Alg

Progress in Theoretical Computer Science
Editor
Ronald V. Book, University of California
Editorial Board
Erwin Engeler, ETH Zentrum, Zurich, Switzerland
Jean-Pierre Jouannaud, Universite de Paris-Sud, Orsay, France
Robin Milner, Cambridge University, England
Martin Wirsing, Universität Passau, Passau, Germany
ALGOL-like Languages
Volume2
Peter W. O'Hearn
Robert D. Tennent
Editors
Springer Science+Business Media, LLC

Peter O'Hearn Robert D. Tennent
Dept. of Computer Science Dept. of Computing and Information Science
Queen Mary&Westfield College Queen's University
London E1 4NS Kingston, Ontario
England Canada K7L 3N6
Library of Congress Cataloging-in-Publication Data
ALGOL-like languages I Peter W. O'Hearn, Robert D. Tennent, editors.

p. cm. -- (Progress in theoretical computer science)
Includes bibliographical references and index.
ISBN 978-1-4757-3853-7 ISBN 978-1-4757-3851-3 (eBook)
DOI 10.1007/978-1-4757-3851-3
1. ALGOL (Computer program language) I. O'Hearn, Peter W. (Peter
William), 1963- . II. Tennent, R. D., 1944- III. Series.
QA76.73.A24A413 1997
005.13'1--dc21 96-46972
CIP
Printedon acid-free paper

© 1997 Springer Science+Business Media N ew York
Originally published by Birkhäuser Boston in 1997
Softcoverreprint of the bardeover 1st edition 1997
Copyright is not claimed for works ofU.S. Govemment employees.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording,
or otherwise, without prior permission of the copyright owner.
Permission to photocopy for internal or personal use of specific clients is granted by

Springer Science+Business Media, LLC
for libraries and other users registered with the Copyright Clearance
Center (CCC), provided that the base fee of$6.00 per copy, plus $0.20 per page is paid directly
to CCC, 222 Rosewood Drive, Danvers, MA 01923, U.S.A. Special requests should be
addressed directly to Springer Science+Business Media, LLC.
Cover design by R. D. Tennent and Typesmith, with apologies to Guy Steele, designer of
the cover for The Little Lisper, by Daniel Friedman, Science Research Associates (1974).
ISBN 978-1-4757-3853-7
Typeset by the Authors in 1EX.
9 R7 6 5 4 3 2 1
Table of Contents
Contributors vü
Part IV FUNCTOR-cATEGORY SEMANTICS 1

11 Functor Categories and Store Shapes 3
Frank]. Oles
12 Using Functor Categories to Generate Intermediate Code 13

]ohn C. Reynolds
Part V SPECIFICATION LOGIC 39

13 Semantical Analysis of Specification Logic 41
Robert D. Tennent
14 Semantical Analysis of Specification Logic, 2 65

Peter W. O'Hearn and Robert D. Tennent
Part VI PROCEDURES AND LOCAL VARIABLES 95

15 Full Abstraction for the Second-Order Subset 97
Kurt Sieber
16 Parametridty and Local Variables 109

17 Operationally-Based Reasoning About Local Variables 165

Andrew M. Pitts
Part VII INTERFERENCE, IRREVERSffiiLITY, AND CONCURRENCY 187

18 Syntactic Control of Interference Revisited 189
Peter W. O'Hearn, A. ]ohn Power, Makoto Takeyama and
Robert D. Tennent
19 Global State Considered Unnecessary 227
Uday S. Reddy
20 Linearity, Sharing and State 297

Samson Abramsky and Guy McCusker
21 The Essence of PARALLEL ALGOL 331

Stephen Brookes
Contents of Volume 1 349

Contributors
Samson Abramsky A. John Power
Department of Computer Science Laboratory for the Foundations of
University of Edinburgh Computer Science
Edinburgh, U.K. EH9 3JZ Department of Computer Science
samson@dcs.ed.ac.uk University of Edinburgh
Edinburgh, U.K. EH9 3JZ
Stephen Brookes
ajp@dcs.ed.ac.uk
School of Computer Science
Carnegie-Mellon University Uday S. Reddy
Pittsburgh, PA 15213-3890 Computer Science Department
Stephen.Brookes@cs.cmu.edu University of lllinois
Mattbias Felleisen Urbana, IL 61801
Department of Computer Science reddy@cs.uiuc.edu
Rice University John C. Reynolds
Houston, TX 77251 School of Computer Science
matthias@cs.rice.edu Carnegie Mellon University
Evan Ireland Pittsburgh, PA 15213
School of Information Science John.Reynolds@cs.cmu.edu
Massey University
Palmerston North, New Zealand Kurt Sieher
E.Ireland@massey.ac.nz Informatik
Universität des Saarlandes
Guy McCusker Saarbrücken, Germany 66041
Department of Computing sieber@cs.uni-sb.de
Imperial College
London, U.K. SW7 2BZ Vipin Swarup
gam@doc.ic.ac.uk The MITRE Corporation
Hurlington Road
Albert R. Meyer Bedford, MA 01730
Laboratory for Computer Science swarup@linus.mitre.org
MIT
Cambridge, MA 02139 Makoto Takeyama
meyer@theory.lcs.mit.edu Department of Computing Science
Peter W. O'Hearn Chalmers University of Technology and
Department of Computer Science Göteborg University
Queen Mary and Westfield College Göteborg, Sweden S 41296
London, U.K. E1 4NS makoto@cs.chalmers.se
ohearn@dcs.qmw.ac.uk Robert D. Tennent
Frank J. Oles Department of Computing and
Mathematical Seiences Department Information Science
ffiM T. J. Watson Research Center Queen's University
Yorktown Heights, NY 10598 Kingston, Canada K7L 3N6
oles@watson.ibm.com rdt@qucis.queensu.ca
Andrew M. Pitts Stephen Weeks
Computer Laboratory School of Computer Science
University of Cambridge Carnegie Mellon University
Cambridge, U.K. CB2 3QG Pittsburgh, PA 15213
ap@cl.cam.ac.uk Stephen.Weeks@cs.cmu.edu
Part IV
FUNCTOR-CATEGORY SEMANTICS
Chapter 11
Functor Categories and Store Shapes
Frank]. Oles
Contents
1 Introduction 3
2 The Utility of Functor Categories 3
3 A Category of Store Shapes 8
4 Concluding Remarks 11
References 12
1 Introduction
An intuitive grasp of the nature of variable declarations and of what is hap-
pening as one enters and exits from blocks is essential to programming in
an ALGOL-like language. However, a precise semantic description of the con-
structs involved is difficult, and it is particularly difficult if one wants seman-
tics for block structure that mesh elegantly with semantics for procedures.
Our goal is to outline in general terms how functor categories can be used
to explain the semantics of ALGOL-like languages which possess a rich type
structure, higher-order procedures whose types may be arbitrarily complex,
imperative capabilities, and block structure. It is our aim to draw a sharp dis-
tinction between change of state and change of underlying structure. Block
entrances and block exits in connection with variable declarations change the
shape of the store (underlying structure), whereas commands alter the store
(state). It is our feeling that, far from being abstract nonsense, functor cate-
gories are a natural vehicle for giving mathematical substance to these intu-
itions about stack discipline.
2 The Utility of Functor Categories

We think of a language as beginning with the specification of a set of data
types; let's say int (for integer) and bool (for boolean). Each data type ö
gives rise to three primitive phrase types ö-exp (for ö-expression), ö-var (for
ö-variable), and ö-acc (for ö-acceptor). Another primitive phrase type is comm
(for command). The reader probably has an excellent intuitive feeling for the
nature of phrases that are assigned the phrase types ö-exp, ö-var, and comm.
A phrase has type ö-acc if it gobbles up values of type ö and produces com-
mands. Thus, if x and y are ö-variables, then, in the assignment command
x := y, the ö-variable x is used as a ö-acceptor. Even if a language turnsout
Adapted by the author and the editors from material in Section 1 of F. J. Oles: "Type algebras,
functor categories, and block structure," in M. Nivat and J. C. Reynolds (editors): Algebraic Methods
in Semantics, © Cambridge University Press 1985 (reprinted with the permission of Cambridge
University Press), andin Chapters I and V1 of F. J. Oles: A Category·Theoretic Approach to the
Semantics of Programming Languages, Ph.D. thesis, Syracuse University, Syracuse, N.Y., August
1982.
P. W. O’Hearn et al. (eds.), Algol -like Languages

© Springer Science+Business Media New York 1997
4 Chapter 11. Functor Categories and Store Shapes
not actually to have any phrases of type 8-acc, it is still useful to introduce
that phrase type in order to explain 8-var.
Also, for any phrase types T and (}, there is a phrase type T => (} that is
assigned to procedures accepting arguments (i.e., having formal parameters)
of type T and producing results (i.e., having calls) of type 0. The symbol =>
will intentionally be used also to denote exponentiation in Cartesian closed
categories.
An integral part of the semantics of a typed language is the assignment to
each phrase type T of a meaning, denoted Mng T. One might suppose Mng T
is a set; however, the possible existence of nonterminating programs, which
lead to an "undefined" state, provides an inducement to partially order Mng T,
where the relation x ~ y means x is more undefined than y; for instance, see
[Sco71, Rey77]. The need to give meanings to recursively defined expressions
of type T causes us to require that directed subsets of Mng T have least upper
bounds, i.e., that Mng T be a predomain. Also, we generally want Mng T to have
a minimal element, but we must tread cautiously at this point to avoid becom-
ing overcommitted to the use of Vom (the category of domains) rather than
Paom (the category of predomains). As we shall see later, Vom is technically
inadequate.
Suppose we try to give the semantics of programs which do not contain
block entrances and exits. We start by positing the existence of a set S of
possible stores. Regard sets as discretely ordered predomains (i.e., x ~ y iff
x = y). Since a command is a transformation of S that possibly may not
terminate, and a function from S to Sj_ (i.e., toS with a new least element .L) is
the same as a continuous function from S to Sj_, we expect
Mngcomm = S= S.c.
where => is the intemal hom functor (exponentiation) for Paom. Also, for
each data type 8,
Mng8-exp = S=> (Val8)j_,
Mng8-acc = Val8=> Mngcomm,
Mng8-var = Mng8-acc x Mng8-exp,
where Val8 is the set of values of data-type 8. In other words, a 8-expression
attempts to compute a value of type 8 from the current store, a 8-acceptor
uses a value of type 8 to update the current store, and a 8-variable may be
used as either a 8-expression or a 8-acceptor. Finally, for all phrase types T
and (}, we expect
Mng(T => {}) = MngT => Mng (};
i.e., the predomain of meanings for the procedural phrase type T => (} is the
predomain of continuous functions from Mng T to Mng (}.
Although the approach of the preceding paragraph is attractively compre-
hensible, it is inadequate for the semantics of block structure because the set
S is fixed throughout the exposition. The whole point of block structure is to
permit S to vary during program execution. For instance, if we view stores as
being functions from finite sets of locations in memory to the set of data-type
values, then the domains of those functions may be regarded as store shapes.
Frank]. Oles 5
Variable declarations at the start of a block alter the shape of the store by
adding locations to it, whereas block exit restores the shape of the store to
its condition at block entrance. The semantics of a language obeying a stack
discipline should reflect this dynamic behaviour.
Therefore, let ~ be the collection of all store shapes. To each X E ~. there
is a set StX of storesofthat shape. Since the meaning of phrasetypeT varies
with the store shape, Mng T is not a predomain, but is rather a ~-indexed
collection of predomains. For instance we might arrange matters so that
MngcommX = StX=> (StX).l
Mngö-exp X = StX=> (Valöh
Mngö-accX = Valö=>MngcommX
Mng ö-var X = Mng ö-acc X x Mng ö-exp X,
where X e ~ and ö is a data type.
It is important to realize that, for any phrase type T and store shapes X and
Y, the predomains Mng T X and Mng T Y cannot be arbitrarily different. After
all, we want the notion of command to have a uniform meaning for all store
shapes, or else the definition of operations like ; (concatenation of commands)
will be bizarrely complicated. For instance, consider the program skeleton
begin
int-var x;
X:= 3;
begin
bool-var y;
x:= 3;
end;
end
Suppose X is the store shape corresponding to the outer block and Y is the
store shape corresponding to the inner block. Then Mng comm X is relevant
to the first occurrence of the assignment command x := 3, while Mngcomm Y
is relevant to the second occurrence. However, both occurrences are meant
to alter the contents of the same location. Roughly speaking, the fact that
X can be "expanded" to give Y induces a function from Mngcomm X to
Mngcomm Y. So it becomes important to contemplate the notion of an ex-
pansion from a store shape X to a store shape Y. Certainly expansions should
be composable. The composition should be associative. For each store shape
X there ought to be an identity expansion which involves "doing nothing" to
X. In short, we assert that we erred in letting ~ be the collection of store
shapes. From now on, take ~ to be the category of store shapes. The mor-
phisms of ~ are called expansions. Furthermore, for each phrase type T,
we should require that Mng T be a functor from ~ to 'Ptfom. This will el-
egantly take care of how an expansion1 u E X ~ Y induces a function
Mng T U E Mng T X p;r;;;;i Mng T Y.
Procedural phrase types are a bit tricky. Let T and 9 be phrase types. Recall
that in the simpler setting the predomain of meanings of type T => e was the
set of continuous functions from Mng T to Mng 9. One might hope that in the
more sophisticated setting, where Mng(T => 9) is tobe a functor, the set of
procedural meanings of type T => 9 in the context of a store shape X would be
the set of continuous functions from Mng T X to Mng 9 X; i.e.,
Mng(T=> O)X = MngT X=>MngOX.
Alas, this does not define a functor because => in 'Ptfom is contravariant in
its first argument. Another idea might be to recall that Mng T and Mng e are
objects in a functor category and to try letting Mng( T=> 0) be the set of natural
transformations from Mng T to Mng e. That is plain nonsense, because there
is no way to regard such a set of natural transformations as a functor. We
are, however, getting closer to the heart of the matter: the functor category
~ => 'Ptfom is Cartesian closed. Therefore, the appropriate equation governing
meanings of procedural types is just
Mng(T=> 9) = MngT=> Mng0,
where the heavy arrow on the right is exponentiation in the functor category
~=> 'Ptfom.
The reader may wonder why we did not engineer this discussion so as to
end up with the functor category ~ => 'Dom. Unfortunately, contrary to the
claim in [Rey81], it does not appear that ~=> Vom is Cartesian closed, in spite
of the fact that Vom is Cartesian closed.
This all sounds nice enough, but we have lost somewhere the idea that
phrases of type T should have denotations which are elements of Mng T, be-
cause Mng T does not seem to have any elements if it is a functor. The solution
is to reject, even in the simpler setting where block structure is ignored, the
intuition that a phrase of type T denotes an element of Mng T. Actually, this
is a rather conventional notion. This is where environments enter semantics.
In the simpler setting, complete specification of a language requires not only
a set S of stores, but also a type assignment function A from the set of identi-
fiers to phrase types. The function A has two uses. First, it is used to assign
types to free occurrences of identifiers, enabling the type of the entire phrase
to be determined. Second, A determines a predomain E of environments by
taking E to be the product in 'Pdöm of the Mng(A x) over all identifiers x.
Thus each element of E associates a meaning of the right type to each iden-
tifier. Then, even in the simpler setting, we conceive of the denotation of a
phrase of typeT as being a (continuous) function from E to MngT. Wehave
thus been led to the idea that the semantics of a phrase is a morphism in a
category from an environment object to a meaning object. We will give more
1We use X~ Y to denote the set of morphisms from X to Y in category ~-
Frank]. Oles 7
details shortly, but at least we need not worry that Mng T is a functor rather
than a set of elements.
The idea that each identifier possesses a unique phrase type is workable in
some contexts, but it is always unpalatable because it robs the programmer of
the ability to bind any identifier to any phrase type. This Ieads us to introduce
phrase-type assignments, functions from finite sets of identifiers to phrase
types. Since any phrase f may contain free occurrences of identifiers, a type
can be assigned to f only in the context of a phrase-type assignment oc.
Each phrase-type assignment oc determines an environment object Env oc,
which is a functor in~= 'Pdom, defined by taking the product of the functors
Mng(oc x) over all identifiers x in the domain of oc. If Xis a store shape, then
Env oc X is the product in 'Pdom of the predomains Mng( oc x) X over the same
set of identifiers x, and this is a collection of "conventional environments."
The denotation of a phrase f in the context of a phrase-type assignment oc
will be a morphism (natural transformation) in the functor category ~= 'Pdom
from Envoc to MngT, where T is the type of f in context oc. In particular, the
denotation of f in the context of phrase-type assignment oc and store shape
X is a function from "conventional environments" in Env oc X to "conventional
meanings" in MngT X.
Our final topic in this section is a discussion of how this approach lends it-
self to an explanation of the interactions between procedures and block struc-
ture. However, we must preface this with the definition of the functor
hom:!: E ~op - (~ = 'Pdöm)
The usual hom functor is
hom:!: E ~op x ~ -Set
where Set is the usual category of sets. Let E E Set - 'Pdom be the embed-
ding functor that gives a discrete partial order to each set. By composing, we
get
E o hom:!: E ~op x ~- 'Pdom
Then curry to get
hom:!: E ~op - (~ = 'Pdom)
Thus, for store shapes X and Y, hom:!: X Y is hom:!:(X, Y) =X~ Y, equipped
with a discrete partial order.
Let us Iook at a phrase f, which, in the context of an appropriate type as-
signment, has a procedural type, say T = lJ, where T and lJ are phrase types.
Suppose the procedure f is defined in a program in a block whose store shape
is X. In this context the denotation of the procedure is a function from Env oc X
to (Mng T= Mng O)X. The definition of exponentiation in the functor category
~ = 'Pdom teils us that the predomain (Mng T = Mng O)X is obtained by par-
tially ordering the set of natural transformations from (hom:!: X) x (Mng T)
to Mng e. Then the denotation of the procedure applied to a conventional
environment e existing when f is defined is a natural transformation from
(hom:!: X) x (MngT) to Mng8.
Now, suppose the procedure f is called in an interior block whose store
shape is Y. Thus there is an expansion o- E X~ Y, and the Y component
of the meaning of .f can be applied to this expansion to obtain an element of

the predomain Mng T Y => Mng (} Y, which is a proper collection of conven-
tional meanings at the time of the call. Wehave captured here two important
intuitions about the meanings of procedures.
1. The environment used to determine the meaning of a procedure is not
the environment existing at the moment of the call, but is rather the
environment existing when the procedure in defined, an intuition de-
scribed by other approaches as weil.
2. The meaning of a procedure is alsodependent on the store shape ex-
isting at the moment of call, the store shape existing at the moment of
definition, and the expansion connecting them.
3 A Category of Store Shapes

So far, we have been vague about the structure of ~. the category of store
shapes. Obviously, the semantics of a language can be precisely described
only if ~ is completely specified. There are actually a variety of choices for
~- As one approach, we may posit the existence of a set of "locations" along
with operations for creating and manipulating "stacks of locations," which are
the objects of ~- This approach has a very operational flavour. It has two
drawbacks. First, the details turn out to be very complicated, and, second, we
are uncomfortable with insisting at the outset that stores are "stacks of loca-
tions." Another candidate for ~ is the category of store shapes and expansions
described in [Rey81]. It avoids the drawbacks of the operational approach, but
it does not seem possible to give continuation semantics by using that cate-
gory for ~-
The point of this section is to describe a category for ~ that we feel is
at the proper Ievel of abstraction. There is behind it an accessible intuition.
At the same time we can avoid unnecessary complexities that may almost be
said to be implementation-dependent (i.e., what kind of data type values can
be placed in what locations, and what do we do with values that need several
locations.)
The basic idea is to Iet any set X be an object of ~ (i.e., a store shape).
Then the set of stores corresponding to the store shape X is just X itself. An
expansion in X 7 Y is supposed to go from a "little" Store shape X to a "big"
store shape Y. Part of an expansion is a "forgetting" function2 cp E Y---+ X,
which allows a more complicated store to serve as a less complicated one.
Another part of an expansion is a "replacement" function p EX---+ (Y---+ Y);
it is used when one wishes to overwrite the part of a more complicated store
that corresponds to a less complicated store. Thus an arrow of ~ is an ordered
pair (cf>,p) EX 7 Y, where cf> E Y ---+X and p EX---+ (Y---+ Y).
Furthermore, we require that an arrow (cp, p) E X 7 Y satisfy the follow-
ing three conditions:
2 we use Y---+ X, with an unadorned arrow, to denote the set of all functions from the set Y
to the set X.
Frank]. Oles 9
(~1) cf> (p x y) = x}
(~2) p (cf> y) y = y, and
(B) p X (p x' y) = p X y,
where x,x' E X and y E Y. We may read (D) loosely as replacing x with

y, and then forgetting, gives back x. Condition (~2) says replacing in y with
part of itself gives back y. Finally, (~3) says only the last replacement counts.
We could obtain a larger and simpler category by not imposing these three
conditions on morphisms, and all of the results of this chapter would hold,
with the exception of the theorem on the structure of morphisms. However,
the naturality requirements discussed in Chapters VII and VIII of [Ole82) seem
to require (~1). (~2), and (B) or some similar conditions.
In order to define composition elegantly in ~ we need some notation. Sup-
pose oc E X --.. Y and ß E W --.. Z. Then
oc--+- ß E (Y--+- W) --+- (X--+- Z)
is given by (oc--+- ß) f = ß o f o oc, where f E Y--.. W. (So --.. is just the

ordinary hom functor for Set.) Also, for each set X, define the diagonalization
Dx for X tobe
Dx E (X--+- (X--+- X))--+- (X--+- X),
given by Dx f X = f X X, where f E X--+- (X--+- X) and X E X.
Suppose (cp,p) EX 7 Y and (cf>',p') E Y 7Z. Define
(cf>',p') o (cf>,p) EX 7 Z
by
(cf>',p')o(cf>,p) = (cf>ocf>',Dzo(cf>'--..p')op).
Obtaining a new forgetting function by composing given forgetting functions
is not surprising. The second component on the right-hand side is the fune-
rtonal composition
cf>-p'
X --'-P--+- ( Y --+- Y) (Z--+- (Z--+- Z)) --D=--z---+- (Z--+- Z)
For x EX, z E Z, we have
{Dz o (cf>'--.. p') o p) x z Dz ((cf>' --..p') (px)) z
Dz (p' o (p x) o cf>') z
(p' o (p x) o cf>') zz
p' (p x (cf>' z)) z.
Thus, we have an intuitively satisfying replacement function derived from two
expansions. Given that (cf>, p) and (cf>', p') satisfy the three conditions, it is
3 The use of conventional notation for functional application in this work would result in
vast forests of parentheses, so we denote functional application by juxtaposition, in the style
of Iambda calculus, separating a function and its argument by a space and using parentheses
only when necessary for parsing. Functional application associates to the left. For example, what
we write as q, (p x y) might be written conventionally as tJ>((p(x))(y)).
necessary to check that their composite also satisfies them. Let x, x' E X and
z E Z. For (D), we have
(c/> o cJ>') {(Dz o (c/>'---+- p') o p) x z)
(c/> o cJ>') (p' (p x (c/>' z)) z)
c/> (c/>' (p' (p X ( c/>' Z)) Z))
cp (p x (c/>' z)), by (D) for (c/>',p'),
X, by (D) for (c/>, p).
For (~2), we compute

(Dz o (c/>'---+- p') o p) ((c/> o cJ>') z) z
(Dz o (c/>'---+- p') o p) (cp (c/>' z)) z
p' (p (cp (c/>' z)) (c/>' z)) z
p' (c/>' z) z, by (~2) for (c/>,p),
Z, by (~2) for (c/>',p').
Finally, for (B), we have

(Dz o (c/>'---+- p') o p) x {(Dz o (c/>'---+- p') o p) x' z)
= (Dz o (c/>'---+- p') o p) x (p' (p x' (c/>' z)) z)
= p' (P x (cp' (p' (p x' (c/>' z)) z))) (p' (p x' (c/>' z)) z)
p' (p x (p x' (c/>' z))) (p' (p x' (c/>' z)) z), by (D) for (c/>',p'),
p' (p x (c/>' z)) (p' (p x' (c/>' z)) z), by (B) for (cJ>,p),
p' (p x (c/>' z)) z, by (B) for (c/>',p'),
(Dz o (c/>'---+- p') o p) X z.
Note the curious fact that both (D) and (B) play roles in the last computa-
tion. It can also be verified that composition in ~ is associative.
The identity morphisms for ~ are given by (lx,Ix) E X 7 X, where
lx EX---+- X is the identity function and lx E X---+- (X---+- X) is given by
Ix x x' = x, for all x, x' E X. The computations needed to prove this are very
easy.
The morphisms in ~ have a mysterious quality about them. The following
theorem dispels some of the mystery. If one knows what "split epimorphisms"
are in, say, the category of right modules over a ring, then this theorem can be
interpreted as saying the arrows in~ are "split surjections" in Set.
Theorem 1 A morphism (c/>, p) EX 7 Y induces an equivalence relation-
on Y such that
X cp Y ____1!__.. Y I-
is a product in Set of X and Y I-, where rr E Y ____.. Y I- maps each element of
Y to its equivalence class; in particular, cp is surjective.
Proof: Define - on Y by
Y1 - Y2 iff for all x EX, p x Y1 = p x Y2·
Then - is clearly an equivalence relation.
Frank]. Oles 11
Consider in Set the diagram

z
X
;(]>~
cp Y rr Y/-
Given oc and ß, we must show there exi.sts a unique function ;y making the
diagram commute. Letz E Z. Define ;y by ;y z = p (oc z) y, where y E Y is any
element suchthat rr y = ß z. That ;y is well-defined is immediate from the
definition of -. Compute:
(cp o :y) z = cp (;y z) = cp (p (oc z) y) = oc z, by (~1).
and
(rr o :y) z = rr (:y z) = rr (p (oc z) y) = ß y,
because, for all x E X,
p X (p (OC z) y) = p X y, by (B).
Hence ;y makes the diagram commute. Suppose also that

z
X
;(]>~
cp Y rr Y/-
commutes; we must show ;y = ;y'. Again, letz E Z. Then ;y z- ;y' z, because
rr ()' z) = ß z = rr(y' z). Therefore, ·
;yz p (cp (;y z)} ()' z), by (~2),
p (oc z) (:y z)
p (oc z) (:y' z), since ;y z - ;y' z,
p (cp (;y' z)} (:y' z)
;y' Z, by (~2).
So ;y = ;y', and we are done. I
4 Concluding Remarks
We hope that this work will eventually find application in constructing im-
plementations of languages and in proving correctness of programs. Also it
leads us to speculate that there may be important results to be found relating
classes of languages (with semantic descriptions, of course!) with the "struc-
ture of their implementation," much like results relating formallanguages to
the automata that recognize them.
References
[Ole82] F. j. Oles. A Category-Theoretic Approach to the Semantics of Programming
Languages. Ph.D. thesis, Syracuse University, Syracuse, N.Y., 1982.
[Rey77] j. C. Reynolds. Semantics of the domain of flow diagrams. ]. ACM, 24(3):484-
503, 1977.
[Rey81] J- C. Reynolds. The essence of ALGOL. In j. W. de Bakker and j. C. van Vliet,
editors, Algorithmic Languages, Proceedings of the International Sympo-
sium on Algorithmic Languages, pages 345-372, Amsterdam, October 1981.
North-Holland, Amsterdam. See Chapter 3.
[Sco71] D. S. Scott. The lattice of flow diagrams. In E. Engeler, editor, Sympo-
sium on Semantics of Algorithmic Languages, volume 188 of Lecture Notes
in Mathematics, pages 311-66. Springer-Verlag, Berlin, 1971. Also Technical
Monograph PRG-3, Oxford University Computing Laboratory, Programming
Research Group, Oxford.
Part V
SPECIFICATION LOGIC
Chapter 12
Using Functor Categories to Generate
Intermediate Code
]ohn C. Reynolds
In the early 80's Oles and Reynolds devised a semantic model of ALGOL-
like languages using a category of functors from a category of store
shapes to the category of predomains. Here we will show how a vari-
ant of this idea can be used to define the translation of an ALGOL-like
language to intermediate code in a uniform way that avoids unnecessary
temporary variables, provides control-flow translation of boolean expres-
sions, permits online expansion of procedures, and minimizes the stor-
age overhead of calls of closed procedures. The basic idea is to replace
continuations by instruction sequences and store shapes by descriptions
of the structure of the run-time stack.
Contents
1 Introduction 14
2 Types and Syntax 14
3 Functor-Category Semantics 15
4 Stack Descriptors 18
5 The Intermediate Language 19
6 From Semantics to Compilation 21
7 Commands 22
8 Integer Expressions 23
9 Variable Declarations 25
10 Boolean Expressions and Conditionals 26
11 Open Procedures 27
12 Closed Subroutines 28
13 Compiling Subroutines and their Calls 32
14 Subroutines for Product Types 34
15 Completions and Iteration 35
16 AnExample 36
17 Conclusions 37
Acknowledgements 37
References 37
First appeared in Con(erence Record of POPL '95: 22nd ACM SIGPLAN-SIGACT Symposium on
Principles of Programming Languages, pages 25-36, San Francisco, January 1995. ACM, New York.
© 1995 Association for Computing Machinery, reprinted by permission.
14 Chapter 12. Using Functor Categories to Generate Intermediate Code
1 Introduction
To construct a compiler for a modern higher-level programming languagel one

needs to structure the translation to a machine-like intermediate language in a
way that reflects the semantics of the language. little is said about such struc-
turing in compiler texts that are intended to cover a wide variety of program-
ming languages. More is said in the Iiterature on semantics-directed compiler
construction [1] but here too the viewpoint is very general (though limited to
1
languages with a finite number of syntactic types). On the other handl there
is a considerable body of work using the continuation-passing transformation
to structure compilers for the specific case of call-by-value languages such as
SCHEME and ML [21 3].
ln this paperl we will describe a method of structuring the translation of
ALGOL-like languages that is based on the functor-category semantics devel-
oped by Reynolds [4] and Oles [51 6].
An alternative approach using category theory to structure compilers is
the early work of F. L. Morris [7]1 which anticipates our treatment of boolean
expressionsl but does not deal with procedures.
2 Types and Syntax
An ALGOL-like language is a typed lambda calculus with an unusual repertoire

of primitive types. Throughout most of this paper we assume that the primi-
tive types are
comm(and) int(eger)exp(ression)
int(eger)acc(eptor) int(eger)var(iable) I
and that the set 8 of types is the least set containing these primitive types and
closed under the binary operation -.
We write :::;; for the least preorder suchthat
intvar s intexp intvar s intacc
If Oi s 01 and 02 s 02 then 01 - 02 s Oi - 02 .
When 0 :::;; 0' 0 is said to be a subtype of 0' •
1
A type assignment is a mapping from some finite set of identifiers into

types; we write 8* for the set of type assignments. Then we write the typing
1T 1- p : 0 to indicate that the phrase p has type 0 under the type assignment
TT.
We omit both the definition of the syntax of phrases and the inference rules
for typingS beyond noting that phrases include identifiers and the lambda-
1
calculus operations of application and abstractionl and the inference rules

include the standard rules for the typed lambda calculus with subtypes.
]ohn C. Reynolds 15
3 Functor-Category Semanlies
The basic assumption that an ALGOL-like language is a species of typed lambda
calculus is captured by using a cartesian closed category to provide its se-
mantics. More specifically, we assume that there is a functor [- ], from 8
(preordered by the subtype relation and viewed as a category) to a cartesian
closed semantic category X, that interprets the type constructor- as the ex-
ponentiation operation of X:
[0- 0'] = [0] 7 [0'].
(If the type system includes type constructors for tuples or records, these will
be interpreted by products in X. Intersection types would be interpreted by
pullbacks, as discussed in [8, 9, 10].)
The functor [-] interprets types as objects of the semantic category X.
In addition, whenever 0 is a subtype of 0' (i.e. 0 s 0'), it maps the unique
morphism from 0 to 0' into an "implicit conversion morphism", which we
denote by [0 s 0'], from the meaning of 0 to the meaning of 0'.
The meaning of type assignments is specified by a functor [- ]*, from 8*
(preordered pointwise and viewed as a category) to X, that maps each type
assignment into an appropriate product in the semantic category:
[rr]* = n X
1edomrr
[TTL].
When rr 1- p: 0, the semantics of the phrase p, with respect to rr and 0, is

a morphism from the meaning of rr to the meaning of 0 that we denote by
[P]rre E [rr]* x [0].
(This redundant use of emphatic brackets is saved from ambiguity by the sub-
scripts, which qualify the semantics of a phrase but not the functorial use of
the brackets.)
Throughout this paper, we will write A c B to denote the set of mor-
phisms from A to B in the category C, and A c> B to denote the exponenti-
ation of B by A in C. When the subscript is omitted, the relevant category is
either that of domains and continuous functions or of predomains and con-
tinuous functions. (Of course, - is also used as the type constructor for pro-
cedural types.)
The semantics [P]rre is specified by giving a semantic equation for each
syntactic construct of the language, plus an equation describing the effect of
implicit conversions:
[P]rre' = [P]rre; [0 s 0'] whenO s 0', (1)
where the semicolon denotes the composition of morphisms in X (in diagram-

marte order).
The above equation is not syntax-directed, i.e. it does not define the se-
mantics of p in terms of the semantics of its subphrases, but rather defines
one semantics of p in terms of another. As discussed in [10], this means that
[P]rre must be defined by structural induction on the proof of the typing
rr 1- p : 0 rather than on the syntactic structure of p. This has the advan-

tage that semantics (and similarly translation) is only defined for type-correct
programs, but it introduces the requirement of coherence, i.e. that different
proofs of the same typing must not lead to different meanings. Fortunately,
the proof of coherence given in [10], for a language using intersection types,
carries over to the much simpler language discussed in this paper.
1f we were defining a purely functional, call-by-name language, we could
take the semantic category X tobe the category of domains (c.p.o.'s with least
elements) and continuous functions. It is less obvious, however, how to pro-
vide a clear semantics of languages that include assignment. In the early 80's,
Frank Oles and I devised such a semantics that makes the block structures of
ALGOL-like languages explicit. Our basic idea was that the meaning of a type
should be a family of domains parameterized by state sets (which Oles called
"store shapes"):
[comm]S = S - Sl.
[intexp]S = s - zl.
[intacc]S = Z- (S- Sl.)
[intvar]S = [intacc]S x [intexp]S.
Similarly, the semantics of a phrase was a family of continuous functions pa-
rameterized by state sets:
[P]rreS E [rr]*S- [O]S.
Consider, for example, the .ALGOL-like program
new x:intvar in (x:= x + 1; ...
new y: intvar in (y := x + y; x := x + 1 ; ... )) .
In the outer block, where only a single variable is declared, the appropriate
set of states is the set of integers, while in the inner block, where a second
variable is declared, the appropriate set of states is the set of pairs of integers.
Thus the semantics of the two occurrences of x := x + 1 are provided by dif-
ferent members of the family [x := x + 1]rr,comm· The member of this family
appropriate to the occurrence in the outer block is
[x :=X+ 1]rr,commZ E [rr]* Z- (Z- Zl.),
which maps an environment appropriate to states that are integers into a
state-transition function on integers. 1f 17 is an environment specifying that
x denotes the integer that is the entire state, then [x := x + 1]rr,commZI7 will be
the function that increases an integer by one.
On the other band, the member of [x := x + 1 Drr,comm that is appropriate to
the occurrence in the inner block is
[x :=X+ Hrr,comm(Z X Z) E [rr]* (Z X Z) - ((Z X Z) - (Z X Z)l.),
which maps an environment appropriate to states that are pairs of integers
into a state-transition function on such pairs. If 17 is an environment specifying
]ohn C. Reynolds 17
that x denotes the first component of the state, then [x:=x+ 1]rr,comm<Z x Z)17
will be the function mapping a pair (x, y) into (x + 1, y).
In both cases, command execution is described by a state transition that
preserves the shape of the state. Indeed, this is generally true since, for any
command c,
[C]rr,commS E [rr]* S- (S - S.d
implies that [c]rr,commS17 preserves the shape S.
From the viewpoint of category-theoretic semantics, parameterization by
state sets is realized by taking the semantic category tobe the functor category
X=PDOM:!:,
where ~ is a category whose objects are state sets and PDOM is the category
of predomains and continuous functions. Of course, this implies that the
meanings of types are functors that act on morphisms of ~ as weil as objects,
and that the semantics of phrases are natural transformations between such
functors. In this brief synopsis, however, we will only remark that a morphism
in S T S', called an "expansion" in [4, 5, 6], shows how a small state in S can
be extracted from a large state in S' and how a small-state transitioninS - S .L
can be extended to a large-state transition in S' - s:.
It is shown in [5, 6] that the functor category PDOM:!: is cartesian closed
(actually for any ~). In particular, exponentiations are functors whose action
on objects of ~ is
(F ==:Jf G)S = hom:!:S x F x G.
(Here pointwise ordering is used to regard the set on the right as a predomain,
hom:!: is the curried hom-functor for the category ~. and hom:!:SS' = S T S' is
regarded as a discretely ordered predomain.)
To see how this exponentiation captures the interaction of procedures and
block structure, suppose
p E [81 - 02]S = ([81] 7 [02])S = hom:!:S x [81] x [82],
is the meaning of a procedure of type lh - 82. Then pisanatural transfor-
mation such that
pS' E (S T S') x [81]S'- [Oz]S'.
Here S is the state set that is appropriate to the point in the program
where the procedure is defined (and that contains states specifying the values
of any variables occurring globally in the procedure). For example, if p were
the meaning of the procedure in
new x: intvar in
Iet silly =.\c:comm. (c ;x := x + 1; c) in
new y:intvar in silly(x := x + y)
then S would be a set of integers specifying the global variable x.
However, as illustrated by the procedure call in the above program, the
procedure with meaning p can be called from an inner block where a set S' of
larger states is appropriate, and these larger states, rather than the members
of S, may be needed to specify variables in the actual parameter of the call.

