A(m, a)}

⇠A⇥B((m,n), a) =

(⇠A(m, a) if a /2 ⌫(n) _ ⇠A(m, a) ⇠B(n, a)

⇠B(n, a) otherwise

Another important arena is #(I1, · · · , In), with:

M#(~I) = {(a1, · · · , an) 2 An | ai’s distinct}⇠#(~I)((a1, · · · , an), ai) = Ii

for all n 2 N. In particular, A#0 = 1.For each type ✓, we set Val✓ to be the set of semantic values of

type ✓, given by:

Valvoid

= M1, Valint

= MZ, ValI = MI .

For each type sequence ~✓ = ✓1, · · · , ✓n, we set Val~✓ = Val✓1 ⇥· · ·⇥ Val✓n .

We let a store ⌃ be a type-preserving finite partial function fromnames to object types and field assignments, that is, ⌃ : A *Ints ⇥ (Flds * Val) such that |⌃| is finite and

⌃(a) : I ^�(I).f = ✓ =) ⌃(a).f = v ^⌃ ` v ✓,

where the new notation is explained below. First, assuming ⌃(a) =(I0,�), the judgement ⌃(a) : I holds iff I = I0 and ⌃(a).fstands for �(f). Next we define typing rules for values in storecontexts:

v 2 Valvoid

⌃ ` v : voidv 2 Val

int

⌃ ` v : int⌃(v) : I _ v = nul

⌃ ` v : Iand write ⌃ ` v ✓ for ⌃ ` v : ✓ _ (⌃ ` v : I0 ^ I0 ✓).

We let Sto be the set of all stores. We write dom(⌃(a)) forthe set of all f such that ⌃(a).f is defined. We let Sto0 contain allstores ⌃ such that:

8a 2 dom(⌃), f 2 dom(⌃(a)). ⌃(a).f 2 {⇤, 0, nul}and we call such a ⌃ a default store.

Given arenas A and B, plays in AB will consist of sequences ofmoves (with store) which will be either moves from MA [MB , ormoves representing method calls and returns. Formally, we define:

MAB = MA [MB [ Calls [ Retns

where we set Calls = {call a.m(~v) | a 2 A^~v 2 Val⇤} andRetns = {ret a.m(v) | a 2 A ^ v 2 Val }.

Definition 5. A legal sequence in AB is a sequence of moves fromMAB that adheres to the following grammar (Well-Bracketing),where mA and mB range over MA and MB respectively.

LAB ::= ✏ | mAX | mAY mBX

X ::= Y | Y (call a.m(~v))X

Y ::= ✏ | Y Y | (call a.m(~v))Y (ret a.m(v))

We write LAB for the set of legal sequences in AB. In the lastclause above, we say that call a.m(~v) justifies ret a.m(v).

To each s 2 LAB we assign a polarity function p from moveoccurrences in s to the set Pol1 = {O,P}. Polarities represent thetwo players in our game reading of programs: O is the Opponentand P is the Proponent in the game. The latter corresponds to themodelled program, while the former models the possible computa-tional environments surrounding the program. Polarities are com-plemented via O = {P} and P = {O}. In addition, the polarityfunction must satisfy the condition:• For all mX 2 MX (X = A,B) occurring in s we havep(mA) = O and p(mB) = P ; (O-starting)

• If mn are consecutive moves in s then p(n) 2 p(m). (Alterna-tion)

It follows that there is a unique p for each legal sequence s, namelythe one which assigns O precisely to those moves appearing in oddpositions in s.

A move-with-store in AB is a pair m⌃ with ⌃ 2 Sto andm 2 MAB . For each sequence s of moves-with-store we definethe set of available names of s by:

Av(✏) = ;, Av(sm⌃) = ⌃⇤(Av(s) [ ⌫(m))

where, for each X ✓ A, we let ⌃⇤(X) =S

i ⌃i(X), with

⌃0(X) = X, ⌃i+1(X) = ⌫(⌃(⌃i(X))).

That is, a name is available in s just if it appears inside a move ins, or it can be reached from an available name through some storein s. We write s for the underlying sequence of moves of s (i.e.⇡1(s)), and let v denote the prefix relation between sequences. Ifs0m⌃ v s and a 2 ⌫(m⌃) \ ⌫(s0) then we say a is introducedby m⌃ in s.1 In such a case, we define the owner of the name a ins, written o(a), to be p(m) (where p is the polarity associated withs). For each polarity X 2 {O,P} we let

X(s) = {a 2 ⌫(s) | o(a) = X}be the set of names in s owned by X .

Definition 6. A play in AB is a sequence of moves-with-store ssuch that s is a legal sequence and, moreover, for all s0m⌃ v s:

• It holds that dom(⌃) = Av(s0m⌃). (Frugality)• If a 2 dom(⌃) with ⌃(a) : I then:

if m 2 MX , for X 2 {A,B}, then I ⇠X(m, a);for all nT in s0, if a 2 dom(T ) then T (a) : I;if �(I).m = ~✓ ! ✓ then:� if m = call a.m(~v) then ⌃ ` ~v : ~✓0 for some ~✓0 ~✓,� if m = ret a.m(v) then ⌃ ` v : ✓0 for some ✓0 ✓.

(Well-classing)

1 By abuse of notation, we frequently write instead “a is introduced by m

in s”. Recall also that ⌫(s) collects all names appearing in s; in particular,⌫(m⌃1

1 · · ·m⌃ii ) = ⌫(m1) [ ⌫(⌃1) [ · · · [ ⌫(mi) [ ⌫(⌃i).

• If m = call a.m(~v) then o(a) 2 p(m). (Well-calling)

We write PAB for the set of plays in AB.

Note above that, because of well-bracketing and alternation, ifm = ret a.m(v) then well-calling implies o(a) = p(m). Thus,the frugality condition stipulates that names cannot appear in aplay in unreachable parts of a store (cf. [17]). Moreover, well-classing ensures that the typing information in stores is consistentand adheres to the constraints imposed by � and the underlyingarenas. Finally, well-calling implements the specification that eachplayer need only call the other player’s methods. This is becausecalls to each player’s own methods cannot in general be observedand so should not be accounted for in plays.

Given arenas A,B,C, next we define interaction sequences,which show how plays from AB and BC can interact to produce aplay in AC. The sequences will rely on moves with stores, wherethe moves come from the set:

MABC = MA [MB [MC [ Calls [ Retns .

The moves will be assigned polarities from the set:

Pol2 = { OL, PL, OLPR, PLOR, OR, PR } .The index L stands for “left”, while R means “right”. The indicesindicate which part of the interaction (A,B or C) a move comesfrom, and what polarity it has therein. We also consider an auxiliarynotion of pseudo-polarities:

OO = {OL, OR}, PO = {PL, PLOR}, OP = {PR, OLPR}.Each polarity has an opposite pseudo-polarity determined by:

OL = OLPR = PO, OR = PLOR = OP, PL = PR = OO.

Finally, each X 2 {AB,BC,AC} has a designated set of polari-ties given by:

p(AB) = {OL, PL, OLPR, PLOR},p(BC) = {OR, PR, OLPR, PLOR},p(AC) = {OL, PL, OR, PR}.

Note the slight abuse of notation with p, as it is also used for movepolarities.

Suppose X 2 {AB,BC,AC}. Consider a sequence s ofmoves-with-store from ABC (i.e. a sequence with elements m⌃

with m 2 MABC ) along with an assignment p of polarities fromPol2 to moves of s. Let s � X be the subsequence of s containingthose moves-with-store m⌃ of s for which p(m) 2 p(X). Addi-tionally, we define s �� X to be �(s � X), where the function� acts on moves-with-store by restricting the domains of stores toavailable names:

�(✏) = ✏, �(sm⌃) = �(s)m⌃�Av(sm⌃).

Definition 7. An interaction sequence in ABC is a sequence s ofmoves-with-store in ABC such that the following conditions aresatisfied.