Thus the state set S' must be given to p as a "hidden" argument, and both the
explicit argument of p (the meaning of the actual parameter) and the result of
p (the meaning of the call) must be appropriate to S'. In addition, p must be
supplied with a further hidden argument, which is a morphism in ~ showing
how a state in S can be expanded to a state in S'.
In the above program, for example, the meaning of the procedure call
would be pS' (L, a), where S' is the set of pairs of integers, L is an expan-
sion identifying the integers in S with one component of the pairs in S', and
a E [comm]S' is the meaning of the actual parameter x := x + y.
For simplicity, we have used direct semantics in this introduction. How-
ever, the method applies even more elegantly to continuation semantics, with-
out any change in the category X. One introduces two new types:
compl(etion) int(eger)compl( etion)
whose meanings are command continuations and integer continuations, re-
spectively. More precisely,
[compl]S = S - 0 [intcompl]S = Z - (S - 0) ,
where 0 is an unspecified domain of "outputs". The remaining types are then
defined by exponentiation and (pointwise) products in X:
[comm] = [compl] 7 [compl]
[intexp] = [intcompl] 7 [compl]
[intacc] = [compl] 7 [intcompl] (2)
[intvar] = [intacc] x [intexp]
[9- 9'] = [ 9 ] ? [9'].
In fact, as one might expect from the prevalence of continuations in compiler
design, it is this continuation semantics that will be the starting point for our
development of an intermediate-code generator. (Strictly, it is a continuation
semantics with respect to the imperative aspects of our illustrative language,
but still a direct semantics with respect to the call-by-name procedural as-
pects.)
4 Stack Descriptors
During program execution, the variables and other information accessible to
the program will lie in a sequence of contiguous blocks, called frames, con-
tained within stack; when this sequence has length n, we will denote its mem-
bers by frame counts between 0 and n - 1, in order of their their position from
the bottom to the top (most recently allocated and highest addressed portion)
of the stack. We assume that the frames are organized as a linked list called
a static chain, specifically that a register SR points to the base of frame n - 1
]ohn C. Reynolds 19
and that the first (least addressed) word in each frame except frame 0 points
to the base of the previous frame.
For simplicity, we also assume that integer variables and pointers both oc-
cupy single words, and that addressing is by words. (In fact, our approach
extends straightforwardly to more complex cases where different kinds of
variables require fields of different sizes, and these fields must be aligned
on different-sized word boundaries.)
During compilation, for each variable the compiler will know the count Sr
of the frame containing the variable, and the displacement Sd, which is the
distance from the base of the containing frame to the location of the variable.
This pair S = (Sr, Sd) of nonnegative integers is called a stack descriptor.
As one would expect, the stack descriptors of variables will be embedded
(implicitly) in a compile-time environment describing the free identifiers of the
phrase to be compiled. However, compilation will also be influenced by more
general information about the stack that is not particular to any variable; in the
simple case considered in this paper this compile-time information consists of
the total number of frames (minus one) and the size of the top frame. We call
this pair of integers, which will depend upon position in the intermediate code
being compiled, the current stack descriptor scurr. Note that the current stack
descriptor describes the beginning of the free portion of the stack, i.e. the
position of the next variable to be allocated.
Stack descriptors are ordered lexicographically:
(Sr,Sd) !> (S(,Sd) iff Sr< S( or (Sr= S( andSd !> Sd).

Thus the effect of pushing the stack, either by enlarging the current top frame
or by adding a new frame, is to increase the current stack descriptor. We also
define the addition or subtraction of a stack descriptor and an integer by
Thus the requirement that a variable described by sv must lie within a frame
in the currently active portion of the stack implies that sv !> scurr - 1.
The key to moving from a functor-category description of semantics to
an analogous description of intermediate-code generation is to replace Oles's
category ~ of store shapes by the ordered set of stack descriptors (viewed as
a category), which we will also denote by ~.
5 The Intermediate I..anguage
The intermediate language into which we translate programs can be described

by an abstract van Wijngaarden grammar with four stack-descriptor-indexed
families of nonterminals: lefthand sides (Ls), simple righthand sides (Ss),
righthand sides (Rs), and instruction sequences Os). The intent of the index-
ing is that a member of Os) is an instruction sequence that can be meaning-
fully executed when the current stack descriptor is S:

(Ls) ::= sv whensv s S -1
I sbrs
(Ss) ::= (Ls) llit (integer)
(Rs) ::= (Ss) I (unary operator)(Ss) I (Ss)(binary operator)(Ss)
(Is) ::= stop
I (Ls+.s> := (Rs) [ö]; (Is+.s> }
I ü (Ss) (relation operator) (Ss) [ö]
whenSd +Ö ~ 0
then (Is+.s> eise (Is+.s>
I adjustdisp [ö]; Os+.s>
I popto S' ; Os•) when S' s S
(Additional forms will be introduced later.) Here sbrs denotes a register used
to communicate the result of function procedures that are implemented by
closed subroutines, and lit (integer) is a constant (or in compiler jargon, a
literal). Notlee that neither a right operand of the assignment operator := nor
a relation following ü can contain more than one operator.
In various instructions here, the bracketed integers ö are displacement ad-
justments, indicating an amount to be added to the current stack descriptor
when the instruction is executed, because of the allocation or deallocation of
either program variables or temporary variables. This adjustment of the cur-
rent stack descriptor is the only effect of the adjustdisp instruction. The final
instruction popto S' causes the current stack descriptor to be reset to S'; it is
used to reduce the number of frames and causes a change in the register SR
during program execution.
Although a change in the frame count of the current stack descriptor
causes a change in the register SR during program execution, adjustments
of the displacement have no effect during program execution, since displace-
ments are not actually computed at run time. However, the compiler must
keep track of these adjustments in translating intermediate code into machine
language.
Strictly speaking, the (ls) are domains of instruction sequences, formed by
completing the sets described by the above grammar in the sense of Scott's
lattice of flow diagrams [ll]. (Equivalently, the (Is) are components of the
carrier of an initial continuous algebra [12] whose many-sorted signature is
specified by the grammar.) Fortunately, the only infinite or partial instruction
sequences that arise during compilation can be represented by data structures
with loops, which can be implemented using references (in the sense of ML).
More generally, references can be used to avoid duplicating code: When-
ever an instruction sequence i may be duplicated by the compiler, it is replaced
by a unique reference whose value is i. For example, an instruction sequence
of the form ü · · · then c; i eise d; i (which might arise from the compilation of
a conditional command followed by another command), would be represented
by ü · · · then c ; r eise d; r where r is a unique reference whose value is i. In
]ohn C. Reynolds 21
the conversion to actual machine code, all but at most one occurrence of such
a reference is replaced by a jump to the code obtained from its value, rather
than a copy of such code.
From the viewpoint of this paper, however, the treatment of loops, the
avoidance of code duplication, and the distinction between instructions and
their addresses are questions of representation. The mathematics of compila-
tion is much cleaner if we abstract away from finite instruction sequences with
references or jumps, to the possibly infinite sequences that they represent.
6 From Semantics to Compilation

To apply functor-category semantics to intermediate code generation, in addi-
tion to taking ~ to be the ordered set of stack descriptors, one must change
the meaning of the basic types. The translation of a phrase of type compl
appropriate to the stack descriptor S is an instruction sequence in (Is). Thus
[compl]S = (Is).
The translation of a phrase of type intcompl is more complex: Roughly speak-
ing, it is a function from righthand sides to instruction sequences (which one
can think of as an instruction sequence containing a hole to be filled by a
righthand side), but more precisely it is an exponential object in the functor
category:
[intcompl] = R 7 [ compl] ,
where R is the functor such that
RS = (Rs).
The remaining types are defined by Equations (2) in exactly the same way as
in the functor-category continuation semantics described earlier.
However, since ~ is a preorder (actually a total order) viewed as a category,
the operation of exponentiation in x~ can be simplified. We have seen that, if
p E (F 7 G)S = hom~s x F x G,
then
pS' E (S T S') x FS'- GS'.
But the morphism set S T S' contains a single morphism when S ::5 S' and is
empty otherwise. Thus a simpler but equivalent condition is that pS' belongs
to FS' - GS' when S ::5 S' and is the empty function otherwise. We indicate
this by
p(S' ~ S) E FS' - GS'
or
p(S' ~ S)(x E FS') E GS'.
We are skirting over the requirement that both the morphisms in X and
the members of (F 7 G)S should be natural transformations. In fact, this
requirement must be relaxed: Where naturality would require pairs of instruc-
tion sequences to be equal, we will only require them to have the same deno-
tational behavior, i.e. to denote the same functional continuation from states
to final outputs. In some cases these instruction sequences will differ opera-
tionally, say by popping the stack at different steps.
A similar Situation holds with regard to coherence. Just as with seman-
tics, the translation [P]rro is defined by structural induction on the proof of
the typing rr 1- p : 0. However, different proofs of the same typing arenot
required to Iead to the same translation, but merely to translations with the
same denotational behavior. Suchtranslations may vary in the points where
implicit conversions are invoked.
Except for completions, which are translated into instruction sequences,
and integer variables, which are translated into acceptor-expression pairs,
each phrase of the input language is translated into a functional value in
the compiler that will be applied at compile-time to produce instruction se-
quences. Moreover, the type of the phrase in the input language will deter-
mine the type of its translation within the Compiler. However, this categorical
type discipline uses dependent function spaces that cannot be expressed in
most languages (such as ML) in which the compiler might be written. In such
languages, one must give translations a singletype (e.g. a recursive functional
data type in ML) that includes all the kinds of translations described above, as
weil as a variety of nonsensical translations that are guaranteed by the cate-
gorical discipline not to occur during any compilation.
7 Commands
If the phrase c has type comm under the type assignment rr, then
[C]rr,comm E [rr]* x [comm],
so that
[c]rr,commS(1J E [rr]* S) E [comm]S = ([compl] 7 [compl])S,
andthus
[C]rr,commS(1] E [rr]*S)(S' ~ S)(K E (Is•)) E (Is•).
Thus the translation of c is a function that accepts an environment 11 appro-
priate to the stack descriptor S and an instruction sequence K appropriate to
a possible larger stack descriptor S', and retums an instruction sequence ap-
propriate to S'. In the absence of jumps, K will describe the computation to
be performed after c, so that the result of this function will be obtained by
prefixing instructions for performing c to the sequence K. We will call K (like
its semantic counterpart) a continuation.
The translation of skip retums its continuation argument K without
change:
[skip]rr,commS1JS' K = K.
On the other hand, the translation of c1 ;cz first prefixes instructions for c2 to K,
and then prefixes instructions for c1. Put the other way round, the translation
of c1 ; c2 is the translation of c1 using a continuation that is the translation of
cz using the continuation K that is tobe performed after c1 ; c2 :
[Cl; Cz]rr,commS1JS' K = [Cl]rr,commS1JS' ([cz]rr,commS1JS' K).
]ohn C. Reynolds 23
The translation of assignment commands is described by an equation that

is formally similar to the previous one:
[a := e]rr,commSTJS' K = [e]rr,intexpSTJS' ([a]rr,intaccSTJS' K)'
except for the typing, since the subphrase [a]S17S' K belongs to [intcompl]
rather than [compl]. The value of this subphrase is an instruction sequence
with a "hole", the result of [e]S17S' ( · · ·) is obtained by filling this hole with a
righthand side that will evaluate to the value of e, and then prefixing any in-
structions needed to set temporary variables appearing in the righthand side.
The close connection between this approach to compilation and functor-
category semantics is exemplified by the fact that all three of the above equa-
tions for command translations are identical to the analogaus semantic equa-
tions in functor-category continuation semantics. This pleasant Situation oc-
curs for a surprising number of language constructs. However, there must
be exceptions - somewhere something must actually compute intermediate-
language instructions. In fact, there are only three kinds of constructs whose
translation is a nontrivial deviation from functor-category semantics: expres-
sions, where temporary variables must be allocated, variable declarations,
where program variables must be allocated, and closed and/or recursive pro-
cedure declarations, where calling sequences must be generated.
A similar Situation holds for implicit conversions. Both the general Equa-
tion (1) for implicit conversions and the specific equations for the conversions
from variables to acceptors and expressions:
[intvar ~ intacc]S (a, e) = a [intvar ~ intexp]S(a,e) = e
are the same for translation as for semantics. However, if we extended our
illustrative language to include a conversion from, say, integer to real expres-
sions, then the corresponding equation for converting translations would ex-
plicitly describe the intermediate code for changing numerical representation.
8 Integer Expressions
If the phrase e has type intexp under the type assignment rr, then
[e]rr,intexpS(TJ E [rr]*S)(S' 2:: S)(ß E [intcompl]S') E Os•),
where ß E [intcompl]S' implies
ß(S" 2:: S')(r E (Rs")) E Os").
In essence, the translation of e must fill the hole in ß by applying ß to a right-
hand side r that will evaluate to the value of e, and then prefix to the resulting
instruction sequence any instructions needed to set up temporary variables in
r.
The translation of a constant, when given an integer continuation ß, simply
fills the "hole" in ß by applying it to an appropriate literal:
[7]rr,mtexpS1JS' ß = ßS' (lit 7).
On the other band, the translation of a unary expressionsuch as -e is ob-

tained by applying the translation of the Subexpression e to an altered integer
continuation /3':
[ -e]rr,intexpS17S' /3 = [e]rr,intexpS17S' ß'.
Here the effect of /3' depends upon whether the righthand side r to which it
is applied is a simple righthand side. If so, then - r is a righthand side that
evaluates to the value of -e and contains the same temporary variables as r,
so that the original ß can be filled with -r:
ß'S"r = ßS"(-r) when r e (Ss") .
Otherwise, however, -r would contain more than one operator, so that a tem-
porary variable must be used instead. Then the effect of ß' is to fill ß with the
negation of the temporary, and to prefix to the resulting instruction sequence
an assignment of r to the temporary:
ß'S"r = sv := r[S;;'- s;n; /3S"'(-Sv) when r rt (Ss"),
where
sv =S' and S"' = sv + 1.
ln the latter case, [ -e]rr,intexpS17S' ß will give an instruction sequence of
the form
instructions
for setting ; sv := r[s;;' - s:;] ; ßS"' (-Sv) .
temporaries in r T T
S' .___ _ _ _ ___, S"
S'"
It is important to understand the roles of the various stack descriptors here:
• S is appropriate to the environment 11 and is simply passed along with
11· It descr. .bes a portion of the stack containing any program variables
that may be accessed during the evaluation of -e.
• S' will be the current stack descriptor before -e is evaluated. It may be
larger than S since the computation to be done after evaluating -e may
refer to variables higher in the stack than the portion described by S.
• sv = S' describes the temporary variable used to store the value of e,
which is placed on the stack immediately above the portion described
byS'.
• S" will be the current stack descriptor just before the assignment
sv := r. It may belarger than S' since the stack at this point may in-
clude temporaries occurring in r.
• S"' = sv + 1 will be the current stack descriptor just after the assignment
sv := r. It is just large enough to include the temporary sv.
Thus, the effect of the displacement increment [s;;'- s;;1 is to deallocate any
temporaries occurring in r and allocate the temporary sv.
]ohn C. Reynolds 25
The equation for [ -e] can be written succinctly as

[ -e]rr,intexpST]S'ß = [e]rr,intexpST]S'(usetmpS'(.\S" . .\r. ßS"(-r))),
where usetmp is a function encapsulating the use of temporary variables:
ßS"r when r E (Ss")
usetmp S' ßS" r = {
sv := r[S:l'- s;;J; ßS"'Sv when r f! (Ss").
Similarly, as the reader may verify, the function usetmp can be used to handle
temporary variables in binary expressions:
[el + ezDrr,intexpSTJS'ß =
[e1 Drr,intexpST]S' (usetmp S' (.\S" . .\r1.
[ezDrr,intexpST]S"(usetmpS"(.\S'" . .\rz. ßS"'(rl + rz))))).
9 Variable Declarations
The other construct for which translation involves storage allocation is the
variable declaration. Suppose c is a command in which free occurrences
of the identifier L have type intvar. Then the translation of the command
new t: intvar in c gives an instruction sequence that allocates a new variable,
initializes it (say, to zero), executes c, deallocates the new variable, and finally
executes the continuation to be done after the whole command. Notice that
the deallocation is done by an adjustdisp instruction prefixed to the continu-
ation:
[new t:intvarinc]rr,commSTJ(S' <': S)(K E (IS')) =
sv := lit 0 [1]; [C][rrlt:intvar],commS"i]S"(adjustdisp[ -1]; K).
Here
sv = S' and S" = sv + 1 ,
so that the new variable is placed just above the stack described by S', and S"
describes the extended stack containing this variable. The environment used
to translate c is
i] = [ [rr]*(S ::s; S")TJ I t: (a,e)],
which is the extension of 1J that maps L into an acceptor-expression pair de-
scribing the new variable. (We will explain shortly why [ rr] * (S ::s; S") 11 occurs
here rather than TJ.)
The expression component e E [intexp]S" fills the hole in ß with the
stack descriptor sv for the new variable:
eS'" ß = ßS"' sv ,
while the acceptor component a E [intacc]S" prefixes to its continuation K'
an assignment of a hole to sv:
aS"' K 1 S"" r = sv := r[S:l' - s;;"] ; K 1
•
Notice that the functor-category discipline insures that S"' is larger than S",
so that the new variable lies within the stack described by S"'. The descriptor
S"" may be stilllarger, since it must include any temporafies occurring in r.
Since the environment fj maps L into (a, e) E [intvar]S", it must belong

to [[rr I t:intvar]]*S". Thus it cannot be an extension of 11 E [rr]*S, but
must be an extension of some related environment in [ rr] *S". In fact, this
environment is obtained by applying the "raising function" [ rr] * (S s S") to
'1·
When F is a functor that is the meaning of a type or type assignment, we
write F(S s S') for the application of the morphism part of F to the unique
morphism in ! from S to a larger stack descriptor S'. In general, such an
application gives a function that serves to "raise" a translation or environment
appropriate to S to a similar entity appropriate to S'. For the type compl, this
operation prefixes an appropriate adjustment of the stack to the instruction
sequence that is its argument:
{
adjustdisp[Sd- S,j] ; K when s;. = Sf
[compl](S s S')(K E (Is)) =
popto S ; K otherwise .
For exponentiations, the function f E (F 7 G)S, whose domain is the set of
stack descriptors greater than S, is restricted to the set of stack descriptors
greater than S':
(F =:Jf G)(S s S')f = fl{S" I S" ~ S'}.
For products, the morphism parts are defined componentwise:
(F xx G) (S s S') (a, e) = (F(S s S')a, G(S s S')e) .
Similarly, the morphism parts of the meanings of type assignments, which
are products of meanings of types over sets of identifiers, are also defined
componentwise:
[rr]*(S s S')I1L = [TTL](S s S')(17t).
10 Boolean Expressionsand Conditionals

It would be Straightforward to translate boolean expressions in the same man-
ner as integer expressions. However, it is more interesting, and in most cases
more efficient, to provide a "control-flow" translation, in which boolean ex-
pressions are compiled into trees of branch instructions.
To describe this approach, we extend our illustrative language with the
new types boolexp and boolcompl. The meaning of boolean expressions is
defined analogously to that of integer expressions:
[boolexp] = [boolcompl] 7 [compl],
but boolean completions are defined quite differently:
[boolcompl] = [compl] x [compl].
The translation of a boolean expression b accepts a pair ( K, i<) of continuations
and produces an instruction sequence that branches to K when b is true or to
i< when b is false.
]ohn C. Reynolds 27
In this approach the translation of constants is trivial:

[true]rr,boolexpSI]S' (K, K) = K [false]rr,boolexpSI]S' (K, K) = K,
while the translation of relations gives rise to test instructions, with temporary
variables being handled in the same way as with binary arithmetic operations:
[el :S: e2]rr,boolexpS1]S' (K, K) =
[el ]rr,lntexpSI]S' (usetmp S' (.\S" . .\r1.
[e2 ]rr,intexpSnS" (usetmp S" (.\S"' . .\r2.
if r1 :S: r2[Sd- s;J'] then K eise i<)))).
On the other hand, the translations of boolean Operations and conditional
commands simply compose or rearrange the trees produced by subexpres-
sions:
[not b]rr,boolexpSI]S' (K, K) = [b]rr,boolexpSI]S' (K, K)
[b1 or b2]rr,boolexpS1]S' (K, K) =
[bl]rr,boolexpSI]S' (K, [b2]rr,boolexpS1]S' (K, i<))
[if b then c1 eise c2]rr,commSnS' K =
[b ]rr,boolexpSI]S' ([Cl ]rr,commSnS' K, [c2 ]rr,commS1JS' K) •
Notlee that the second equation describes "short-circuit" evaluation for or.
11 Open Procedures
The functor-category semantics of the lambda-calculus aspects of ALGOL-like
languages is described by the following semantic equations, which are deter-
mined by the cartesian closed nature of X and the definition of Iet L p in p' =
by the redex (.\L. p')p:
[L]rr,mS1J = 1]L
[PlP2]rre•S1} = [pl]rr,e-e•S1]S([p2]rreS1})
[.\t: 8. P]rr,e-e•SnS' a = [p][rriL:OJ,e'S'[ [rr]* (S s S')n I L: a]
=
[Iet L P in p']rre•Sn = [p'][rriL:OJ.e'S[ 11 I L: [P]rreSn].
There is also an equation for implicit conversion from one procedural type to
another:
[81 - 82 s 8i_ - 82]S(f E [81 - 82]S)(S' ~ S)(a E [8i_]S') =
[82 s 82]S'(fS'([8i_ s 81]S'a)) whenOi_ s 81 and02 s 02.
These equations all carry over to compilation, where they describe the transla-
tion of (nonrecursive) procedures into open or "inline" code. (They have been
written above in the simplified form that is appropriate when ~ is a partial
order.)
Essentially, these equations describe a compiler where the lambda-calculus
aspects of the source language are completely reduced at compile-time, leav-
ing target code that is purely imperative. This is in pleasant contrast with
conventional approaches to compiling conventional languages, where inline
implementation of procedures is notoriously hard to get right.
12 Closed Subroutines
Closed subroutines are necessary for the implementation of procedures, and
other types of phrases, that are defined recursively. (lt would be Straightfor-
ward to also provide a "letclosed" definition for nonrecursive entities that are
to be implemented by closed subroutines.)
We use the term procedure for lambda expressions and their meanings,
and the term subroutine or closed subroutine for instruction sequences that
may be called from several points in the intermediate-code program. It is
important to distinguish these concepts for two reasons: As we have already
seen, a procedure may be implemented by inline expansion rather than by a
subroutine, and on the other hand, because of the use of call by name, a phrase
such as a command or an expression, even though it is not a procedure, will
be implemented by a subroutine if it is defined by a recursive definition or is
a parameter to a procedure that is implemented by a subroutine.
Similarly, we will distinguish between parameters, which are source-
language phrases passed to procedures, and arguments, which are instruction
sequences (actually subroutines) passed to subroutines.
While procedures are classified by types, subroutines are classified by sim-
ple types:
(simple type} ::= compll intcompll (simple type} - (simple type)

The exact connection between types and simple types will be explained in
Section 14. Roughly speaking, however, a simple type is obtained from a type
by replacing
comm by compl - compl
intexp by intcompl - compl
intacc by compl - intcompl.
For example, a procedure of type
lh - ( · · · (On - comm) · · ·)
would be implemented by a subroutine of simple type
cpl - ( · · · (cpn - (compl- compl)) · · ·),
(where each cp 1 is the simple type corresponding to Ot), which would accept
n + 1 arguments. The extra argument of simple type compl plays the role of a
return address.
Thus in the n = 0 case, even a command is implemented by a subrou-
tine accepting a "return address" argument of simple type compl. However,
such an argument, or any other subroutine of simple type compl, accepts no
arguments.
Calling a subroutine is a more complex operation than merely jumping to
an instruction sequence, since it may be necessary to switch context from a
]ohn C. Reynolds 29
frame Iist appropriate to the calling program to a frame Iist appropriate to the
subroutine, and since arguments may be passed by placing them in a vector
accessible from the new frame Iist. In general, to call a subroutine one must
specify
1. the subroutine to be called,
2. the global frame Iist to be used during execution of the subroutine,
3. a Iist of the arguments, which are themselves subroutines.
To execute the call, when there are one or more arguments, one switches con-
text to a frame Iist that is formed by adding a new frame (allocated on top of
the current stack) to the global frame Iist, and then sends control to the sub-
routine. The context switch causes the register SR to increase by an amount ö
that is the current frame displacement srr at the time of the call.
The new frame contains two words: the lower word points to the global
frame Iist, while the upper word points to a call block, which in turn contains
the argument Iist and the quantity ö. The latter is the distance between the
base of the frame pointing to the call block and the old frame Iist, which is in
turn the global frame Iist to be used when calling the arguments.
Notlee that the contents of the call block are the same for all executions of
a particular call, and are known at compile-time. Thus a single copy of the call
block can be placed in code space, rather than placing multiple copies (in the
case of a recursive call) on the stack.
It is important to distinguish the special case when the subroutine being
called takes no arguments, since in this case the information in the new frame
is vacuous, so that it is more efficient simply to take the new frame Iist to be
the global frame Iist. This will remove from the stack everything above the
most recent frame of the global frame Iist, but it is easy to see that this data
is inaccessible (since all pointers in the stack point downward). lndeed this
is the "stack pop" that occurs when a subroutine passes control to its return
address.
The specific method of achieving all this depends upon whether the sub-
routine being called is the result of compiling a definition, or is an argument
to a subroutine containing the call. In the first case, the identity of the sub-
routine being called is known at compile time, and its global frame Iist is a tail
of the current frame Iist. If there are arguments, then the call is performed by
executing the instruction sequence
call i f (ai. ... , an),
where i is the subroutine being called, f is the frame count of the (top frame
of the) global frame Iist, and a1, ... , an are the arguments. This instruction
sequence changes
an
a1
f- ö
SR 7
to
}·
t
and sends control to i. If the subroutine being called takes no arguments,
however, then in place of call i f () one simply resets SR to point to frame f
and sends control to i.
On the other hand, if the Subroutine being called is an argument then it will
occur, say in position j, in a call block pointed to by a frame, say with frame
count f, in the current frame list, and the relevant global frame list will also
be pointed to by the frame f. If the subroutine being called takes arguments,
then the call is performed by the instruction sequence
acall j f (a1, ... , an),
which changes
an
SR +;T
-- a1
ö
aJ
to }· ai
frame
f t '-+- ö'
lt ~ ö'
}·· '-. }··

and sends control to aj. If the subroutine being called takes no arguments,
however, then in place of acall j f () one resets SR to point to frame f and
then executes
ajurnp j'
]ohn C. Reynolds 31
which changes
ai
SR
-- -+-- ö' to
}6'
and sends control to aj.
In summary, three new forms of instruction sequence have been intro-
duced for calling subroutines:
(Is) ::= call (lf+) f ((SRr 1 ), ••• , (SRrn>)
I acall j f ((SRr 1 ), ••• '(SRrn>)
I ajumpj
where 1 f ::s; s,, f+ = (f + 1, 2), n <!:: 1, and j <!:: 1. Here sRr denotes a subroutine
of simple type cp whose global frame list is described by the stack descriptor
S:
(SRr> ::=Os) when cp E {compl,intcompl}
(sRr> ::= Os+> otherwise,
where 1 (Sf,Sd)+ =(Sr+ 1,2).
In passing, we note that the calling conventions described here differ from
those used in traditional ALGOL compilers [13, 14] in that all arguments to
a subroutine are associated with the same global frame list, instead of each
argument having its own global frame list. The advantage of our approach
is that it reduces the amount of stack storage used to call subroutines. The
disadvantage is that, when a recursive call has an actual parameter that is
identical with the corresponding formal parameter, e.g. the parameter x in
letrec p = i\n. i\x. · · · p (n- 1) x · · · in · · · ,
an nth-level evaluation of the parameter will invoke a chain of n subroutines.
However, this inefficiency can be avoided if the programmer (or an optimizing
compiler) eliminates the parameter by using a global identifier.
In any event, although wehavenot pursued the matter, we expect that
more traditional calling conventions should also be expressible within the
functor-category framework.
1To correct an error in the previously published version of this paper, the author has changed
the displacements in the definitions of f+ and s+ from 3 to 2.
13 Compiling Subroutines and their Calls

Subroutines and their calls are compiled by three families of functions indexed
by simple types. The translation of a phrase is mapped into a subroutine by
mk-subrcpS e [cp]S- (SR~) I
while a subroutine is mapped into a call (more precisely into a function that 1
when applied to appropriate arguments yields a call) by

mk-callcpS E (SR~)- [cp]S.
Finallyl there is a family of functions that produce calls of arguments:
mk-argcallcpS e :N- [cp]S I
where :N denotes the set of positive integers. Specifically mk-argcallcpS j 1
gives a call of an argument of simple type cp that is the jth argument in the
call block accessed from the top frame of the frame list described by S.
These three families of functions are defined by mutual induction on sim-
ple typesl reflecting the fact that compiling a subroutine involves compiling
calls of its argumentsl and compiling a call involves compiling subroutines for
arguments:
mk-subrcomp!S K = K
mk-callcomp!S i = i
mk-argcallcomp!S j = ajump j 1
and when cp = 'Pl - ( · · · - (cpn - compl) · · ·) for some n ~ 1:

mk-subrcpS(c e [cp]S) =
c s+ (mk-argcallcp 1 s+ 1) · · · s+ (mk-argcallcp"S+ n)
mk-callcpSiS 1(al E [cp1]S 1) · · ·Sn(an E [cpn]Sn) =
call i Sr
(mk-subrcp 1 Sn([cpi](S 1 :S sn)ai) 1
mk-subrcp"Sn([cpn](Sn :S Sn)an))
mk-argcallcpS j S 1(al E [ 'Pl ]S 1) · · · sn (an E [ 'Pn]Sn) =

acallj Sr
(mk-subrcp 1 Sn([cpl](S 1 :S sn)ai) 1
mk-subrcp"Sn([cpn](Sn :S Sn)an)).
Further equations deal with the cases where cp ends in intcompl rather
than compll which arise when function procedures or expressions are com-
piled into closed subroutines. Here the special register sbrs is used to trans-
mit integer results. Letsaveres e [intcompl] T [compl] be the function
]ohn C. Reynolds 33
suchthat
saveresS ß = sv := sbrs [S~- Sd]; ßS' sv I
where
and S' = sv + 1.
Then mk-subrmtcomp!S ß = saveres S ß
mk-callmtcomp!S i S' r = sbrs := r [Sd- S~]; i
mk-argcallintcomp!S j S' r = sbrs := r [Sd- S~]; ajump j 1
and when cp = cp 1 - ( · · · - (cpn- intcompl) · · ·) for some n ~ 1:

mk-subr<PS(ß E [cp]S) =
saveres s+ (ß s+ (mk-argcall<Pl s+ 1) ... s+ (mk-argcall<Pns+ n))
mk-call<PS i 5 1(a1 E ['PI ]5 1) · · · S" (an E [ 'Pn ]S" )S' (r E (Rs')) =

sbrs := r [51- S~];
call i Sr
(mk-subr<P 1 S"([cpi](S 1 ~ S")ai)I
mk-subr<PnS"([cpn](S" ~ S")an))
mk-argcall<PSjS 1(a 1 E [cpi]S 1) · · · S"(an E [cpn]S")S'(r E (Rs')) =
sbrs := r [S1- S~];

acall j Sr
(mk-subr<P 1 S"([cpi](S 1 ~ S")ai)I
mk-subr<PnS"([<pn](S" ~ S")an)).
Using these functionsl it is Straightforward to translate recursive defini-
tions:
=
[letrec L p in p'Drre'STJ = [p'][rrlt:q>J.O'Sr7' 1
where
rl' = [ TJ I t: mk-c~Si]
i = mk-subr<PS([p][rrlt:q>J.q>STJ').
Here TJ' and i are mutual fixed points. This can be represented in the compiler
by making the instruction sequence i a loopl e.g. by making the i-field of the
call instruction generated by mk-call a reference whose value is eventually set
to i.
The reader may wonder why the contents of the register sbrs is stored in a
temporary variable immediately upon return from a subroutine that produces
a result. The reasonl illustrated by the integer expression
letrec x =··· in letrec y =· ·· in x + y I
is that sbrs may be reset by later calls before its contents is used.
14 Subroutines for Product Types

The method for compiling closed subroutines described in the previous sec-
tion does not deal with integer variables or with boolean expressions. Specif-
ically, the mapping from types to simple types does not apply to types con-
taining intvar, boolcompl, or boolexp.
The key to filling this lacuna is that the meanings of a type such as
BI-(··· (On- intvar) · · ·)
are isomorphic to pairs of meanings of the types

BI-(· .. <Bn- intacc) .. ·) and BI-(· .. <Bn- intexp) .. ·).
Thus a procedure of the first type can be implemented by a pair of subroutines
corresponding to the second and third types.
The general Situation is that a type is mapped into a sequence of simple
types by the function r such that
r compl = compl
r intcompl = intcompl
r comm = compl - compl
r intexp = intcompl - compl
r intacc = compl - intcompl
r intvar = compl - intcompl, intcompl - compl
r boolcompl = compl, compl
r boolexp = compl - compl - compl ,
andif
and r e' =<Pi •... , <P~
then
[(0- 0') =<PI - · · · - <Pm - <Pi, · · · , <PI - · · · - <Pm - <P~ •
Although the details are too tedious to record in this paper, it is Straightfor-
ward to define two functions 4>eS and 'I'eS such that, when f 0 = <P1. ... , <Pn.
4>eS
[O]S [<PI]S X··· X [<Pn]S
'I'eS
is an isomorphism.
When r e = <PI. ... ' <Pn. this isomorphism can be used to define the com-
pilation of a phrase p of type e into a collection of n subroutines of simple
types <PI •... , <Pn· In place of the equations at the end of the previous section,
we have:
=
[letrec L p in p']rre'SI7 = [p'][rrlt:BJ.li'SI7',
where
]ohn C. Reynolds 35
17' = [171 t:'l'eS(mk-callcp 1 Sii.····mk-callcpnSin )]

h = mk-subrcp 1 S a1
in = mk-subrcpnS an
(ai, ... • an)= <I>eS([p][rrlt:8],8SI7').
Here 17' and h, ... , in are mutual fixed points that can be represented in the
compiler by using a reference for each of the instruction sequences i11 ••. , in.
It is clear that the method outlined in this section could also be used to deal
with source language types, such as record or object types, that are defined by
products. To treat binary products, for example, one would take
ne x e'> = (re) o <re'),
where o denotes concatenation of sequences of simple types.
15 Completions and Iteration

Although the type compl plays a major role in our approach to compilation,
it does not occur in the original type structure of the illustrative language.
In contrast, the ALGOL-like language FORSYTHE [9) includes phrases of type
compl (though not intcompl or boolcompl) that provide a capability similar
to goto's and labels in ALGOL 60.
To extend our illustrative language similarly, we introduce the type compl
into the language, as a subtype of comm, with the implicit conversion
[compl :S comm]SKS'K' = [compl](S :S S')K.
A completion can be constructed by joining a command and a completion with
a sequencing operator:
[c,; Cz]rr,comptSI7 = [Ct]rr,commSI7S([Cz]rr,complSI7),
or by joining two completions with a conditional:
[if b then c1 eise Cz]rr,comptSI7 =
[b]rr,boolexpSI7S ([c, ]rr,comptSI7, [cz ]rr,comptSI7) .