• For each s0m⌃ v s, dom(⌃) = Av(s0m⌃). (Frugality)• If s0m⌃ v s and a 2 dom(⌃) with ⌃(a) : I then:

if m 2 MX , for X 2 {A,B,C}, then I ⇠X(m, a);for all nT in s0, if a 2 dom(T ) then T (a) : I;if �(I).m = ~✓ ! ✓ then:� if m = call a.m(~v) then ⌃ ` ~v : ~✓0 for some ~✓0 ~✓,� if m = ret a.m(v) then ⌃ ` v : ✓0 for some ✓0 ✓.

(Well-classing)• There is a polarity function p from move occurrences in s toPol2 such that:

OO

OL

��

OR

��PO

PL

HH

PLOR,,OP

OLPR

ll

PR

VV

Figure 3. Interaction diagram for Int(ABC). The diagram spec-ifies the alternation of polarities in interaction sequences. Transi-tions are labelled by move polarities, while OO is the initial state.

For all mX 2 MX (X = A,B,C) occurring in s we havep(mA) = OL, p(mB) = PLOR and p(mC) = PR;If mn are consecutive moves in s then p(n) 2 p(m).

(Alternation)• If s0m⌃ v s then m = call a.m(v) implies o(a) 2 p(m).

(Well-calling)• For each X 2 {AB,BC,AC}, s � X 2 LX . (Projecting)• If s0m⌃ v s and m = ret a.m(v) then there is a move nT ins0 such that, for all X such that p(m) 2 p(X), n is the justifierof m in s � X . (Well-returning)

• Laird’s conditions [17]:P (s �� AB) \ P (s �� BC) = ;;(P (s �� AB) [ P (s �� BC)) \O(s �� AC) = ;;For each s0 v s ending in m⌃nT and each a 2 dom(T ), if� p(m) 2 PO and a /2 ⌫(s0 �� AB),� or p(m) 2 OP and a /2 ⌫(s0 �� BC),� or p(m) 2 OO and a /2 ⌫(s0 �� AC),

then ⌃(a) = T (a).

We write Int(ABC) for the set of interaction sequences in ABC.

Note that, by projecting and well-returning, each return movein s has a unique justifier. Next we show that the polarities ofmoves inside an interaction sequence are uniquely determined bythe interaction diagram of Figure 3. The diagram can be seen asan automaton accepting s, for each s 2 Int(ABC). The edgesrepresent moves by their polarities, while the labels of verticesspecify the polarity of the next (outgoing) move. For example, fromOO we can only have a move m with p(m) 2 {OL, OR}, for anyp.

Lemma 1. Each s 2 Int(ABC) has a unique polarity function p.

Proof. Suppose s 2 Int(ABC). We claim that the alternation,well-calling, projecting and well-returning conditions uniquelyspecify p. Consider the interaction diagram of Figure 3, whichwe read as an automaton accepting s, call it A. The edges representmoves by their polarities, while the labels of vertices specify thepolarity of the next (outgoing) move. By projecting we obtain thatthe first element of s is some mA and, by alternation, its polarity isOL. Thus, OO is the initial state.We now use induction on |s| to show that A has a unique run ons. The base case is trivial, so suppose s = s0m. By induction hy-pothesis, A has a unique run on s0, which reaches some state X .We do a case analysis on m. If m 2 MA [MB [MC then thereis a unique edge accepting m and, by alternation, this edge mustdepart from X . If, on the other hand, m = call a.m(~v) then thefact that o(a) 2 p(m) gives two possible edges for accepting m.But observe that no combination of such edges can depart from X .Finally, let m = ret a.m(v) be justified by some n in s0. Then, bywell-bracketing, n is the justifier of m in all projections, and hence

the edge accepting m must be the opposite of the one accepting n(e.g. if m is accepted by OL then n is accepted by PL).

Next we show that interaction sequences project to plays. Theprojection of interaction sequences in ABC on AB, BC and ACleads to the following definition of projections of polarities,

⇡AB(XL) = X ⇡AB(XLYR) = X ⇡AB(YR) = undef.⇡BC(XL) = undef. ⇡BC(XLYR) = Y ⇡BC(YR) = Y

⇡AC(XL) = X ⇡AC(XLYR) = undef. ⇡AC(YR) = Y

where X,Y 2 {O,P}. We can now show the following.

Lemma 2. Let s 2 Int(ABC). Then, for each X 2 {AB,BC,AC}and each m⌃ in s, if p(m) 2 p(X) then ⇡X(p(m)) = pX(m),where pX is the polarity function of s � X .

Proof. We show this for X = AB, the other cases are provensimilarly, by induction on |s| � 0; the base case is trivial. Forthe inductive case, if m is the first move in s with polarity inp(AB) then, by projecting, m 2 MA and therefore p(m) = OL

and pAB(m) = O, as required. Otherwise, let n be the lastmove in s with polarity in p(AB) before m. By IH, pAB(n) =⇡AB(p(n)). Now, by projecting, pAB(m) = pAB(n) and observethat, for all X 2 p(n), ⇡AB(X) = ⇡AB(p(n)), so in particular⇡AB(p(m)) = ⇡AB(p(n)) = pAB(n) = pAB(m).

The following lemma formulates a taxonomy on names appear-ing in interaction sequences.

Lemma 3. Let s 2 Int(ABC). Then,

1. ⌫(s) = O(s �� AC) ] P (s �� AB) ] P (s �� BC);2. if s = tm⌃ and:

• p(m) 2 OO and s �� AC = t0m⌃0,

• or p(m) 2 PO and s �� AB = t0m⌃0,

• or p(m) 2 OP and s �� BC = t0m⌃0,

then ⌫(t)\ ⌫(m⌃0) ✓ ⌫(t0) and, in particular, if m introduces

name a in t0m⌃0then m introduces a in s.

Proof. For 1, by definition of interactions we have that these setsare disjoint. It therefore suffices to show the left-to-right inclusion.Suppose that a 2 ⌫(s) is introduced in some m⌃ in s, withp(m) 2 PO, and let s �� AB = · · ·m⌃0

· · · . If a 2 ⌫(m⌃0)

then a 2 P (s �� AB), as required. Otherwise, by Laird’s lastset of conditions, a is copied from the store of the move precedingm⌃ in s, a contradiction to its being introduced at m⌃ . Similarlyif p(m) 2 OP . Finally, if p(m) 2 OO then we work similarly,considering O(s �� AC).For 2, we show the first case, and the other cases are similar. Itsuffices to show that (⌫(m⌃0

) \ ⌫(t0)) \ ⌫(t) = ;. So supposea 2 ⌫(m⌃0

) \ ⌫(t0), therefore a 2 O(s �� AC). But thenwe cannot have a 2 ⌫(t) as the latter, by item 1, would implya 2 P (s �� AB) [ P (s �� BC).

Proposition 4. For all s 2 Int(ABC), the projections s �� AB,s �� BC and s �� AC are plays in AB, BC and AC respectively.

Proof. By frugality of s and application of �, all projections satisfyfrugality. Moreover, well-classing is preserved by projections. Forwell-calling, let m = call a.m(~v) be a move in s and let nT bethe move introducing a in s. Suppose p(m) 2 p(AB) and letus assume pAB(m) = O. We need to show that oAB(m) = P .By pAB(m) = O we obtain that p(m) 2 {OL, OLPR} and, bywell-calling of s, we have that o(a) 2 PO. Thus, p(n) 2 POand, by Lemma 3, n introduces a in s �� AB and therefore

oAB(n) = P , as required. If, on the other hand, pAB(m) = Pthen we obtain p(n) 2 OO [ OP and therefore, by Lemma 3,a 2 P (s �� BC) [ O(s �� AC). Thus, by the same lemma,a /2 P (s �� AB) and hence oAB(a) = O. The cases for the otherprojections are shown similarly.

In our setting programs will be represented by strategies be-tween arenas. We shall introduce them next after a few auxiliarydefinitions. Intuitively, strategies capture the observable computa-tional patterns produced by a program.

Let us define the following notion of subtyping between stores.For ⌃,⌃0 2 Sto, ⌃ ⌃0 holds if, for all names a,

⌃0(a) : I0 =) ⌃(a) I0^8f 2 dom(⌃0(a)).⌃(a).f = ⌃0(a).f

In particular, if a is in the domain of ⌃0, ⌃ may contain moreinformation about a because of assigning to a a larger interface.Accordingly, for plays s, s0 2 PAB , we say that s is an O-extensionof s0 if s and s0 agree on their underlying sequences, while theirstores may differ due to subtyping related to O-names. Where suchsubtyping leads to s having stores with more fields than those in s0,P is assumed to copy the values of those fields. Formally, s O s0

is defined by the rules:

✏ O ✏

s O s0 ⌃ ⌃0 ⌃ � P (sm⌃) ✓ ⌃0

sm⌃ O s0m⌃0 p(m)=O

snT O s0 ⌃ ⌃0 ⌃ extends ⌃0 by T

snTm⌃ O s0m⌃0 p(m)=P

where ⌃ extends ⌃0 by T if:• for all a 2 dom(⌃) \ dom(⌃0), ⌃(a) = T (a);• for all a and f 2 dom(⌃(a))\dom(⌃0(a)), ⌃(a).f = T (a).f.

The utility of O-extension is to express semantically the fact that theenvironment of a program may use up-casting to inject in its objectsadditional fields (and methods) not accessible to the program.

Definition 8. A strategy � in AB is a non-empty set of even-lengthplays from PAB satisfying the conditions:

• If sm⌃nT 2 � then s 2 �. (Even-prefix closure)• If sm⌃ , snT 2 � then sm⌃ ⇠ snT . (Determinacy)• If s 2 � and s ⇠ t then t 2 �. (Equivariance)2

• If s 2 � and t O s then t 2 �. (O-extension)

We write � : A ! B when � is a strategy in AB. If � : A ! Band ⌧ : B ! C, we define their composition �; ⌧ by:

�; ⌧ = {s �� AC | s 2 �k⌧}where �k⌧ = {s 2 Int(ABC) | s �� AB 2 � ^ s �� BC 2 ⌧}.

In definitions of strategies we may often leave the presence ofthe empty sequence implicit, as the latter is a member of everystrategy. For example, for each arena A, we define the strategy:

idA : A ! A = {m⌃Am⌃

A 2 PAA}The next series of lemmata allow us to show that strategy com-

position is well defined.

Lemma 5. If sm⌃ , snT 2 �k⌧ with p(m) /2 OO then sm⌃ ⇠snT . Hence, if s1m⌃ , s2n

T 2 �k⌧ with p(m) /2 OO and s1 ⇠ s2then s1m

⌃ ⇠ s2nT .

Proof. For the latter part, if s1 = ⇡ · s2 then, since ⇡ · (s2nT ) 2�k⌧ , by former part of the claim we have s1m

⌃ ⇠ ⇡ · (s2nT ) so

2 Recall that, for any nominal set X and x, y 2 X , we write x ⇠ y just ifthere is a permutation ⇡ such that x = ⇡ · y.

s1m⌃ ⇠ s2n

T .Now, for the former part, suppose WLOG that p(m) 2 PO.Then, by the interaction diagram, we also have p(n) 2 PO. Assm⌃, snT �� AB 2 �, by determinacy of � we get s0m⌃0

⇠ s0nT 0,

with s0m⌃0= sm⌃ �� AB and s0nT 0

= snT �� AB. We there-fore have (s0,m⌃0

) ⇠ (s0, nT ) and, trivially, (s, s0) ⇠ (s, s0).Moreover, by Lemma 3, ⌫(m⌃0

) \ ⌫(s) ✓ ⌫(s0) and ⌫(nT 0) \

⌫(s) ✓ ⌫(s0) hence, by Strong Support Lemma [26], sm⌃0⇠

snT 0. By Laird’s last set of conditions, the remaining values of

⌃, T are determined by the last store in s, hence sm⌃ ⇠ snT .

Lemma 6. If s1, s2 2 �k⌧ end in moves with polarities in p(AC)and s1 �� AC = s2 �� AC then s1 ⇠ s2.

Proof. By induction on |s1 �� AC| > 0. The base case is encom-passed in si = s0im

⌃i with p(m) 2 OO, i = 1, 2, where note thatby IH m will have the same polarity in s1, s2. Then, by IH we gets01 = ⇡ · s02, for some ⇡. Let s00i m⌃0

= si �� AC, for i = 1, 2, soin particular s001 = ⇡ · s002 and therefore (s01, s

001 ) ⇠ (s02, s

002 ). More-

over, by hypothesis, we trivially have (m⌃0, s001 ) ⇠ (m⌃0

, s002 ) andhence, by Lemma 3 and Strong Support Lemma [26], we obtains01m

⌃0⇠ s02m

⌃0which implies s1 ⇠ s2 by Laird’s conditions.

Suppose now si = s0is00i m

⌃i , i = 1, 2, with p(m) 2 P (AC)\OOand the last move in s0i being the last move in s0is

00i having polarity

in p(AC). By IH, s01 ⇠ s02. Then, by consecutive applications ofLemma 5, we obtain s1 ⇠ s2.

Proposition 7. If � : A ! B and ⌧ : B ! C then �; ⌧ : A ! C.

Proof. We show that �; ⌧ is a strategy. Even-prefix closure andequivariance are clear. Moreover, since each s 2 �k⌧ has even-length projections in AB and BC, we can show that its projectionin AC is even-length too. For O-extension, if s 2 �; ⌧ and t O swith s = u �� AC and u 2 �k⌧ , we can construct v 2 Int(ABC)such that t = v �� AC and v O u, where O is definedfor interaction sequences in an analogous way as for plays (withcondition p(m) = O replaced by p(m) 2 OO, and p(m) =P by p(m) 2 PO [ OP ). Moreover, v �� AB O u ��AB and v �� BC O u �� BC, so t 2 �; ⌧ . Finally, fordeterminacy, let sm⌃ , snT 2 �; ⌧ be due to s1s

01m

⌃0, s2s

02n

T 02

�k⌧ respectively, where s1, s2 both end in the last move of s.Then, by Lemma 6, we have s1 ⇠ s2 and thus, by consecutiveapplications of Lemma 5, we obtain s1s

01m

⌃0⇠ s2s

02n

T 0, so

sm⌃ ⇠ snT .

The above result shows that strategies are closed under com-position. We can prove that composition is associative and, conse-quently, obtain a category of games.

Proposition 8. For all ⇢ : A ! B, � : B ! C and ⌧ : C ! D,(⇢;�); ⌧ = ⇢; (�; ⌧).

Definition 9. Given a class table �, we define the category G�

having arenas as objects and strategies as morphisms. Identitymorphisms are given by idA, for each arena A.

Note that neutrality of identity strategies easily follows from thedefinitions and, hence, G� is well defined. In the sequel, when �can be inferred from the context, we shall write G� simply as G.As a final note, for class tables � ✓ �0, we can define a functor

�/�0 : G� ! G�0

which acts as the identity map on arenas, and sends each � : A !B of G� to:

(�/�0)(�) = {s 2 P�0AB | 9t 2 �. s O t}

where P�0AB refers to plays in G�0 . In the other direction, we can

define a strategy transformation:

(�0/�)(�) = � \ P�AB

which satisfies �0/�(�/�0(�)) = �.

4. Soundness

Here we introduce constructions that will allow us to build a modelof IMJ. We begin by defining a special class of strategies. A strategy� : A ! B is called evaluated if there is a function f� : MA !MB such that:

� = {m⌃Am⌃

B 2 PAB | mB = f�(mA)} .Note that equivariance of � implies that, for all mA 2 MA andpermutations ⇡, it holds that ⇡ · f�(mA) = f�(⇡ ·mA). Thus, inparticular, ⌫(f�(mA)) ✓ ⌫(mA).

Recall that, for arenas A and B, we can construct a productarena A⇥B. We can also define projection strategies:

⇡1 : A⇥B ! A = {(mA,mB)⌃m⌃

A 2 P(A⇥B)A}and, analogously, ⇡2 : A ⇥ B ! B. Note that the projections areevaluated. Moreover, for each object A,

!A = {m⌃A ⇤⌃ | m⌃

A 2 PA1}is the unique evaluated strategy of type A ! 1.

Given strategies � : A ! B and ⌧ : A ! C, with ⌧ evaluated,we define:

h�, ⌧i : A ! B⇥C = {m⌃A s[(mB , f⌧ (mA))/mB ] |m⌃

As 2 �}where we write s[m0/mB ] for the sequence obtained from s byreplacing any occurrences of mB in it by m0 (note that there canbe at most one occurrence of mB in s).