We also provide an escape command that binds an identifier to a completion
that causes an exit from the escape command:
[escape L in c]rr,commSI7S' K =
[C][rrlt:compl],commS'[ [rr]* (S :$ S')17 I L: K ]S' K.
All of these equations are the same for translation as for semantics.
Once the language includes completions, various iterative constructs can
be defined a syntactic sugar. A trivial example is a recursive definition of the
completion loop c that repeats the command c ad infinitum (until c executes
an escape):
=
loop c def letrec k c ; k in k ,
where k is an identifier not occuring free in c. By substituting this syntactic

definition into the translation equations, and using the definitions of mk-subr
and mk-call, one obtains the translation
[loop C]rr.compiSI7 = i where i = [C]rr,commSI}Si.
A less trivial example is the wblle command:
wblle b do c def escape einletreck =if b then (c; k) eiseein k,

where e and k are identifiers not occuring free in b or c. This definition leads
to the translation
[wblle b do C]rr,commSI}S' K = i,
where
i = [b]rr,boolexpS' ([rr]* (S ::s S')q)S' ([c]rr,commS' ([rr]* (S ::s; S')q)S'i, K).
This is a correct translation, but

i = [b]rr,boolexpSI}S' ([c]rr,commSI7S'i, K)
gives a simpler translation with the same denotational behavior that some-
times pops the stack sooner.
16 An Example
The following example illustrates many of the aspects of translation discussed
in this paper. Let P be the command
new x: intvar in
letrec pr =.\c: comm. (c; x := x + 1; if x ::s 10 then pr(c; c) eise skip)
in new y: intvar in pr(y := y + x x x) .
Then [P][],comm• applied to appropriate arguments for translating a complete
program, is 2
[P][],comm (0, 0) [] (0, 0) stop =
(0, 0) := lit 0 [1]; (0, 1) := lit 0 [1];
(0,0) (0,1)
call i 0 ( (1, 2) := (0, 0) x (0, 0) [1]; (0, 1) := (0, 1) + (1, 2) [ -1] ;ajump 1,
(0,2) (1,2) (1,3) (1,2)
adjustdisp[ -1] ; adjustdisp[ -1] ; stop) ,

(0,2) (0,1) (0,0)
2To correct errors in the previously published version of this paper, the author has reduced
several displacements in this example.
]ohn C. Reynolds 37
where i is
acall1 1 ( (0, 0) := (0, 0) + lit 1 [0] ;
(1,2) (1,2)
if (0, 0) :s; lit 10 [0] then

(1,2)
call i 0 (acall11 (acall11 (cijump 1)),cijump 2)

(1,2) (2,2) (2,2) (2,2) (1,2)
eise cijump 2) .
(1,2)
Under each instruction sequence in the above displays, we have placed the
stack descriptor that will be current when the sequence begins execution.
17 Conclusions
In the spring of 1994, the basic approach described here was used in an under-
graduate compiling course to construct an intermediate-code generator, writ-
ten in Standard MI.., for a simple ALGOL-like language. In the coming months,
we hope to extend it for use in implementing the language FORSYTHE.
A major research question is to what extent the approach can be extended
to generate more efficient intermediate-langnage code. We suspect that a
richer form of stack descriptor can be devised that will provide information
about the caching of variables in registers and the use of displays (groups of
registers pointing directly to active frames). On the other hand, the approach
depends so heavily on the use of continuations that it may be difficult to vary
evaluation order (say, by interleaving the evaluation of subexpressions) with
sufficient flexibility, especially for RISC machines.
A second question is whether the approach will lend itself to a proof of
compiler correctness. One would expect that the close connections between
functor-category semantics and our approach to code generation would lead
to simple proofs of the relationship between semantics and compilation. How-
ever, wehavenot yet pursued this topic beyond intuitive arguments.
Acknowledgements
This research was sponsored in part by National Science Foundation Grant CCR-
8922109 andin part by a fellowship from the Science and Engineering Research Coun-
cil.
References
[1) jones, N. D. and Schmidt, D. A. Compilergeneration from denotational semantics.
In Semantics·Directed Compiler Generation, Proceedings of a Workshop, Aarhus,
Denmark, January 14-18, edited by N. D. Jones. Lecture Notes in Computer Sci-
ence, vol. 94, Springer-Verlag, Berlin, 1980, pp. 70-93.
[2) Steele Jr., G. L. RABBIT: A Compiler for SCHEME (A Study in Compiler Optimiza-
tion). Report no. AI-TR-474, Massachusetts Institute of Technology, Artificial
Intelligence Laboratory, May 1978, iii+272 pp.
[3) Wand, M. Deriving target code as a representation of continuation seman-
tics. ACM Transactions on Programming Languages and Systems, vol. 4 (1982),
pp. 496-517.
[4] Reynolds, J. C. The essence of ALGOL In Algorithmic Languages, Proceedings
of the International Symposium on Algorithmic Languages, Amsterdam, October
26-29, edited by J. W. de Bakker and J. C. van Vliet. North-Holland, Amsterdam,
1981, pp. 345-372. See Chapter 3.
[5) Oles, F. j. A Category-Theoretic Approach to the Semantics of Programming Lan-
guages, Ph. D. Dissertation. Syracuse University, August 1982, vi+240 pp. See
Chapter 11.
[6) Oles, F. J. Type algebras, functor categories, and block structure. In Algebraic
Methods in Semantics, edited by M. Nivat and J. C. Reynolds. Cambridge University
Press, Cambridge, England, 1985, pp. 543-573. See Chapter 11.
[7) Morris, F. L. Correctness of Translations of Programming Languages-An Alge-
braic Approach, Ph. D. Dissertation. Stanford University, August 1972.
[8) Reynolds, j. C. Conjunctive types and ALGOL-like languages (abstract of invited
lecture). In Proceedings Symposium on Logic in Computer Science, Ithaca, New
York, June 22-25. 1987, p. 119.
[9) Reynolds, j. C. Preliminary Design of the Programming Language FoRSYTHE. Re-
port no. CMU-CS-88-159, Camegie Mellon University, Computer Science Depart-
ment, June 21, 1988. See Chapter 8.
[10) Reynolds, j. C. The coherence of languages with intersection types. In Theoretical
Aspects of Computer Software, International Conference TACS '91, Proceedings,
Sendai, Japan, September 24-27, 1991, edited by T. Ito and A. R. Meyer. Lecture
Notes in Computer Science, vol. 526, Springer-Verlag, Berlin, 1991, pp. 675-700.
[11] Scott, D. S. The lattice of flow diagrams. In Symposium on Semantics of Algo-
rithmic Languages, edited by E. Engeler. Lecture Notes in Mathematics, vol. 188,
Springer-Verlag, Berlin, 1971, pp. 311-366.
[12] Goguen, j. A., Thatcher, J. W., Wagner, E. G., and Wright, j. B. Initial algebra
semantics and continuous algebras .. Journal of the ACM, vol. 24 (1977), pp. 68-
95.
[13) Dijkstra, E. W. Recursive programming. Numerische Mathematik, vol. 2 (1960),
pp. 312-318.
[14) Naur, P. The design ofthe GIERALGOL compiler, part I. BIT, vol. 3 (1963), pp. 124-
140. Reprinted in Goodman, Richard, editor, Annual Review in Automatie Pro-
gramming, Vol. 4, Pergarnon Press, Oxford (1964) 49-85.
Chapter 13
Semantical Analysis of Specification Logic
Robert D. Tennent
The specification logic of J. C. Reynolds is a partial-correctness logic for
ALGOL 60-like languages with procedures. It is interpreted here as an
intuitionistic theory, using a form of possible-world semantics first ap-
plied to programming-language interpretation by Reynolds and F. J. Oles
to give an abstract treatment of stack-oriented storage management. The
model provides a satisfactory solution to all previously-known problems
with the interpretation of specification logic; however, unexpected new
problems have been discovered in doing this work, and these remain un-
solved.
Contents
1 Introduction 41
2 Syntax 44
3 Possible Worlds 47
4 Semantic-domain Functors 48
5 Semantic Valuations 53
6 Formal System and Soundness 58
Appendix 61
Acknowledgements 62
References 62
1 Inttoduction
In the beginning, C. A. R. Hoare (1969) created a programming logic for spec-
ification triples of the form {P} C {Q}. And Hoare's logic is good (for simple
imperative programming languages without procedures or jumps). It is both
sound (Hoare and Lauer, 1974) and, independently of how the vexed ques-
tion of its completeness might be answered (de Bakker and Meertens, 1975,
Cook, 1978, Wand, 1978, Bergstra et al., 1982, Goldblatt, 1982, Clarke, 1984,
Leivant, 1985, Pasztor, 1986, Leivant and Femando, 1987), usable (Reynolds,
1981a), providing a framework for rigorous specification, development, and
verification of practical programs.
Many attempts have been made to extend Hoare's logic to languages with
procedures or jumps (Hoare, 1971, Clint and Hoare, 1972, Arbib and Alagic,
1979, de Bakker et al., 1980, Gries and Levin, 1980, Olderog, 1984, Trakht-
enbrot et al., 1984, Sieber, 1985). The specification logic of J. C. Reynolds
(1981a, 1982) is perhaps the most important of these, because its general-
ity, usability, and coherence have been clearly demonstrated. The aim of the
research described here is to do the same for its soundness.
First appeared in Information and Computation, 85(2):135-162, 1990. Reprinted with the permis-
sion of Academic Press.

42 Chapter 13. Semantical Analysis of Specification Logic
Specification logic is essentially a many-sorted first-order theory, with

Hoare triples as atmnic formulas, and conventional logical connectives, such
as conjunction, implication, and quantification. There are some additional
atomic formulas to permit expression of certain kinds of assumptions about
free identifiers, such as non-inter(erence. A fairly conventional semantics for
specification logic is outlined in (Reynolds, 1981 a); however, it has been known
for some time that this model has two fundamental deficiencies.
The first deficiency is that commands are interpreted in an undesirably
operational way: command meanings are functions from an initial state to the
(possibly infinite) sequence of all states encountered during execution of the
command. This kind of interpretation is undesirable because it distinguishes
between commands whose extemally-observable behaviour is identical. But it
seemed to be necessary in order to interpret non-interference formulas: C # P
asserts that the value of P is invariant throughout any (terminating) execution
of command C.
The second deficiency is that Section 11 of (Reynolds, 1982) proposes two
axioms, Strong Constancy and Leftside Non-interference Composition, which
are intuitively true and seem to be very desirable or essential for verifying
certain kinds of programs, yet which are shown there to be invalid relative to
the interpretation in (Reynolds, 1981a).
This paper describes a new approach to capturing the intended interpreta-
tion of specification logic. We now give an informal (and simplified) presenta-
tion of the model.
The first idea is adapted from the treatment of block-structured storage
management described in (Reynolds, 1981b) and (Oles, 1982, Oles, 1985): the
semantics of a phrase is a suitably-related (amily of environment-to-meaning
functions for different sets of allowable states. For example, the semantics
of a command for some state-set X is a continuous function from environ-
ments appropriate for X to partial functions (or binary relations) on X. For
a control structure such as C1; C2, the meaning for any state-set is expressed
as a function of the meanings oftheimmediate constituents C1 and C2 for
the same state-set. This ensures that "intermediate" states between the exe-
cutions of C1 and C2 will also belong tothat state-set, without requiring that
these intermediate states be explicit in command meanings. A specification
now becomes a predicate about state-sets as well as environments. In logic,
this is known as "possible-world" semantics (Goldblatt, 1979); here, each set
of allowed states is a possible world.
A satisfactory interpretation of C # P for any possible world X is then de-
finable as follows. For any value v that P might have, let Xv be the subset of X
for which the value of P is v; then C # P if and only if, for all v, any terminating
execution of C in X whose initial state is in Xv, is also a terminating execution
of CinXv.
Consider now the proposed axiom of Strong Constancy (Reynolds, 1982),
C#R&({R}~{P}C{Q}) ~ {RandP}C{RandQ}
where C is a command, R, P and Q are assertions, and the static-assertion
specification {R} is equivalent to {true} skip {R}. Intuitively, if R holds before
executing C and C does not interfere with R, then, while reasoning about C,
Robert D. Tennent 43
it should be possible to treat R as if it were a "local" mathematical fact. For

example, if C implements the binary-search algorithm and R asserts that the
array being searched is sorted, then it is obvious by inspection that C#R,
and so it is convenient tobe able to "factor" R out of the specification of C,
provided it is still possible to use R in the verification of C.
Unfortunately, {R} holds just if assertion R is true at all allowable states,
not merely those that might be encountered while executing C, and so Strong
Constancy is invalid according to a conventional interpretation. There is a
similar problern with the proposed axiom scheme of Leftside Non-interference
Composition.
The essence of the solution proposed here is to adopt a non-classical in-
terpretation of specification implication, inspired by Kripke's semanlies for
intuitionistic logic (Kripke, 1965, Dummett, 1977, van Dalen, 1983). The rea-
son for interpreting specification logic as an intuitionistic theory is to take
advantage of what in (McCarty, 1984) is termed axiomatic (reedom,
the recognition that intuitionistic logic allows axioms which are classi-
cally false but mathematically efficient to be consistent with powerful
theories.
In fact, the equivalences, axioms, and rules presented by Reynolds are intu-
itionistically acceptable. (Reductio ad absurdum is not the correct name for
rule RIO in Reynolds, 1981a.) Furthermore, Reynolds has shown that if the
classical but non-intuitionistic law ..., ...,5 ~ S were added to specification logic,
then a formula asserting non-termination of a simple assignment command
would be derivable; this shows that the only models possible for a classical
version of specification logic would be trivial ones in which commands do not
terminate unless they leave the state unchanged. Reynolds's example is repro-
duced in an Appendix to this paper.
The new interpretation of the implication connective is essentially as fol-
lows: define S1 ~ S2 tobe true for X just if, for all subsets X' of X, S2 holds for
X' whenever S1 holds for X'. The implicit quantification over restricted pos-
sible worlds is needed in general to preserve the monotonicity of specification
interpretation in the following sense: if any specification holds for possible
world X, then S holds for any more-restricted possible world X'.
To see how this interpretation of the implication connective helps with
Strong Constancy, let X' be the subset of state-set X for which R holds, and
suppose that execution of C in X can map initial state x0 to final state x1.
where x0 satisfies both R and P. Then assumption C # R ensures that the exe-
cution from x0 to x1 can also take place in X', so that x1 satisfies R. Further-
more, with the new interpretation of implication, assumption {R} ~ {P} C {Q}
ensures that x 1 also satisfies Q, because, by definition, R holds for all states
in X'. This validates Strong Constancy.
Similarly, consider the following form of the axiom scheme of Leftside
Non-interference Composition (Reynolds, 1982):
C#R&(t#R~{P}C{Q}) ~ {P}C{Q}
where L is a command identifier, Cis a command, and P, Q and Rare asser-

tions. Suppose again that execution of C in possible world X can map x0 to XI.
where x0 satisfies P. Let X' be the subset of X for which R has the same value
as it does at x0 • Then assumption C # R ensures that the execution from x0 to
x 1 can also take place in X'. Because-Of examples like (.\C:comm.skip)(C),
it does not in general follow from C#R that t#R, even when t occurs in C;
however, in possible world X' execution oft cannot interfere with R so that,
using the new interpretation of implication, the second assumption ensures
that x1 satisfies Q.
Our interpretation of non-interference also validates certain Non-
interference Decomposition axioms. For example, for any command C and in-
teger expression E, the following is an instance of Rightside Non-interference
Decomposition that is valid in our model.
C#E '* C#(E > 0),
where C # E for an expression E means that any execution of C preserves the
value of E invariant. However, the formal system also indudes "higher-order"
instances of these axioms, such as
G#E '* G#(E > 0),
for G: comm - comm (i.e., G is a procedure whose arguments and calls are
commands). When G: comm- comm and E is an expression-like phrase such
as an expression or an assertion, Reynolds de(ined G # E to be equivalent to
the following formula:
VC:comm.C#E '* G(C)#E
But, consider the following G: comm - comm:
.\C:comm.if i = 1 then (C; if i > 1 then i := 0);
G#i is true using Reynolds's definition, yet G#(i > 0) is false, because, for
example,
(if i > 0 then i := i + 1) #(i > 0)
is true and
G(ifi > Otheni := i + 1)#(i > 0)
is false. Hence, higher-order instances of Rightside Non-interference Decom-
position do not hold in general (using Reynolds's interpretation of higher-
arder non-interference). We will return to this problern in Section 6.
2 Syntax
The type structure for the language to be considered is given in Table I.
For simplicity, we have avoided coercions and conventional variables (but
have retained acceptors, which are the "updating" components of variables;
see (Reynolds, 1980, Reynolds, 1981b). lnformally, a data type T (such as
Boolean or integer) denotes a set [ T] of values appropriate for some accep-
tor or expression, whereas a phrase type )' denotes a set or poset [y] of
meanings appropriate for some kind of phrase. Assertional phrase types and
specifications are distinguished from ordinary phrase types because mean-
ings of "logical" phrases need not be computable. All phrase types except
Metavariables
T data types
(} ordinary phrase types
oc assertional phrase types
ß bindable phrase types
y general phrase types
Productions
(} .. - val[T] values
exp[T] expressions
comm commands
acc[T] acceptors
( } - (}' ordinary procedures
oc .. - assert assertions
ß-oc assertion procedures
ß .. - 91oc
)' .. - ß
spec specifications
Table 1: Phrase types
specifications are bindable; i.e., their meanings are denotable by identifiers.

The phrase types explik.e and commlike that appear in (Reynolds, 1981a,
Reynolds, 1982) can be dispensed with when dealing only with the basic ax-
ioms (rather than the derived rules, such as the rules for procedure declara-
tion).
In a conventional semantics with a fixed set S of states, [val[ T]] would be
the flat domain obtained by "lifting" the set [T] of T-values, [exp[T]] would
be the domain of functions from S to [val[Tl], [comm] would be the domain
of partial functions on S, [ acc [T]] would be the domain of functions from [ T]
to [comm], [0- 0'] would be the domain of continuous functions from [0]
to [0'], [assert] would be the set of functions from S to truth values, [ß- oc]
would be the set of all functions from [ß] to [oc], and [spec] would be the set
of truth values.
The abstract syntax of the basic language of specification logic is given in
Table II. A type assignment, rr, is a function from a finite set of identifiers,
dom (rr), to bindable phrase types. The notation (rr I L ..... ß) denotes the type
assignment rr' suchthat dom(rr') = dom(rr) u {L}, and rr'(L') = ß if L' = L,
and rr(L') otherwise, and similarly for (rr I L1 ..... ß1 I · · · I Ln ..... ßn>· The same
kind of notationwill be used for extending environments.
The phrase-dass meta-variable {rr 1- y) ranges over well-formed phrases
having type y when the types of their free identifiers (at least) are given by
rr. Productions for value phrases, expressions and acceptors (other than
the "generic" ones for identifiers and applications) and more-complex con-
trol structures, such as conditionals, recursion and loops, are omitted merely
to simplify the presentation. Jumps will be discussed briefly in Section 6. A
((rr I L- ß> 1-- ß> ::= L identifier

(rr 1--0- 0') ::= ?it:O.((rr I L- 0) 1-- 0') ordinary abstraction
(rr 1-- 0) ::= (rr 1-- 0'- O){(rr 1-- 0')) ordinary application
(rr 1-- ß- a) ::= ?it: ß. ((rr I L - ß) 1-- a) assertional abstraction
ß- a)( (rr 1-- ß))
(rr 1-- a) ::= (rr 1-- assertional application
(rr 1-- assen) ::= true I false constants
I not (rr 1-- assen) negation
I (rr 1-- assen) and (rr 1-- assen) conjunction
I 'Vt:T. ((rr I t - val[T]) 1-- assen) universal quantification
I DT((rr 1-- exp[T])) definedness
I (rr 1-- exp[T]) =T (rr 1-- exp[T]) equality
I· ..
(rr 1-- comm) ::= sldp null
I (rr 1-- comm) ; (rr 1-- comm) sequencing
I (rr 1-- acc[T]) :=T (rr 1-- exp[T]) assignment
I new[T] t, t' in variable declaration
((rr I L- acc[T] I t'- exp[T]) 1-- comm)
I· ..
(rr 1-- spec) ::= absurd absurdity
I (rr 1-- spec) & (rr 1-- spec) co~unction
I (rr 1-- spec) ". (rr 1-- spec) implication
I V t: ß. ((rr I L- ß) 1-- spec) quantification
I (rr 1-- y) =y (rr 1-- y) equivalence
I { (rr 1-- assen)} (rr 1-- comm) { (rr 1-- assen)} Hoare triple
I (rr 1-- comm) #(rr 1-- assen) non-interference
Table II: Abstract syntax
''variable" declaration binds a pair of (distinct) identifiers to suitably-related

acceptor and expression meanings, respectively; this is simply to avoid the
irrelevant complications that would arise with implicit conversions such as
de-referencing.
Assertions are conventional first-order formulas over the data types, but
non-terminating and partially-defined expressions (not assertions) are al-
lowed, so there are also "definedness" predicates DT ( ·) for each data type T.
The productions for specifications show that the specification language of
Reynolds has been augmented by
(i) a constant absurd, which never holds, even for the null state-set, un-
like the static-assertion specification {false} used for this purpose in
(Reynolds, 198la, Reynolds, 1982), and
(ü) an atomic formula for equivalence of phrases.
There should be no difficulty adding logical operators for disjunction and ex-
istential quantification, but there seems tobe no reason to do so. The negation
of S is definable as S ~absurd, and {P}, the static-assertion form of specifica-
tion, is definable as {true} skip {P}.
Value phrase types val[T] are introduced to allow quantification over val-
ues, as suggested in (Sieber, 1985); for example, if C:comm and E:exp[T],
C#E can be defined tobe Yt:val[T].C#(E =T t), for any L not free in C or
E, assuming the obvious coercion from val[T] to exp[T]. A "good-variable"
specification and non-interference specifications for acceptors and procedures
will be defined later.
3 Possible Worlds
In order to treat procedures and variable declarations conveniently, the model
described formally in the rest of this paper is based on a category-theoretic
formulation of possible-world semantics (Goldblatt, 1979). In this framework,
possible worlds and changes of possible world form a category, X, and seman-
tic domains are replaced by semantic-domain functors from X to either S, the
usual category of sets and functions, for "logical" phrase types, or the cate-
gory D of directed-complete posets and continuous functions for the "compu-
tational" phrase types. Then each phrase, Z, of the language is interpreted as a
natural trans(ormation, [Z], from an appropriate "environment" functor, Env,
to an appropriate semantic-domain functor, D, so that, if x and y are possible
worlds and f: x - y is a change of possible worlds, the following diagram
commutes in S or D:
X Env(x) --=['-Z-=-](-'-x~)- • D (x)
Ellv(f)j JL>(f)
y Env(y) [Z](y) D(y)
In the introduction, changes of possible world were restrictions to subsets.
But if the programming language has variable declarations, it must also be
possible to expand the set of states, as in (Reynolds, 1981b) and (Oles, 1982,
Oles, 1985). The appropriate generalization seems tobe the following cate-
gory: the objects are sets, interpreted as the sets of states allowed in each
possible world, and a morphism from X to Y is a pair f, Q having the follow-
ing properties:
(i) f is a function from Y to X;
(ü) Q is an equivalence relation on Y; and
(ili) f restricted to any Q-equivalence dass is injective; i.e., for all y,y' E Y,
if yQy' and f(y) = f(y') then y = y'.
Intuitively, f extracts the small stack embedded in a larger one, and Q relates
large stacks with identical "extensions." The category described in (Oles, 1982)
is similar, but there the function f is required tobe bijective on equivalence
classes, so that Y ~X x Y /Q.
The identity morphism idx on an object X has as its two components: the
identity function on X, and the universally-true binary relation on X. The com-
position (in diagrammarte order) f, Q; g,R:X- Z of morphisms f, Q:X- Y
and g,R:Y- Z has as its two components: the functional composition of
48 Chapter 13. Semantical Analysis of Specifi.cation Logic
f and 9, and the equivalence relation on Z that relates z0 , ZI e Z just if

they are R-related and Q relates 9(Zo) and 9(zi). We can show that, for
h,S = {, Q; 9,R, the function h e Z -x is injective on S-equivalence classes
as follows. Consider z,z' E Z suchthat zSz' and h(z) = h(z'); then zRz'
and 9(z) Q9(z') by the definition of S, and {(9(z)} by the definition of h. By
the injectivity of f on Q-equivalence classes, 9(z) = 9(z'), and then, by the
injectivity of 9 on R-equivalence classes, z = z'.
For any object X in this category, we need a restriction morphism
rX':X- X' for any subset X' of X, and an expansion morphism
xV:X- X x V for any data type V. The restriction morphism rx' has as its
components: the insertion function from X' into X, and the universally-true
binary relation on X'. The expansion morphism xV has as its components:
the projection function from X x V to X, and the equivalence relation that
relates (xo, vo) and (XI. VI) in X x V only if vo = VI. Our notation for these
morphisms does not make the domain object explicit, but this will always be
evident from context.
4 Semantic-domain Functors
Our aim in this section is to define the semantic-domain functors for our
model. Webegin by defining a number of general constructions in categories
of sets, complete partially-ordered sets, and functors. Let S be the usual
category of sets and functions. Let D be the category of directed-complete
partially-ordered sets and continuous functions (Reynolds, 1977); the objects
of this category will be termed here domains, whether or not they have least
elements. Throughout, "id"" will denote the identity morphism on object x
and ";" will denote composition of morphisms or functors in diagrammatic
order.
For any domains D and D', we define new domains as follows.
(i) Product: D x D' is the Cartesian product of D and D', ordered
component-wise.
(ü) Lifting: D .L is (an isomorphic copy of) D augmented by a new least ele-
ment, denoted .L
(ili) Exponentiation: D - D' is the set of all continuous functions from D to
D', ordered point-wise.
(iv) Partial exponentiation: D -- D' is the set of all continuousi partial func-
tions from D to D', ordered point-wise; i.e., f ~D-D' 9 iff, for all x e D,
if f(x) is defined, then 9(x) is defined and f(x) ~D' 9(x).
We also use exponentiations in category S: if SandS' are sets, S - S'
is the set of all functions from S to S', and S -- S' is the set of all partial
functions from S to S'.
1 We will only use this constructlon with discretely ordered D so that all partial functions are
continuous, but the following is a general definitlon (from Plotkin, 1985): a partial function from
D to D' is continuous just if the inverse image of any Scott-open subset of D' is Scott-open in D,
where a subset U of a domain Dis Scott-open ilJ (i) if u e U and u !;;D d, then d e U, and (ü) for
every directed subset S of D, if US e U then d e U for some d e S.
We now define the same constructions in categories of functors. For any

(small) category X, let X '* D be the category of all functors from X to D, with
all natural transformations as the morphisms, and similarly for X '* S. Let F
and G be functors from X to D, x, y and z be X-objects, and f: x - y and
g: y - z be X-morphisms. Then the four constructions needed are as follows:
(i) Product:
(F x G)(x) = F(x) x G(x)
and
(F x G)(f)((d,d') E F(x) x G(x)) = (F(f)(d), G(f)(d')).
(ü) Lifting:
F1.(x) = (F(x))J.
and
{
_l if d = .l,
Fl.(f)(d E Fj_(x)) = F(f)(d) in Fj_(y), otherwise.
(ili) Exponentiation:
(F- G)(x)
= {m n (F(y)- G(y)) I
E f:x-y
forallf:x-yandg:y-z,}
m(f); G(g) = F(g); m(f; g) '
ordered pointwise, and

(F- G)(f)(m E (F- G)(x)) = m(f; g),
where Drx-y( · · · y · · · ), with a slight abuse of notation, denotes the
set of functions m from the set of X-morphisms with domain x to
the union of the ( · · · y · · ·) for all X-objects y, such that, for every
X-morphism f: x - y, m(f) E ( · · · y · · · );
(iv) Partial exponentiation:
(F- G)(x)
= {m n (F(y) -
E f:x-y G(y)) I for all f: x - y and g: y - z, }
m(f); G(g) s;; F(g); m(f; g) '
ordered pointwise, and

(F - G)(f) (m E (F - G)(x)) = m(f; g),
where the s;; relation on partial functions is graph inclusion.

For functors to S, the - and - constructions are defined in the same way,
but are based on the exponentiations for S, rather than D, and the sets are not
partially-ordered. If X is the trivial (one-object and one-morphism) category,
each of the constructions on functors reduces to the corresponding construc-
tion on domains or sets; however, note that, although A - B is isomorphic to
A - B1. inS and D, in general F - Gis not isomorphic to F - G1. in X'* S
andX'* D.
50 Chapter 13. Semantical Analysis of Specilication Logic
To motivate the exponential constructions, consider that a procedure de-

fined in possible world x might be called in any possible world y accessi-
ble from x using an X-morphism f:x- y, and it is the domain structure
determined by y which should be in effect when the procedure body is exe-
cuted. This suggests that the meaning of a procedure defined in possible world
x must be a suitably-uniform family of functions, indexed by X-morphisms
f: x - y. The uniformity condition is commutativity of all diagrams
F(y) _ _m....:.:(f_:x_-_Y:....;>_..... G(y)
F(g,y-z)j JG(!f.y-z)
F(z) m(f;g:x- z) G(z)
For -, the uniformity condition only requires commutativity when the

result of the partial mapping along the top of the diagram is defined.
We also use some of these constructions on contravariant functors from X
to S or D. The product and lifting operations construct contravariant functors
in the obvious way, and, for the exponentiation constructions, the uniformity
conditions are obtained by reversing the vertical arrows; for example, if F and
G are contravariant functors from X to S,
(F- G)(x)
=
{m E n (F(y)
f:x-y -
G(y))
I form(f;all f:x- y and g:y- z, } ·,
g) ; G(g) s;; F(g) ; m(f)
that is, commutativity of

F(y) _ _m....:.(f_:x_----'y'-)-..... G(y)
F(g,y-z)l IG(g,y-z)
F(z) m(f;g:x- z) G(z)
is required whenever the partial function at the bottom gives a defined result.
We define the morphism part to yield covariant functors; for example,
(F - G)(f) (m E (F - G)(x)) = m(f; g).
These constructions will be used to construct meaning functors [ y] for the
phrase types y of our language from the following "primitive" functors, where
X is now the category of possible worlds defined in Section 3:
(i) S is the contravariant functor from X to D defined as follows: for any
X-object X, S(X) = X, discretely-ordered, and, for any X-morphism
f,Q:X- Y, S(f, Q) is the function f E Y - X. This is the only functor
that depends directly on details of category X.
(ü) For every data typeT, [T] is a constant functor (covariant or contravari-
ant, as appropriate) from X to D such that, for every X-object x, [ T]x is
the discretely-ordered domain of values of type T.
(ili) T is the (contravariant) constant functor from X to S such that, for every
X-object x, T(x) is the set {true,false}.
(iv) 1 is the (covariant) constant functor from X to S such that, for every
X-object x, 1 (x) = A, for some singleton set A.
(v) F is the (covariant) functor from D to S that forgets partial-orderings
and treats continuous functions as arbitrary functions.
(vi) Eis the (covariant) functor from S to D that embeds sets into the cate-
gory of domains by discretely ordering them and treating arbitrary func-
tions as continuous functions.
Note that E and F preserve products, E preserves exponentials, and E; F is the
identity functor on S.
We can now define functors [6]:X- D, and [oc], [spec]:X- S. We
first consider [comm]. In earlier work (Reynolds, 198lb, Oles, 1982, Tennent,
1985), command meanings were, for any possible-world X, partial functions
or binary relations on X. But it turns out tobe simpler to use elements of
(S - S)(X), where S is the states functor defined above. Then, command
meanings are X-morphism-indexed families of partial functions, and it is no
Ionger necessary to depend on the morphism part of the functor to define such
families "implicitly." The uniformity condition for such families allows com-
mand execution to become less-defined in more-restricted possible worlds,
while ensuring that, when such execution is defined, the results are consis-
tent with execution in less-restrictive worlds. However, we shall not define
[comm](X) tobe (all of) (S - S)(X), because this would permit commands
that have been defined non-locally to modify the values of local variables. The
constraint in the following definition precludes this.
For any X-object X,
[comm]X
for allf,Q:X- Y, g,R:Y- Z, andz E Z, }

S( f Z'); c(f, Q; g,R) = c(f, Q; g,R; f Z'); S( f Z'), ,
where Z' = {z' e Z I z' Rz}
ordered pointwise. The condition ensures that, for every change of possible
world g, R: Y - Z, execution of c(f, Q ; g, R) stays within an R-equivalence
dass. For the morphism part of [comm], let X, Y, and Z be X-objects, and
f, Q: X - Y and g, R: Y - Z be X-morphisms; then
[comm](f, Q)(c)(g,R) = c(f, Q; g,R).
The remaining semantic-domain functors are defined in Table m. Note

that assertions must always be properly truth-valued, but expressions may
have value J.. The uniformity condition for - ensures that, if an assertion or
expression is evaluated at some state, all of its sub-expressions are evaluated
at the same state; that is, there can be no "side effects," not even temporary
ones. In particular, we have the following
)' [y] Functionality of [y]

val[T] [T].L X-D
exp[T) S - [val[TJ] X-D
acc[T] [T]- [comm] x-o
6-6' [6]- [6'] x-o
assert (S;F)- T x-s
cx- a' [a] - [a'] x-s
6-a ([a]; F) - [a] x-s
spec 1-1 x-s
Table ID: Semantic-domain Functors
Proposition 1 For any f:X- Y, g: Y - Z, p E [exp[T]- assert]X,

e E [exp[Tl]Y and Z E Z,
p(f) (e)(g)(z) = p(f) (eo)(g)(z),
where e0 E [ exp[ T]] Y is the "constant" expression-meaning such that, for all
h: Y - Wand w E W, eo(h)(w) = e(g)(z).
Proof: We first establish the lemma
[exp[Tl](g; r{z})(e) = [exp[Tl](g; f{z})(eo)
Consider any X-morphism h: {z}- Wand state w E W; then
[exp[Tl](g; f{z})(e)(h)(w)
e(g; f {z} ; h) (W) by the definition of [exp[Tl]
e(g) (S(f {z}; h)(w)) by the definition of -
e(g)(z) by the definition of r{z}
eo(g)(z) by the definition of e0
[exp[Tl] (g; f {z} )(eo)(h)(W) as with e.
Now, we prove the proposition as follows:
p(f) (e) (g) (z)
p(f) (e)(g; r{z} )(z)
by the definition of [assert]
p(f;g; r{z})([exp[Tl](g; f{z})(e))(id{zJ}(Z)
by the definition of [exp[T]- assert]X
p(f;g; f{z})([exp[Tl](g; f{z})(eo))(id{zJ)(Z)
by the lemma
p(f) (eo)(g)(z)
as with e
I
[absurd]xuf = false
[SI &S2]xuf = [SI]xuf and [S2]xuf
[SI=> S2]xuf = for all g:y- z, if[Sdxu(f;g) then [S2]xu(f;g)
['t't:ß.S]xuf
= for all g:y- z and m E [ß]z, [S]z(([rr]; F)(f; g)(u) lt- m) {idz)
[ZI =y Z2]x U f = for all g: Y - Z, ([y](f; g)([ZI]x U) = [y](f; g)([Z2]X u))
Table IV: Specifications
Specification meanings are not conventional truth values, but rather

X-morphism-indexed families of "partial elements," which are either undefined
(identified with false), or defined (identified with true), and the uniformity con-
dition for - ensures that, if t is such a family and t(f: x - y) is true, then so
is t(f; g) for all g: y - z. Thus, t is (the characteristic function oO a "sieve
on x" (Goldblatt, 1979) and [spec] is the subobject classifier in the topos X=>S.
Finally, for any type-assignment rr with rr(t) = ßt for every identifier
t E dom(rr), we define a (covariant) functor [rr]:X- Das the product of
the [ß 1 ] over the domain of rr, where it is understood that, for any of the ß1
that is an assertional (rather than ordinary) phrase type, [ß 1 ]:X- Disfirst
composed with the embedding functor E to obtain a functor from X to D.
5 Semantic Valuations
We may now interpret the phrases of the language as natural transformations
from environment functors to meaning functors:
[(rr 1-- 0)]: [rr]--:... [0]
[ (rr I- IX)]: ([rr]; F) --:... [IX]
[(rr 1-- spec)]: ([rr] ;F)--:... [spec]

where [rr], [O]:X- D, [IX], [spec]:X- S, and F:D- S are the functors
defined in the preceding section.
We begin with the purely logical fragment of the specification language.
The key facts are that (i) the functor category X => S is a topos (this is true
for any small category X), and (ü) intuitionistic logic may be interpreted in
any topos (Goldblatt, 1979). The resulting valuations are given in Table IV,
where, for convenience, the identity function and the undefined partial func-
tion on a singleton set are identified with true and false, respectively. Here,
and throughout this section, x is an X-object, f: x - y is an X-morphism, and
u is a suitable environment; for example, here u E ([rr]; F)(x), where rr is
the type-assignment component of the phrase-dass of the phrase being inter-
preted. Note the "implicit" quantifications over changes of possible world in
the valuations for implication, quantification, and equivalence. These are re-
quired in general to ensure "monotonicity"; i.e., for any specification S, [S]x u f
implies [S]x u(f; g) for every appropriate g.
[true]xufro = true [false]xufro = false

[notP]xufro = ~([P]xufro)
[P1 and P2]xufyo = ([Pdxufro and [P2]xufyo)