The above structure yields products for evaluated strategies.

Lemma 9. Evaluated strategies form a wide subcategory of Gwhich has finite products, given by the above constructions.Moreover, for all � : A ! B and ⌧ : A ! C with ⌧ evaluated,h�, ⌧i;⇡1 = � and h�, ⌧i = h�, idAi; h⇡1,⇡2; ⌧i.

Using the above result, we can extend pairings to general � :A ! B and ⌧ : A ! C by:

h�, ⌧i = Ah�,idAi�����! B ⇥A

h⇡2;⌧,⇡1i������! C ⇥B⇠=�! B ⇥ C

where ⇠= is the isomorphism h⇡2,⇡1i. The above represents anotion of left-pairing of � and ⌧ , where the effects of � precedethose of ⌧ . We can also define a left-tensor between strategies:

� ⇥ ⌧ = A⇥Bh⇡1;�,⇡2i������! A0 ⇥B

h⇡1,⇡2;⌧i������! A0 ⇥B0

for any � : A ! A0 and ⌧ : B ! B0.

Lemma 10. Let ⌧ 0 : A0 ! A, � : A ! B1, ⌧ : A ! B2,�1 : B1 ⇥B2 ! C1 and �2 : B2 ! C2, with ⌧ and ⌧ 0 evaluated.Then ⌧ 0; h�, ⌧i; h�1,⇡2;�2i = h⌧ 0; h�, ⌧i;�1, ⌧

0; ⌧ ;�2i.

Proof. The result follows from the simpler statements:

⌧ ; h�, idi = h⌧ ;�, ⌧i, h�, idi; h�0,⇡2i = hh�; idi;�0, idi,for all appropriately typed �,�0, ⌧ , with ⌧ evaluated, and Lemma 9.

An immediate consequence of the above is:

Ah�;⌧i���! B1 ⇥B2

�1⇥�2����! C1 ⇥ C2 = Ah�;�1,⌧ ;�2i�������! C1 ⇥ C2

More generally, Lemma 10 provides us with naturality conditionssimilar to those present in Freyd categories [25] or, equivalently,categories with monadic products [22].

We also introduce the following weak notion of coproduct.Given strategies �, ⌧ : A ! B, we define:

[�, ⌧ ] : Z⇥A ! B = {(1,mA)⌃s | m⌃

As 2 �}[ {(0,mA)

⌃s | m⌃As 2 ⌧}

Setting i : 1 ! Z = {⇤ i}, for each i 2 Z, we can show thefollowing.

Lemma 11. For all strategies �0 : A0 ! A and �, ⌧ : A ! B,

• h!; 0, idi; [�, ⌧ ] = ⌧ and h!; 1, idi; [�, ⌧ ] = �;• if �0 is evaluated then (idZ ⇥ �0); [�, ⌧ ] = [�0;�,�0; ⌧ ].

Method definitions in IMJ induce a form of exponentiation:Vn

i=1(�|� ] {~xi : ~✓i} ` Mi : ✓i)

�|� ` M : ⇥⇥={mi:~✓i!✓i | 1in}^M={mi:�~xi.Mi | 1in}

the modelling of which requires some extra semantic machinery.Traditionally, in call-by-value game models, exponentiation leadsto ‘effectless’ strategies, corresponding to higher-order value terms.In our case, higher-order values are methods, manifesting them-selves via the objects they may inhabit. Hence, exponentiation nec-essarily passes through generation of fresh object names containingthese values. These considerations give rise to two classes of strate-gies introduced below.

We say that an even-length play s 2 PAB is total if it is eitherempty or s = m⌃

Am⌃]TB s0 and:

• T 2 Sto0 and ⌫(mB) \ ⌫(⌃) ✓ ⌫(mA),

• if s0= s00m⌃0nT 0

and a 2 dom(⌃)\⌫(�(m⌃0A m⌃0]T

B s0)), for⌃0 2 Sto0, then a /2 ⌫(n) and T 0(a) = ⌃0(a).

We write P tAB for the set of total plays in AB. Thus, in total plays,

the initial move mA is immediately followed by a move mB , andthe initial store ⌃ is invisible to P in the sense that P cannot useits names nor their values. A strategy � : A ! B is called single-threaded if it consists of total plays and satisfies the conditions:3

• for all m⌃A 2 PAB there is m⌃

AmTB 2 �;

• if m⌃A m⌃]T

B s 2 � then �(m⌃0A m⌃0]T

B s) 2 �, for ⌃0 2 Sto0;

• if m⌃Am⌃]T

B s call a.m(~v)⌃0s0 2 � and a 2 ⌫(T ) then s = ✏.

Thus, single-threaded strategies reply to every initial move m⌃A

with a move mTB which depends only on mA (i.e. P does not read

before playing). Moreover, mTB does not change the values of ⌃ (P

does not write) and may introduce some fresh objects, albeit withdefault values. Finally, plays of single-threaded strategies consistof just one thread, where a thread is a total play in which there canbe at most one call to names introduced by its second move.

Conversely, given a total play starting with m⌃Am⌃]T

B , we canextract its threads by tracing back for each move in s the methodcall of the object a 2 ⌫(T ) it is related to. Formally, for each totalplay s = m⌃

Am⌃]TB s0 with |s0| > 0, the threader move of s,

written thrr(s), is given by induction:

• thrr(s0m⌃0) = thrr(s0), if p(m) = P ;

• thrr(s0call a.m(~v)⌃0) = call a.m(~v)⌃

0, if a 2 ⌫(T );

• thrr(s0nT 0s00call a.m(~v)⌃

0) = thrr(s0nT 0

), if a 2 P (s)\⌫(T )and n introduces a.

• thrr(s0nT 0s00m⌃0

)= thrr(s0nT 0), if p(m) = O and n justifies m.

3 Note that the use of the term “thread” here is internal to game semanticsparlance and in particular should not be confused with Java threads.

If s = s0nT 0s00 with |s0| � 2, we set thrr(nT 0

) = thrr(s0nT 0).

Then, the current thread of s is the subsequence of s containingonly moves with the same threader move as s, that is, if thrr(s) =m⌃0

and s = m⌃Am⌃]T

B s0 then

dse = m⌃Am⌃]T

B (s0 � m⌃0)

where the restriction retains only those moves nT 0of s0 such that

thrr(nT 0) = m⌃0

. We extend this to the case of |s| 2 by settingdse = s. Finally, we call a total play s 2 PAB thread-independentif for all s0m⌃0

veven s with |s0| > 2:

• if �(ds0m⌃0e) = s00m⌃00

then ⌫(⌃00) \ ⌫(s0) ✓ ⌫(s00);

• if s0 ends in some nT 0and a 2 dom(⌃0)\⌫(�(ds0m⌃0

e)) then⌃0(a) = T 0(a).

We write P tiAB for the set of thread-independent plays in AB.

We can now define strategies which occur as interleavings ofsingle-threaded ones. Let � : A ! B be a single-threaded strategy.We define: �† = {s 2 P ti

AB | 8s0 vevens. �(ds0e) 2 �}.

Lemma 12. �† is a strategy, for each single-threaded �.

Proof. Equivariance, Even-prefix closure and O-extension fol-low from the corresponding conditions on �. For determinacy,if sm⌃ , snT 2 �† with |s| > 0 then, using determinacy of �and the fact that P-moves do not change the current thread, nor dothey modify or use names from other threads, we can show thatsm⌃ ⇠ snT .

We say that a strategy � is thread-independent if � = ⌧ † forsome single-threaded strategy ⌧ . Thus, thread-independent strate-gies do not depend on initial stores and behave in each of theirthreads in an independent manner. Note in particular that evaluatedstrategies are thread-independent (and single-threaded).

Lemma 13. Let � : A ! B and ⌧ : A ! C be strategies with ⌧thread-independent. Then, h�, ⌧i;⇡1 = � and:

h�, ⌧i = Ah⌧,�i���! C ⇥B

⇠=�! B ⇥ C .