['Vt:T.P]xufyo = forall v E [val[Tl]x,[P)x(u I t - v)fYo
[DT(E)]xufro = ([E]xufro * ..L)
[E1 =T E2]xu(yo = ([Edxufro = [E2]xufyo)
Table V: Assertions
In contrast, the logical operators in assertions may be treated "classi-

cally" and "pointwise", as in Table V, where Yo e S(y). "Negative" equal-
ity operators (yielding false if either operand is undefined) can be defined
using the definedness predicates. lt would also be possible to restriet
quantifi.ed identifi.ers to range over non- ..L values only, by relativizing the
quantifi.er laws in the first-order assertionallogic (Scott, 1967, Scott, 1979,
Bendvenga, 1986).
For procedures, the key facts are that (i) the functor categories X ~ S and
X~ D are Cartesian-closed (this is true for any small category X; see Goldblatt,
1979 and Oles, 1982, respectively) and (ü) the typed lambda calculus may
be interpreted in any such category (Lambek, 1980, Scott, 1980, Lambek and
Scott, 1986). The resulting valuations (for ordinary procedures) are
[.\t:O.Z]xuf(m e [O]y) = [Z]y([rr]fu I t- m)
[P(A)]xu = [P]xu(id,,:)([A]xu),
and assertional procedures may be treated in a similar way. For identifi.ers,
[t]X U = U(t).
Valuations for the constructs that involve commands (other than the
variable-declaration block) are given in Table VI. In the equation for sequen-
tial composition, the semi-colon on the right denotes composition of partial
functions (in diagrammatic order). The following proposition illustrates how
non-interference specifications may be "decomposed".
Proposition 2 If rr(C) = comm and rr(Pt) = rr(P2) = assert, then, for any
X-object X and u e [rr]X,
[C#P1 & C#P2 ~ C # (P1 and P2)]Xu(idx).
Proof: Consider any f,Q: X - Y and assume [C#PdXu(f,Q) and

[C#P2]Xu((,Q). Consider any g,R: Y - Z, v e {true,false}, and z 0 e Zv,
where
Zv = {zv E Z I [P1 and P2]Xu((,Q;g,R)zv = v}.
Let v, = [P,]Xu(f,Q; g,R)zo for i = 1,2. By the assumption about P1, if
[C]X u(f, Q; g,R)zo is defined, it is equal to to [C]X u(f, Q; g,R; fZt>zo E Z1o
where
Z1 = {z1 e z I [PdX u(f, Q; g,R)zl = vt} ,
[skip]xuf = ids(y)
[Cl; C2]xu{ = [Cdxuf; [C2]xu{
rA ._ E] f _ { [A]xufv(idy)Yo. if [E]xufy0 = v E [T]y;
l ·-T x u Yo - undefined, otherwise
[{P}C{Q}]xuf
= for all Yo.YI E S(y), if [P]xufyo and [C]xufyo = Yl then [Q]xufyl
[C#P]xuf
= for all g:y- z and v E {true,false},
S<r Zv); [C]x u(f; g) = [C]x u(f; g; rzv); S(r Zv)
where Zv = {zv E S(z) I [P]x u(f; g)zv = v}
Table VI: Commands
and, by the assumption ab out P2, if [ C]X u(f, Q ; g, R ; r Z 1) zo is defined, it is

equal to [C]X u(f, Q; g, R; rZ1; r Z2)zo E Z2, where
Z2 = {Z2EZII[P2]Xu(f,Q;g,R;rZ dz2=v2}.
But z2 = {Z2 E zl I [P2]Xu(f,Q;g,R)Z2 = V2} bythe definitionof [assert]X,
and so Z2 s;; Zv. Then, by the definition of -, if [C]Xu(f,Q ;g,R; rz1; rz2)Zo
is defined, it is equal to [C]X u(f, Q; g,R; r Zv)Zo. I
For new-variable declarations, we first define a functor expandT: X- X for
each data type T as follows:
expandT (X) = X X [T ]X
expandT(f, Q:X- Y) = fT, QT
where fT(x, v) = (f(x), v) and (xo, Vo) QT (x1, v1) iff xoQx1. For any
X-morphism f, Q: X - Y, the following diagram commutes:
X([T]X) _ _ expandT (X)
X _ _____:..::..___.::____:..
f, Q j
x([T]Y)
jexpand, (f, QJ
Y _ _____:..=--='--'----+- expandT ( Y)
We can now define the acceptor and expression components
aT(X) E ([T]- [comm])(expandT(X))
and
eT (X) E [ exp[ T] ]( expandT (X))
of a "new" variable of data typeT in an expanded possible world expandT (X).
For X-morphisms f, Q: expandT(X)- Y and g,R: Y - Z, and v1 E [T]Y,
aT(X)(f,Q)(vi)(g,R)(zo E Z) = Z1 E Z suchthat
(i) f(g(zd) = (x, v1) where (x, vo) = f(g(zo)), and
(ü) zoRz1 and g(zo)Qg(zl ),
and eT(X) (f, Q)(yo E Y) = v, where (x, v) = f(Yo). In the definition of aT, a
state ZI satisfying the two conditions might not exist and then the result is un-
defined; however, if such a state does exist, it must be unique by the injectivity
property of X-morphism f, Q; g, R. Intuitively, the effect of assigning a value
VI to the acceptor is to replace the old value vo in the appropriate component
of the stack by vi, without changing more-local components (condition (ü)) or
more-global components (i.e., the x in condition (i)).
The semantic equation for block commands is then
[new[T] t, t' in C]x u f Yo
YI, if [C] (expandT (x)) (u') (expandT(f)) (yo, vT)
{ = (YI. v) E S(y) X [T]y,
where u' = ([rr]{x([T]x))(u) I t - aT(x) I t'- eT(x))
undefined, otherwise,
where vT is a "standard" initial value for variables of type T. The following
three propositions show, respectively, that
(i) assignments to a local variable do not affect non-locally-defined asser-
tions;
(ü) a local variable is not affected by non-locally-defi.ned commands; and
(üi) a declared variable is a "good" variable, that is to say, immediately after

an assignment to it, its value is the value just assigned.
Throughout, u E [rr]X, X'= expandT(X), rr' = (rr I A- acc[T] I E- exp[T])
and u' = ([rr](x([T]X))(u) I A- aT(X) I E- eT(X)).
Proposition 3 If P is an identifier (different (rom A and E) with

rr' (P) = assert, then [A#P]X' u' (idx· ),
where, for any A:acc[T] and P:assert, A#P - 't'EI:exp[T]. (A :=T Ed#P
for any identifier EI not free in A or P.
Proof: Consider any f,Q:X' - Y and ei E [exp[Tl]Y, and let u" =
([rr](f,Q)u' I EI-ei). Consider any g,R:Y- Z and v E {true,false} and
Iet Zv = {z E Z I [P]Yu"(g,R)z = v}. We must now show that
S<rZv); ([A :=T EdYu"(g,R)) = ([A :=T EdYu"(g,R; rzv)) ;S<rZv).
Consider any zo E Zv and suppose [EdYu"(g,R)zo = vi; then
[A :=T EdYu" (g, R)(zo)

[A]Yu" (g, R) (VI) (idz) (zo)
by the equation for :=
[acc[Tl] (f, Q) (aT (X)) (g, R)(vi) (idz )(zo)
by the definition of u"
aT ({, Q; g, R)(vi) (idz) (zo)
by the definition of [acc[Tl]
and, if this is defined, it is a state z1 E Z suchthat f(g(zd) = (x, v1) and

f(g(z0 )) = (x, v0 ) for some x EX and vo E [T]Z. But then, if p = u(P),
[P]Yu" (g, R)z1 p(x([T]X); {, Q; g,R)zl

p(idx) (S(x([T]X); f, Q; g,R)zl)
p(idx)(x)
[P]Yu" (g, R)zo
V
and so Zl E Zv and [A :=T EdYu"(g,R; rzvHZo) = Zl as weil. I

Proposition 4 If Co is an identi(ier (different from A and E) with
rr' (Co) = comm, then [Co# E]X' u' (idx').
Proof: Consider any X-morphism f,Q:X'- Y, v E [val[T]]Y, and y 0 E Yv,
where Yv = {y E Y I [E]X'u'(f,Q)y = v}. Let Co= u(Co), g,R:X- Y
be x[T]X; f,Q, and Y' = {y' E Y I y'Ryo}. Then, by the definition of
eT(X), Y' ~ Yv and Yo E Y', and so, if co(g,R)(yo) is defined, it is equal to
co(g,R; rY')(yo), by the definition of [comm]. But then, by the definition of
s- s, it is also equal to Co(g,R; rYvHYo). I
Proposition 5 [gvT(A, E) ]X' u' (idx'),

where, for any A:acc[T] and E:exp[T],
gvT(A,E) = VEo:exp[T]. VP:exp[T]- assert.
A#P => {P(Eo} A :=T Eo {P(E)}
for any identifiers Eo and P not free in A or E, where, for any A:acc[T] and
P:exp[T']- assert,
A#P = VE1:exp[T'].A#E1 => A#P(Ed
for any identifier E1 not free in A or P, where, for any A:acc[T], E1:exp[T']
and Q:assert,
and
A#Q - VE2:exp[T]. (A :=T E2)#Q
for any identifier E2 not free in A, E1. or Q.
Proof: Consider any X-morphism f:X' - Y, eo E [exp[T]]Y,
p E [exp[T]- assert]Y, and let rr" be
(rr' I Eo .... exp[T] I P .... exp[T]- assert)

and u" E [rr"]Ybe
( [ rr' ]f u' I Eo .... eo I P .... P) .
Consider any g:Y - Z and assume [A#P]Yu" g. We must show
that [{P(Eo)}A :=T Eo{P(E)}]Yu"g. Consider zo,ZI E Z suchthat
aT(X)(f)(v)(g)(zo) = Z1. where v = eo(g)(zo). Then, by the definitions of
aT and eT1 eT(X)(f; g)(zt) = v. Let ev E [exp[T]]Y be the constant expres-

sion meaning whose value is always v.
We now use the assumption that [A#P]Yu" g; i.e.l that
[YE1:exp[T].A#E1 Q A#(P(Et)]Yu" g I
to derive that
[A#E1 QA#P(Et)]Z([rr"]gu" I E1 ..... e~)(idz)
where e~ = [exp[T]]gev. But the value of E1 is e~~ a constant expression

meaningl and so
[YE2:exp[T]. (A :=T E2)#P(E1)]Z([rr"]gu" I E1 ..... e~)(idz)
But then
[(A :=T E2)#P(EI))Z([rr"]gu" I E1 ..... e~ I E2 ..... [exp[T]]geo)(idz)
and1since execution of the assignment preserves the value of P(E1)1
[exp[T]- assert](g)(p)(idz )(e~)(idz Hzo)
= [exp[T]- assert](g)(p)(idz)(e~)(idz)(zt)
i.e. 1p(g)([exp[T]]gev)(idz)(zo) = p(g)([exp[T]]gev)(idz)(zt)
i.e.1 [assert]g(p(idz Hev)) (idz )(zo) = [assert]g(p(idz Hev)) (idz Hz1)
i.e.1p(idy)(ev)(g)(z0 ) = p(idy)(ev)(g)(zt)
and thenl by using Proposition 1 twicel we get that
p(idy )(eo)(g)(zo) = p(idy) ([ exp[Tl] (f) (eT (X))) (g)(zi) I
which is sufficient to prove the desired result. I
6 Fonnal System and Soundness

The purely-logical part of the formal system presented in (Reynoldsl 1982)
is essentially (the negative fragment of) many-sorted intuitionistic predicate
logic with equality; howeverl occurrences of the static-assertion specification
{false} should be replaced by the new constant absurd to allow for the possi-
ble world in which the set of states is empty.
The non-logical axioms relevant to the fragment interpreted here are
• the 011ß~ and T1 laws of the typed Iambda calculus;
• Hoare-like axiomsl such as
{P} Co {Q} & {Q} C1 {R} Q {P} Co; C1 {R} ;
• command equivalencesl such as

(Co; Ct); Cz =comm Co; (C1; C2) ;
• non-interference decomposition axiomsl such as

C#P1 & C#P2 Q C # (P1 andP2);
RobertD. Tennent 59
• variable-declaration axioms, of the form

(YA:acc[T). VE:exp[T].
gvT(A,E)&···&A#Et&···&CJ#E&··· ~ {P}H(A)(E){Ql)
~ {P} new[T] A,E inH(A)(E){Q} ,
where P and Q are assertion identifiers, H is an identifier of type
acc[T]- (exp[T]- comm), and the Et and c1 are expression-like and
command-like identifiers, respectively;
• the axioms of Strong Constancy and Leftside Non-interference Compo-
sition (Reynolds, 1982).
The only significant modifications necessary to the presentation in (Reynolds,
1982) are that variables must be separated into their acceptor and expression
components, as in the variable-declaration axiom above, and assertions must
be distinguished from Boolean expressions.
The result desired is as follows:
For S E ( rr 1-- spec), [S]x u f = true for all X-objects x, environ-
ments u E [rr]x and X-morphisms f:x- y whenever S :: rr is
derivable.
Validity of the axioms for procedures and for the purely logical fragment
of specification logic follows from the general category-theoretic considera-
tions mentioned earlier. The axioms of Strong Constancy and Leftside Non-
interference Composition can be treated essentially as discussed in the in-
troductory section. Most of the remaining axioms can be straightforwardly
validated from the definitions or the propositions proved earlier.
Difficulties arise with axioms dealing with non-interference for higher-
arder phrases. An example was given in the lntroduction of a failure of
Rightside Non-interference Decomposition with a higher-order command-like
phrase. Another problern is that non-local command-like procedural meanings
in our model can interfere with the value of a local variable, and it is therefore
not possible to validate variable-declaration axioms involving higher-order c1.
Possible approaches to solution of these problems will be discussed in the
Concluding Remarks.
The author does not yet know whether comparable difficulties arise with
higher-order expression-like phrases on the right-hand side of #, but he has
not succeeded in validating Leftside Non-interference Decomposition axioms
with higher-order phrases on the right, or showing that non-local higher-order
expression-like phrases are not interfered with by assignments to local vari-
ables.
It should be Straightforward to extend the interpretation to control struc-
tures such as conditionals and loops, and to allow for coercions and generic
operators. Hoare-like axioms that would normally use Boolean expressions as
assertions must be slightly modified; for example, the while axiom would be
{P and E = true} C {P} ~ {P} while E do C {P and E = false} ,
where true and false are Boolean constants. Recursion per se should not be
problematical, but the introduction of non-terminating expressions may com-
plicate the derived rules for function-definition blocks, and the definition of
a dass of predicates admissible for fixed-point induction in (Reynolds, 1982)

may require modification.
Jumps require a form of continuation semantics for commands, and
then the Hoare-triple form of specification must be re-interpreted along the
lines described in Section 4.2.3 of (Reynolds, 1981a), and similarly for non-
interference specifications. This will be explained in detail in a sequel to this
work.
Specification logic is an ALGOL-like (Reynolds, 1981b) programming logic. It
is statically-typed. It avoids making references explicit. It treats substitution,
binding and scope correctly. It includes the laws of the (typed) Iambda calculus
as a sub-system. It requires expressionstobe side-effect-free. It distinguishes
between the logic for data types and the logic for phrase types. It provides
"generic" facilities such as quantification and non-interference uniformly for
all relevant phrase types. And, finally, we have shown here that it "obeys
a stack discipline" (though this operational terminology is inappropriate for
logical phrase types) in that "local" changes to storage structure, such as state-
set expansions and restrictions, can be allowed for by using possible-world
semantics without making the worlds explicit in the logicallanguage.
The difficulties with non-interference for higher-order phrases appear tobe
fundamental. One possible approach, suggested to the author by P. O'Hearn,
is to re-interpret G#P for higher-order G to capture the intuition that G(C)
can interfere with P only by using C; with Reynolds' interpretation, G ( C) is
unconstrained when C interferes with P. A satisfactory interpretation along
these lines would be most welcome because it would necessitate only very
minor changes to the formal system of specification logic. Further evidence
that the problems may arise from Reynolds's definitions of higher-order non-
interference is the fact that when both operands of # are higher-order, the
reductions are applicable in two ways, and the results do not seem to be equiv-
alent.
Another direction that could be explored is suggested by the realization
that a kind of "weak converse" of Non-interference Decomposition is needed,
along the lines of Non-interference Composition. Since non-interference for-
mulas are typically used as assumptions for Hoare-triple formulas, this might
be feasible, but would require significant modifications to the logic.
The most drastic "solution" to the problems of non-interference might be
to avoid them completely by adopting a syntactic method of interference con-
trol, along the lines of (Reynolds, 1978). In fact, the most unsatisfactory as-
pect of specification logic in practice is the inconvenience of having to deal
explicitly with non-interference and good-variable assumptions. Syntactic con-
straints to achieve interference control would restriet expressivity somewhat,
but would be helpful to language implementers as weil as program verifiers.
Specification logic, in its present state of development, also seems inade-
quate to deal with Situations in which representational abstraction is involved,
as in Chapter 5 of (Reynolds, 1981a). For example, in the absence of concur-
rency it should be possible to allow for "benevolent" side effects (Hoare, 1972)
in which the representation of an abstract object is changed but its abstract

properties are preserved.
Refinements of the model to more closely approach the ideal of full ab-
straction (Stoughton, 1988, Meyer and Sieber, 1988) are also possible. For
example, the equivalence
new[T] A,E in C =comm C ·,
where C is a command identifier, falls in our model 2 only because the local
component of a command meaning can be less-defined than its non-local com-
ponent. But such a command is not expressible, and so it is only necessary
to further constrain elements c of [ comm] as follows: for any f, Q: X - Y,
g,R:Y- Z and R-equivalence dass Z', if gZ' = Y then S(g,R); c(f,Q) =
c(f, Q ;g,R) ;S(g,R); this ensures that, whenever g,R: Y - Z isapure expan-
sion, execution in Z is not less defined than execution in Y. It would also be
desirable to establish an "adequacy" correspondence between the denotational
model and an appropriate operational semantics.
Appendix
The following example, from a personal communication to the author by
J. C. Reynolds, demonstrates the undesirable consequences of adopting full classi-
cal (rather than intuitionistic) logic as the logical basis for specification logic. From
the rules for assignment, skip , and statement compounding, one derives
gv(x) => {x = 3} skip; x := 4 {x = 4}
By mathematical-fact introduction, static implication, and consequent weakening:
gv(x) & {x = 3} => {x = 3} skip; x := 4 {false} .
LetS be the formula {x = 3} skip; x := 4 {false}. Then,
gv(x) & ~s & {x = 3} .. absurd
and, since absurd implies anything,
gv(x) & ~s & {x = 3} => {true} skip {false} .
Now, Strong Constancy gives us
skip#(x = 3) & ( {x = 3} => {true} skip {false}) => {x = 3} skip {false}
and so, since skip#(x = 3), we get
gv(x) & •S => {x = 3} skip {false}
However, by assignment, gv(x) => {false} x := 4 {false} so that statement compounding
gives us
gv(x) & •S => {x = 3} skip; x := 4 {false} ;
i.e., gv(x) & •S => S, so that gv(x) => ••S. Finally, with classicallogic, we get gv(x) => S,
which asserts that the assignment x := 4 does not terminate if x initially has a value
other than 4.
2 Editors' note: the assertion is incorrect. In fact, this particular equivalence does hold in the
model; see Chapter 14 in this volume.
Acknowledgements
I am extremely grateful to John Reynolds for bis many contributions to tbis work. I
am also grateful to Gordon Plotkin, Eugenio Moggi, David McCarty, Kevin Tobin, and
Peter O'Hearn for tecbnical discussions, and to Robin Milner for bis hospitality during
a productive sabbatical year at the University of Edinburgh. A preliminary report on
tbis work appeared as (Tennent, 1985).
References
ARBIB, M. A. AND ALAGIC, S. (1979). Proof rules for gotos. Acta In{ormatica, 11:139-
148.
BENCIVENGA, E. (1986). Free logics. In Handbook of Philosophical Logic, vol. m: Alter-
natives in Classical Logic (D. Gabbay and F. Guenthner, editors), number 166 in
Synthese Ubrary, pages 373-426, D. Reidel, Dordrecht, Holland.
BERGSTRA, j. A., TIURYN, j., AND TUCKER, j. (1982). Floyd's principle, correctness the-
ories, and program equivalence. Theoretical Computer Science, 17:129-147.
CLARKE, JR., E. M. AND KOZEN, D., editors (1984). Logics o{Programs 1983, volume 164
of Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1984.
CLARKE, jR., E. M. (1984). The characterization problern for Hoare logics. In Mathe-
matical Logic and Programming Languages (C. A. R. Hoare and j. C. Shepherdson,
editors), pages 89-106, Prentice-Hall International.
CLINT, M. AND HaARE, C. A. R. (1972). Program proving: jumps and functions. Acta
In{ormatica, 1:214-224.
CooK, S. A. (1978). Soundness and completeness of an axiomatic system for program
verification. SIAM]. on Computing, 7:70-90. Corrigendum, 10:612 (1981).
DE BAKKER, J. W. AND MEERTENS, L. G. L. T. (1975). On the completeness of the inductive
assertion method. ]. Comput. Sys. Sei., 11:323-357.
DE BAKKER, j. W., DE BRUIN, A., AND ZUCKER, j. I. (1980). Mathematical Theory of
Program Correctness. Prentice-Hall International, London.
DUMMETT, M. (1977). Elements of lntuitionism. Oxford University Press.
GoLDBLATT, R. (1979). Topoi, The Categorial Analysis of Logic. North-Holland, Ams-
terdam.
GoLDBLATT, R. (1982). Axiomatising the Logic of Computer Programming, volume 193
of Lecture Notes in Computer Science. Springer-Verlag, Berlin.
GRIES, D. AND LEVIN, G. (1980). Assignment and procedure call proof rules. ACM
Trans. on Programming Languages and Systems, 2(4):564-579.
GRIES, D., editor (1978). Programming Methodology, A Collection of Articles by IFIP
WG 2.3. Springer-Verlag, New York.
HaARE, C. A. R. AND LAUER, P. E. (1974). Consistent and complementary formal theories
of the semantics of programming languages. Acta Informatica, 3(2):135-153.
HaARE, C. A. R. (1969). An axiomarte basis for computer programming. Comm. ACM,
12(10):576-580 and 583.
HaARE, C. A. R. (1971). Procedures and parameters: an axiomatic approach. In Sym-
posium on Semantics of Algorithmic Languages (E. Engeler, editor), volume 188 of
Lecture Notes in Mathematics, pages 102-116, Springer-Verlag, Berlin.
HaARE, C. A. R. (1972). Proof of correctness of data representations. Acta Informatica,
1:271-281. Reprinted in (Gries, 1978), pages 269-281.
KRIPKE, S. A. (1965). Semantical analysis of intuitionistic logic I. In Formal Systemsand

Recursive Functions U. N. Crossley and M. A. E. Dummett, editors), pages 92-130,
North-Holland, Amsterdam.
LAMBEK, J. AND Scorr, P. J. (1986). Introducdon to Higher-Order Categorical Logic.
Cambridge University Press, Cambridge, England.
LAMBEK, J. (1980). From lambda-calculus to cartesian-closed categories. In (Seldin and
Hindley, 1980), pages 375-402.
LEIVANT, D. AND FERNANDO, T. (1987). Skinny and fleshy failures of relative complete-
ness. In Conf. Record 14th ACM Symp. on Prindples of Programming Languages,
pages 246-252, ACM, New York.
LEIVANT, D. (1985). Logical and mathematical reasoning about imperative programs.
In Con(. Record 12th ACM Symp. on Principles of Programming Languages, pages
132-140, ACM, NewYork.
McCARTY, C. (1984). Information systems, continuity, and realizability. In (Clarke and
Kozen, 1984), pages 341-359.
MEYER, A. R. AND SIEBER, K. (1988). Towards fully abstract semantics for local vari-
ables: preliminary report. In Con(erence Record of the Fi(teenth Annual ACM Sym-
posium on Prindples o( Programming Languages, pages 191-203, ACM, New York.
See Chapter 7.
OLDEROG, E. (1984). Hoare's logic for programs with procedures: what has been
achieved? In (Clarke and Kozen, 1984), pages 383-395.
OLES, F. J. (1982). A Category-Theoretic Approach to the Semantics of Programming
Languages. Ph.D. thesis, Syracuse University, Syracuse, N.Y. See Chapter 11.
OLES, F. J. (1985). Type algebras, functor categories and block structure. In Algebraic
Methods in Semantics (M. Nivat and J. C. Reynolds, editors), pages 543-573, Cam-
bridge University Press, Cambridge, England.
PARIKH, R., editor (1985). Logics of Programs 1985, volume 193 of Lecture Notes in
Computer Science, Springer-Verlag, Berlin.
PASZTOR, A. (1986). Non-standard algorithmic and dynamic logic. ]. Symbolic Compu-
tation, 2:59-81.
PLOTKIN, G. D. (1985). Typesand partial functions. Lecture notes, Computer Science
Department, University of Edinburgh.
REYNOLDS, J. C. (1977). Semantics of the domain of flow diagrams. ]. ACM, 24(3):484-
503.
REYNOLDS, J. C. (1978). Syntactic control of interference. In Con(erence Record o(
the Fi(th Annual ACM Symposium on Prindples o( Programming Languages, pages
39-46, ACM, New York. See Chapter 10.
REYNOLDS, J. C. (1980). Using category theory to design implicit conversions and
generic operators. In Semantics-Directed Compiler Generation (N. D. Jones, editor),
volume 94 of Lecture Notes in Computer Sdence, pages 211-258, Springer-Verlag,
Berlin.
REYNOLDS, J. C. (1981a). The Cra(t o( Programming. Prentice-Hall International, Lon-
don.
REYNOLDS, J. C. (1981b). The essence of ALGOL. InAlgorithmic Languages, Proceedings
of the International Symposium on Algorithmic Languages U. W. de Bakker and
J. C. van Vliet, editors), pages 345-372, North-Holland, Amsterdam. See Chapter 3.
REYNOLDS, J. C. (1982). IDEALIZED ALGOL and its specification logic. In Tools and No-
tions {or Program Construction (0. Neel, editor), pages 121-161, Cambridge Uni-
versity Press, Cambridge, 1982. See Chapter 6.
Scorr, D. S. (1967). Existence and description in formallogic. In Bertrand Russell,
Philosopher of the Century (R. Schönmann, editor), pages 181-200, Allen & Unwin,
London.
Scorr, D. S. (1979). Identity and existence in intuitionistic logic. In Applications of
Sheaves (M. P. Fourman, C. V. Mulvey, and D. S. Scott, editors), volume 735 of
Leerure Notes in Mathematics, pages 660-696, Springer-Verlag, Berlin.
Scorr, D. S. (1980). Relating theories of the Iambda calculus. In (Seldin and Hindley,
1980), pages 403-450.
SELDIN, J. P. AND HINDLEY, J. R., editors (1980). To H. B. Curry: Essays in Combinatory
Logic, Lambda Calculus and Formalism. Academic Press.
SIEBER, K. (1985). A partial correctness logic for procedures (in an ALGOL-like lan-
guage). In (Parikh, 1985), pages 320-342.
STOUGHTON, A. (1988). Fully Abstract Models of Programming Languages. Research
Notes in Theoretical Computer Science, Pitman, London, and Wiley, New York.
TENNENT, R. D. (1985). Semantical analysis of specification logic (preliminary report).
In (Parikh, 1985), pages 373-386.
TRAI<HTENBROT, B. A, HAI.PERN, J. Y., AND MEYER, A. R. (1983). From denotational to
operational and axiomatic semantics for ALGOL-like languages: an overview. In
(Clarke and Kozen, 1984), pages 474-500.
VANDALEN, D. (1983). Logic and Structure. Springer, Berlin, second edition.
WAND, M. (1978). A new incompleteness result for Hoare's system. ]. ACM, 25:168-
175.
Part VI
PROCEDURES AND LOCAL VARIABLES

Chapter 14
Semantical Analysis of Specification Logic, 2
The "specification logic" of J. C. Reynolds (1982) is a formal system for
proving partial-correctness properties of programs in an ALGOL-like lan-
guage with higher-order procedures. In a previous publication (Tennent,
1990), a model was presented that validates all axioms of the system ex-
cept those involving non-interference formulas for procedural phrases.
Following Reynolds, non-interference for procedural phrases was there
defined syntactica/ly, by induction on types.
Here, we present a new semantic interpretation of non-interference
(for phrases of arbitrary type) which is equivalent to the interpretation
given earlier for phrases of basic type. This interpretation provides the
first model for a/1 of Reynolds's axioms (except the equivalences formerly
used to define procedural non-interference). A slightly more refined
model is used to validate also a new axiom which formalizes a method
used by Reynolds (1981a) to reason about programs with multiple Ievels
of abstraction.
Contents
1 lntroduction 65
2 Categories and Functors 71
3 Semantics of Non-lnterference 74
4 Non-lnterference Decomposition 76
4.1 Leftside Decomposition 76
4.2 Rightside Decomposition 77
4.3 Passive and Chaste Types 78
5 Local-Variable Declarations 81
6 Non-lnterference Abstraction 85
Acknowledgements 91
References 91
1 Introduction
Specification logic (Reynolds, 198la, Reynolds, 1982) is a formal system
for proving partial-correctness properties of programs in ALGOL-like lan-
guages (Reynolds, 198lb) with higher-order procedures. It is essentially a
many-sorted first-order theory with phrase types such as comm (command),
exp[int] (integer expressions), var[int] (integer variables), and assert (asser-
tions) as the sorts, and Hoare triples {P} C {Q} as atomic formulas. (The
"top-level" formulas, such as Hoare triples, are termed specifications, whereas
the pre and post-condition formulas P and Q in the Hoare-triple specification
{P} C {Q} are termed assertions.)
First appeared in Information and Computation, 107(1):25-57, 1993. Reprinted with the permis·
sion of Academic Press.
66 Chapter 14. Semantical Analysis of Specification Logic, 2
The use of conjunction (&) and implication (.,.) as specification connectives

and quantifiers (V) at the Ievel of specifications greatly clarifies the treatment
of procedures, especially higher-order procedures and phrases with free pro-
cedure identifiers, because it is possible to write specifications about free pro-
cedure identifiers. Some related approaches are described in (Hoare, 1971,
Damm and Josko, 1983, Olderog, 1984a, Olderog, 1984b, Sieber, 1985,
German et al., 1989).
The most distinctive feature of the system is the use of non-interference
specifications. Informally, C # E asserts that every way of using C preserves
any value obtained by using E. Notice that this notion of non-interference
is asymmetric: C is a possibly interfering phrase, and E is a phrase possibly
interfered with. For example, if C is a command and E is an expression, C # E
means that the value of E is invariant throughout any (terminating) execution
of C; if C is a variable, C # E means that no assignment to C can interfere with
E; and if C is a procedure, C # E means that no call of C can interfere with E
other than by using an argument that interferes with E. The main contribution
of this paper is to provide a uniform and rigorous semantic interpretation of
C#E for arbitrary phrases C and E.
Before addressing the semantics of non-interference in detail, we discuss
the role of non-interference formulas in the formal system of specification
logic. The most fundamental application is to permit Hoare-like reasoning
about assignments in languages with aliasing, non-local variables in proce-
dures, and variable phrases containing expressions. As is well-known, the
familiar substitution-based axiom proposed in (Hoare, 1969) is not sound in
general in such languages. For example,
{x = 1} y := y + 1 {x = 1}
falls if variable identifiers x and y are aliased, that is to say, denote the same
storage variable. (In our examples, assignment commands will have variable
phrases of type var[T] for some data typeT on the left and the correspond-
ing phrase on the right will then be of type exp[T], and we assume a "de-
referencing" coercion from var[T] to exp[T], as is usual in ALGOL-like lan-
guages. Without the coercion, we would have to write the assignment above as
y := contents y + 1 using an explicit de-referencing operator contents.) Less
obviously,
{f(2) = 1} y := y + 1 {f(2) = 1}
can fail if y is a non-local variable in the definition of expression procedure f.
Finally, if a is an array variable,
{true} a[a[i]] := 0 {a[a[i]] = 0}
*
may fail when a[i] = i 0 because the assignment changes the value of a[i],
and then the value of a[a[i]] need not be the value (0) just assigned to it; such
a variable phrase is termed a bad variable.
Reynolds proposed that, in the absence of syntactic restrictions that pre-
clude such anomalies (Reynolds, 1978), assignments can be soundly reasoned
about by requiring that appropriate hypotheses about the variable and the pre
and post-condition assertions be proved in the formal system. The law for
assignment commands in specification logic is as follows:
Peter W. O'Hearn and Robert D. Tennent 67
Assignment:
gv(V} & V#P => {P(E)} V:= E {P(V)}
where gv(V) is a specification asserting that V:var[T] is a good variable,
P:exp[T]- assert (i.e., a procedure whose arguments are expressions for
T values and whose calls are assertions), and E: exp[ T] (i.e., an expression for
values of data type T). The consequent here is essentially like Hoare's axiom,
but the good-variable and non-interference hypotheses prevent unsound infer-
ences when V is a bad variable or when assignments to V can indirectly affect
the truth value of the pre and post-conditions. For example, theinvalid spec-
ifications discussed above are not derivable because, respectively, y#x falls
(when x and y are aliased), y#f(2) falls (when y is a non-local variable in the
definition of f), and gv(a[a[i]]) falls.
In fact, Reynolds defined the specification gv(V) as follows:
Vp:exp[T]- assert. Ve:exp[T].
V#p => {p(e)} V:= e {p(V)}
(where identifiers p and e are not free in V). In effect, this defines a good
variable to be one for which Hoare-style reasoning is possible whenever there
is no inappropriate interference.
A second role for non-interference formulas is to allow reasoning about
invariance properties of phrases, as in the following axiom:
Constancy:
C#R & ({R} => {P}C{Q}) => {PandR}C{QandR}
where Cis a command, P, Q, and Rareassertionsand {R} is an abbreviation

for the Hoare triple {true} skip {R}, where skip is the null command that does
not change states; i.e., R is true in all states. This axiom asserts that, if no
execution of C interferes with assertion R and if R holds before an execution of
C, then R will continue to hold throughout the execution, and so it is possible
to treat R as a "local" mathematical fact in partial-correctness reasoning about
c.
For example, suppose that C is a binary-search algorithm and R asserts
that the array being searched is sorted; it is obvious by inspection that C # R,
and so the axiom justifies "factoring" R out of the pre and post-conditions for
the algorithm and also assuming R whenever necessary in the verification of
c.
Notice that this axiom requires a "strong" interpretation of C # R : the value
of R must remain constant throughout any execution of C. With a weaker
definition of non-interference, such as
C#R = {R}C{R} & {notR}C{notR},
only the following weaker form of Constancy would be valid:
C#R & {P}C{Q} => {PandR}C{QandR},
and R could not be used as an assumption in reasoning about C.
Similarly, the following axiom requires a strong interpretation of non-
interference:
Non-Interference Composition:
C#E & (X#E • {P} C {Q}) • {P} C {Q}
where C is a command, and P and Q are assertions. It asserts that, if C does

not interfere with E, then it is possible to assume that no phrase interferes
with E in partial-correctness reasoning about C. An example that demon-
strates use of this axiom is discussed in (Reynolds, 1982).
In Section 6, we will discuss a new axiom we term Non-Interference Ab-
straction that formalizes a method of reasoning with "general invariants" used
informally in (Reynolds, 1981a). In this axiom also, a non-interference assump-
tion is essential.
Of course, the formal system must provide ways of discharging non-
interference assumptions. The following axiom is a basic tool that allows "de-
composing" non-interference assumptions about arbitrary phrases into non-
interference assumptions about their free identifiers:
Non-Interference Decomposition:
.. ·& Ct#€j &· ..... C#E
where {... , c,, .. .} includes all identifiers with free occurrences in C, and
{... , eJ. ... } includes all identifiers with free occurrences in E. Essentially, this
axiom asserts that all channels of interference are named by identifiers; in
particular, C#E when either C or Eis closed.
This decomposition can be refined by taking into account that all phrases
of certain types are passive, in that they cannot interfere with anything, and
that all phrases of some types are chaste, in that they cannot be interfered
with. Then, C # E whenever C is a phrase of passive type or E is a phrase of
chaste type.
Finally, there is a way to discharge good-variable and non-interference as-
sumptions about locally declared variables; for clarity, we present it as an
inference rule (Reynolds, 1981a), but in natural-deduction format:
Local-Variable Declaration:
[ v#E~~~:~#Em ]
C1#v, ... ,Cn#v
{P} C {Q}
{P} new[T] v. C {Q}
where the bound variable identifier v is not free in assertions P or Q, in

phrases E1 or c1, or in uncancelled assumptions. Essentially, this states that
the identifier declared by a local-variable declaration denotes a variable that
• is a good variable;
• cannot interfere with non-local entities (the E1); and
• cannot be interfered with by non-local entities (the C1).
To illustrate how non-interference and good-variable assumptions intro-

duced by the Assignment axiom are discharged by the Local-Variable rule, we
will consider the following block:
new[int] x.
ü f(l) = 2 then
(x := 1; ü f(x) = 2 then diverge)
where diverge is the everywhere-undefined command and f is an expression-
procedure identifier of type exp[int] - exp[int]. If f(l) = 2 on entry to
the block, it should diverge because the assignment to the local variable x
should not affect the value returned by the non-local procedure f. Therefore,
the test f(x) = 2 should succeed, leading to the execution of diverge. Of
course, this is not a very realistic block, but it illustrates that local variables
(x) do not interfere with non-local entities (f), and it is similar to examples
in (Meyer and Sieber, 1988) showing weaknesses of "marked-store" models of
variable allocation. We arenot assuming that we have the definition of f at
our disposal.
We will derive {f(1) = 2} B {false}, where Bistheblock above. For simplic-
ity, we are assuming that f (1) = 2 is an assertion, as well as an expression; see,
e.g., (Tennent, 1987, Barringer et al., 1984). We can use the following instance
of the Assignment axiom
gv(x) & x#f ~ {f(1) = 2} x := 1 {f(x) = 2},
the axiom {true} diverge {false}, and the usual axioms for ü and sequencing
to derive
gv(x) & x#f ~ {f(1) = 2}
ü f(l) = 2 then
(x := 1; ü f(x) = 2 then diverge)
{false}
and then the desired specification follows by use of the Local-Variable rule.
We may now turn to an informal consideration of the semantics of non-
interference. A satisfactory interpretation of C # E was presented in (Tennent,
1990) for the cases when Cis a variable or command and Eis an expression or
assertion; however, procedural phrases were problematical. Reynolds treated
procedural phrases by interpreting C # E syntactically, using an induction on
types. Consider the following procedure-calllaws, which can be derived from
Non-lnterference Decomposition: if C: (}- (}' and identifier cisnot free in C
orE,
C#E ~ (Vc: 9. c#E ~ C(c)#E),
and, if E: (}- (}' and identifier eisnot free in C or E,
C#E ~ (Ve: 9. C#e ~ C#E(e) ).
Essentially, these assert that if a procedure does not interfere with (or, re-
spectively, is not interfered with by) a phrase, no call of the procedure will do
so unless the argument does. Reynolds replaced the main ~ connective by
= and adopted the resulting equivalences as definitions of procedural non-

interference.
However, as pointed out in (Tennent, 1990), this approach to procedural
non-interference is not satisfactory, essentially because the procedure is unre-
stricted when its argument does interfere with (or, respectively, is interfered
with by) the other phrase. For example, consider the following procedural
phrase P of type comm- comm:
i\c:comm.if i = 1 then (c; if i > 1 then i := 0)
where i is a non-local integer-variable identifier. According to Reynolds's defi-
nition, P # i because the assignment to i in the procedure body is only executed
if c has already interfered with i. Intuitively, however, this procedure does in-
terfere with i; for example, P#(i > 0) is false because
(if i > 0 then i := i + 1) # (i > 0)
is true and
P(if i > 0 then i := i + 1) # (i > 0)
is false. In short, non-interference is not a "logical" relation (Plotkin, 1980,
Statman, 1985); nevertheless, weshall show that a very satisfactory interpre-
tation is possible.
The interpretation of C#E in (Tennent, 1990) (for the case that C:comm
and E: exp[ T]) is based on comparing
• executions of C that are restricted to subsets of the set of states for which
the value of E is invariant, with
• unrestricted executions of C.
If the restricted executions are less defined than the corresponding unre-
stricted executions, this difference is attributable to C interfering with E. The
new approach to be presented in detail in this paper generalizes this to arbi-
trary phrases C by comparing
• uses of C constrained to remain within the equivalence classes of states

for which the value of E is invariant, with
• unconstrained uses of C.
This is equivalent to the approach used previously if C is a command or a vari-

able, but if C is a procedural phrase, its use can be constrained to remaining
within an equivalence class without the parameter being so constrained, and
so examples such as P above are correctly treated.
The further generalization to allow for procedural E is then Straightfor-
ward using the fact, proved in (Tennent, 1990), that, if a phrase produces a
value at some state, the value depends only on the values that can be pro-
duced by the meanings of the free identifiers of the phrase at the same state.
2 Categories and Functors