Proof. The former claim is straightforward. For the latter, we ob-serve that the initial effects of � and ⌧ commute: on initial movem⌃

A , ⌧ does not read the store updates that � includes in its re-sponse m⌃0

B , while � cannot access the names created by ⌧ in itssecond move m⌃0]T

C .

It is worth noting that the above lemma does not suffice for ob-taining categorical products. Allowing thread-independent strate-gies to create fresh names in their second move breaks universalityof pairings. Considering, for example, the strategy:

� : 1 ! I ⇥ I = {⇤ (a, a)⌃ 2 P1(I⇥I) | ⌃ 2 Sto0}we can see that � 6= h�;⇡1,�;⇡2i, as the right-hand-side containsplays of the form ⇤ (a, b)T with a 6= b.

We can now define an appropriate notion of exponential for ourgames. Let us assume a translation assigning an arena J~✓K to eachtype sequence ~✓. Moreover, let I be an interface such that

�(I) � Meths = {m1 : ~✓1 ! ✓1, · · · ,mn : ~✓n ! ✓n}

where ~✓i = ✓i1, · · · , ✓imi , for each i. For any arena A, givensingle-threaded strategies �1, · · · ,�n : A ! I such that, for eachi, if m⌃

Aa⌃]T s 2 �i then

a /2 ⌫(⌃) ^ T (a) : I ^ (call a.m(~v) 2 s =) m = mi),

we can group them into one single-threaded strategy:

hh�1, . . . ,�nii : A ! I =[n

i=1�i .

Note that the a above is fresh for each m⌃A (i.e. a /2 ⌫(m⌃

A)).Let now �1, · · · ,�n be strategies with �i : A ⇥ J~✓iK ! J✓iK.

For each i, we define the single-threaded strategy ⇤(�i) : A ! I:

⇤(�i) = {m⌃Aa⌃]Tcall a.mi(~v)

⌃0s 2 P t

AI | �((mA,~v)⌃0s) 2 �i}

[ {m⌃Aa⌃]T call a.mi(~v)

⌃0s ret a.mi(v)

T 0s0 2 P t

AI |

�((mA,~v)⌃0s vT

0s0) 2 �i} [ {m⌃

Aa⌃]T 2 P tAI}

where a /2 ⌫(⌃,~v, v, s, s0,⌃0, T 0) and T (a) : I. By definition,⇤(�i) is single-threaded. Therefore, setting

⇤(�1, . . . ,�n) = hh⇤(�1), . . . ,⇤(�n)ii† : A ! I,we obtain a thread-independent strategy implementing a simultane-ous currying of �1, · · · ,�n. In particular, given translations JMiKfor each method in a method-set implementation M, we can con-struct:

JMK : J�K ! I = ⇤(JM1K, · · · , JMnK).Finally, we define evaluation strategies ev

mi : I ⇥ J~✓iK ! J✓iK by(taking even-length prefixes of):

evmi = {(a,~v)⌃call a.mi(~v)

⌃ret a.mi(v)TvT 2 PAi |⌃(a) I}

where Ai = (I⇥J~✓iK)J✓iK. We can now show the following naturalmapping from groups of strategies in A ⇥ J~✓iK ! J✓iK to thread-independent ones in A ! I.

Lemma 14. Let �1, · · · ,�n be as above, and let ⌧ : A0 ! A beevaluated. Then,• ⇤(�1, . . . ,�n)⇥ id; ev

mi = �i,• ⌧ ;⇤(�1, . . . ,�n) = ⇤((⌧ ⇥ id);�1, . . . , (⌧ ⇥ id);�n).

Apart from dealing with exponentials, in order to complete ourtranslation we need also to address the appearance of x : I in therule4

�, x : I,� ` M : ⇥�,� ` new(x : I;M) : I �(I)�Meths=⇥.

Recall thatJMK : J�K ⇥ I ! I (1)

is obtained using exponentiation. Thus, the second move of JMKwill appear in the right-hand-side I above and will be a fresh nameb which will serve as a handle to the methods of M: in order toinvoke m : �~x.M on input ~v, the Opponent would have to callb.m(~v). The remaining challenge is to merge the two occurrencesof I in (1). We achieve this as follows. Let us assume a well-formedextension �0 of �:

�0 = (I0 : (f0 : I)),�that is, I0 contains a single field f0 of type I. We next define thestrategy I : 1 ! I0 ⇥ I of G�0 :

I = {⇤ (a0, a)⌃0call a.m(~v)⌃call b.m(~v)⌃ret b.m(v)T ret a.m(v)T }†

where m 2 dom(�(I)), b = ⌃(a0).f0, and ⌃0 2 Sto0 is suchthat ⌃0(a) : I and ⌃0(a

0) : I0. We let Jnew(x : I;M)K be thestrategy:5

J�K hid,!;Ii;⇠=�������! I0⇥J�K⇥I id⇥hJMK,⇡2i��������! I0⇥I⇥I(asn

f

0⇥id);⇡2��������! I

4 Note that x may appear free in M; it stands for the keyword this of Java.5 Here we omit wrapping JMK inside �/�0, as well as wrapping the wholeJnew(x : I;M)K in �0

/�, for conciseness.

and asnf

is the assignment strategy:

asnf

: I ⇥ J✓K ! 1 = {(a, v)⌃⇤⌃[a.f 7!v] 2 P(I⇥J✓K)1},for each field f. Thus, object creation involves creating a pair ofnames (a0, a) with a : I and a0 : I0, where a is the name of theobject we want to return. The name a0 serves as a store where thehandle of the method implementations, that is, the name createdby the second move of JMK, will be passed. The strategy I ,upon receiving a request call a.m(~v)⌃ , simply forwards it to therespective method of a0.f0 and, once it receives a return value,copies it back as the return value of the original call.

Let #(~I) :�!I ! #(

�!I ) = {~a⌃~a⌃ | ais distinct}, for eachsequence of interfaces

�!I . The latter has a right inverse #(~I)�r :

#(�!I ) ! �!I with the same plays. We can now define the semantic

translation of terms.

Definition 10. The semantic translation is given as follows.• Contexts � = {x1 : ✓1, · · ·, xn : ✓n}[{a1 : I1,· · · , am : Im}

are translated into arenas by

J�K = J✓1K ⇥ · · ·⇥ J✓nK ⇥#(I1, · · · , Im),

where JvoidK = 1, JintK = Z and JIK = I.• Terms are translated as in Figure 4 (top part).

In order to prove that the semantics is sound, we will also needto interpret terms inside state contexts. Let � ` M : ✓, with� = �1 [ �2, where �1 contains only variables and dom(�2) =dom(S). A term-in-state-context (S,M) is translated into the strat-egy:

J�1 ` (S,M)K = J�1KJSK��! J�1K ⇥

�!I id⇥#(~I)�����! J�K JMK���! J✓K.The semantic translation of states (Figure 4, lower part), comprisestwo stages:

J�1 ` SK = J�1KJSK1���! J�1K ⇥

�!I JSK2���! J�1K ⇥�!I .

The first stage, JSK1, creates the objects in dom(S) and implementstheir methods. The second stage of the translation, JSK2, initialisesthe fields of the newly created objects.

In the rest of this section we show soundness of the seman-tics. Let us call NEW, FIELDUP, FIELDAC and METHODCL re-spectively the transition rules in Figure 2 which involve state.Given a rule r, we write (S,M)

r�! (S0,M 0) if the transition(S,M) �! (S0,M 0) involves applying r and context rules.

Proposition 15 (Correctness). Let (S,M) be a term-in-state-context and suppose (S,M)

r�! (S0,M 0).

1. If the transition r is not stateful then JMK = JM 0K.2. If r is one of FIELDAC or FIELDUP then JSK2; (id⇥#(~I)); JMK =

JS0K2; (id⇥#(~I)); JM 0K.3. If r is one of METHODCL or NEW then J(S,M)K = J(S0,M 0)K.

Thus, in every case, J(S,M)K = J(S0,M 0)K.

Proof. Claim 1 is proved by using the naturality results of thissection. For the let construct, we show by induction on M thatJM [v/x]K = hid, JvKi; JMK. For 2 we use the following propertiesof field assignment and access:

hasnf

,⇡1i;⇡2; drff = hasnf

,⇡2i;⇡2 : I ⇥ J✓K ! J✓Khasn

f

,⇡1i ⇥ id;⇡2; asnf = id⇥ ⇡2; asnf : I ⇥ J✓K ⇥ J✓K ! 1

which are easily verifiable (the former one states that assigning afield value and accessing it returns the same value; the latter that

• J� ` xi : ✓iK = J�K ⇡i�! J✓iK; • J� ` ai : IiK = J�K ⇡n+1���! #(�!I )

#(~I)�r

�����! �!I ⇡i�! Ii;

• J� ` skip : voidK = J�K !�! 1; • J� ` null : IK = J�K !; ˆnul���! I, where ˆnul : 1 ! I = {⇤ nul};

• J� ` i : intK = J�K !;i�! Z; • J� ` letx = M 0 inM :✓K = J�K hid,JM0Ki������! J�K ⇥ J✓0K JMK���! J✓K;

• J� ` (I)M : IK = J�K JMK���! I0 stpI0I����! I, where stpI0I : I0 ! I = {nul nul} [ {a⌃a⌃ 2 PI0I | ⌃(a) I};

• J� ` M �M 0 : intK = J�K hJMK,JM0Ki�������! Z⇥ Z ��! Z, where � : Z⇥ Z ! Z = {(i, j) (i� j)};

• J� ` M = M 0 : intK = J�K hJMK,JM0Ki�������! I ⇥ I eq�! Z, where eq = {(a, a)⌃ 1⌃ 2 P(I⇥I)Z} [ {(a, b)⌃ 0⌃ 2 P(I⇥I)Z | a 6= b};

• J� ` ifM thenM 0 elseM 00 : ✓K = J�K hJMK,idi�����! Z⇥ J�K [JM0K,JM00K]��������! J✓K;

• J� ` new(x :I;M) : IK = J�K hid,!;Ii;⇠=�������! I0 ⇥ J�K ⇥ I id⇥hJMK,⇡2i��������! I0 ⇥ I ⇥ Iasn

f

0⇥id�����! 1⇥ I ⇡2�! I,

where JMK = J�K ⇥ I ⇤(JM1K,...,JMnK)�����������! I if M = {m1 : �~x1.M1, · · · ,mn : �~xn.Mn};

• J� ` M.f := M 0 : voidK = J�K hJMK,JM0Ki�������! I ⇥ J✓K asnf��! 1;

• J� ` M.f : ✓K = J�K JMK���! I drff��! J✓K, where drf

f

: I ! J✓K = {a⌃v⌃ 2 PIJ✓K | ⌃(a).f = v};

• J� ` M.m(�!M) : ✓K = J�K hJMK,J�!MKi�������! I ⇥ J~✓K ev

m��! J✓K, where J�!MK = hhhJM1K, JM2Ki, · · · i, JMnKi.

• J�1 ` SK = J�1Khid,�!Ii�����! J�1K⇥

�����!(I0 ⇥ I)

⇠=�!�!I0⇥(J�1K⇥

�!I )id⇥h⇡2;J

�!MK,idi����������!�!I0⇥�!I ⇥(J�1K⇥

�!I )⇠=⇥id���!

�����!(I0 ⇥ I)⇥(J�1K⇥

�!I )

(��!asnf

0⇥id);⇡2��������! J�1K ⇥�!I hid,h�!id,J�!V Kii��������! (J�1K ⇥

�!I )⇥�!�!I ⇥

�!�!J✓K id⇥⇠=���! (J�1K ⇥

�!I )⇥������!������!(I ⇥ J✓K) (id⇥��!asn

f

);⇡1��������! J�1K ⇥�!I ,

where dom(S) = {a1, · · · , an}, �!I = hI1 , · · · ,Ini, S(ai) : Ii,�!I0 = I0

1 ⇥ · · ·⇥ I0n,

�!I = I1 ⇥ · · ·⇥ In,�!M = (M1, · · · ,Mn),

Mi = S(ai) � MImps , J�!MK = hJM1K, · · · , JMnKi, asnf

0 = asnf

01⇥ · · ·⇥asn

f

0n

,�!V = (V1, · · · , Vn), Vi = S(ai) � HCnfs , J�!V K =

hJV1K, · · · , JVnKi, Vi = (f1i : v1i , · · · , fnii : vni

i ), JViK = hJv1i K, · · · , Jvnii Ki, ��!asn

f

= asnfi ⇥ · · ·⇥asn

fn , asnfi = asn

f

1i⇥ · · ·⇥asn

f

nii

.

Figure 4. The semantic translation of IMJ.

two assignments in a row have the same effect as just the lastone). The final claim follows by showing that the diagrams belowcommute (we write A for J�K ⇥�!I ),

�!I0⇥A⇥J~✓K

id⇥J�!MK⇥id //

id⇥hJ�!MK,JMiKi⇥id

✏✏

�!I0⇥�!I ⇥J~✓K

h⇠=,⇡2;⇡ii⇥id// ����!(I0⇥I)⇥Ii⇥J~✓K

(��!asnf

0⇥evm

);⇡2

✏✏�!I0⇥�!I ⇥Ii⇥J~✓K

⇠=⇥id // ����!(I0⇥I)⇥Ii⇥J~✓K(��!asn

f

0⇥evm

);⇡2 // J✓K

J�1K�✏✏

�!I0⇥A⇥A

id⇥h⇡2;⇡i,�0i//

id⇥�0✏✏

�!I0⇥A⇥Ii⇥J~✓K

id⇥J�!MK⇥id// �!I0⇥�!I ⇥Ii⇥J~✓K⇠=⇥id ✏✏

�!I0⇥A⇥J~✓K

id⇥J�!MK⇥id✏✏

����!(I0⇥I)⇥Ii⇥J~✓K

(��!asnf

0⇥evm

);⇡2✏✏�!

I0⇥�!I ⇥J~✓Kh⇠=,⇡2;⇡ii⇥id// ����!(I0⇥I)⇥Ii⇥J~✓K

(��!asnf

0⇥evm

);⇡2 // J✓Kwhere �0 : A ! J~✓K a combination of values and assignments, and

� = J�1Khid,�!Ii�����! J�1K ⇥

�!I0 ⇥�!I (�⇥id⇥�);⇠=�������!

�!I0 ⇥A⇥A

with � = hid, idi. The former diagram says that, assigning methodimplementations

�!M to object stores ~a0 and calling Mi on somemethod m is the same as assigning

�!M to ~a0 and evaluating instead

a new copy of Mi on m. The reason the diagram commutes isthat the copy of Mi differs from the original just in the handlename (the one returned in the codomain of JMiK), but the latteris hidden via composition with ev

m

. The latter diagram stipulatesthat if we create ~a with methods

�!M, then calling ai on m is thesame as calling Mi on m. The latter holds because of the way thatIi manipulates calls inside the interaction, by delegating calls tomethods of ai to Mi.

Proposition 16 (Computational Soundness). For all ` M : void,if M + then JMK = {⇤ ⇤} (i.e. JMK = JskipK).

Proof. This directly follows from Correctness.

Proposition 17 (Computational Adequacy). For all ` M : void,if JMK = {⇤ ⇤} then M +.

Proof. Suppose, for the sake of contradiction, that JMK = {⇤ ⇤}and M 6+. We notice that, by definition of the translation forblocking constructs (castings and conditionals may block) and dueto Correctness, if M 6+ were due to some reduction step beingblocked then the semantics would also block. Thus, M 6+ mustbe due to divergence. Now, the reduction relation restricted to allrules but METHODCL is strongly normalising, as each transitiondecreases the size of the term. Hence, if M diverges then it mustinvolve infinitely many METHODCL reductions and our argumentbelow shows that the latter would imply JMK = {✏}.For any term � ` N : ✓ and a 2 A \ dom(�), construct �a ` Na,where �a = �]{a : VarI}, by recursively replacing each subterm

of N of the shape N 0.m( ~N) with a.f := (a.f + 1);N 0.m( ~N).VarI is an interface with a sole field f : int. Observe that eachs 2 J� ` NK induces some s0 2 J�a ` NaK such that a appearsin s0 only in stores (and in a single place in the initial move)and O never changes the value of a.f, while P never decreasesthe value of a.f. We write J�a ` NaKa for the subset of J�a `NaK containing precisely these plays. Then, take M0 to be theterm letx = new(x : VarI ; ) in (Ma[x/a];x.f), where x a freshvariable. Because ⇤⇤ 2 JMK, we get ⇤j 2 JM0K for some j 2 Z.Consider now the infinite reduction sequence of (;,M). It musthave infinitely many METHODCL steps, so suppose (;,M) �!⇤

(S,M 0) contains j + 1 such steps. Then, we obtain (;,M0) �!⇤

(Sa, (M0)a; a.f), with Sa(a).f = j + 1. By Correctness, we

have that ⇤j 2 JSa, (M0)a; a.fK = JSaK; (id⇥#); J(M 0)a; a.fKa.