To realize the intuitive concept of "execution locally constrained to stay
within an equivalence dass of states," we adopt a category-theoretic form
of possible-world semantics, as in (Reynolds, 1981b, Oles, 1982, Oles, 1985,
Tennent, 1986, Tennent, 1990). Each phrase type 8 is interpreted as a func-
tor [8] from a (small) category X of "possible worlds" to either D, the cate-
gory of directed-complete partial orders and continuous functions (for "com-
putational" phrase types), or S, the category of sets and arbitrary functions
(for "logical" phrase types), and similarly for every phrase-type assignment
rr. Then, for any phrase X that is well-formed and of type 8 in the context
of phrase-type assignment rr (notation: rr 1- X: 8), we interpret X as a natu-
ral transformation [X]rre: [rr] -:... [8]; i.e., the right-hand side of the following
diagram commutes for all f: x 2- y:
X [rr]x _..::..[X_]::.::rr..::..e.:....<x..:....)- [8]x
[rr]fj j[O]f
y [rr]y [X]rre(y) [ 8 ]y
The category X of possible worlds used in (Tennent, 1990) is appropriate

here as well. It is defined as follows.
• The objects are sets, thought of as sets of states. We assume that the
set of all worlds (i.e., X-objects) is dosedunder the following:
- if VT is the set of values appropriate to a data type T, VT is a world;
- if X and Y are worlds, so is X x Y; and
- if X is a world, so is any Y c X.
• A morphism from X to Y is a pair (f, Q), where Q is an equivalence
relation on Y and f is a function from Y to X whose restriction to each
Q-equivalence dass is an injection.
The composition (in diagrammarte order) (f, Q); (g, R): X 2- Z of morphisms
(f,Q):X 2- Y and (g,R):Y 2- Z is the unique morphism (h,P) where
h = g ;f, and zP z' iff zRz' and g(z) Qg(z').
Here are descriptions of some X-morphisms.
• The identity morphism on world X, idx: X 2- X, is Ux, Tx) where Ix is

the identity function on X and Tx is the everywhere-true binary relation
onX.
• For any world X, there is a unique morphism !x: X 2- 0 from X to the
empty set 0, the terminal object in X.
• If R is an equivalence relation on a world X, the state-change constraint
endomorphism lR:X 2- Xis Ux,R).
• If X' is a subset of a world X, the state-set restriction morphism

rX': X ...!_. X' is (f, Tx'), where f is the inclusion function from X' to
X and Tx' is the everywhere-true relation on X'.
• If {so} and {sd are singleton worlds, so - s1 denotes the unique mor-
phism from {so} to {sd; i.e., (f, Q) where f is the only function from
{sd to {so} and Q is the identity relation on {sd. This morphism is in
fact an isomorphism in X.
• If X and Y are worlds, the expansion morphism x Y: X ...!... Xx Y is (f, Q),
where f is the projection function from X x Y to X, and (x, y) Q (x', y')
iff y = y'.
• If X and Y are worlds, X - Y: XxY ...!... YxX is the isomorphism
(f, Tyxx ), where f(y, x) = (x, y).
We refer the reader to (Tennent, 1990) for complete definitions of the func-
tors [6] for all of the various phrase types 6, and [rr] for any phrase-type as-
signment rr. In the following, 1, x, and- refer, respectively, to the specified
terminal object, product, and exponentiation in the cartesian-closed functor
category D". The terminal object and products can be defined "pointwise,"
and the key facts about exponentials are as follows.
For any world X, p E [6- 6']X is a family p( ·) of functions, indexed
by X-morphisms with domain X, such that p(f: X ...!... Y) is a function from
[6]Y to [6']Y and the family satisfies the following uniformity condition: for
all f:X...!... Y and g: Y...!... Z,
p(f); [6']g = [6]g; p(f; g)
i.e., the following diagram commutes:
[6]Y _ __,_P..:.:.<f..:...)- - + - [6']Y
[9]gj 1[9']g
[6]Z p(f; g) [6']Z
The morphism part of [6- 6'] is defined as follows: for any f:X ...!... Y,
p E [6- 6']X, and g: Y ...!_. Z,
[6- 6']fpg = p(f ;g).
S is the contravariant functor from X to D suchthat S(X) =X, discretely-
ordered, and S(f, Q) = f. The functors for types exp[T] and assert are es-
sentially of the form S-V, for appropriate constant functors V, but the
contravariance of S forces minor modifications as follows. For any world X,
e E [exp[Tl]X is a family e( ·) of functions, indexed by X-morphisms, such
that e(f:X...!... Y) is a function from S(Y) to the flat domain of T-values, and
the family satisfies the following uniformity condition: for all f: X ...!... Y and
g:Y...!... Z,
e(f; g) = S(g) ; e(f),
which is commutativity of
e(f)
S(Y) v~
S(g) 1 lidv,
e(f; g)
S(Z) v~
where v~ is the "lifted" domain of T-values. Notice the reversal in the direction
of the vertical arrows; however, the morphism part of [exp[T]] is defined
to make it covariant as follows: for any f:X ....!... Y, e E [exp[T]]X, and
g:Y ....!_. Z,
[exp(T]]feg = e(f;g).
The definition of [assert] is similar, but with the set {true, false} of truth val-
ues replacing V~.
For any world X, c E [comm]X is a family of partial functions, indexed
by X-morphisms with domain X, so that c(f:X....!... Y) is a partial function
on S(Y). The uniformity condition on the family is the following "semi-
commutativity" requirement: for all f:X....!... Y and g: Y....!... Z,
c(f; g); S(g) s;; S(g); c(f),
where the s;; relation is graph inclusion of partial functions:
_;__ _ _ y
_ _ _c(f)
y
S(g)1 2 1 S(g)
--
z - - -c(f; g)
--z
The semi-commutativity allows command meanings to become less-defined in
more-restricted worlds; however, the family must also satisfy the following
commutativity requirement arising from the equivalence-class component of
X-morphisms. For any (f, Q):X....!... Y and y E S(Y), Iet
Y' = {y' E S(Y) I y Qy'}
(the set of states Q-reachable from y); then
c(f, Q) _
y _ ___;:_...:_:c;__ _.. y
S([Y') 1 1s([Y')
c( (f, Q); rY')
Y' --------'---+- Y'
must commute (and not just semi-commute). This ensures that, when it is
defined, c(f, Q) preserves the Q-equivalence dass of its argument. Of course,
this is also the case when Y =X and (f, Q) is an endomorphism, such as lR
for any equivalence relation R on X.
The morphism part of [comm] is defined as follows: for any f:X 2.... Y,
c E [comm]X, and g: Y 2.... Z,
[comm]fcg = c(f;g).
Finally, we define [var[TJ] tobe ([T]- [comm]) x [exp[Tl]; the first

component is used for left-hand sides of assignments and the second compo-
nent for right-hand sides.
3 Semantics of Non-lnterference
In this section, we define relations # ~ C(X) x E(X) for arbitrary functors
C,E:X- D and world X, and then use these to interpret non-interference
specifications in specification logic.
Two key ideas underlie our new treatment of non-interference. The first
is that the use of state-change constraint endomorphisms in X allows us to
constrain semantical entities to executing within equivalence classes of states
(without changing worlds). If c E C(X) and R is an equivalence relation on
X, C( lR) (c) is a restriction of c such that, when c causes a state change from
so to s1 for which so R s1 falls, C (l R )( c) diverges. Because C (l R )( c) and c are
both elements of C(X), they can be compared for equality.
For example, if R; is the equivalence relation on X that relates states for
which variable i has the same value, and u is any appropriate environment (in
which i denotes a good variable),
[comm] ( lR;) ([i := O]Xu) [ü i * 0 then diverge]Xu
* [i := O]Xu.
An attempt to change the value of i in an execution constrained by R; leads to
divergence.
As an example of the effect obtained with procedural phrases, consider
again
P = .\c:comm.ü i = 1 then (c; ü i > 1 then i := 0).
Let fJ = comm- comm; by naturality of [P], we have the commutativity of
[ rr ]X _....;:[:.....P..::.c]rr"-'e_X_ _.. [ fJ]X
[rr](IR,)j j[O](IR;)
X [rr]X [P]rreX [fJ]X

for any phrase-type assignment rr suchthat rr(i) = var[int], and so, for any
appropriate u E [rr]X, it follows that [fJ](lR;)([P]Xu) is equal to
[.\c:comm.ü i = 1 then (c; ü i > 1 then diverge)]Xu.
The state-change constraint allows us to (semantically) replace the interfer-
ence with i in the assignment i := 0 by divergence; however, interference with
i that comes from an argument c is unaffected because the identifier c is lo-
cally bound in P.
The second key idea is that, for any functor E: X - D, world X, and
e E E(X), we can define an equivalence relation [e] s;; X x X such that, in-
tuitively, s[e]s' if and only if the effect of using ein an expression evaluated
at state s is equivalent to the effect of using e in that expression evaluated at
s'. This is possible because of a result in (Tennent, 1990) which shows that,
in keeping with the principles of ALGOL-like languages in (Reynolds, 198lb),
expressions do not cause side-effects, not even "temporary" ones: the value
of e' E [exp[T]]X at a state s is equal to the value of [exp(T]](f{s})(e') at
s. (The map f {s} precludes side-effects because there are no other states in
{s} to change to!) This means that whenever an arbitrary e E E(X) is used in
an expression evaluated at s, only the restricted part E(f{s})(e) E E({s}) is
relevant.
To define the desired equivalence relation, we should compare trans-
formed meanings of the form E(f{s})(e) and E(f{s'})(e). To obtain mean-
ings in the same domain, we note that, in the category X of possible worlds,
there is exactly one morphism s' ...... s from the world {s'} to {s}, and it is an
isomorphism. Therefore, the map
E({s'}) E(s' ...... s) E({s})
is an isomorphism, and E(f {s'}; s' ...... s) (e) is a meaning at the world {s}, but
the values of (non-local) variables are evaluated as if the state were s'.
We therefore define the relation [e] as follows:
s[e]s' = E(f{s})(e) = E(f{s'} ;s' ...... s)(e)
In the case that X = 0, [e] is the empty binary relation. It is Straightforward
to verify that [e] is an equivalence relation, and the following can be proved
by a routine calculation.
Proposition 1 Forany(unctorE:X-D, morphismf:X 2... Y, andex E E(X),
l[ex] ; f = f; l[ey] = l[ex] ; f; l[ey ],
where ey = E(f)(ex).
The above definition of (e] is fairly abstract. A more concrete definition
could be used to interpret specification logic; we illustrate this with two sam-
ple cases.
• IfE=[exp[T]],s[e]s'ifandonlyife(idx)(s) = e(idx)(s').
• If E = [exp[T]- exp[T]], s[e]s' if and only if, for all a E [exp[T]]X,
s[e(idx) (a) ]s' whenever s[a]s'.
We will work with the abstract definition because it leads to simpler and more
general proofs without induction on types.
We may finally define # s;; C(X) x E(X) for any functors C,E:X- D and
world X as follows:
c#e =
C(l[e])(c) = c
The notations c#e and [e] do not explicitly indicate the relevant functors
(C, E) or object (X), but thesewill always be clear from context.
Proposition 2 ForanyC,E:X- D, f:X 2... Y, c E C(X), and e E E(X),

ifc#e then C(f)(c)#E(f)(e).
Proof:
c(! [E(f)(e>]) (C(f)(c))
c(f; l[E(f)(e>])<c> (functoriality of C)
C(l[e] ;f)(c) (Proposition 1)
C(f) ( C(! [e]) (c)) (functoriality of C)
C(f) (c) (c#e)
I
We can now apply our definition of non-interference to the interpretation
of specification logic. We first introduce the following syntax rule:
Non-Inter(erence Sped{ication:
TT f- C: (} TT f- E: (}'
rr r- C#E:spec
where rr is a phrase-type assignment and (} and (}' are arbitrary phrase types
(other than spec). This syntax rule assumes there are no coercions. If a
de-referencing coercion were allowed, it would be necessary to use type sub-
scripts on # to disambiguate cases when the C or E could be either a variable
or an expression.
Now, for any worlds X and Y, environment u E [rr]X, and morphism
f:X2...Y,
[C#E]Xuf = ([9](f)([C]Xu) # [9'](f)([E]Xu))
Proposition 2 may be used to prove that [C#E]Xu E [spec]X, and it is then
routine to show that [C#E] is a natural transformation from [rr] to [spec].
In the following sections, we use this interpretation to show the validity of the
axioms discussed in Section 1.
4 Non-lnterference Decomposition
We first consider separately the left and right operands of the # operator, and
then account for phrases that, because of their types, either cannot interfere
with, or cannot be interfered with by, any phrase.
4.1 Leftside Decomposition

Our aim here is to prove the validity of
... & Ct#E &· ..... C#E
where {... , c1, •• • } includes all identifiers with free occurrences in C.

Proposition 3
(a) For any E:X- D, world X, and e E E(X),
ifc E l(X) then c#e.
(c) ForanyC,C',E:X- D, 17:C-:.... C', worldX, c E C(X), ande E E(X),
ifc#e then 17(X)(c) #e.

X
Proof: (a) For any constant functor C:X- D and f:X- Y, C(f) = Ic(x),
and so
l(He])(c) = /t(xJ(C) = c.
(b)
(Cl XCz) (! [e]) (CI, Cz)
( C1 (He]) (ci), Cz (He]) (cz)) (definition of x)
(c)
C' (! [e]) (17(X) (c)) 11 (X)( C (l [ e]) (c)) (naturality of 11)
17(X) (c) (c#e)
I
We can show the validity of the leftside-decomposition axiom above as
follows. Assurne that, for some environment u E [ rr ]X, u (c;) # e for all c; free
in C, where e = [E]Xu. Let rr' be the restriction of rr to the c; and u' E [rr']X
be the similar restriction of u. lf Cis closed, u' E 1 (X) and so u' # e by part (a)
of the proposition; otherwise, u' # e by repeated use of part (b). By part (c)
and naturality of [C], it follows that ([C]Xu') #e. By the usual "coherence"
property of valuations, we have that [ C]Xu = [ C]Xu', and we are done.
4.2 Rightside Decomposition

The development here parallels that in the preceding sub-section. We show
the validity of the axiom
· · · & C # e; & · · · => C # E
where {... , e;, ... } includes all identifiers with free occurrences in E.
Proposition 4
(a) For any C:X- D, world X, and c E C(X).
ife E l(X) then c#e.
(b) For any C,E1.Ez:X- D, world X, (e1, ez) E (EIXEz)(X), and c E C(X),
i{c#e1 andc#ez thenc#(ei,ez).
(c) ForanyC,E,E':X- D, 17:E....:... E', worldX, c E C(X), and e E E(X),

if c # e then c #(IJ(X) (e)).
Proof:
(a) For any constant functor E: X - D,
s[e]s' = E(Us})(e) = E(Us'} ;s' ,_ s)(e)

= h<xJ(e) = h<xJ(e),
so that He] = idx, and so C( He]) (c) = Ic<Xl (c) = c.
(b) s[(e1,e2)]s' = s[eds' and s[e2]s', and so l[e1,e2]
Hence,
C(l[ed; He2])(c)
C( l [e2]) ( C( l [e1]) (c)) (functoriality of C)
c
(c) We first prove the following lemma: if s[e]s' then S[IJ(X)(e) ]s'.
E'(Us})(IJ(X)(e))
IJ({s})(E(Us})(e)) (naturality of 17)
IJ({s})(E(f{s'} ;s' ..... s)(e)) (s[e]s')
E' (f {s'}; s' ,_ s) (IJ(X)(e)) (naturality of IJ)
Then
C( l[IJ(X)(e)]) (c)
C( l [17(X) (e)]) (C( l [e]) (c)) (c#e)
C( l[e]; l[IJ(X)(e)]) (c) (functoriality of C)
c( l([e] n [17(X)(e)])) (c) (composition in X)
C(l [e]) (c) (lemma)
c (c#e)
I
Validation of the rightside decomposition axiom follows the same pattern as
that for leftside decomposition in the preceding sub-section, and is omitted.
4.3 Passive and Chaste Types
The decomposition axioms in (Reynolds, 1982) take into account the fact that
certain phrases are not "command-like" and cannot cause interference, or are
not "expression-like" and cannot be interfered with. Our treatment of these
issues here is closer to the approach used in (Reynolds, 1978).
A phrase type 8 is termed passive just if c # e for every functor E: X - D,
world X, c E [O]X, and e E E(X). Intuitively, a phrase having a passive type
cannot interfere with anything.
Proposition 5
(a) val[T] (Tennent, 1990), exp[T], and assert are passive.
(b) If (}' is passive, so is (} - (}' for every phrase type (}.
Proof:
(a) val[T] is passive because [val[Tl] is a constant functor. We prove the
result for exp[T]; the proof for assert is similar. For any f:X .....!.. Y,
e E E(X), and c E [exp[T]]X,
[exp[T]]( He]) (c)(f)
c(l [e]; f) (morphism part of [exp[TJ])
c(f; l[E(f) (e)]) (Proposition 1)
c(f) (uniformity for [exp[TJ])
(b) Consider any worlds X and Y, p E [0- (}']X, g:X .....!.. Y, a E [O]Y,
and ex E E(X). Let ey = E(g)(ex ); then
[0- O'](t[ex])(p)(g)(a)
p(Hex] ;g)(a) (morphism part of [0- (}'])
p(g; l[ey ])(a) (Proposition 1)
[0']( l[ey]) (p(g; t [ey])a) ((}' is passive)
p(g; l[ey]; t[ey ])([O]( t[ey ])a) (uniformity for [ (} - (}'])
p(g; t[ey])([O](t[ey])a) (Proposition 1 with f = idy)
[0']( t[ey]) (p(g)(a)) (uniformity for [ (} - (}'])
p(g)(a) ((}' is passive)
I
Similarly, a phrase type (} is termed chaste just if c # e for every functor
C:X- D, world X, c E C(X), and e E [O]X. Intuitively, a phrase having a
chaste type cannot be interfered with by anything.
Proposition 6
(a) If[O] is (isomorphic to) a constant functor, then (} is chaste.
(b) I{ B:X- D is (isomorphic to) a (covariant) constant functor, then so is

A-B for every (covariant) functor A:X- D.
Proof: We will use the following fact: a functor F:X- Dis isomorphic to a
constant functor iff F (f) is an isomorphism and F{f) = F (f'), for all worlds
X
X, Y and maps f,f':X - Y. (This fact depends on X being a connected
category.)
(a) If e E [O]X and S1, s 2 EX then

[O](r{si})(e) = [O](r{sz} ;sz ..... si)(e),
by the fact above. Therefore [e] is the everywhere-true binary relation
on X, and so l[e] is the identity on X. Thus, c#e whenever C:X- D
and c E C(X), and so 6 is chaste.
(b) We will show that (A- B)(f) = (A- B)(f') for any f,f':X ....!_. Y.
Consider any p E (A-B)(X), 9: Y ....!_. Z, and a E A(Z). Let !z: Z ....!_. 0
be the unique X-morphism from Z to 0, k = B(!z ), and k- 1 be the inverse
isomorphism of k; the existence of k- 1 is assured by the above remark
about functors constant up to isomorphism. Note that f; 9; !z = f' ;9; !z
because 0 is the terminal object in X. Then
(A -B)(p9a
p(f; 9)(a) morphism part of A-B
k- 1(k(p(f; 9) (a))) k ; k- 1 is an identity
k- 1(p(f; 9; !z) (A(!z) (a))) uniformity for A - B
k- 1(p(f'; 9; !z) (A(!z) (a))) f ; 9; !z = f' ; 9; !z
k- 1(k(p(f' ;9)(a))) uniformity for A - B
p(f'; 9Ha) k; k- 1 is an identity
(A-B)f'p9a morphism part of A - B
To show that (A- B)(f) is an isomorphism, where f:X 2.... Y, we

constru.ct its inverse isomorphism q: (A- B)(Y)- (A- B)(X). For
any p E (A- B)(Y), and f':X ....!_. Y', we let
q(p)(f') = A(!y,);p(!y);B(!y')-1
where !y: Y 2.... 0 and !y': Y' ....!_. 0 are the unique morphisms with
co-domain 0, and B(!y' )- 1 is the inverse of the isomorphism B(!y' ); this
defines q. That q and (A-B) (f) areinverse isomorphisms can then be
proved by a Straightforward calculation. 1
Because [val[Tl] is a constant functor, the proposition shows that val[T] and
all phrase types of the form 61 - ( Oz - · · · - (On - val[ T]) · · ·) are chaste.
1t can be proved that these are the only chaste types according to the interpre-
tation of types given in (Tennent, 1990), but we have not been able to prove
the conjecture that 6 - 6' is chaste for any interpretation of types such that
6' is chaste.
Note that if the states functor S were covariant, [exp[Tl] = S - [val[T]]
would be a constant functor and exp[T] would be chaste! But the proposition
only applies to covariant functors, and S is contravariant In fact, [ exp[ T]] is
not constant and, as expected, exp[ T] is not chaste. This discussion perhaps
gives a partialjustification for the contravariance of the states functor in (Oles,
1982) and (Tennent, 1990).
The definitions of passive and chaste types justify the following axiom: if
rr 1- C: e and rr 1- E: 0', C # E whenever e is passive or (}' is chaste. We can
now use the rule of free substitution to derive the following "practical" form
of Non-Interference Decomposition:
· · · & c; # ei & · · · => C # E
where {... , c;, ... } is the set of identifiers having at least one free occurrence
in C that is outside of any sub-pbrase of passive type, and {... , ei, .. .} is the
set of identifiers having at least one free occurrence in E that is outside of any
sub-pbrase of chaste type. Identifier occurrences are themselves sub-pbrases
and so no c; has passive type and no ei has chaste type. Also, C and E are sub-
pbrases of themselves, and so this includes the special case that C # E when C
has a passive type or E has a chaste type.
In (Reynolds, 1982) commands are regarded as pbrases that cannot be
interfered with, whereas comrn is not, in our terminology, chaste. But, to
prove that pbrases of type comrn cannot be interfered with, a tedious struc-
tural induction over the entire language is necessary; if, for example, a block-
expression form, as in (Tennent, 1986), were added to the language, the result
would fail. Our definitions of passivity and chastity are expressed in terms of
general properties of (the semantics of) types themselves, rather than merely
capturing properties of pbrases in a specific language.
5 Local-Variable Declarations
If an identifier of pbrase type e is free in the block
new[T] x.C
then its meaning c' E [O](XxV) in the body oftheblock is [O](xV)(c) for
some c E [O]X, where xV:X-...!.. XxVisanexpansion morphism. That is, c'
comes from a non-local world X, so it should be independent of the V-valued
component of XxV used to hold the value of the local variable.
On the other hand, the meaning v' of identifier x in C is concemed entirely
with the V-valued component, and should be independent of X. One way to
view this is to consider v' as coming from the world V, just as c' comes from
X, and so v' should not depend on X at all. That is, v' E [var[TJ](XxV)
arises from some meaning v E [var[TJ]V as
v' = [var[T]](xX;V-X)(v)
where xX: V -...!.. VxX ; note the exchange resulting from use of
V ......... X: VxX __!_. XxV.
The local variables described in (Tennent, 1990) can in fact be obtained in

this way (although they are not presented as such there). Therefore, to show
that local variables don't interfere with non-local entities, and vice versa, it
is sufficient to show that c' # v' and v' # c' whenever c' and v' arise in this
manner.
Proposition 7 Foranynon-emptyw orldsX, Y, functorsC, V:X-D, meanings

c E C(X), andv E V(Y), letc' = C(xY)(c), andv' = V(xX;Y -X)(v), where
X X
xY: X____. XxY and xX: Y ____. YxX; then c' #v' andv' #c'.
Proof: We will show c' #v'; the proof of v' #c' is similar. Let the equivalence
relation R s;; (Xx Y) x (Xx Y) be defined by (x, y) R (x', y') if and only if y = y',
and let g: Y __!_.. XxY be defined by
g= xX;Y-X.
Firstly, we show that

(1) COR)(c') = c'
as follows:
COR)(c') C(lR)(C(xY)(c)) (definition of c')
C(xY; lR)(c) (functoriality of C)
C(xY)(c) (xY = xY; lR)
c' (definition of c')
Secondly, we show that

(2) R s;; [v']
as follows. Suppose that (x, y) R (x', y); then
VO {(x, y)}) (v')
V(g; f{(x,y)}}(v) (definitionofv')
= V(g; f{(x',y)}; (x',y) ..... (x,y))(v)
= V( f { (x', y)}; (x', y) ..... (x, y)) (v') (definition of v')
where the intermediate step follows from the fact that

g; f{(x,y)} = g; f{(x',y)}; (x',y) ..... (x,y).
Finally, to show that c' #v':
C( l [v']) (c') C(l[v'])(C(lR)(c')) (by 1)

C ( l R ; l[ v']) (c') (functoriality of C)
C(lR)(c') (by 2)
c' (by 1)
I
In the empty world, c # v trivially, because the only endomorphism on the
empty set is the identity.
Wehave shown that local variables (however these might be defined, so
long as they are truly local) do not interfere with non-local entities, and vice
versa. To validate the Local-Variable Declaration axiom, it remains only to
show that a local variable is a good variable; a proof of this may be found
in (Tennent, 1990), and the proof is still valid for our new interpretation of
non-interference.
Similarly, the remaining axioms of the system described in (Reynolds,
1982) were validated in (Tennent, 1990) and remain valid with our new in-
terpretation of non-interference because of the following result, which shows
that, at base types, our new interpretation of # is equivalent to that in (Ten-
nent, 1990).
Proposition 8 If rr f- C: comm and rr f- E: 9, then, for all worlds X and Y,
u E [rr]X and f:X 2.... Y, [C#E]Xuf if and only if, for all g: Y 2.... Z and
Z E Z,
if[C]Xu(f; g)z = z' then [C]Xu(f; g; f Ze)z = z'
where Ze = {ze E Z I Ze[e]z} fore = [O](f;g)([E]Xu).
Proof: Let c' = [comm](f)([C]Xu) and e' = [O](f)([E]Xu).

Suppose c'#e' and c(idz)z = z', where c = [comm](g)c'; then c#e, by
Proposition 2. The following deduction now shows the only-if part:
z' c(idz)z
[comm](l[e])(c)(idz)z (c#e)
c( l [e])z (morphism part of [comm])
c( l [e]; f Ze)Z (commutativity for [comm])
[comm]( l[e]) (c)( f Ze)Z (morphism part of [comm])
c<fZe)Z (c#e)
Conversely, consider arbitrary g: Y 2.... Z and z E Z. If c'(g)z is defined

then
c'(g)z c'(g; fZe)Z (assumption)
c'(g; l[e]; fZe)Z (l[e]; fZe = fZe)
c'(l[e'] ;g; fZe)Z (Proposition 1)
[comm]( l[e']) (c') (g; f Ze)Z (morphism part of [comm])
[comm] ( l [e']) (c') (g)z (uniformity for [comm])
In the case that c' (g)z is undefined, c' (g; l[e]) is also undefined by the uni-
formity condition for [comm]. Note also that c' (g ; l [e]) = c' ( l [e'] ; g), by
Proposition 1, and [ comm]( l[ e']) (c' )(g) = c' 0 [ e'] ; g), by the definition of
[comm] on morphisms, so [comm](l[e'])(c')(g)z must also be undefined.
Thus, we may conclude that [ comm] ( l[ e']) c' = c', and hence c' # e', as re-
quired. I
We conclude our treatment of local-variable declarations by briefly consid-
ering some semantic equivalences. The first two are from (Meyer and Sieber,
1988), and are also validated by the models presented there and in (Oles,
1982).
Examplel
Consider the block new[T] x.C, where Cis a free identifier of type comm.
This block is equivalent to C in our model, (without additional constraints
on command meanings, contrary to the remark in (Tennent, 1990). To show
the equivalence, consider the X-morphism f = (g, Tx):X x VT ....!.. X such
that g(x) = (x, vT) for each x e X, where vT is the initial value for T-valued
variables. Let c e [comm]X and s e X. If c(idx)(s) is defined and equal tos',
then c(xVT; f)(s) = s' because xVT; f = idx. The uniformity condition on
elements of [comm]X then implies that c(xVT)(s, vT) = (s', vT):
c(idx)
x---~;:..;._--..x
S(xVTll 2 fs(xVTl
c(xVT)
X X VT ---'-.:...:.....--...X X VT
X
·I 2
c(xVT ;f)
X------'--'----+- X
I·
i.e., c(xVT )(s, vT) has the same effect on the X-valued component of the stack
as does c(idx). In the case that c(idx)(s) is undefined, the uniformity condi-
tion guarantees that c(xVT)(s, vT) is also undefined. The desired equivalence
follows.
Example2
The following blocks are equivalent:
new[int] x.x := 0;
new[int] y.y := 0;
Q(x)(y)
and
new[int] x. x := 0;
new[int] y.y := 0;
Q(y)(x) •
where Q is a free identifier of phrasetype var[int]- (var[int]- comm).
The equivalence can be shown by a Straightforward calculation using an en-
domorphism that exchanges the two V -valued components in a world of the
form XxVxV, thus exchanging the declared variables.
Example3
Our final equivalence is subtler than the previous two; the only model known
to us which validates it is the one presented here.
The block
new[int] x.x := 1;
P(x) ,
where P is a free identifier of phrase type exp[int] - comm, is equivalent to

P(1). The idea isthat P doesn't have write access to x, so that whenever x is
evaluated as a result of the call P(x), it must produce 1.
We sketch a proof of the equivalence. Let e E [exp[intl](XxV) be
the expression meaning obtained by de-referencing the meaning of variable-
identifier x and p E [exp[int]- comm](XxV) be the denotation of P in the
body of the block. Since P is non-local, we know that p # e. Using the passivity
of exp[int] and procedure-calllaws derived from Non-lnterference Decompo-
sition (Section 1), we obtain p(idxxv) (e) # e. By Proposition 8, any application
p(idxxv )(e)(idxxv )(s) is defined and equal tos' iff p(idxxv )(e) <rYe)(s) = s',
where Ye = {s' E XxV I s[e]s'}:
I
p(idxxv) (e) (idxxv)
X X V _ __:_:.__:.:..:..:..:._.:__:.__.:__:._-=..:::..:.:...:._._ X xV
S([Y,) fs([Y,)
p(idxxv) (e) ( rYe)
Ye Ye
In particular, if s is astatein which e evaluates to 1, then Ye is the set of states
in which e evaluates to 1. In the restricted world Ye, the meaning of expression
1 is equal to e-both are (families of) functions that return 1 in any state-so
e can be replaced by 1 in the call top. The equivalence follows.
A further equivalence for local-variable declarations is discussed in the
following Section.
6 Non-Interference Abstraction
When writing a program P ( C) in which there is used an operation C that ma-
nipulates instances of an abstract type, it is often convenient to view the pro-
gram from the level of abstraction where C is considered as an indivisible
action. If R is an invariant of C and P doesn't affect R except by using C, then,
at this Ievel of abstraction, R is true throughout execution of P(C) if it is true
initially. In (Reynolds, 1981a), this is the intuitive justification for a method of
reasoning in which invariant relationships, like R, are used as "local" mathe-
matical facts when reasoning about an abstract program.
This kind of reasoning is similar to that provided by the Constancy axiom,
in that an assertion is factored out by treating it as a local mathematical fact;
however, Constancy would require a hypothesis of the form P(C) #R, which
would not be justified:
• at the level of the implementation of C, R might be false at an interme-
diate state because we only assume {R} C {R}; and
• even if C were indivisible, we would not necessarily have P(C)#R, be-
cause C is required to preserve only the truth, and not the falsity, of
R.
In this section we present a new axiom that also uses a local assumption, but
in a way that does not require it to be true at the level of concrete operations.
The new axiom is as follows.
86 Chapter 14. Semantical Analysis of Specitication Logic, 2
Non-Inter(erence Abstraction:
P#R & {R}C{R} & {Q}C{D} &
(Vt:comm. {R} & {Q}L{D} ~ {A}P(t){B})
~{R andA} P(C) {R andB}
where P: comm - comm, C: comm, and L is not free in P or in the assertions
A,B,R,D, or Q. The idea isthat if P#R, {R} C {R}, andR is true before execut-
ing P(C), then, throughout the execution of P(C), R should hold continuously
at the Ievel o( abstraction at which C is considered to be an indecomposable
action. When treating R as a mathematical fact, it is essential to confine all rea-
soning about P(C) tobe at this same level of abstraction, because R might ac-
tually be false at an intermediate state of the execution of C. Non-lnterference
Abstraction ensures that reasoning is carried out at this level by using an iden-
tifier L which, unlike C, doesn't have any "parts" to give us information about
intermediate states. Furthermore, the meaning of L is arbitrary and, for all we
know, could be that of an indivisible action because it is universally quantified.
The specification {R} is essentially a local "atomicity" assumption.
A number of examples of reasoning that can be formalized by this axiom,
or minor variations thereof, can be found in Chapter 5 of (Reynolds, 198la).
Typically, the assertion R describes an invariant relationship between the con-
crete values of a representation and the abstract values being represented,
and C is an operation that manipulates the values in a way that preserves the
invariant.
We will use a special case of the axiom to show that the following block is
equivalent to diverge:
new[int] x.
x:= 0;
p(x := x + 2);
if evenx then diverge
where p is an identifier of type comm - comm. This example is from (Meyer
and Sieber, 1988). Intuitively, the block diverges because the only access to
x that can result from the call to p must come from using the argument
x := x + 2. This argument preserves the evenness of x and x is even before
the call, so it should be even on termination. Therefore, the test in the condi-
tional will succeed (if the call to p terminates) and the blockwill diverge; if the
call does not terminate, neither will the block, and so in every case the block
diverges.
We will derive {true} C {false}, where Cis the block above. First, note that
the following scheme is a special case of Non-Interference Abstraction:
P#R & {R} C {R} ~ {R} P(C) {R}
An instance of this is
p#evenx & {evenx} x := x + 2 {evenx}
~ {evenx} p(x := x + 2) {evenx}
Using Rightside Decomposition on p#evenx and the assignment axiom, we

derive
gv(x) & p#x ~ {evenx} p(x := x + 2) {evenx}
Using the usual axioms and mathematical facts about numbers, we can then
derive
gv(x) & p # x .,. {true}
x:= 0;
p(x := x + 2);
if even x then diverge
{false}
and the desired specification follows from the Local-Variable rule.
Notice that this development would continue to go through if we were to
replace x := x + 2 with x := x + 1 ; x := x + 1, even though this latter command
does interfere with evenx. The reason is that Non-Interference Abstraction
requires only {R} C {R}, and not C#R.
The derived axiom used in this derivation is related to the principle
of "preservation of invariants" discussed in (Meyer and Sieber, 1988). It
says essentially that R is a "higher-order invariant" of P whenever P#R.
This axiom can be generalized to P's whose arguments are procedures
that accept "expression-like" parameters, but we have been unable to val-
idate further generalizations to procedures of higher-order types such as
(comm- comm) - comm.
To validate Non-Interference Abstraction, we adopt a slight refinement
of our model. Consider the modified category of worlds X' in which maps
X'
(f,R): X - Y aresuchthat
• R is a reflexive and transitive (but not necessarily symmetric) relation on
Y,and
• f e Y - Xis a function such that, for each s e Y, the restriction of
f to the set Ys = {s' E Y I s R s'} of states reachable from s via R is an
injection.
The injectivity requirement on morphisms is needed for the definition of local
variables, as in (Tennent, 1990). The definition of composition of X-morphisms
given earlier also works in X'.
The definition of command meanings needs to be modified slightly:
c( ·) e [comm]X is again a suitably uniform family of partial functions, but
the additional commutativity requirement is that, for all (f,R): X ..l!!..... Y and
s E Y,
c(f,R)(s) = c((f,R); rYs)(s),
where Ys = {s' e Y I s R s'}, so that the following diagram commutes:
c(f,R)
~y y
tsl Js([Ys)
~)
S(r {s} Ys
c((f,R); rYs)
Ys
[comm]X is ordered pointwise; i.e., c1 !;;;; c2 if and only if, for all f:X ..l!!..... Y
and s e Y, c1 (f) (s) = c2 (f) (s) whenever c1 (f) (s) is defined. All of our other
definitions and results go through as before.
The refined category allows us to define the following weak variation on

non-interference: for C:X'- D, X a world, c E C(X), andrE [assert]X,
c#r = C(Hr))(c) = c
where, for all SI, Sz E X,
SI (r}sz = r(idx )(sd = false or r(idx )(sz) = true
lntuitively, c # r means that any use of c preserves the truth, but not neces-
sarily the falsity, of r. Notice that the relation (r) is reflexive and transitive,
but not symmetric.
Let {q} c {r} be the semantical counterpart of the Hoare triple; that is, for
q, r E [assert]X and c E [comm]X, {q} c {r} if and only if, for all SI, s 2 EX,
q(idx)(sd = true and c(idx)(si) = Sz implies r(idx)(sz) = true.
Proposition 9
(a) For all worlds X, c E [comm]X, and q, d, r E [assert]X, if {r} c {r}
and {q} c {d}, there exists c' E [comm]X suchthat c !;;; c', c' # r, and
{q} c' {d}.
(b) For all worlds X, functors C:X'- D, c E C(X), andrE [assert]X,
if c # r then c # r.
(c) For all worlds X, r E [assert]X, p E [8- B']X, and c E [B]X,
ifp # r and c # r then p(idx )(c) # r.
Proof: (a) Define c' E [ comm]X by

if sRs' and c(idx)(f(s)) = f(s')
c'(f,R)(s) = { ~defined, if no such s' exists
X'
for (f,R):X Y and s E Y. The injectivity requirement on
X' -morphisms guarantees that s' in the definition is unique, if it exists.
One can easily verify that c' has the required properties.
(b) Note that [r] !;;; (r), and so l [r] = l[r]; l (r).
C(Hr))(c) C(l(r))(C(l[r])(c)) (c#r)

C(l[r]; Hr))(c) (functoriality of C)
C( l [r]) (c) (l[r] = l[r]; Hr))
c (c#r)
In fact, it is possible to prove that c # r iff c # r and c # -.r.

(c) [O'](l(r)}(p(idx)(c)}
p(! (r)) ([0] (! (r)) (c)) (uniformity for [0- 0']
p(l (r) }(c) (c # r)
[0- 0'] ( l (r)) (p) (idx) (c) (morphism part of [0- 0'])
p(idx )(c) (p # r)
I
We can now validate Non-lnterference Abstraction. Let c E [comm]X,
p E [comm- comm]X, and q,r,a,b,d E [assert]Xbe the meanings of C, P,
Q, R, A, B, and D, respectively, in an environment u E [rr]X. Suppose
p(idx)(c)(idx)(sl) = s2.
If the conditions in the antecedent of Non-lnterference Abstraction hold, then,
by Proposition 9(a), there exists c' E [comm]X suchthat
(1) p(idx)(c')(idx)(si) = s2, by monotonicity of p(idx),
(2) c' # r, and

(3) {q} c' {d}.
Assuming that
r(idx )(si) = a(idx )(si) true,
we need to show that
r(idx)(s2) = b(idx)(s2) = true.
Let Xr = {s E X I r(idx)(s) = true}. Notice that this set is equal to
{s E X I si(r)s2}, since r(idx)sl = true by assumption. Thus, given any
m E [comm]X, we can use the (revised) commutativity condition for [comm]
to get the equality
m(l(r)}sl = m(!(r); rx,)sl.
(2) and Proposition 9(b) and (c) yield p(idx) (c') # r. Using this and the just-
noted facts about X,, the equality
(4) p(idxHc')(rX,}(si) = s2
is established with the following deduction.
s2 p(idx )(c' )(idx )s1 (1)
[comm](l(r)}(p(idx)c'}(idx)sl (p(idx)c' # r)
p(idx) (c') (! (r) )s1 (morphism part of [ comm])
p(idx)(c'}(l(r); rXr}Sl (commutativity for [comm])
[comm) ( l (r)) (p(idx )c') ( rXr)Sl (morphism part of [comm])
p(idx )(c')( rXr )SI (p(idx )c' # r)
The specification {R} is true at the world Xr, i.e., for all s E Xr, r( rx,) (s)
true. Therefore, using (3), ifwe bind L to c', {R} & {Q} L {D} is true at X,; more
precisely,
[{R} & {Q} L {D}]Xr([rr](rX,}(u I L .... c')}(idx,).
Thus, using the assumption

Yt:comm. {R} & {Q}L{D} ~ {A}P(i){B},
equation (4) implies that bUXrHsz) = true, and the unifonnity condition on
[assert] yields b(idxHs2) = true. Finally, r(idx)(s2) = true follows from (4)
and the definition of Xr.
The main contribution of the work described here has been to provide a uni-
form semantic definition of Reynolds's concept of non-interference for higher-
arder imperative programming languages. This has been used to validate all
of the axioms proposed by Reynolds (except of course the unsatisfactory syn-
tactic definitions of procedural non-interference which our semantic interpre-
tation replaces), and also a new axiom formalizing a method of reasoning used
in (Reynolds, 1981a). Furthermore, the interpretation of local-variable deda-
rations in our model has been shown to validate a number of equivalences
proposed by Meyer and Sieher (1988), as well as an additional equivalence
which seems to fall in other models.
These results vindicate virtually all of Reynolds's intuitions about local-
variable declarations and non-interference, and also, we believe, provide a
decisive demonstration of the usefulness of the functor-category form of
possible-world semantics for imposing "local" constraints on semantic enti-
ties in a systematic way. Further evidence of this may be found in (O'Hearn,
1990) where the "symmetric" form of non-interference from (Reynolds, 1978)
is also treated using possible worlds.
However, we should mention that the category-theoretic credentials of
the "contra-exponentiation" (used to define covariant functors from the con-
travariant states functor) are undear at present. Also, we do not believe that
all of the principles underlying local-variable declarations have been uncov-
ered.
For example, the following variant of Example 7 from (Meyer and Sieber,
1988) fails in all models known to us:
new[int] x.
x:=O;
P(x :=X+ 1)
should be equivalent to P(skip) for any identifier P: comm- comm, because

P cannot read the value of x. A counter-example in our model is provided by
p E [comm-comm]X defined as follows: for any f:X 2.... Y, c E [comm]Y,
g: Y 2_ Z, and s E S(Z),
s,
{ undefined, ifcgs=s
Pf c9 s = otherwise;
Then
p(idx)([skip]Xu)(idx)(s) = s,
Peter W. O'Heam and Robert D. Tennent 91
whereas
p(xV)([x := x + 1](X x V)(u'))(idxxvHs,O)
is undefined, where u and u' are the appropriate non-local and local environ-
ments, respectively.
Our definition of non-interference can also be applied with continuation
semantics, as in (Tennent and Tobin, 1991). The procedural instances of
the Non-lnterference Decomposition and Variable-Declaration axioms take on
added importance in the continuation framework because commands them-
selves become higher-order objects mapping continuations to continuations.
The proofs given here for these axioms continue to go through, as they don't
depend on the interpretations of base types (such as comm). However, it
should be noted that our treatment of Non-Interference Abstraction is much
less uniform-the proof of its validity relies on the structure of [comm]-and
the status of this axiom in continuation semantics is unresolved at present.
The fixed-point induction axiom for recursive "command-like" procedures
from (Reynolds, 1982) is valid here with minor changes to the syntactical for-
mulation of admissible predicates; our interpretation of C # E is admissible
in C, but is not continuous (for truth-values ordered by true !;;;; false), and so
admissibility clauses for implication and quantification need to be adjusted.
A more difficult problern is presented by recursive "expression-like" proce-
dures. We speculate that a version of Scott's "logic for computable functions,"
(Scott, 1969, Milner, 1972, Milner et al., 1975, Statman, 1990), could be used in
the assertion language, so that assertional quantification could coexist with the
continuity properties needed for computational types. Boolean expressions
would be three-valued, whereas assertions would be properly two-valued. This
proposal seems similar to (Goerdt, 1985), but is in a richer semantical frame-
work that allows a form of side-effect-free block expression (Tennent, 1986).
It must be admitted that the functor-category form of interpretation ap-
pears somewhat remote from computational realities, and it would be desir-
able to show the "computational adequacy" of the denotational model rela-
tive to a suitable operational semantics. We believe this would be a relatively
Straightforward exercise along the lines followed for the symmetric form of
non-interference in (O'Heam, 1990). A more interesting and ambitious project
might be to develop a form of operational semantics that could be systemati-
cally derived from denotational possible-world models.
Acknowledgements
We would like to thank Prakash Panangaden, Edmund Robinson, and John Reynolds
for helpful technical discussions, Steve Brookes for his careful reading and comments
on an earlier version of this work (O'Hearn, 1990), and the referees for their comments.
References
BARRINGER, H., CHENG, ]. H., AND }ONES, C. B. (1984). A logic covering undefinedness
in program proofs. Acta Informatica, 21:251-269.
DAMM, W. AND ]OSKO, B. (1983). Asound and relatively*-complete Hoare-logic for a
language with higher-type procedures. Acta Informatica, 20:63-92.
GERMAN, S. M., CLARKE, E. M., AND liALPERN, J. Y. (1989). Reasoning about procedures
as parameters in the language 1..4. Information and Computation, 83:265-359.
GoERDT, A. (1985). A Hoare calculus for functions defined by recursion on higher
types. In (Parikh, 1985), pages 106-117.
HOARE, C. A. R. (1969). An axiomatic basis for computer programming. Comm. ACM,
12(10):576-580 and 583.
HOARE, C. A. R. (1971). Procedures and parameters: an axiomatic approach. In Sym-
posium on Semantics of Algorithmic Languages (E. Engeler, editor), volume 188 of
Lecture Notes in Mathematics, pages 102-116, Springer-Verlag, Berlin.
MEYER, A. R. AND SIEBER, K. (1988). Towards fully abstract semantics for local vari-
ables: preliininary report. In Conference Record of the Fifteenth Annual ACM Sym-
posium on Principles of Programming Languages, pages 191-203, ACM, New York.
See Chapter 7.
MILNER, R., MORRIS, L., AND NEWEY, M. (1975). A logic for computable functions with
reflexive and polymorphic types. In Proving and Improving Programs (G. Huet and
G. Kahn, editors), pages 371-394, INRIA, Rocquencourt, France.
MILNER, R. (1972). Implementation and applications of Scott's logic for computable
functions. In Proc. of an ACM Con(erence on Proving Assertions About Programs,
SIGPLAN Notices, 7(1) and SIGACT News, no. 14, pages 1-6, ACM, NewYork.
O'HEARN, P. W. (1990). The Semantics of Non-lnter(erence: A Natural Approach. Ph.D.
thesis, Queen's University, Kingston, Canada.
OLDEROG, E. (1984a). Hoare's logic for programs with procedures: what has been
achieved? In Logics of Programs 1983 (E. M. Clarke, Jr. and D. Kozen, editors),
volume 164 of Lecture Notes in Computer Science, pages 383-395, Springer-Verlag,
Berlin, 1984.
OLDEROG, E. (1984b). Correctness of programs with PASCAL-like procedures without
global variables. Theoretical Computer Science, 30:49-90.
OLEs, F. J. (1982). A Category-Theoretic Approach to the Semantics of Programming
OLES, F. J. (1985). Type algebras, functor categories and block structure. In Algebrate
Methods in Semantics (M. Nivat and J. C. Reynolds, editors), pages 543-573, Cam-
bridge University Press, Cambridge, England. See Chapter 11.
PARIKH, R., editor (1985). Logics of Programs 1985, volume 193 of Lecture Notes in
Computer Science, Springer-Verlag, Berlin.
PLOTKIN, G. D. (1980). Lambda-definability in the full type hierarchy. In To H. B. Curry:
Essays in Combinatory Logic, Lambda Calculus and Formalism U. P. Seldin and J. R.
Hindley, editors), pages 363-373, Acadeinic Press.
REYNOLDS, J. C. (1978). Syntactic control of interference. In Conference Record of
the Fifth Annual ACM Symposium on Principles of Programming Languages, pages
39-46, ACM, New York. See Chapter 10.
REYNOLDS, J. C. (1981a). The Craft of Programming. Prentice-Hall International, Lon-
don.
REYNOLDS, J. C. (1981b). The essence of ALGOL.lnAlgorithmic Languages, Proceedings
of the International Symposium on Algorithlnic Languages U. W. de Bakker and
J. C. van Vliet, editors), pages 345-372, North-Holland, Amsterdam. See Chapter 3.
REYNOLDS, J. C. (1982). IDEALIZED ALGOL and its specification logic. In Tools and Na-
tions for Program Construction (D. Neel, editor), pages 121-161, Cambridge Uni-
versity Press, Cambridge, 1982. See Chapter 6.
SCOTI, 0. S. (1969). A type-theoretical alternative to CUCH, ISWIM, ÜWHY. Privately

circulated memo, Oxford University. Published in Theoretical Computer Science,
121(1/2):411-440, 1993.
SIEBER, K. (1985). A partial correctness logic for procedures (in an ALGOL-like lan-
guage). In (Parikh, 1985), pages 320-342.
STATMAN, R. (1985). Logical relations and the typed ,\-calculus. Information and Com-
putation, 65:85-97.
STATMAN, R. (1990). Some models of Scott's theory LCF based on a notion of rate of
convergence. In Logic and Computation (W. Sieg, editor), volume 106 of Contem-
porary Mathematics, pages 263-80, American Mathematical Society, Providence,
Rhode Island.
TENNENT, R. D. AND TOBIN, J. K. (1991). Continuations in possible-world semantics.
Theoretical Computer Science, 85(2):283-303.
TENNENT, R. D. (1986). Functor-category semantics of programming languages and
logics. In Category Theory and Computer Programming (D. Pitt, S. Abramsky,
A. Poigne, and D. Rydeheard, editors), volume 240 of Leerure Notes in Computer
Science, pages 206-224, Springer-Verlag, Berlin (1986).
TENNENT, R. D. (1987). A note on undefined expression values in programming logics.
In(. Proc. Letters, 24:331-333.
TENNENT, R. D. (1990). Semantical analysis of specification logic. Information and
Computation, 85(2):135-162. See Chapter 13.
Chapter 15
Full Abstraction for the Second-Order Subset of
an ALGOL-Iike Language
Kurt Sieber
We present a denotational semantics for an ALGOL-like language, ALG,
which is fully abstract for the second-order subset. This constitutes
the first significant full-abstraction result for a block-structured lan-
guage with local variables. As all the published 'test equivalences'
[MS88, Len93, OT95] for ALGOL-like languages are contained in the
second-order subset, they can all be validated (easily) in our denotational
model.
Contents
1 lntroduction 97
2 Syntax of the Language ALG 98
3 A Cartesian Closed Category 99
4 The Denotational Model 101
5 Reasoning About Local Variables 103
6 Fuß Abstraction 104
7 Conclusion 106
References 106
1 Introduction
This paper solves a long-standing open problern concerning the semantics of
local variables. We present a denotational model for an ALGOL-like language,
ALG, which is fully abstract for the second-order subset of ALG. This means in
particular that all the problematic observational congruences for ALGOL-like
languages that have been presented in the Iiterature [MS88, Len93, OT95] can
be validated in our model. (The latter is also true for the parametric-functor
model in [OT95], but no full-abstraction result has been proved for it.)
The general technique which we use for our model construction has al-
ready been developed in [MS88], namely 'relationally structured locally com-
plete partial orders' with 'relation-preserving locally continuous functions'.
Our partiewar model differs from the one in [MS88] by having the 'finest pos-
sible relation structure', an idea which we have used in [Sie92] to construct a
fully abstract model for the second-order subset of PCF [Plo77]. The overall
structure of our full-abstraction proof is also taken from [Sie92]. The first step
is to show that, for every function fand every finite set B of arguments for f,
there is a definable function which coincides with f on B (Theorem 11). This
yields a sequence of definable functions which 'approximate' f in the sense
that they coincide with f on more and more arguments. But for proving full
First appeared in Mathematical Foundations of Computer Science, volume 841 of Leerure Notes
in Computer Science, pages 608-617, Kösice, Slovakia, August 1994. Springer-Verlag, Berlin.
Reprinted with the permission of Springer-Verlag.

98 Chapter 15. Full Abstraction for the Second-Order Subset
abstraction (Theorem 14), we must find approximations in the Scott topology;

i.e., we must show that f is the least upper bound of a sequence of definable
functions (Theorem 13). Bridging the gap between these two notions of 'ap-
proximation' turned out to be the most difficult part of our full-abstraction
proof, for which we had to develop completely new techniques (Definition 12
and Theorem 15).
Our ALGOL-like language ALG contains two unusual features, namely (a) a
parallel conditional operator on the integers and (b) the so-called snap-back
effect, which goes back to a suggestion of J. C. Reynolds: inside the bodies of
function procedures, assignments to global variables are allowed, but after
each call of a function procedure the store 'snaps back' to the contents which
it had before the call; i.e., only a temporary side effect is caused by such an
assignment.
The parallel conditional does not really play a role in our full-abstraction
proof. If we remove it from ALG, then we can use the very same techniques as
before to obtain a fully abstract model for the restricted language (cf. Conclu-
sion). This 'smaller' model allows us to reason not only about local variables
but also about sequentiality. On the other hand the parallel conditional is
needed for Conjecture 16; i.e., it may allow us to simplify our model consider-
ably.
The snap-back effect is more important than the parallel conditional: if
function procedures have either permanent side effects [WF93] or no side
effects at all [Len93], then it is not clear how to determine the above men-
tioned 'finest possible relation structure' for the construction of a fully ab-
stract model. Hence our techniques cannot be immediately transferred to the
languages in [Len93, WF93].
Finally one may wonder whether similar techniques are applicable to call-
by-value (i.e., ML-like as opposed to ALGOL-like) languages [PS93]. This is a
question that we have not yet investigated. Observations in [PS93] indicate
that additional problems might come up in the call-by-value setting, but we
hope that our main ideas will still be helpful.
2 Syntax of the Language ALG

We define the language ALG as a subset of a simply typed .\-calculus. Its types,
T, are
T ::= loc I u with u ::= (} I T-u, (} ::= iexp I cmd
The types u(* loc) are called procedure types. The order ord(T) of a typeT is
defined by
• ord(loc) = 0
• ord((}) = 1, and
• ord(T- u) = max(ord(T) + 1,ord(u)).
Elements of type iexp (='integer expresssion') and cmd (= 'command') will be
functions that have the current store as an implicit parameter; in particular pa-
rameters of type iexp will be thunks in terms of ALGOL jargon. Thus we follow
Kurt Sieber 99
the view that call by name should be the main parameter passing mechanism
for ALGOL-like languages [Rey81]. Besides that, we have parameters of type
loc (= 'location') which may be considered as reference parameters. They have
been added as a mere convenience, because we anyways need identifiers of
type loc as local variables.
The set of ALG-constants c and the type of each constant are
n: iexp for every n E 7L (numerals)
succ: iexp- iexp (successor)
pred: iexp- iexp (predecessor)
cont: loc- iexp (dereferencing)
asgn: loc - iexp - cmd (assignment)
skip: cmd (empty command)
conde: iexp-0-0-0 (conditional with zero test)
seq6 : cmd-0-0 (sequencing)
newe: (loc- 0)- 0 (new-operator)
Yu: (0"- 0")- 0" (fixed point operator)
pcond: iexp - iexp - iexp - iexp (parallel conditional with zero test)
We assume that there is an infinite set IdT of identifiers xT, yT, zT, ... for each
typeT; identifiers of type loc are called variables. Expressions M,N,P, ... are
just the well-typed .\-expressions over the ALG-constants with the restriction
that the body of a .\-abstraction must not be of type loc. A block with a local
variable x has the form new x in M and is considered as syntactic sugar for
new6 (.\x 1oc.M) where 0 is the type of M. As further syntactic sugar we use
! _, _ := _, if _ then _eise _, and _; _ instead of cont, asgn, conde and seq6 • A
program is defined to be a closed expression of type iexp.
For purely technical reasons we introduce so-called generalized expres-
sions. Let Loc be an infinite set whose elements 1 are called locations. General-
ized expressions may contain (besides the other ALG-constants) locations 1 as
constants of type loc. We use the samemetavariables M,N,P, ... for them as
for ordinary expressions. We let locns(M) denote the set of locations which
occur in M, and for every finite set L !:;;; Loc we let Expi denote the set of closed
generalized expressions with locns(M) !:;;; L.
3 A Cartesian Closed Category

Notation: By a dcpo (directed complete partial order) we mean a partial order
(D, !;;;; ) in which every directed set ß has a least upper bound U ß. lf D, E are
dcpos, then (D ..S E) denotes the set of continuous functions from D to E.
The category of dcpos and continuous functions is denoted DCPO.
In this section we define the general framework for our denotational se-
mantics. The intuition is that every element in the denotational model should
only have access to finitely many locations. Hence we would like to identify,
for every type T and every finite set L !:;;; Loc, a dcpo [ T]r of 'elements of type
T which only have access to LI and then define [ T] as the union of these dcpos
[T]r. This motivates the following definition.
Definition 1 Let (W s) be a directed set (of worlds w ).
I
(a) A W-locally complete partial order (W-lcpo) isapartial order (D1 ~) to-
gether with a family of subsets (Dw )wew such that D = Uwew Dw andl
forallvl w E W,
• V S W => Dv !;;;; Dw
• if 6 !;;;; Dw is directedl then Uv 6 exists and is contained in Dw ( hence
it is also the lub in Dw, i.e., (Dw 1 ~) is a dcpo)
(b) A function f: D- E between W-lcpos D and E is called locally continuous
if(f I Dw) E (Dw ...E... Ew) (or everyw E W.
W-lcpos and locally continuous functions form a Cartesian closed categoryl
which can be considered as a full subcategory of the functor category
(W => OCPO). But this is not yet the category that we need for our model
construction; we must still add 'relation structure to the W-lcpos.
1
Definition 2 A W-sorted (relation) signature is a (amily ~ = (~:;')wew,neN of

sets ~:;' such that, for all ml n E N and v w E W,
I
m * n => ~~ n ~:;' = 0 and v s w => ~~ 2 ~:;'

We use the abbreviations ~n = Uwew ~:;', ~w = UneN ~:;' and ~ = UneN ~n·
We introduce some shorthand notation for tuples and relations: a vector J
stands for a tuple (d1 , ••• dn) E vn where D and n are known from the con-
I I
text. A term T(d, el ... ) containing vectors Jl el ... of the same length n stands
for (T(dt. e1o ... ), ... , T<dn. en •... ) ). This notation is generalized as usual to
sets of tuplesl i.e.l relations: if Rl S are relations of the same arity nl then
T(RI SI ... ) Stands for {T(d, el ... ) I JE Rl e E SI ... }. Finallyl onD denotes the
diagonal {(dl··· ld) I d E D}!;;;; vn.
Definition 3 Let~ be a W-sorted signature.
(a) A W-~-lcpo isapair (DII), where D is a W-lcpo and I is a function that
maps every r E ~n to a relation I(r) !;;;; vn such that, for all w E W,
• r E ~w => onDw!;;;; I(r)
• I(r) n v: is closed under lubs of directed sets.
(b) A function f:D- E between W-~-lcpos W~I0 ) and (E 1 1E) is called a
~-homomorphism iff(J0 (r)) !;;;; IE(r) for all r E ~.
Theorem 4 The category W-~-LCPO of W-~-lcpos and locally continuous
~-homomorphisms is Cartesian closed. The terminal object and product are
defined worldwise, and the exponentiation (D - E) of two W-~-lcpos D and E is
given by
(D -E)w = {f:D -EI 'Vv ~ w.(f IDv) E (Dv ...E... Ev)
1\ 't/r E ~w.f(J0 (r))!;;;; JE(r)}
(D - E) = Uwew (D - E)w with the pointwise order on functions

J<D-El(r) = {(I (UD(r))!;;;; IE(r)}
Kurt Sieber 101
This is the category in which we will define our denotational model. It has
a certain similarity to the category of 'parametric functors and (parametric)
natural transformations' as defined in [OT95]. One difference is that we use
relations of arbitrary arity, and not only binary ones as in [OT95]. But-on the
one hand-the parametric-functor model can be extended to contain relations
of arbitrary arity and-on the other hand-binary relations might be sufficient
for reasoning about local variables (Conjecture 16). Thus our full-abstraction
proof may well be transferable to (an appropriate extension oO the model in
[OT95].
4 The Denotational Model

We will now use the results of Section 3 to define a denotational semantics for
ALG. Let
(W, ::5) = ('Pr(Loc), <;;;)
where 'Pr(Loc) denotes the set of allfinite sets L <;;; Loc. The main question is
how to define the W-sorted signature ~. The basic idea is the same as for PCF
in [Sie92]: in order to achieve full abstraction, we must keep the denotational
model 'as small as possible' and to this end we try to make the signature
as large as possible. For PCF this was easy to achieve. We started from a flat
ground type of integers and defined ~ tobe the set of all ground-type relations
that are preserved by the (intended) meanings of the first-order constants.
This worked out because all relations on a flat dcpo are closed under lubs
of directed sets. For ALG the Situation is more difficult, because the ground
types [iexp] and [cmd] will certainly not be flat. Thus, in order to adapt the
ideas of [Sie92] to the ALG setting, we introduce an additional semantic layer
of flat dcpos below [iexp] and [cmd], and on this new layer we define certain
auxiliary functions, which are 'closely related' to the intended meanings of the
ALG-constants.
Let ß = {loc, int, sto}, where int (='integer') and sto (= 'store') are auxiliary
symbols. We use sto ~ int and sto ~ sto as alternative notation for iexp and
cmd. For every 8 E ß we define a dcpo Dli by
D 10c = Loc (discrete dcpo) vtnr = ~.1. D 510 = Stores.L (flat dcpos)
where Stores is the set of stores s, defined by
Stores= Urew Storesr with Storesr = {s: Loc- ~I "i/l E Loc \ L.s l = 0}
The set AUX of auxiliary functions consists of Succ, Pred, Cont, Asgn, Constn
(n E 1"::1), Condli (8 * loc) and Pcond, where e.g.,
Cont: v1oc _ vsro _ vtnt Asgn: Dloc _ vtnt _ vsro _ vsro
{
.L ifs=.L {
1. if d = 1. or s = 1.
Cont 1s = s l otherwise Asgn 1d s = s[d/1] otherwise
The signature contains so-called ground relations. By a ground relation of

arity n we mean a triple R = (Rli)liet>. suchthat Rli <;;; (Dli)n for every 8 E ß.
We let GReln denote the set of all ground relations of arity n, and we say that
f: D 6I - • · · - D 6k - D 6 preserves R E GReln if f R6I • • • R6k s;; R 6. Then we

let ~ = (~~hew,neN with
~~ = {R E GReln I (.L, ... , .L) E R 5 ro, every f E AUX preserves R
and 3L' E W.L n L' = 0 1\ 8"(Loc \ L') s;; R 1oc}
Finally we associate a W-~-lcpo [ T] = (DT, JT) with each type T by

• Dfoc = L
D 1oc = Loc (as before)
1/oc(R) = Rloc
• Df0=> 6 = {f: vsto - D 6 I f preserves all R E ~L}

vst0=> 6 = Urew Dft0=> 6 with the pointwise order on functions
JSto=>6(R) = {{ E (DSC0=>6)n 1 (Rsro s;; R6} if RE ~n
• [T-a]= ([T]- [a]) as defined in Theorem 4

We use [T] also as a notation for DT; hence, [T]r stands for D[. Moreover, we
use RT as an abbreviation for JT (R).
To conclude the definition of the denotational semantics we must assign
meanings [c] to the ALG-constants c. Some interesting cases are
[cont]: [loc]- vsto- Dint
[cont] = Cont
[asgn]: [loc]- [iexp]- vsro- vsto

[asgn]l f s = Asgn l(fs)s
[seqsro=6]: [cmd]- [sto => 8]- vsro- D6

[seqsto=6]fgs =g(fs)
[newcmd]: [loc- cmd]- vsto- vsto

[newcmd]( s = Asgnl(Contl s) (fl(Asgn I Os)) with I= next(supp(f))
where next: Pr(Loc) - Loc is an arbitrary function with next(L) f/:. L for every
L E Pr(Loc) and supp(d) is defined tobe the set {LId E [T]r} for every n
d E [T]. The functions [c] are indeed contained in the model; more precisely,
Proposition 5 Jf c is a constant of type a, then [ c] E [ a] 0.
Theorem 4 and Proposition 5 allow us to define the meaning of ALG expres-

sions in the style of the simply typed .\-calculus. Thus, for every M : T, we
obtain a function [M]:Env- [T] where Envis the set of environments (=type-
preserving functions 11: UT IdT - UT [ T ]). The meaning function is extended to
generalized expressions by defining [I] = I for every I E Loc, and this leads to
Proposition 6 Let M : T be a generalized expression, Iet 11 E Env and Iet L E W
besuchthat locns(M) s;; Land 1JxT' E [T']r for all free identifiers xT' in M.
Then [M]TJ E [T]r. In particular [M] E [T]r whenever ME Expi.
Kurt Sieber 103
The latter Statement captures our intuition that a closed generalized expres-
sion has only access to those locations that explicitly occur in it, and not to
those that are temporarily bound to its local variables.
We finally remark that the particular choice of l in the clause for [newcmd]
does not play a role; i.e., instead of next(supp(f)) we can use any other loca-
tion l E Loc \ supp(f). Thus we obtain for every l E Loc \ supp([.\x.M]'1)
[newx in M]11 s
_ {([M](I1[l/x])(s[O/l]))[s lfl], if [M]('1[l/x])(s[O/l]) * .L
- .L, otherwise
This possibility to choose the new location l freely from an infinite set is an
important 'reasoning principle' which we will use in the following.
5 Reasoning About Local Variables

Notation: If A and B are sets, then (A ..!..... B) denotes the set of total functions
from A toB. If f, g E (A ..!..... B) and C !;;;; A, then f I C denotes the restriction of
f to C and f =c g stands for f I C = g I C.
In this section we will illustrate how to prove general properties of our
semantic domains (Proposition 9) as well as particular semantic equivalences
(Example 10). The following set of ground relations will be useful for both
purposes.
Definition 7 Let L E W. An n-ary ground relation R is called L-definable if
there is a relation RL !;;;; (L ..!..... Z)" such that
• Rsto = {.L}" u {.f E Stores" I (.fl L) E RL 1\ s(Loc \ L) !;;;; 8"Z}
• Rlnt = 8"Dint
• Rloc = {f E (Dioc)n 1 Cont fRsto !;;;; Rint 1\ AsgnfRint Rsto !;;;; Rsto}
Note that an L-definable ground relation is uniquely determined by Rsro or even
by RL. We let DEF~ denote the set of L-definable ground relations of arity n
and OUT~= ULEW ALnL'=e> DEF~' the set of those which are 'definable outside
L'.
Theorem 8 OUT~ !;;;; ~~-
Proposition 9 Let f E [ cmd]L, l E Loc \ L and s, SI, s2 E Stores. Then
(a) f .L = .L
(b) fs * .L ~ fs l = s l
(c) SI =L s2 ~ (fsi = .L = fs2 v (fsi,fs2 E Stores A fsi =L fs2))
Proof: Each of the three properties is proved by choosing an appropriate
RE ~Land exploiting the fact that fRsto!;;;; Rsco. For (a), we take RE DEF~ with
Rsto = {.L}; for (b), we take R E DEFfll with Rsto = {.L} u {t E Stores I t l = s l};
and for (c), we choose some L' E W with Ln L' = 0 and SI =Loc\L' s2 and take
RE DEFf with Rsto = {.L} 2 u {f E Stores 2 I ti =Loc\L' t2}. I
Example 10 [ycmd-cmdzcmd] = [newx inx := O;y(x := !x + 1;z)]