Since in J(M 0)aKa the value of a cannot decrease, and its initialvalue is j + 1 (as stipulated by Sa), we reach a contradiction.

5. Full Abstraction

Recall that, given plays s, s0, we call s an O-extension of s0 (writtens O s0) if s, s0 are identical except the type information regardingO-names present in stores: the types of O-names in s may besubtypes of those in s0. We shall write s P s0 for the dualnotion involving P-names, i.e., s P s0 if s, s0 are the same, butthe types of P-names in s0 may be subtypes of those in s. Then,given X 2 {O,P} and fixed A,B, let us define clX(s) = {s0 2PAB | s0 X s} and clX(�) =

Ss2� clX(s). We write P�|�`✓

for PJ�KJ✓K. A play will be called complete if it is of the formmAY mBY .

Next we establish a definability result stating that any completeplay (together with other plays implied by O-closure) originatesfrom a term.

Lemma 18 (Definability). Let s 2 P�|�`✓ be a complete play.There exists �0 ◆ � and �0|� ` M : ✓ such that J�0|� `M : ✓K = clO(s).

Proof. The argument proceeds by induction on |s|. For s = ✏,any divergent term suffices. For example, one can take �0 =� � {Div 7! (m : void ! void)}, and pre-compose any termof type ✓ with new(x : Div; m : �().m() ).m().

Suppose s 6= ✏. Then the second move can be a question or ananswer. We first show how to reduce the former case to the latter,so that only the latter needs to be attacked directly.

Suppose

s = q⌃q call o.m(~u)⌃1 s1 ret o.m(v)⌃2 s2 w⌃3 s3,

where o : I0 and �(I0)(m) :�!IL ! IR. Consider �0 =

� � {I00 7! (���!f0 : IL, m0 : IR ! ✓)} and the following play

from P�0|�`I00 :

s0 = q⌃q p⌃01 s01 call p.m0(v)

⌃02 s02 ret p.m0(v)

⌃03 s03,

where p 62 ⌫(s), ⌃0i = ⌃i � ⌃, ⌃ = {p 7! (I00,

����!f 0 7! u)} and

s0j is the same as sj except that each store is extended by ⌃. If�0|� ` M 0 : I0 satisfies the Lemma for s0 then, for s, one can takeletxp = M 0 inxp.m

0(y.m(���!xp.f

0)), where y refers to o, i.e., y isof the shape x.

�!f , where x 2 dom� and

�!f is a sequence of fields

that points at o in ⌃q .Thanks to the reduction given above we can now assume that

s 2 P�|�`✓ is non-empty and

s = q⌃q m⌃00 m⌃1

1 · · ·m⌃2k2k ,

where m0 is an answer. We are going to enrich s in two ways so thatit is easier to decompose. Ultimately, the decomposition of s will

be based on the observation that the m⌃11 · · ·m⌃2k

2k segment can beviewed as an interleaving of threads, each of which is started by amove of the form call p for some P-name p. A thread consists ofthe starting move and is generated according to the following tworules: m2i belongs to the thread of m2i�1 and every answer-movebelongs to the same thread as the corresponding question-move.

• The first transformation of s brings forward the point of P-namecreation to the second move. In this way, threads will nevercreate objects and, consequently, it will be possible to composethem without facing the problem of object fusion.Suppose P (s) = �!pi and pi : Ipi . Let �0 = � � {IP 7!����!fi : Ipi}. Consider s0 = (n, q)⌃

0q m

⌃00

0 m⌃0

11 · · ·m⌃0

2k2k , where

⌃0q = ⌃q � {n 7! (IP ,

�!null)} and ⌃0

i = ⌃i � {n 7!(IP ,

�!pi )}�{pi 7! (Ipi ,�!null) | ⌃i(pi) undefined, pi 2 P (s)}.

Let �0 = {xn : IP }� �. Observe that s0 2 P�0|�0`✓ .• The second transformation consists in storing the unfolding

play in a global variable. It should be clear that the recursivestructure of types along with the ability to store names is suf-ficient to store plays in objects. Let I

play

be a signature thatmakes this possible. This will be used to enforce the intendedinterleaving of threads after their composition (in the style ofInnocent Factorization [5]). Let �00 = �0�{History 7! play :Iplay

} and �00 = {xh : History}� �. Consider

s00 = (h, n, q)⌃00q m

⌃000

0 m⌃00

11 · · ·m⌃00

2k2k

with⌃00

q = ⌃0q � {h 7! (History, play 7! null)},

⌃002i = ⌃0

2i � {h 7! (History, play 7! s0m2i)},

⌃002i+1 = ⌃0

2i+1 � {h 7! (History, play 7! s0m2i)}.

Observe that s00 2 P�00|�0`✓ .

Now we shall decompose m⌃00

11 · · ·m⌃00

2k2k into threads. Recall that

each of them is a subsequence of s00 of the form

call p.m(�!u )⌃c t ret p.m(v)⌃r

where the segment t contains moves of the form call o or ret o forsome o 2 O(s). We would now like to invoke the IH for eachthread but, since a thread is not a play, we do so for the closelyrelated play (h, n, q,�!u )⌃c t0 v⌃r . Let us call the resultant termMp,m,�!u ,⌃c

. Next we combine terms related to the same p : Ip intoan object definition by

Mp ⌘ new(x : Ip;m : ��!u .case(�!u ,⌃c)[Mp,m,�!u ,⌃c]]).

The case statement, which can be implemented in IMJ using nestedif’s, is needed to recognize instances of �!u and ⌃c that reallyoccur in threads related to p. In such cases the correspondingterm Mp,m,�!u ,⌃c

will be run. Otherwise, the statement leads todivergence.

The term M for s can now be obtained by taking

letxn = new(x : IP ; ) inletxh = new(x : History; ) in

let�������!xpi = Mpi in

assert(q⌃q );��������!xn.fi = xpi ;make(⌃00

0 ); play(m0)

where�������!xpi = Mpi represents a series of bindings (one for each

P-name pi 2 P (s)), assert((h, n, q)⌃00q ) is a conditional that

converges if and only if the initial values of free � identifiers aswell as values accessible through them are consistent with q and⌃q respectively, make(⌃00

0 ) is a sequence of assignments that setvalues to those specified in ⌃00

0 (up-casts need to be performed toensure typability) and play(m0) is skip, i, null or, if m0 is a name,

it is a term of the form (✓)y.~f , where y is xn or (x : Ix) 2 � suchthat y.~f gives an access path to m0 in ⌃00

0 .

We conclude with full abstraction results both in inequationaland equational forms. For technical convenience, we shall use amodified (but equivalent) definition of contextual approximation.

Lemma 19. Let � = {x1 : I1, · · · , xk : Ik}, �|� ` Mi : ✓(i = 1, 2), and �0 = �[{Wrap�,I 7! (f : (I1, · · · , Ik) ! ✓)}.Then �|� ` M1 @⇠ M2 if and only if, for all �00 ◆ �0 and�00, z : Wrap�,I ` test : void, if C

test

[M1] + then Ctest

[M2] +,where C

test

[�] ⌘ let z = new(x : Wrap�,I ; f : ��!xi .[�]) in test.

Proof. The Lemma holds because, on the one hand, it relies oncontexts of a specific shape and, on the other hand, any closingcontext C[�] for Mi can be presented in the above form withtest ⌘ C[z.f(x1, · · · , xk)].