The intuition for this example is that the local variable x counts the procedure
calls of z during the computation of y z. The equivalence shows that adding
such a counter does not change the behavior of the program in which the
procedure call y z is contained, no matter how the procedures y and z are
declared.
The typical approach for proving such an equivalence between two expres-
sions is to find some R E ~ which relates corresponding states of their compu-
tations. The precise argumentation for Example 10 is as follows: Let 17 E Env
and s E Stores. Furtherlet LEW with '7 y E [cmd- cmd]r and '7 z E [cmd]f.
We may assume that the new location I is not in L. We define R E DEF~ l
by Rsto = {1.} 2 u {f E Storei I t1 =Loc\{1) t2}. Then (s,s[0/1]) E Rsto and
(17z, [x := !x + 1; Z](17[1/x])) E Rcmd, because-by part (c) of Proposition 9-
tt =Loc\!ll t2 implies 11 z t1 =Loc\{ll 11 z t2 =Loc\{1} [x :=! x + 1; z](17[1/x])t2. Thus,
we obtain
([yZ]17 s, [y(x := ! x + 1; z) Hl7[1/x])(s[O/l])) E '7 y RcmdRsto ~ RcmdRsto ~ Rsto
and this implies [yz]17 s = [newx in x := 0; y(x := ! x + 1; z) ]17 s.
6 Full Abstraction
Notation: lf u = T t - · • · - Tk- sto => 8 (k ~ 0) and f E [u], then we let fd
denote the completely decurried version of f, i.e.,
fd: [TI] X · · · X [Tk] X Dsto- D 6 with fd (dt, ... , dk, S) = fdt · · · dk S
and ü p E ([u]...!.... [u]), then we let pD denote the corresponding function on
the completely decurried versions, i.e.,
pD: [u]d - [u]d with pDfd = (pf)d
The first step towards full abstraction is
Theorem 11 Letu = T t - · · · -Tk- (} (k ~ 0) with ord(u) :s; 2. Letf E [u]r
and Iet B ~ [ T 1 ] x · · · x [Tk] x vsro be finite. Then there is some M E Expf. with
[M]d =s fd.
From Theorem 11 we can obtain a sequence of definable functions that 'ap-
proximate' f in the sense that they coincide with f on more and more argu-
ment tuples. But for a full-abstraction proof we need approximations 'from
below'.
Definition 12
(a) Let D,E be sets, F ~ (D ...!.... E) and p E (F ...!.... F); B ~ D is called a
determining set for p, if p f is uniquely determined l1y f I B; i.e., if f = B g
implies p f = p 9 for all f, 9 E F; p is called finitely determined if it has a
finite determinin9 set.
(b) Let u be a procedure type and Iet L E W; an L-FD-sequence on u is a
sequence of expressions Pn E Expf-u such that [Pn ]D I ( [u 1L )d is finitely
determined for every n E ~ and ([Pn])neN is an w-chain whose lub is the
identity on [u]; u is called an L-FD-type if an L-FD-sequence exists on u.
Kurt Sieber 105
If we can show that every procedure type of order 1 or 2 is an L-ID-type for

every L e W, then we easily obtain
Theorem 13 Let ord(a) ::!> 2 and L e W; then every f e [a]L is the lub of an
w -chain o( functions that are definable by expressions in Expf..
Proof: Let (Pn)neN be an L-FD-sequence on a and, for every n e ~. let Bn

be a finite determining set for ([Pn])D I ([a]L}d. By Theorem 11, there are
expressions Mn e Expf. with [Mn]d =Bn fd; hence [PnMn]d = [Pn]D[Mn]d =
[Pn]Dfd = ([Pn]f>d for every n e ~- This implies f = UneNlPn]f =
UneN[PnMn]. I
From Theorem 13 one obtains full abstraction with the usual argumentation
[Plo77).
Theorem 14 (Full Abstraction) Let ord(a) ::!> 3 and M1,M2 e Exp~. Then
[Md = [M2] i(f, (or every program context C[ ], [C[Md] = [C[M2]].
Wehave formulated Theorem 14 for closed expressions of order ::!> 3. Instead,
we could have used open expressions of order ::!> 2 whose only free identifiers
are of order ::!> 2; that is why we speak of 'full abstraction for the second-order
subset'.
The main challenge is of course to prove
Theorem 15 Let ord(a) ::!> 2 and L e W. Then a is an L-FD-type.
Proof Sketch: The case ord(a) = 1 is simple; we consider a = cmd. Let
PJro - if ÄieL abs(! l) ::!> n then skip eise n (e Expf"'d)
Clearly, ([P~md])neN is an w-chain (of idempotent functions) whose lub is the

identity on [cmd]. Let B = [PJr0 ]Storest and let f e [cmd]L. Bis finite, and by
Proposition 9, [P~md]f E [cmd]L is uniquely determined by its restriction to
StoresL, hence also by f I Bor even by ([PJr0 ] of) I B. The former shows that Bis
a determining set for [p~md] I [cmd]L, i.e., (P~d)neN is an L-FD-sequence, and
the latter shows that [P~d][cmd]t is finite (i.e., [cmd]t is an SFP-domain).
The case ord(a) = 2 is much more sophisticated; we only present the
L-FD-sequences (without prooO for a = cmd - cmd. The first idea which
comes to mind is to define PJ{ e Expy-u completely analogaus to p~md,
namely
PJ{ = J..yU.J..zcmd.p~d(y(P~dz)}
If the elements of [a]t were just functions from [cmd]t to [cmd]t, then
we could prove-by a similar argumentation as above-that [p~md][cmd]t x
[PJr0 ]StoresL is a (finite) determining set for [PJ[]D 1 ([a]L)d. But of course
this assumption is wrong and indeed it can be shown that [PJ[]D 1 ([a]L)d
does not have any finite determining set. Somewhat to our own surprise, a
slight modification of the expressions PJ{ suffices to solve this problem. Let
Pg = J..yU.J..zcmd.
newx inx := O;P~d(y (if !x < n then x := !x + 1;P~dz else !l))
Pg differs from Pg by using a local variable x to count the procedure calls

of y's parameter P~ z, and as soon as the number of these procedure calls
exceeds n, it enforces divergence. lt is easy to see that ([PgnneN is an w-chain
with
UneN[Pg] = [.\y. .\z.newxinx:=O;y(x:=!x+l;z)]
and, byExample 10, the right-hand side equals the identity [.\y•.\z.yz]. Hence
it 'only' remains tobe shown that the functions [Pg]n I ([u]L)d are finitely
determined. This is the hardest part of the proof; for details the reader may
consult the full version [Sie96] of the present paper. 1
7 Conclusion
Wehave already mentioned that the parallel conditional is irrelevant for our
full-abstraction proof: we obtain an analogous full-abstraction result for se-
quential ALG if we remove the function Pcond from AUX and then proceed as
before. The resulting model allows us to prove additional semantic equiva-
lences like
[y skip 0. + y 0. skip] = [y 0. 0. + y 0. 0.] (with y: cmd - cmd - iexp)
which is a variant of the famous PCF-equivalence [Plo77, Sie92]. For the proof
of this equivalence one needs a ternary relation as in [Sie92] (no binary relation
suffices), and similar examples show that even relations of arbitrary arity n
are needed. The situation for ALG itself (with pcond) seems to be different.
Although we have used relations of arbitrary arity n in our full-abstraction
proof, there is strong evidence that (even very particular) binary relations are
sufficient:
Conjecture 16 Theorem 14 remains valid, ifwe use a smaller signature! for
our model construction, namely !~ = OUT~ and !~ = 0 (n * 2).
Finally the question arises, whether our result can be generalized to types
of order ~ 3. We conjecture that neither our model nor the model in [OT95]
are fully abstract for these higher types: reasoning about local variables is
closely related to the question of .\-definability (intuitively a global procedure
acts on a local variable like a pure .\-term), and it follows from [Loa93] that-at
least over finite ground types-.\-definability for functions of order ~ 3 cannot
be characterized with the aid of (logical) relations. As all the above models are
based on relations, it seems unlikely that one of them be fully abstract for
types of order ~ 3. Hence our result seems the best one may expect in the
current state of the art.
References
[Len93] Arthur F. Lent. The category of functors from state shapes to bottomless
cpos is adequate for block structure. In Proc. ACM SIGPIAN Workshop on
State in Programming Languages, Copenhagen, Denmark, pages 101-119,
Technical report YALEU/DCS/RR-968, Department of Computer Science, Yale
University, 1993.
[Loa93] Ralph Loader. The undecidability of .\-definability. Mathematical Institute,
Oxford University, June 1993.
Kurt Sieber 107
[MS88] Albert R. Meyer and Kurt Sieber. Towards fully abstract semantics for local
variables: Preliminary report. In Proc. 15th Annual ACM Symp. on Princi-
ples o( Programming Languages, San Diego, pages 191-203, ACM, 1988. See
Chapter 7.
[OT95] Peter W. O'Hearn and Robert D. Tennent. Parametricity and local variables.
Journal ofthe ACM, 42(3):658-709, 1995. See Chapter 16.
[Plo77] Gordon D. Plotkin. LCF considered as a programming language. Theoretical
Computer Science, 5:223-256, 1977.
[PS93] Andrew M. Pitts and Ian D. B. Stark. Observable properties of higher order
functions that dynarnically create local names, or: What's new? In Andrzej M.
Borzyszkowski and Stefan Sokolowski, editors, Proc. 18th International Sym-
posium on Mathematical Foundations o( Computer Science, Lecture Notes in
Computer Science, volume 711, pages 122-141, Springer, 1993.
[Rey81] John C. Reynolds. The essence of ALGOL. In J. deBakker and van Vliet, editors,
Int'l. Symp. Algorithmic Languages, pages 345-372. North-Holland, 1981. See
Chapter 3.
[Sie92] Kurt Sieber. Reasoning about sequential functions via logical relations. In
M. P. Fourman, P. T. Johnstone, and A. M. Pitts, editors, Applications o( Cate-
gories in Computer Science, London Mathematical Society Lecture Note Series
177, pages 2 58-269. Cambridge University Press, 1992.
[Sie96] Kurt Sieber. Full abstraction for the second order subset of an ALGOL-like
language. Theoretical Computer Science, 1996. To appear.
[WF93] Stephen Weeks and Mattbias Felleisen. On the orthogonality of assignments
and procedures in ALGOL. In Proc. 20th Annual ACM Symposium on Princi-
ples of Programming Languages, Charleston, pages 57-70, ACM, 1993. See
Chapter 5.
Chapter 16
Parametricity and Local Variables
We propose that the phenomenon of local state may be understood in
terms of Strachey's concept of parametric (i.e., uniform) polymorphism.
The intuitive basis for our proposal is the following analogy: a non-local
procedure is independent of locally-declared variables in the same way
that a parametrically polymorphic function is independent of types to
which it is instantiated.
A connection between parametricity and representational abstraction
was first suggested by J. C. Reynolds. Reynolds used logical relations
to formalize this connection in languages with type variables and user-
defined types. We use relational parametricity to construct a model for
an ALGOL-like language in which interactions between local and non-local
entities satisfy certain relational criteria. Reasoning about local variables
essentially involves proving properties of polymorphic functions. The
new model supports Straightforward validations of all the test equiva-
lences that have been proposed in the literature for local-variable seman-
tics, and encompasses standard methods of reasoning about data repre-
sentations. It is not known whether our techniques yield fully abstract
semantics. A model based on partial equivalence relations on the natural
numbers is also briefly examined.
Contents
1 lntroduction 110
2 Types 116
2.1 Syntax 116
2.2 Semantics 117
2.3 Recursion 119
3 Properties of Types 120
3.1 Basic Properties 120
3.2 Expansions 122
4 Valuations 123
5 Examples of Reasoning 128
6 Algebraic Aspects of First-Order Types 131
7 Relations and Reflexive Graphs 134
8 Parametrie Functors and Natural Transformations 139
9 When Parametricity lmplies Naturality 143
10 The PER Model 148
10.1 Store Shapes 149
10.2 Realizable Functors and Natural Transformations 150
10.3 Naturality and the Groupoid Interpretation 152
11 Conclusion 156
Acknowledgements 159
References 160
Appeared in]. ACM, 42(3):658-709, May 1995. © 1995 Association for Computing Machinery,
reprinted with the permission of the ACM. A preliminary version appeared in Con{erence Record
of the Twentieth Annual ACM SIGPLAN-SIGACT Symposium on Principles o{ Programming Lan-
guages, pages 171-184, Charleston, South Carolina, 1993. ACM, New York.

110 Chapter 16. Parametricity and Local Variables
1 Introduction
One of the first things most programmers learn is how to "declare" a new
assignable local variable, arid facilities to support this have been available in
programming languages for over thirty years [Naur et al., 1963]. It might be
thought that there would by now be a satisfactory semantic interpretation for
so fundamental and apparently elementary a mechanism. But existing models
arenot completely satisfactory [Meyer and Sieber, 1988; O'Hearn and Tennent,
1992]. The problems arise when block bodies can contain calls of non-local
procedures, and the difficulty is in defining precisely the sense in which non-
local entities are "independent" of a locally-declared variable.
For example, consider the following (ALGOL 60) block [Meyer and Sieber,
1988]:
begin
integer z;
procedure inc; z := z + 1;
P(inc)
end
Although the unknown non-local procedure P can use its argument to change
the value of z, this value can never be read, and so the block should be equiva-
lent to P(skip), where skip does nothing, for every possible meaning of P. But
this equivalence falls in all previous denotational models of local variables!
The reader's reaction to this example might be that it is contrived, and that
it has no practical significance; after all, who would ever write such a program?
But consider the following slightly more complicated example:
begin
integer z;
integer procedure val; val := z;
z:= 0;
P(inc, val)
end
The local variable, the two procedure declarations, and the initialization
can be considered as constituting the concrete representation of an abstract
"counter" object. Procedure P, the "client," is passed only the capabilities
for incrementing and evaluating the counter, and cannot access the counter
representation in any other way. A more modern language would provide a
"sugared" syntax, and one could write something like
module counter(expons inc, val);
begin
integer z;
invariant z <::: 0;
z:= 0
end counter;
... counter. inc; ... counter. val . ..
but the unsugared form shows that, even without additional features, the com-
bination of local variables and procedures in ALGOL-like languages supports
a form of representational abstraction, which is one of the main themes of
modern programming methodology. (In fact, the same example is used in the
Appendix of [Reynolds, 1978) to make the same point.) See [Reynolds, 1981b;
Tennent, 1991) for discussion of ALGOL-like languages, and [Reynolds, 1975;
Cook, 1991) for camparisans of linguistic approaches to representational ab-
straction.
To a certain extent, the relevance of representational abstraction to the
semantics of local variables has already been exploited. The models described
in [Meyer and Sieber, 1988; O'Heam and Tennent, 1993b) support validation of
invariance principles often used for reasoning about data representations, as
in [Haare, 1972). For example, these models validate the following equivalence:
begin
integer z;
diverge
z := 0;
P(inc, val);
ü z ~ 0 then diverge
end
where diverge is a statement whose execution (in any state) never terminates.
Because P can be any procedure (of the appropriate type), the equivalence
demonstrates that z ~ 0 is an invariant of the counter representation; i.e.,
z ~ 0 is true before and after every call of inc from P.
But there is more to representational abstraction than preservation of this
kind of representation invariant. Consider the following block, which uses a
"non-standard" representation of a counter:
begin
integer z;
procedure inc; z := z- 1;
integer procedure val; val := -z;
z := 0;
P(inc, val)
end
This block should be equivalent to the block that uses the "standard" repre-
sentation. The equivalence illustrates the principle of representation indepen-
dence: one concrete representation of a data abstraction should be replaceable
by another, provided the relevant abstract properties are preserved; see, for
example, [Mitchell, 1986). It is clearly important to be able to validate changes
of representation; but existing semantic models of local variables almost al-
ways fall on such equivalences!
This failure is especially surprising because standard informal methods
for demonstrating correctness of data representations [Haare, 1972)[Reynolds,
1981a, Chapter 5) can easily be adapted to proving such equivalences. For our
example, consider the relation R between states for the two implementations
such that, if z 0 and Zt are the values of the variable z in the standard and non-
standard implementations, respectively, R holds if and only if -z1 = z0 ~ 0
and all other variables have the same values. 1t can be shown that
• R is initially established by executing the two initializations (with iden-
tical non-local states);
• executions of (the two implementations of) inc preserve R; and
• evaluations of (the two implementations of) val in R-related states yield
the same result.
The conclusion is that R holds after execution of the calls toP, and so the
blocks have been "proved" to have equivalent effects on non-local variables.
But, although there is no reason to think these methods are invalid, they have
never been rigorously verified for a language with local-variable declarations!
This discussion of data abstraction motivates our link with the concept of
parametricity, introduced by Strachey [1967] in the following remarks:
There seem tobe two main classes [of polymorphism], which can be
called ad hoc polymorphism and parametric polymorphism.
In ad hoc polymorphism there is no single systematic way of deter-
mining the type of the result from the type of the arguments. There may
be several rules of limited extent which reduce the number of cases, but
these are themselves ad hoc both in scope and content. All the ordinary
arithmetic Operators and functions come into this category. It seems,
moreover, that the automatic insertion of transfer functions by the com-
piling system is limited to this dass.
Parametrie polymorphism is more regular and may be illustrated by
an example. Suppose f is a function whose argument is of type or and
whose result is of type ß (so that the type of f might be written or -. ß),
and that L is a list whose elements are all of type or (so that the type of
L is or list). We can imagine a function, say Map, which applies f in turn
to each member of L and makes a list of the results. Thus Map[f, L] will
produce a ßlist. We would like Map to work on all types of list provided
f was a suitable function, so that Map would have to be polymorphic.
However its polymorphism is of a particularly simple parametric type
which could be written
(or ". ß, oclist) ". ßlist
where oc and ß stand for any types.
Although a complete understanding of the ramifications of this notion of
parametricity is not yet available (cf., [Freyd et al., 1992b; Plotkin and Abadi,
1993)), Reynolds [1974, 1983] has emphasized the close relationship with rep-
resentational abstraction. The idea is that a parametric polymorphic function
must work in a way that is independent of the types to which it is instanti-
ated. For instance, (in the absence of recursion) the only parametric elements
of type Voc. oc - oc- oc are the two functions with two arguments that return
either the first argument or the second argument, respectively. On the other
band, a function that would return its first argument when instantiated to a
function on integers, and its second otherwise, is not parametric because it
works differently at different types. Intuitively, a parametric function cannot
make use of knowledge about the types to which it is instantiated, which is to

say that type variables are treated "abstractly."
We propose that the independence of non-local entities and local variables
is in essence similar to the sense in which a parametric function is independent
of the specific types to which it is instantiated. Stated in terms of abstraction,
the principle that a non-local procedure cannot access a local variable (except
through using arguments that access the variable) is analogous to the principle
that the representation of an abstract type cannot be directly accessed by pro-
grams that use it (except through the provided operations of the type). We will
define a semantics for an ALGOL-like language in which non-local procedures
are modeled as parametric functions that can be instantiated with pieces of
local state. The independence of the procedure itself from a local variable will
then be explained in terms of the independence of a polymorphic function
from type arguments, which here play the role of local state.
The approach to representational abstraction that we will follow is based
on the work of Reynolds [1983), where the technique of "logical" relations
[Plotkin, 1980; Mitchell, 1990) was used to give a rigorous formulation of ab-
straction that is appropriate for functional languages with higher-order and
polymorphic procedures and programmer-defined types. We can illustrate the
representation-independence property provable using logical relations as fol-
lows. Suppose
• e is a type expression with (say) one free type variable, and rr is a typing
context, i.e., a finite list of types over the same type variable;
• Wo and W1 are sets, regarded as alternative "representations" of the type
variable;
• [ fJ]Wo is the set of meanings of typee when Wo is assigned as the mean-
ing of the type variable, and similarly for [fJ]W1;
• [rr]Wo is the set of rr-compatible environments when Wo is assigned as
the meaning of the type variable, and similarly for [rr]W1;
• R ~ Wo x W1 is any relation on Wo and w~. regarded as relating repre-
sentations of abstract values;
• [fJ]R ~ [fJ]Wo x [fJ]W1 is the relation on fJ-meanings "logically" induced
by R, and similarly for [rr]R ~ [rr]Wo x [rr]W1;
• P is any phrase of type e in context rr;
• [P]Wo is a function which is the meaning of P when Wo is assigned as
the meaning of the type variable, and similarly for [P]W1.
Then it can be proved that ([P]Wo, [P]WI) is a relation-preserving pair of func-
tions; i.e., for all uo E [rr]Wo and u1 E [rr]W1,
if uo[[rr]R]ul then [P]Wouo [[fJ]R] [P]W1u1.
lntuitively, this says that relations between different representations of a type
variable are respected by programs that use it. We will refer to this kind of
uniformity as relational parametricity, after [Strachey, 1967] and [Reynolds,

1983], and portray it diagrammatically as follows:
I I
[rr]Wo --=-[P.....::]:......W.-"-
0 -+- [O]Wo
[rr ]R (8]R
[rr]Wt [P]Wt [O]Wt
Notice that double-headed arrows - - - are used here for (binary) relations,
and that this is not a conventional commutative diagram.
The connection between logical relations and polymorphic functions em-
phasized by Reynolds is that if the above relation-preservation property is to
hold in a polymorphic language, then values of V-types must be constrained
so as to satisfy similar relation-preservation conditions. 1n our model for local
variables, function typeswill themselves have a polymorphic flavour, and will
be constrained by such a parametricity condition.
Relational parametricity is commonly thought to prescribe necessary prop-
erlies that parametric functions must satisfy. What is less dear is whether,
particularly in the binary-relation form, it is sufficient to characterize the in-
tuitive concept. Another appealing approach to parametricity, possessing
a fairly coherent conceptual basis, uses partial equivalence relations (PERs);
e.g., [Longo and Moggi, 1991]. 1n the PER approach, polymorphic types are
interpreted as infinitary intersections, so that a (realizer for a) polymorphic
function is an untyped meaning that is type-correct for all instantiations of a
type variable. This captures, to a certain (not completely understood) degree,
the intuition that a polymorphic function is given by a uniform algorithm. On
the other hand, the relational approach captures, to a certain (not completely
understood) degree, intuitions about representation independence.
The larger part of our effort in this paper will be directed toward examin-
ing the relational approach of Reynolds. The semantic model we define will
represent quite directly the informal reasoning about local variables and data
abstraction alluded to above. However, we will also briefly outline how PERs
can be used to treat variable declarations. A comparison of the two models
will be given in Section 11.
Our method of incorporating parametricity builds on the functor-category
approach to local variables pioneered by Reynolds [1981b] and Oles [1982,
1985]. 1n the remainder of this lntroduction, we will briefly review the basic
elements of this approach, and indicate how relational parametricity will enter
the picture. (The expository article (O'Hearn and Tennent, 1992] and textbook
[Tennent, 1991] contain introductions to this approach.)
The key insight of the Reynolds-Oles work is that, in a language with local-
variable declarations, the concept of state is not constant-represented by a
single set of states-but rather varies as storage variables are allocated and
de-allocated. That is, there are different possible sets of states depending on
the "shape" of the run-time stack; i.e., the nurober and type of variables that
have been allocated.
To account for this, the semantics is parameterized by abstract "store

shapes," effectively building the variance in the concept of state into the
semantics in a way that logically precedes any assignment of meanings to
phrases. In general, the meaning of a type is not a single domain, but a whole
family of domains. For example, the type of commands is often interpreted
as S - S .1, where S is a set of states. But in a language with variable dec-
larations S itself varies, and so there is a domain X - X.1 for each possible
set X of states. In particular, a local-variable declaration changes the set of
states from X to X x Y, where Y is the set of values the new variable may
hold; the Y -valued component of each element of X x Y represents the new
variable. Similarly, if the the domain of command meanings prior to a variable
declaration is X - x.L. then, after declaration, it becomes X X y - (X X Y).L.
The semantic set-up can be elegantly described using basic concepts of
category theory. The variance in the concept of state is modeled using a cate-
gory of "possible worlds." Each possible world determines the set of storage
states needed to represent the values of currently available variables, and a
morphism of worlds "expands" the current state by allocating space for addi-
tionalstoragevariables (the Y-valued component above). This variance in the
concept of state induces a similar variance into types, which is represented by
interpreting types as functors from the category of possible worlds to a cate-
gory of domains and continuous functions. Phrases are interpreted as natural
transformations of these functors. The naturality condition on the meaning of
any phrase P is portrayed by the following commutative diagram:
[P]Wo
Wo [ TT] Wo --=---='----"--- [ 8] Wo
rj [ rr lfj j[9]f
[ TT ]W1 1 - - [ 8] W1
--=-[P-::]:-W-
where f: Wo- W1 is a morphism of possible worlds, and [ 8] and [ rr] are type
and environment functors.
Notice that, in many respects, this is similar to the relational-parametricity
picture discussed earlier. Parameterization by possible worlds is roughly anal-
ogous to abstraction on a type variable. In fact, if we think of the possible
worlds as certain kinds of types, then [P] is a family of functions indexed
by these types and so is, in a certain sense, polymorphic. It is therefore cer-
tainly conceivable to require a family of this form to satisfy a parametricity
constraint.
This analogy between possible worlds and type variables suggests how
relational parametricity can be incorporated. We consider binary relations
between worlds, regarded as relating different "representations" of the store
shape, and the semantics of types is then arranged so that each such relation
induces a relation between the meanings of a type at different store shapes.
The meanings of terms are then families of maps satisfying a relational-
parametricity constraint.
The naturality requirements of Reynolds and Oles will not be abandoned.
However, to make the presentation more accessible, we will begin with a
116 Chapter 16. Parametridty and Local Variables
"category-free" description of our model. The naturality conditions are im-

plicit in this presentation, but willlater be shown to be implied by relational
parametridty.
This category-free description has the advantage of being quite simple, and
it also puts the role of parametricity clearly on display. But a consideration
of relevant category-theoretic issues is crucial for a deeper understanding of
the model. The category-free presentation appears very ad hoc in some re-
spects; a fully satisfactory justification for some of the definitions will come
from categorical considerations. Further, while we will show that in certain
circumstances naturality is implied by relational parametricity, it must be em-
phasized that, in general, these are different kinds of uniformity, with neither
being stronger than the other. It will be seen, in fact, that the connection
between these two concepts is somewhat delicate. (In Section 9, we show an
example where "parametridty implies naturality" is not stable under Currying
isomorphisms; this, for us, came as a surprise.)
To study this combination of relational parametricity and naturality, we
will define a suitable cartesian closed category of "relation-preserving" func-
tors and natural transformations. The key technical notion underlying this
construction is that of a reflexive graph, which is essentially an arbitrary cat-
egory equipped with assignments of (abstract) "relations" to its objects and
morphisms. This will be taken up in Sections 7-9. The earlier parts of the
paper are devoted to the category-free presentation of the model.
2 Types
2.1 Syntax
Our language is an ALGOL-like language in the sense of [Reynolds, 198lb].
The language does not include jumps or subtypes, but it raises the key issues
related to variable allocation. The types are as follows:
ö ::= int I booll · · · (data types)
ß ::= comm I exp[ö] I var[ö] (primitive phrase types)
o ::= ß I ö- ß (phrase types)
Data types are the types of values that can be stored, while phrase types
consist of meanings that can be denoted by identifiers and, more generally,
program phrases, but that cannot be stored. This distinction allows variable
declarations to obey a stack discipline.
Comm is the type of commands. Executing a command causes a state
change, but does not return a value. Var[ö] is the type of storagevariables that
accept ö-typed values. Exp[ö] is the type of expressions that return values of
type ö. Expressionsare "read only," in that they are state dependent but do
not cause side effects. So all state changes are concentrated in the type comm.
In particular, procedures use by-name parameters and can only change the
state indirectly, when used within a phrase of type comm.
In procedure types, Öis a non-empty vector of phrase types. This "uncur-
ried" formulation of the syntax of procedure types is not essential, but is most
amenable to a category-free description of the model.
2.2 Semanlies
We will regard a binary relation R as a triple (Wo, W1, S) where Wo and W1 are
sets (the domains of R) and S s;; Wo x W1 (the graph of R). Although we will
work exclusively with binary relations, our definitions (though not all of our
notation) generalize straightforwardly to n-ary relations for any n. We will use
Wo
the notations R: Wo - W1 and R 1to mean that R is a binary relation with

w1
domains Wo and Wt. and wo[R]wl to mean (wo, w1) E graphR.
If W is any set,
• ~w: W - W is the diagonal relation on W; i.e., w[~w ]w' = w = w'.
We use W - X and W x X for the function space and product of sets. If Wo,
Wt. Xo, and X1 are sets and R: Wo - W1 and S: Xo ...... X1,
• R X S: Wo X Xo - - wl X xl is defined by (Wo,Xo)[R X S](wl,Xt) =

wo[R]wl and xo[S]xl;
• R - S: Wo - Xo ...- W1 - X1 is defined by fo[R- Slf1 for all =

wo E Wo, w1 E Wt. if wo[R]wl then fo(wo)[S]ft(wt). We often use the
diagrammatic notation
fo
Wo~Xo
R!w1-r;-x1!s
to indicate that fo[R - S]fi· Notice that this notation makes the do-
mains of the relations, and the domains and codomains of the functions,
evident.
The collection ~ of "store shapes" is a set of sets that includes desired
data types, such as 2 = {true,false} and Z = { ... ,-2,-1,0,1,2, ... }, and all
finite (set) products of these. We won't be more specific about ~. except to
emphasize that it must be a small collection. Foreach data type ö, we assume
a set [ö] in~. with [int] = Z and [bool] = 2.
Following [Reynolds, 1983], we define a "twin" semantics of phrase types,
where each (} determines two functions
[0]: ~-Sets
[0]: rel(~) - rel(Sets).

Here, Sets stands for the dass of sets, rel(Sets) for the dass of binary rela-
tions between sets, and rel(~) for the set of binary relations between store
shapes. The relational component of the semantics will be used to enforce
parametricity constraints.
The interpretation of the command type is as follows:

• for every store shape W in ~~
[comm]W = W- W ; and
• for every R: Wo - W1 in rel(~)~
[comm]R = R - R.
For expressions:
[exp[«5]]W = W- [«5] ;and
• for every relation R: Wo - W1 in rel(~)~
(exp[«51]R = R - .:::\[61·
For variables:
[var[«51]W = ([«5]- [comm]W) x [exp[«5]]W ; and
• for every relation R: Wo - W1 in rel(~)~
[var[«51]R = (.:\l6l- [comm]R) x [exp[o]]R .
The two components of a variable allow forl respectively updating and ac-
1
cessing its contents. This "object-oriented" approach to variables is from

[Reynoldsl 198lb).
For vectors Ö= lh1 ... I On:
• for every store shape W in~~ [Ö]W = [OdW x · · · x [O]W; and
• for every R: Wo- W1 in rel(~)~ [Ö]R = [lJdR x · · · x [O]R
Officiallyl meanings for types [ 0] and vectors [ Ö] are defined by a simultane-
ous induction.
For procedure types one might expect to use a pointwise definitionl where
[Ö- ß]W = [Ö]W- [ß]WI and similarly for the relation part. Howeverl a
pointwise definition is not appropriate in the present context. The reason is
that we think of the sets in ~ as "store shapes which can grow between the
1"
point of definition of a procedure and the point of call. For example if the 1
store shape is W when a procedure identifier P is bound and P is called after

1
an integer variable is declaredl then the shape of the stack for the call will be
wxz~notW.
binding of P · · · begin integer x; · · · P ( · · · x · · ·) · · · end

Thus a procedure meaning at store shape W must be applicable at an ex-
1
panded shape W x X I where X corresponds to additional variables that have

been allocated. This is accounted for in [Reynoldsl 198lb; Oles 1982) by defin-
1
ing a procedure meaning to be a family of functionsl indexed by extra compo-

nents X representing pieces of local state that can be added to the stack. We
will follow the same route herel except that these families of functions will be
subject to parametricity conditions.
A procedure type Ö- ß is interpreted as follows.
• For every store shape W in ~.

[Ö-ß]W = VX.[Ö](WxX)-[ß](WxX);
that is, p E [Ö- ß]W is a family of functions
p[-]: [Ö](W X - ) - [ß](W X-)
indexed by store shapes X, satisfying the following parametricity con-
straint: for all relations R: Xo - X1 between Store shapes,
[ Ö] (W x Xo) --'p'-[_X-'-o]'---+- [ß] (W x Xo)
[Ö](6w X R) 1 1 [ß](6w X R)
[Ö](W X X1) [ß](W X XI)

p[Xd
Function p[X] models the behaviour of the procedure instantiated at
the "expanded" store shape W x X.
• For everyrelationR:X0 -X1 inrel(~). p[[Ö-ß]R]q iff, for allrelations
S: Yo- Y1 in rel(~).
- Po[Yo]
[6 ](Xo X Yo) ---=----::...:.......:..:;___.. [ß](Xo X Yo)
[Ö](R X S) 1 1[ß](R X S)
[Ö](Xl X YI) [ß](Xl X YI)

PI[Yd
Notice how the relational and domain-theoretic semantics become inter-
twined at this point. This is motivated by the use of a relational condition to
constrain values of V types in [Reynolds, 1983]. The identity relation 6w plays
the same role as the identity relations there. (Of course, the foundational diffi-
culties described in [Reynolds, 1983; Reynolds and Plotkin, 1993] do not arise
here, because the source collection ~. over which indexing is done, is small.)
2.3 Recursion
The presentation thus far is for a recursion-free dialect of ALGOL. Recursion
can be dealt with by using domains in place of sets, as follows. (We still use
sets, or discretely-ordered predomains, for the store shapes.)
If D and E are partially ordered sets and R: D - E (i.e., R is a relation on
the underlying sets),
• R.1:D.1- E.1 is defined by d[R.1Je ~ d = e = .L or d[R]e, where D.1
is obtained from D by adding a new least element .L.
If D and E are directed-complete partially-ordered sets then a relation
R:D .......... Eis
• complete, if its graph is a directed-complete subset of the pointwise-
ordered product of the domains of the relation; and
• pointed, if D and E are pointed and R relates their least elements.
The semantics can then be defined by mapping store shapes to domains,

and relations on store shapes to pointed complete relations on domains. For
the command type:
• for every store shape W in ~.
[comm]W w-w.L; and
• for every R: Wo - W1 in rel(~).

[comm]R = R - R.L.
Here, the - acts on (pre)domains as the continuous-function space construc-

tor, and on complete relations by producing the evident complete relation on
the function spaces. The definitions of the other base types can be modified in
a similar fashion, and procedure types are exactly as before, but with the -
in the definition understood as constructing the continuous-function space,
and the families p[-] ordered component-wise.
The restriction to complete relations is standard. It is needed for the fixed-
point operator to satisfy the appropriate parametricity constraints, and also
for domain-theoretic structure to be respected when using parametricity to
constrain procedure types. As the consideration of recursion would add little
to our discussion of locality, we will for simplicity concentrate on the set-
theoretic semantics in the remainder of the paper.
3 Properlies of Types
3.1 Basic Properties
We now turn to some basii:: properties satisfied by this semantics. Theseare
all essentially consequences of the polymorphic view of phrase types sketched
in the previous section.
First, as in [Reynolds, 1983], each [8] preserves identity relations.
Lemma 1 (Identity Extension) For each phrase type 8 and store shape W,
[O]~w = ~l91W·
Proof: By induction on types. For base types this is immediate.