Given a term �|� ` M : ✓, let us write J�|� ` M : ✓Kcomp

forthe set of complete plays from J�|� ` M : ✓K. In what follows, weshall often omit �|�,` for brevity.

Theorem 20 (Inequational full abstraction). Given �|� ` Mi : ✓(i = 1, 2), we have �|� ` M1 @⇠ M2 : ✓ if and only if

clP (J�|� ` M1 : ✓Kcomp

) ✓ clP (J�|� ` M2 : ✓Kcomp

).

Proof. The proof uses the following play transformation. Givent = q⌃qs1a

⌃as2 2 P�|�`✓ , we define t 2 P�0,Wrap�,I`void

as

n⌃n calln.f(q)⌃q�⌃n s�⌃n1 retn.f(a)⌃a�⌃n s�⌃n

2 ⇤⌃�⌃n ,

where �0,Wrap�,I are the same as in the above Lemma, ⌃n ={n 7! (Wrap�,I , ;)}, s�⌃n stands for s in which each storewas augmented by ⌃n and ⌃ is the store of the last move int. Intuitively, t is the play that C

test

[�] needs to provide for aterminating interaction with t.

()) Let s 2 clP (JM1Kcomp

). Then there exists s0 2 JM1Kcomp

with s 2 clP (s0). Apply Definability to s0 to obtain �00, z : Wrap�,I `

test : void such that JtestK = clO(s0). Because s0 2 JM1Kcomp

and Adequacy holds, we must have Ctest

[M1] +. From M1 @⇠ M2

we obtain Ctest

[M2] +. Hence, because of Soundness, there existss00 2 JM2Kcomp

such that s00 2 JtestK. Since JtestK = clO(s0), itfollows that s00 2 clO(s0) and, consequently, s0 2 clP (s

00). Thus,s 2 clP (s

0) and s0 2 clP (s00). Hence, s 2 clP (s

00) and, becauses00 2 JM2Kcomp

, we can conclude s 2 clP (JM2Kcomp

).

(() Let Ctest

[�] be such that Ctest

[M1] +. By Soundness, thereexists s 2 JM1Kcomp

such that s 2 JtestK. Because JM1Kcomp

✓clP (JM1Kcomp

) and clP (JM1Kcomp

) ✓ clP (JM2Kcomp

), we alsohave s 2 clP (JM2Kcomp

). Thus, there exists s0 2 JM2Kcomp

suchthat s 2 clP (s

0). Consequently, s0 2 clO(s). Since s 2 JtestK, wealso have s0 2 JtestK. Because s0 2 JM2Kcomp

and s0 2 JtestK, byAdequacy, we can conclude that C

test

[M2] +.

Example 3. Let us revisit Example 2. We have clP (�1) = �1 andclP (�2) = �2 [ {⇤;, n{n 7!(Empty,;)}}, i.e. clP (�1) ( clP (�2).Thus, it follows from Theorem 20 that �|; ` M1 @⇠ M2 and�|; ` M1 6⇠= M2.

Theorem 21 (Equational full abstraction). Given �|� ` Mi : ✓(i = 1, 2), �|� ` M1

⇠= M2 : ✓ if and only if

J�|� ` M1 : ✓Kcomp

= J�|� ` M2 : ✓Kcomp

.

Proof. The preceding result implies that M1⇠= M2 if and only

if clP (JM1Kcomp

) = clP (JM2Kcomp

). We show that this impliesJM1Kcomp

= JM2Kcomp

. Let s 2 JM1Kcomp

. By clP (JM1Kcomp

) =clP (JM2Kcomp

), it must be the case that s 2 clP (JM2Kcomp

),i.e., there exists s0 2 JM2Kcomp

such that s 2 clP (s0). Again,

by clP (JM1Kcomp

) = clP (JM2Kcomp

), it follows that s0 2clP (JM1Kcomp

), i.e., there exists s00 2 JM1Kcomp

such thats0 2 clP (s

00). So, we have s 2 clP (s0) and s0 2 clP (s

00), whichimplies s 2 clP (s

00). However, s, s00 2 JM1Kcomp

, so s 2 clP (s00)

entails s = s00. Hence, s 2 clP (s0) and s0 2 clP (s), and s = s0

follows. Because s0 2 JM2Kcomp

, we showed s 2 JM2Kcomp

. Theother inclusion is derived analogously.

References

[1] M. Abadi and L. Cardelli. A theory of objects. Springer Verlag, 1996.[2] E. Abraham, M. M. Bonsangue, F. S. de Boer, A. Gruener, and M. Stef-

fen. Observability, connectivity, and replay in a sequential calculus ofclasses. In Proceedings of FMCO, 2004.

[3] S. Abramsky, D. R. Ghica, A. S. Murawski, C.-H. L. Ong, and I. D. B.Stark. Nominal games and full abstraction for the nu-calculus. InProceedings of LICS, 2004.

[4] S. Abramsky, R. Jagadeesan, and P. Malacaria. Full abstraction forPCF. Information and Computation, 163:409–470, 2000.

[5] S. Abramsky and G. McCusker. Linearity, sharing and state: a fullyabstract game semantics for Idealized Algol with active expressions.In Algol-like languages, pages 297–329. Birkhauser, 1997.

[6] S. Abramsky and G. McCusker. Game semantics. In Logic andComputation: Marktoberdorf Proceedings. Springer-Verlag, 1998.

[7] J. Alves-Foss, editor. Formal Syntax and Semantics of Java, volume1523 of Lecture Notes in Computer Science. Springer, 1999.

[8] J. Alves-Foss and F. S. Lam. Dynamic denotational semantics of Java.In Formal Syntax and Semantics of Java, pages 201–240. 1999.

[9] G.M. Bierman, M.J. Parkinson, and A.M. Pitts. MJ: An imperativecore calculus for Java and Java with effects. Technical Report 563,Computer Laboratory, University of Cambridge, 2002.

[10] H. Bjorklund and T. Schwentick. On notions of regularity for datalanguages. Theor. Comput. Sci., 411(4-5):702–715, 2010.

[11] M. J. Gabbay and A. M. Pitts. A new approach to abstract syntax withvariable binding. Formal Aspects of Computing, 13:341–363, 2002.

[12] J. M. E. Hyland and C.-H. L. Ong. On Full Abstraction for PCF.Information and Computation, 163(2):285–408, 2000.

[13] A. Jeffrey and J. Rathke. Java Jr: Fully abstract trace semantics for acore Java language. In Proceedings of ESOP, 2003.

[14] A. Jeffrey and J. Rathke. A fully abstract may testing semantics forconcurrent objects. Theor. Comput. Sci., 338(1-3):17–63, 2005.

[15] S. N. Kamin and U. S. Reddy. Two semantic models of object-orientedlanguages. In Theoretical Aspects of Object Oriented Programming,pages 463–495. MIT Press, 1994.

[16] V. Koutavas and M. Wand. Reasoning about class behavior. InProceedings of FOOL/WOOD, 2007.

[17] J. Laird. A game semantics of local names and good variables. InProceedings of FOSSACS, 2004.

[18] J. Laird. Game semantics for higher-order concurrency. In Proceed-ings of FSTTCS, 2006.

[19] J. Laird. Game semantics for call-by-value polymorphism. In Pro-ceedings of ICALP, 2010.

[20] S. B. Lassen and P. B. Levy. Typed normal form bisimulation forparametric polymorphism. In Proceedings of LICS, 2008.

[21] R. Milner. Fully abstract models of typed lambda-calculi. TheoreticalComputer Science, 4(1):1–22, 1977.

[22] E. Moggi. Computational lambda-calculus and monads. In Proceed-ings of LICS, 1989.

[23] A. S. Murawski and N. Tzevelekos. Algorithmic nominal game se-mantics. In Proceedings of ESOP, 2011.

[24] A. S. Murawski and N. Tzevelekos. Game semantics for good generalreferences. In Proceedings of LICS, 2011.

[25] J. Power and E. Robinson. Premonoidal categories and notions ofcomputation. Math. Struct. in Comput. Sci., 7:453–468, 1997.

[26] N. Tzevelekos. Full abstraction for nominal general references. Logi-cal Methods in Computer Science, 5(3), 2009.

[27] N. Tzevelekos. Fresh-register automata. In Proc. of POPL, 2011.