We will consider the function type in some detail to indicate how the proofs
go. For 6- ß, if p E [B- ß]W then, by definition, p[[B- ß]~w]P iff, for
all R:Xo- X1o
[B](W x Xo) --=-p-=-[X.....:o..:...]- [ß](W x Xo)
[B](~w x R) 1 1[ß](~w x R)
[B](W X XI) [ß](W X XI)

p[Xd
As this is none other than the parametricity constraint on procedure mean-
ings, we may conclude that [B- ß]~w contains the diagonal.
Conversely, if p[[Ö- ß]Llw ]q then, for R: Xo- X1.
[B](W x Xo) _ _.:p_.:['-X..:....:o]'--..... [ß](W x Xo)
[O](Llw X R) 1 1[ß](Llw x R)
[B](W X Xr) [ß](W X Xr)

q[Xd
In particul~, taking R as a diagonal Llx and applying the induction h)j>othesis
(both for 8 and for ß) gives that p[X]a = q[X]a for all X and a E [8 ]X, and
so p = q. (We are using the fact that the identity property can be seen to hold
for [ §] whenever it holds for each element of the vector.) I
A further related property, emphasized in [Freyd et al., 1992b), is that
each [8] is functorial on isomorphisms. We say that a relation in rel(~) (re-
spectively, rel(Sets)) is an isomorphism iff it is the graph of a bijection. (In
a domain-theoretic model, we would consider continuous isomorphisms, i.e.,
continuous, order-reflecting bijections.)
It will be well, for future reference, to have an explicit description of func-
tional isomorphisms induced by bijections between store shapes (even though
these isomorphisms could alternatively be read off from the semantics of
types, using a relational isomorphism). If f: W - X is a bijection between
store shapes then the isomorphism fe: [8]W- [8]X is defined as follows.
fcomm = r-l - f
{exp[Ö] p - l - id[ö]
fvar[Ö] (id[ö] -+ fcomm) X {exp[ö]
fe-ß = .\pAY. (f- 1 X Y) 0 ; p[Y) ; (f X Y)p

Hereweare using the action of exponentiation- and product x (in the cat-
egory of sets) on morphisms, and id is an identity. In the last equation, the
right-hand side denotes the function that takes p E [Ö- ß]W and a store
shape Y to the bottom of the following diagram
[B](X X Y) p[Y) [ß](X X Y)
<f- 1 x nef 1<f x Y)p
[O](X X Y) - -...... [ß](X X Y)

where fe for vectors is defined in the obvious component-wise way.
Lemma 2 (Isomorphism Functoriality) Each [0] is functorial on isomor-

phisms. That is, for all isomorphisms R: W- X in rel(~).
1. i(R is an isomorphism then so is the induced relation [8]R, and
2. if R: X- Y and S: Y - W are isomorphisms, then [ 8]R; [ O]S = [ 8] (R ;S)
where semicolon is relational composition.
(Preservation o( identities is the identity extension Iemma.) Furthermore, if

f: W - X is a bijection between store shapes and Rr: W - X is the relation
with the same graph as f then the relation [ 9]Rr and the (unction fe have the
samegraph.
Proof: First, showing that fe is iso follows by a Straightforward argument,
where the function type case is much as in the proof of the identity extension
lemma. Second, that [9]Rf and the function fe have the same graph can be
shown by induction on types, where the function-type case follows immedi-
ately from the induction hypothesis. It is then not difficult to show that ( · )e
preserves identities and composites, when applied to bijections. I
Of course, relational composition is not preserved for all relations.
In the following, much use will be made of the canonical unity and as-
sociativity isomorphisms between store shapes. (Here, 1 is a singleton store
shape.)
unl: W x 1 - W unr: W- W x 1
assl: W X (X X Y) - (W X X) X Y
assr: (W X X) X Y - W X (X X Y).
These isomorphisms satisfy a special parametricity property.
Lemma 3 (Canonical-Isomorphism Parametridty) I( R;: X; - Y; are relations
between store shapes, (or i = 1, 2, 3, then, (or all types 9,
unl[[9](Rt x ßt)- [9]Rt]unl unr[[9]Rt- [9](Rt x ßt)]unr
assl([9](Rt x (R2 XR3)}- [9]((Rt xR2) XR3}]assl
assr([9]((Rt XR2) XR3}- [9](Rt X (R2 XR3)}]assr
Proof: A routine induction on 9. I
Notlee that the notation for these canonical isomorphisms does not make the
domains and codomains explicit. Perhaps we could write, e.g., asslx1 x 2 x 3 e;
however, no ambiguity will arise as the relevant information will always be
clear from context.
3.2 Expansions
There is further structure in the semantics that derives from the conception of
elements of I: as representing "shapes" of the run-time stack. Specifically, the
expansion of store shapes caused by variable declarations is accompanied by
mappings that convert semantic entities at a shape W to any expanded shape
WxX.
If W and X are store shapes, for each type 9 we define a function
expand8 (W,X): [9]W- [9](W x X)
This goes by induction on types.
expandcomm<W,X) c (w,x) = (cw ,x)
expandexpc 61 (W,X) e (w,x) = ew
expandvar[5J(W,X) = (id[c51- expandcomm<W,X))

x expandexp[c5J(W,X)
expandö-ß(W,X) p Y = assrö; p[X x Y]; asslß
This treatment of expand maps would surely benefit from a dose of category
theory. For now we will push on and complete the concrete description of the
model,leaving the tidying up of categorical matters to Sections 7-9.
There is a special uniformity property that the expansion functions satisfy.
It states that expansions preserve relations on non-local states, and also pro-
duce meanings at expanded shapes that satisfy all relations on the local part
of a store shape.
Lemma 4 (Expansion Parametridty) If R: Wo - W1 and S: Xo - X1, then
expand8 (Wo,Xo)
[9]Wo _........:..._....::....;._.:..:.........:...-[9](Wo x Xo)
[9]Rl 1[9](RxS)
[9]WI expande(WI.Xd [9](Wl x X1)

Proof: By induction on 9. Basetypesare immediate. We will indicate the proof
for the function type.
Suppose Po[[Ö- ß]R]PI· For any S: Yo- Y1, the definition of [Ö- ß]R
implies
Po[Xo X YoJ[[Ö](R X (S X Q))- [ß](R X (S X Q)) ]P1[X1 X YI].
By the Canonical-lsomorphism Parametricity Lemma we get that

assr; Po[Xo x Yo]; assl
is ([Ö]((R X S) X Q)- [ß]((R X S) X Q) )-related to
assr; P1 [X1 x Yd; assl
and, by the definition of expand, this is just what we wanted to show. I
4 Valuations
Whereas the category-free semantics of types is quite simple, the semantic
equations for terms will turn out to be comparatively complex. This is a pre-
sentation trade-off: the valuations in the categorical semantics given later are
much simpler, but require a more sophisticated interpretation of types.
A type assignment rr is a finite function from (an unspecified set of) iden-
tifiers to phrase types. Some typing rules are in Table 1. The rules are in a nat-
ural deduction format. The rules for abstraction and application are for the
uncurried syntax of types. The pairing construct uses the "object-oriented"
approach to variables. We write write rr 1- M : 9 to indicate that M : 9 is
derivable from (undischarged) assumptions rr.
The example blocks in the Introduction can easily be desugared into this
language. A block begin öx; C end is rendered as new5 (.\x:var[ö).C). We
will arrange matters so new always assigns an initial value to the variable
[x: 6]
skip:comm
M:Ö-ß M:6,Ö-ß N:6

.\x:6.M: 6,9- ß (MN): 0-ß
V: var[ö] V: var[ö] E: exp[ö]
derefV: exp[ö] V:=E:comm
A: exp[ö] - comm E: exp[ö) B : exp[bool] M : 6 N : 6

(A,E) : var[ö] ifBthenMelseN: 6
C1 :comm C2:comm C: comm E: exp[ö]

C1;C2:comm doc5 CresultE: exp[ö)
newc5 : (var[ö] - comm) - comm
Table 1: Typing Rules
created. Of course, we could alternatively Iet the programmer supply this

value, in which case the type of newc5 would be
(exp[ö], (var[ö] - comm)) - comm.
If rr is a type assignment then the rr-compatible environments, and rela-
tions between them, are as follows.
• for each store shape W, [rr]W = Il"edom(rr)[rr(x)]W; and
• for each relation R: Wo - W1 between store shapes,
uo[[rr]R]ul = Vx E dom (rr). uo(x)[[rr(x)]R]ul (x).
The meaning function associated with a judgement 1T 1- p : e- ß will be a

family of functions [P]rr<B-Il>W:[rr]W- [Ö]W- [ß]W indexed by store
e
shapes w. ln the case of base types ß, we will simply omit the argument and
have [P]rrßW: [rr]W- [ß]W. (The functionality of these valuations derives
from categorical considerations on the model.)
We begin with identifiers. If rr 1- x : ß then the valuation is, as usual:
[x]Wu = u(x). ln the case of function types rr 1- x: 0--+ ß, given d E [O]W
we must produce [x]Wu d E [ß]W. We can apply the meaning of x at the store
shape 1 to obtain a function u(x)[1]: [6](W x 1)- [ß](W x 1), and then we
can apply unity isomorphisms to get a function of type [6](W)- [ß](W). So
we define [x]Wu = uni; u(x)[1]; unr.
Readers familiar with functor categories will notice that this valuation
for identifiers is similar to what one obtains by uncurrying a projection
[.\x:O.M] Wud,d [M]W(u I x- d)d
[derefV]Wu snd([V]Wu)
[V:= E]Wuw fst([V]Wu) ([E]Wuw)
[skip]Wus s
[(P,E)]Wus (.\v .\w. [P]Wu(.\s. v)w, [E]Wu}
[C2]Wu ([CdWus)
[do.s CresultE]W us [E]Wu ([C]Wus)
[ift BthenM elseN]Wus { [M]Wus, if [B]Wus = true

[N]Wus, if [B]Wus = false
Table 2: Valuations
A x (B ~ C) - (B ~ C), where B ~ C is the functor exponent. ln general, all

of the valuations in the category-free semantics are obtained by uncurrying
maps in the more standard category-theoretic presentation.
Most of the valuations for the language are in Table 2. ln each equation
u is an environment in [rr]W for the appropriate rr and store shape W, and
d E [ Ö] is an appropriately typed vector of arguments. It is understood that
this vector is omitted when the term in question is of base type. In the equa-
tion for if, t is either comm or of the form exp[ö]. The conditional extends
to other types in the usual inductive fashion. The rules for abstraction and
application are for the uncurried form of types.
We will not give denotations, or syntax rules, for ordinary arith-
metic and logical operations. These can be defined by lifting a function
f: [öd x · · · x [Ön]- [ö] to an interpretation for a combinator of type
exp[öd x · · · x exp[Ön]- exp[ö] in the evident fashion.
The block expression do C result E warrants some explanation; it returns
the value of expression E in the state that results after executing C. For exam-
ple,in
x := 2; y := (dox := 1resultderef x)
the final value of y is 1 whereas the final value of x is 2. Reynolds calls this
"snapback semantics," because the state change caused by x := 1 is temporary:
the state snaps back to its initial value on termination of the expression eval-
uation. There is a problern with snapback semantics: it violates what is often
called the "single-threaded" nature of state in imperative languages [Schmidt,
1985]. lntuitively, if a state change occurs, the old state is no Ionger available,
so there is no way to backtrack to an earlier state. We will discuss this issue

further in the Conclusion.
We now turn our attention to the key cases of new and application.
For store shape W, p E [var[ö]- comm]W and state w E W,
[new,dWupw = fst(p[[ö]](a,e) (w,8)}
where 8 E [ö] is a standard initial value of new variables of type ö, and
(a, e) E [var](W x [ö]) is the new variable, defined as follows: e(w, x} = x
and a(y}(w,x} = (w,y). The "acceptor" a overwrites the [ö]-valued com-
ponent of the state. The intuition behind this definition is that procedure p
is executed in an expanded store shape, where the additional [ö]-valued com-
ponent holds the value of the new variable. The argument (a, e) provides the
capability for updating and accessing this variable. The final value of the vari-
able is discarded using the projection fst. This is as in [Reynolds, 1981b; Oles,
1982].
The semantics of new is where the parametricity constraints in the model
come into play. Because of the definition of procedure types, a call to p at an
expanded store shape W x [ö] is required to satisfy uniformity conditions
induced by relations involving [ö]. In the next section we will consider a
number of examples showing these parametricity conditions at work.
Next, we consider application. Suppose that we are given rr f- M: 9, Ö- ß
and rr f- N : 9. If 9 = ß' is a primitive type then the semantics is simple,
obtained by prepending the meaning of N onto a suitable vector.
[M N]Wud = [M]Wu ([N]Wu,d}
1t is clear that when Ö is empty this is the obvious application.

The case when 9 is not a primitive type is more complex. If 9 = Ö' - ß'
then we need to prepend an element of [Ö'- ß']W onto a vector. Recall that
a meaning of this type is a family of functions indexed by store shapes: we
need to obtain such a family from the meaning of N.
Fora fixed environment u E [rr]W, define g as follows; for all X,
g[X] = [N](W x X)(expandrr(W,X) u)
where expansion maps are extended to type assignments pointwise:
expandrr(W,X)(u)(x E domrr) = expandrr<x>u(x).
Notlee that g[X]: [Ö'](W x X) - [ß'](W x X), sog is certainly of the right
formtobe in [Ö' - ß']W. It will be shown to satisfy the necessary para-
metricity constraints in the course of proving the Abstraction Theorem below.
The semantics of application is
[M N]Wud = [M]Wug,d
The reader familiar with semantics in functor categories will notice that
expansions come into this uncurried style of presentation in the case of appli-
cation, whereas they appear when treating .\-abstraction when the semantics
is presented in a more conventional curried form.
Theorem 5 (Abstraction) Suppose rr r- P : ii- ß and R: Wo ....... W1 is a relation

between store shapes; ifu 0 [[rr]R]ul and d~[[Ö]R]dl then
[P]Wo uo do [ [ß]R] [P]W1 u1 d1

(This statement applies to terms of primitive type by omittin9 various vectors.)
Proof: The Abstraction Theorem and the well-definedness of [P] are proven
simultaneously by structural induction on P. Well-definedness is immediate
in all cases except application (which is the only case where the simultaneity
is used in a non-trivial way).
For the well-definedness of application, suppose rr r- M : fJ, ii- ß and
rr r- N : fJ. If fJ = ß' is a primitive type then the result is immediate, so
suppose fJ = Ö' - ß'. Well-definedness will be assured if we can show that
the family of functions
9[-]: [Ö'](W X - ) - [ß'](W X-)
satisfies the parametricity condition for [Ö' - ß']W. For S:X0 ....... X1 and
u E [rr]W define u 1 = expand1T(W,X1) u. By the IdentityExtensionLemma and
the Expansion Parametricity Lemma, u0 [ [ rr] (Llw x S)] u 1. (The evident version
of the expansion lemma for type assignments is a corollary of the one for
types.) By the Abstraction Theorem for N (induction hypothesis),
[N](W X Xo) uo[ [Ö'](Llw X S)- [ß'](Llw X S) ][N](W X XI) U1
and so
9[Xo] [ [Ö'](Llw X S)- [ß'](Llw X S) ]9[Xd .
This shows that 9 E [Ö'- ß']W, as desired.
For the Abstraction Theorem, we will consider application and new; all
other cases are routine.
For application we have rr r- M : fJ, ii- ß and rr r- N : fJ. Suppose
uo[[rr]R]ul and do[[Ö]R]d1. If fJ = ß' is primitive then the Abstraction The-
orem for N (induction hypothesis) guarantees that [N]Wo uo[[ß']R][N]Wl u1
and then the Abstraction Theorem for M implies that
[M]Wo uo ([N]Wouo),do[ [ß]R ][M]W1 u1 ([N]W1ud,dl.
In the case that fJ = Ö' - ß' we reason in the same manner, but use
9o [ [ Ö' - ß' ]R] 91. where 91 is the meaning determined by the environment
u,, as in the definition of application. This last property follows from the
Abstraction Theorem for N, with a proof similar to the well-definedness of 9
above using R in place of Llw.
For new, suppose Po[[var[ö] -comm]R]Pl and w0 [R]w1. We must show
that
fst(po[[ö]] (ao, eo) (wo, 8)) [ R ]fst(pl[[ö]] (a~. e1) (w~. 8)) .
The key property is (ao, eo) [ [var[ö]](R x Llr.sJ)] (a1, e1) for the new variables
(ao,eo) E [var[ö]](Wo x [6]) and (a1,e1) E [var[öl](W1 x [6]). This is
Straightforward to verify. The assumption that Po and P1 are related then

implies
Po[[ö]) (ao,eo) (wo, v>[R x ~[c5J]PI[[ö]) (altel) (wlt v)
for any v E [ö], and this ensures that the first components of the
Pt [[öl) (a,, e,) (w,, v) are R-related. I
5 Examples of Reasoning
In each of the examples that follow, an unknown non-local procedure is passed
a limited capability for accessing a local variable, in much the same way that an
abstract type gives to its "clients" a limited capability for accessing its repre-
sentation. The reasoning method employed involves choosing a relation that
is satisfied by different arguments to the procedure, and then applying the
parametricity property to infer a relational property that pairs of procedure
calls must satisfy.
For the sake of readability, we continue to use sugared notation for code
in the examples. The desugarings into the language of the previous sections
should be clear.
We begin by describing a dass of relations that can be used in several
examples. Suppose W is any store shape and E s;; Z, where, as before, Z is the
set of integers; we can then define RE: W ---- W x Z by
w[RE)(w',z) <= w = w' and z E E.
Consider any c E [comm](W x Z) such that skip[[comm]RE]c,

where skip e [comm]W is defined by skip(w) = w. Then, if
p e [comm- comm]W, parametricity implies that
p*(skip)[[comm]RE]p[Z](c) (*)
where p* = unl; p[l] ; unr: [comm]W- [comm]W. Hence, p* (skip) is the

semantics of an isolated procedure call P(skip). We can use this condition
whenever we have a command c that does not change the values of non-local
variables and preserves property E of the local variable.
For example, consider the relation Rz; i.e.,
w[Rz](w',z) <= w = w'.
Intuitively, entities will be Rz-related if they "work the same way" on the W
part of the stack. This is a property of z := z + 1 and skip; more precisely, if
we define inc E [comm](W x Z) by
inc(w,z) = (w,z + 1),
then
skip[ [comm]Rz] inc.
Then we can use the property (*) to conclude
p*(skip)w[ (Rzh ]p[Z](inc)(w, z) .
This means that the first component of p [ Z] ( inc) (w, z} is equal to p * (skip) w.
Clearly, then, the semantics of variable declarations ensures the first equiva-
lence considered in the Introduction:
begin
integer z;
procedure inc; z := z + 1; P(skip)
P(inc)
end
1t is important here that w = w' when w[RE](w', z): the parametricity prop-
erty always acts as the identity relation on non-local variables. This is where
the identity extension lemma and the use of identities in the parametricity
constraint on procedure types come into play.
We would like to emphasize that the reasoning method in this example is
simply an instance of reasoning about polymorphic functions using Reynolds
parametricity [Reynolds, 1983); seealso [Wadler, 1989) for numerous exam-
ples of this form of reasoning. The equivalence reduces to the following prop-
erty
fst(p[l](.\x.x)) fst(p[Z](.\y. (fsty, (sndy) + 1))}
for a polymorphic function p: 'Vy. (oc x y - oc x y ) - (oc x y - oc x y). This is
what we mean when we say that reasoning about local variables often amounts
to proving properties of polymorphic functions. Of course, it is fairly signif-
icant that the polymorphism that we are concemed with is predicative in na-
ture; but the point remains that the reasoning method we employ is exactly as
in [Reynolds, 1983; Wadler, 1989). These methods will be seen below to lead
to remarkably Straightforward validations of previously troublesome equiva-
lences.
Before continuing, it is worth pausing to explain why typical counterexam-
ples to this equivalence, which exist in previous models, are not present here.
Let W = {true, false}. One counterexample is essentially a family of functions
p[X]: [comm](W x X) - [comm](W x X)
suchthat
[X]( )(b x) = { (--.b,x}, if c(b,~} =1= (b,x}
P c ' (b,x), othel'Wlse
Such a p would break the equivalence, because the left-hand block would
negate the state (which consists of a single boolean), whereas P(skip) would
leave the state unchanged. However, this p falls to satisfy the parametricity
condition, for though skip[[comm]Rz]inc and w[R](w,z), it is not the case
that
p* (skip)(b) [ Rz ]p[Z](inc)(b, z} ,
as p* (skip)b is b, while p[Z](inc)(w, z) is (--.b, x}. The equality test on states
is the culprit in the definition of p: any two states (w,z) and {w,z'} are "in-
distinguishable" from the point of view of the second domain of the relation
Rz, so branching on the equality test violates parametricity.
Our second example demonstrates that the invariant-preserving properties
of the models described in [Meyer and Sieber, 1988; O'Heam and Tennent,
1993b] are encompassed by parametricity. If ze is the set of nonnegative

integers, we again get skip[[comm]Rz• ]inc. The property (*) now ensures
that z is non-negative when p[Z](inc)(w,O) = (w',z). This can be used to
verify that the value of local variable z is still nonnegative on termination of
the procedure call in
begin
integer z;
z:=O;
P(z := z + 1);
end
Our last example using relations of the form RE is
begin
integerz;
z:= 0; P(O)
P(z)
end
where P: exp[int] - comm; we have left the de-referencing coercion (deref)
from var[int] to exp[int] implicit in the argument of the call. The intuition
here is that the value of z will be 0 each time it is used during execution of the
call P(z), because P cannot write to z. Therefore, this should be equivalent to
simply supplying 0 as an argument instead of z.
To validate this we can use RIO)· The denotation of 0 is the constantly 0
function in [exp](W x Z), and the denotation of z, as an expression, is the
projection W x Z - Z. Thesedenotations are then related by [exp]R{o!; i.e.,
w -----=0=----- z
R1oJ! !~z
Wxz-----"z--Z
because if argument states are related, the Z-valued component is always 0.
We can then use the parametricity of P, as in the other examples, to conclude
that (the denotations of) the calls P(O) and P(z) are [comm]R 1o1-related, and
the equivalence follows from the valuation for variable declarations.
Next we consider a relation that does not fit into the RE pattem: the rela-
tion ~w x R, where R: Z - Z is defined by
Zo[R]ZI = -Zl = Zo ~ 0.
This can be used to validate the equivalence between blocks that use non-
negative and non-positive implementations of a counter in exactly the manner
discussed in the lntroduction. The representations of the procedures inc and
val are directly related by ~w x R, and we can use the parametricity property
of procedures to conclude that the calls to non-local procedure P are related.
This implies the desired equivalence because the semanlies of new disposes
of the Z -valued component of W x Z on termination, and we are left with
~w-related results.
We should mention that this last equivalence is in factvalid in the models

of [Oles, 1982; Tennent, 1990]. Thesemodels can typically handle represen-
tation independence when the different representations being considered are
isomorphic. Our final example shows how non-isomorphic representations
can be dealt with. The example involves a simple abstract "switch." A switch
will have two associated operations:
flick, which turns the switch on; and
on, a predicate that tests whether the switch has been flicked on.
The switch is initially off, but remains on after it has been flicked for the first
time.
One representation of the switch will be the evident one using a boolean
variable. In the other, 0 will correspond to the switch being off, and
the on position will be represented by any positive integer. These rep-
resentations are given in the following two blocks, where P is of type
(comm,exp[bool])- comm.
begin begin
Booleanz; integer z;
procedure flick; z := true; procedure flick; z := z + 1;
Boolean procedure on; Boolean procedure on;
on:= z; on:= z ~ 1;
z := false; z:=O;
P(flick, on) P(flick, on)
end end
A typical counterexample, which exists (in one form or another) in the
models of [Oles, 1982; Meyer and Sieber, 1988; O'Hearn and Tennent, 1993b],
is p such that
[X] { ) {b ) _ { (-,b, z), if c(c(b, z)) = c(b, z)

P c,e ,x - (b,z), otherwise
The equality test on states is once again the culprit.
This equivalence can be validated in our semantics using a relation of the
form ~w x R, where R: [bool] ........ [int] is the least relation suchthat
false[R]O 1\ (n ~ 1 '* true[R]n) .
6 Algebraic Aspects of First-Order Types

A standard test for the parametricity of models of polymorphism involves
connections between free algebras and the denotations of certain lower-order
polymorphic types [Reynolds, 1983]. For example, in a modelthat is "suf-
ficiently parametric," the type 'Vy. ( y - y ) - ( y - y) of Church numerals
will (in the absence of recursion) in fact denote a natural numbers object, and
the type 'Vy. (oc x y - y) x y - y will be isomorphic to the type list[oc] of
finite lists over oc. These representations supply a very clear picture of low-
order polymorphic types, and are an indication of the constraining effect of
the parametricity conditions under consideration. Our purpose in this section
is to describe how our parametric semantics yields similar representations of

first-order ALGOL types.
To begin, we consider [comm- comm]l. We can use an argument
of Plotkin [1980] to characterize precisely the elements in this set. If
p E [ comm - comm] 1 then there is a number n such that
p[N] (idl*l x succ) (*,0) = (*,n)
where N is the set of natural numbers and succ is the successor function. Then
for any X, c:X -x andx EX, we can setup arelationR:N -Xwhere O[R]x
and m[R]x',.. m+1[R]c(x'). The functions succand c are thenrelated by R-
R and we can use parametricity to conclude that p[N] (idl*l x succ) (*,0) and
p[X] (id 1*1 x c) (*,x) are R-related and, in particular, the latter is (*,c"(x)),
where c0 = skip and cn+l = c; c". Thus, p is the n-th Church numeral.
In an ALGOL-like language, the n-th Church numeral is defined by
.\c: comm. c". From this we can immediately see two interesting facts. First,
every element of [comm - comm] 1 is definable by a closed term. Second,
up to semantic equivalence, the local-variable declarator new does not figure
into closed terms of this type at all, for any closed term of this type will be
equivalent to one that doesn't use new. One has to go up to closed terms of
second-order type, or to open terms of first-order, for new to make a differ-
ence.
What we have done here is to follow the analogy between type variables
and store shapes. [ comm - comm] 1 corresponds to
'V)'. (1 X )'- 1 X )') - (1 X ) ' - 1 X )')
and, as 1 x y ;;;;; y, this should in turn be the Church numerals. The reader
familiar with [Reynolds, 1983] will then be able to see how similar represen-
tations can be obtained for other first-order ALGOL types. We collect a few
examples into the following proposition.
Proposition 6 (Reynolds) We have the following isomorphisms, where cx is a
store shape.
[exp[ö] - exp[ö'l]cx ;;;;; (cx- [ö])- (cx- [ö'])
[exp[ö]- comm]cx ;;;;; (cx- [ö])- (cx- cx)
[comm- exp[ö]]cx ;;;;; (cx x list[cx]- cx)- (cx- [ö])
[comm- comm]cx ;;;;; (cx x list[cx] - cx) - (cx- cx x list[cx])
Proof: These isomorphisms are based on observations in [Reynolds, 1983].
We will outline the proof of the last isomorphism to indicate that these argu-
ments do go through for our semantics of ALGOL types.
Any c: cx x z- cx x Z, for some store shape Z, can be decomposed into two
functionsc 1 :cxxZ-cxandc2:cxxz-z. Forafixedinitialstate (s,z) e cxxZ,
let R: Z -list[cx] be the smallest relationsuchthat
z[R)€ z' [R].f ,.. c2 (a, z' )[R]cons(a, .f)
where E" is the empty Iist. One can then define a suitable ci suchthat
Ct[~a X R - ~alci
and wehave
{c1, c2}[[comm]ßoc x R]{ci, cons}
where here we are using {f,g} : A-B x C to denote the tupling function
obtained from f :A-B and g : A - C. Then if p E [comm- comm]oc we
get that
p[Z] c (s, z) [ ßoc x R ]p[list[oc)] {ci, cons} (s, €) ,
and so p is completely determined by the action of the function p[list[oc]].

Furthermore, the arguments to this function can be taken to be of the form
{f, cons} and (s, €) so, as cons and € are fixed, this is determined by a func-
tion of type (oc x list[oc] - oc) - (oc- oc x list[oc]). Conversely, it is easy,
using this R, to see how any function ofthistype determines an element of
[comm- comm]oc. I
Notlee that function types with exp[c5] in a contravariant position are rep-
resented in a pointwise fashion. A meaning at such a type can be applied at
a "later stage," after local variables have been added to the stack, but such a
function is completely determined by its behaviour at the "present stage." The
reason is that expressions may read from, but not write to, local variables. lf
we pass an argument e E [exp[c51](oc x ;y) and evaluate the resulting function
call in state (s, n), then parametricity can be used to show that this is equiv-
alent to passing the evident corresponding expression e' E [exp[c51]oc x {n}.
The pointwise exponentiation arises because oc x {n} ::: oc. (This principle was
at work in the example from the previous section involving P(O) and P(z)). Of
course, not all elements of these types will be definable; for example, defin-
ability of all elements of exp[int] - exp[int] is not possible for computability
reasons.
For the types with comm in a contravariant position, changes to a local
variable by a command argument are mirrored by cons: a Iist of oc's records
non-local states when a command argument is executed. The representation
of comm- exp[c5] illustrates the non-single-threaded nature of the seman-
tics. In a semantics that captured single-threading properly we expect that
the occurrences of list[oc] would disappear, because single-threading should
mandate that commands cannot be executed within expressions.
These representations are limited to first-order types: we do not know of
characterizations of level-two types such as, for example,
(comm- comm) - comm
A similar phenomenon occurs in models of polymorphism: much is known
about level-two polymorphic types, but considerably less for level three. (Here
our understanding breaks down at level two because these types correspond
semantically to level-three functional types.)
The situation in the presence of recursion is more complex due to Iifting,
and we do not have a clear general picture, given by a clean scheme like the one
in [Reynolds, 1983], of the denotations of all first-order types in the presence
of recursion. Characterizations of certain specific types have been obtained,
however; weillustrate with [comm- comm]l.
Let Vnat be the vertical natural numbers, i.e., the natural numbers with the
usual "less than" order, and with an extra top element oo. VnafP is the vertical
naturals with the ordering reversed. Then
[comm-comm]l _ N.J. ® VnafP
where ® is the smash product.
An outline of the proof of this isomorphism is as follows. Using the iso-
morphism 1 x oc ~ oc, a meaning in [comm- comm]l will be a family of
continuous functions
p[oc]: (oc- oc.J.)- (oc- oc.J_)
satisfying the parametricity condition. If p[N] succ 0 = .L then p corresponds
to (.L, oo). If p[N] succ 0 = n then there will be a smallest m such that
p[N] (succ[n + m]) 0 = n, where (succ[k)) a = a + 1 if a < k and .L oth-
erwise. In this case p corresponds to (n, m). The desired isomorphism can
then be shown using parametricity with an argument similar to the one used
by Plotkin for the Church numerals: we define an appropriate relation that
relates an argument in oc- oc.J. to a succ[k].
As before, every element of this domain can be defined by a closed term,
with the appropriate boolean tests and a term diverge: comm that denotes the
constantly-.L function. Specifically, (.L, oo) is defined by diverge, and (n, m) is
defined by
.\c: comm. if (do cn+m result 1) = 1 then c" else skip
The test (do cn+m result 1) = 1 will converge, and return true, iff cn+m con-
verges. The skip branch never gets executed.
It is now possible to appreciate the role of VnafP. lt concems "lookahead,"
in the sense that we look to see if n + m executions of c will converge and, if so,
we execute c n times. This illustrates how a semantics that properly captures
single threading could perhaps lead to simpler representations. For example,
the closed terms of type comm - comm definable without do - result - are,
semantically, in correspondence with N.J., which is considerably simpler than
N.J. ® VnafP.
7 Relations and Reßexive Graphs

The category-free presentation, though quite elementary, is also rather ad hoc
in some respects. In the next few sections we will endeavour to place the model
into a categorical context, providing some justification for the definitions.
A first attempt would be to say that the model lives in a category of
"relators" [Abramsky and Jensen, 1991; Mitehen and Scedrov, 1992; Ma and
Reynolds, 1991]. The objects map store shapes and relations between them to
sets and relations between them in a way that preserves identity relations, and
the morphisms are families of functions, indexed by store shapes, satisfying
a parametricity constraint. While it is true that each type in our model deter-
mines a relator, the relator viewpoint is not quite satisfactory. The appropriate
notion of exponentiation for relators is pointwise: (A-B) (X) = A(X)-B(X)
for X a store shape or relation. A better categorical explanation of the model
would connect our interpretation of procedure types with exponentiation, and

our interpretation is not pointwise.
This is the point at which we must bring out the functor-category structure,
which shows up in the category-free presentation in the use of expansion func-
tions. 1t will be seen that each type determines a functor from the category of
store shapes used in [Oles, 1982] to the category of sets. The interpretation of
procedure types then has some of the flavour of a functor-category exponen-
tial, but with additional parametricity constraints. A suitable category will be
obtained by considering both the relator and functor aspects of types, along
with naturality and parametricity conditions on morphisms.
The reader might have noticed that naturality properties were never used
in proving any of our results in previous sections, nor in reasoning about
example equivalences. The place where naturality does come in is in trying
to prove the validity of the laws of the typed ,\-calculus. It would have tobe
accounted for if we were to validate these laws directly in the category-free
semantics; in the categorical semantics it will be crucial to get a Cartesian
closed category.
In the following, we will need functor-like maps that preserve a certain
kind of relational structure. There is a fundamental difficulty, however. We
do not want to insist on relations being composable, and so the structure that
must be preserved is not really "categorical." One reason for not requiring
composability is that, as is well known, composition is not preserved by logical
relations at higher types. Another is that we want to be able to generalize to
n-ary relations for n > 2, and then there is no evident notion of composition.
We propose that the appropriate way to describe the relational structure
that is needed is to use the notion of a reflexive graph. A reflexive graph is con-
ventionally a set of vertices with (oriented) edges between them; furthermore,
for any vertex v, there is a distinguished edge from v to itself, the identity on
v. Notlee that a reflexive graph is more structured than a set (because there are
edges as well as vertices), but less structured than most categories (because
edges need not be composable).
We will actually consider a generalization, familiar to category theorists,
where categories of vertices and edges are allowed [Barr and Wells, 1990; Law-
vere, 1989; Johnstone, 1989]; the conventional notion of reflexive graph be-
comes the special case in which the vertex and edge categories are small and
discrete. In some examples, the edge objects will be relations over pairs of
vertex objects, and the edge morphisms will be relation-preserving pairs of
vertex morphisms; however, in general, edges arenot required tobe any of
the usual categorical forms of relation [Ma and Reynolds, 1991; Mitehen and
Scedrov, 1992].
Here is a precise definition: a reflexive graph 9 consists of two categories,
9v (vertices) and 9e (edges), and three functors between them as follows:
9c5o
suchthat 91 ; 9 151 = 1 9 v for i = 0, 1, where; denotes composition in diagram-

marte order and 19 v is the identity functor on 9v· Intuitively, 9.51 specifies the
i'th domain for each edge and edge morphism, and 91 specifies the identity
edge for each vertex and vertex morphism.
An equivalent and more elegant presentation is as follows: a reflexive
graph is a functor 9: G - CAT, where CAT is the meta-category of all cat-
egories and functors between them [Mac Lane, 1971], and Gis the two-object
category whose (non-identity) morphisms are as follows:
8o
{ I
v ---='---e
\_~_8.;;_1~)
with I; 8; = idv for i = 0, 1, where idv is the identity morphism on v. (More
generally, reflexive graphs with n-ary edges would be generated by the two-
object category having non-identity morphisms I: v - e and 8;: e - v for
i = 0, 1, ... , n- 1, with a similar commutativity requirement.)
As our first example, we define a reflexive graph S (sets) as follows.
• The "vertex" category, Sv, is the usual category of sets and functions.
• The "edge" category, Se, has binary relations on sets as objects and
relation-preserving pairs of functions as morphisms; i.e., a morphism
with domain R: Wo ........ W1 and co-domain S:Xo ........ X1 is a quadru-
ple (R, ( 0 , (1, S) such that fo [R - S)f1 . We will use the relational-
fo
R! !s
Wo---Xo
parametricity diagram to depict such a morphism. The
w1-----r;--x1
fo 9o
R! !S S! !
Wo---Xo Xo-Yo
composite of and T is then defined as
fo;go
!T,
Wo-~..:::..::..-Yo
R! and the identity morphism on a relation R: Wo ........ W

1
w1 ---=---
f1;91
Y1
idw0
Wo-Wo
is R! !R.
w1 --=----d
1 w1
w1
• Functors S151: Se - Sv for i = 0, 1 are defined by S151 (R: Wo ........ W1) = W;

and
S6; ( R! !s
Wo .J!!._ Xo )
= (; .
w1AX1
• Functor S1:Sv - Se is such that S1(W) = ßw and SI(f: W - X)
w_t_x
ßw! !ßx
w~x
Category Se is the category of relations over sets presented in [Ma and
Reynolds, 1991]. Furthermore, the S6; are similar to the forgetful functor U
used there in a categorical treatment of the (first-order) "abstraction theorem,"
and S 1 is similar to the functor J used there in a categorical treatment of the
"identity extension lemma." Hence, some of the key entities introduced in [Ma
and Reynolds, 1991] are incorporated in the reflexive graph S.
As our second example, we define a reflexive graph 2> (domains) as follows.
• 2>v is the category of directed-complete partially-ordered sets and con-
tinuous functions.
• 2>e has complete binary relations as objects, and relation-preserving
pairs of continuous functions as morphisms. Composites and identities
are evident.
• The functors 2>6;:2>e -2>v for i = 0,1 and 2>1:2>v -Ve are defined
exactly as for S.
Finally, we define a reflexive graph W (worlds) having the small category
l: of "state shapes" described in [Oles, 1982] as its vertex category Wv. The
category l: is as follows.
• The objects are (certain) sets, including desired data types, such as
{true, false} and {-2, -1, 0, 1, 2, ... }, and allfinite (set) products of these.
• The morphisms from W to X are all pairs 4>, p such that
- 4> is a function from X to W;
- p is a function from W x X to X, where the x here (and throughout
this example) is the set-theoretic Cartesian product;
- for all X E X,
p(4>(x),x) = x;
- for all XE X and W E W,
4>(p(w,x)) w;
- for all XE X and W, w' E W,
p(w,p(w',x)) p(w,x).
For example, there is an "expansion" morphism (cJ>, p ): W- X suchthat

X= W x Y for some data type Y with cJ>(w,y) =wand p(w, (w,y)} =
(w, y); i.e., cJ> "projects" a large stack into the small stack it contains,
and p "replaces" the small stack contained in a large stack by a new
small stack, leaving unchanged local variables on the large stack. In fact,
Oles [1982] shows that any ( cJ>, p): W - X induces a set isomorphism
X::: W x Y for some non-empty set Y; that is, up to isomorphism, every
morphism is an expansion.
• The composite of morphisms (cJ>,p):W- X and (cJ>',p'):X- Y is
morphism (cJ>",p"):W- Y suchthat cJ>" = cJ>'; cJ> and p"(w,y) =
p' (p(w, cJ>' (y) ), y).
• The identity morphism on W is (cJ>, p) such that cJ> (w) = w and
p(w,w') = w.
A category W e of relations over :!: can be defined as follows.
• The objects are relations R: W- X, where Wand X are :!:-objects.
• A morphism with domain R: Wo - WI and co-domain S: Xo - XI
is a quadruple (R, (c/>o.Po), (cJ>~.pi),S) suchthat cJ>o[S- R]c/>I and
Po[R x S - S]PI· Again, we use diagrams of the form
(cJ>o, Po)
Wo Xo
R! !s
WI (cJ>I,Pd XI
to depict morphisms in W e·
• Composition and identities are defined straightforwardly in terms of
those in :!:.
We can now complete the definition of W by using diagonal relations for
the identities, and defining the domain functors in the evident fashion.
The definition of "related" :!:-morphisms above is particularly noteworthy:
Wo (c/>o. Po) Xo Xo ~Wo
R! !s is a morphism in We iff both s! !R and

wi <cJ>I.Pd xi xi~wi
Po
Wo x Xo ---=c.....:........ xo
R x s! !s are morphisms in Se. This definition ensures that ap-
WI XXI PI XI
propriate relations will be preserved by variable de-allocation (using the "pro-
jections" c/>1) and by state changes in larger worlds induced by changes at
smaller ones (using the "replacements" p;). Notice that We is not a category
of relations over:!: in the sense of [Ma and Reynolds, 1991]; in fact,:!: does not
even have a terminal object.
8 Parametrie Functors and Natural Transformations

Next we describe a category of "parametric" functors and natural transforma-
tions. The description will be highly tailored to the specific definitions of W
and S, but at the end of the section we sketch a more general setting for the
definitions.
A parametric functor from W to S consists of
• a mapping Fo from Wv-objects to Sv-objects;
• a mapping F1 from Wv-morphisms to Sv-morphisms; and
• a mapping F2 from We-objects to Se-objects
suchthat
• if f:w- x in Wv then FI(f):Fo(w)- Fo(x) in Sv;
• F1 Odw) = idFo<w> for every Wv-object w;

• F1 (f; g) = F1 (f) ; F1 (g) for all composable Wv-morphisms fand g;
• if R:w- x in We then F2(R):Fo(w)- Fo(x) in Se;
Wo
~
______2__... Xo
A<fu>
Fo(wo) ----=-.:....::..:...-Fo(xo)
• if R! !s in We, then (R)1

F2 1 (S) in Se.
F2
wl - f i xl Fo(wt) Fo(xt)
F1(f1)
The first three conditions say that F0 and F1 constitute a conventional functor
from Wv to Sv; the next two conditions say that Fo and F2 constitute a "re-
lator" [Mitchell and Scedrov, 1992; Abramsky and Jensen, 1991]; and the last
condition is a parametricity constraint. This last condition is closely related to
the Expansion Parametricity Lemma and is crucial for function types to behave
properly; e.g., for currying to satisfy relevant parametricity conditions. We will
adopt the usual notational abuse of using a single symbol such as F to denote
all three mappings.
If F and G are parametric functors from W to S, 11 is a parametric natural
transformation from F to G if it maps Wv-objects to Sv-morphisms such that
• for every Wv-object w, 17(w):F(w)- G(w);
l l
F(w) I7(W) G(w)
• for every Wv-morphism f: w- x, F(f) G(f) commutes;
F(x) - 17-,-(x-,-)-+- G(x)

and
F(wo) I1(Wo) G(wo)
• for every R: Wo- W1 in We, F(R) 1 1G(R) in Se.

F(wi) - (- ) G(wi)
11 WI
The first two conditions say that 11 is a conventional natural transformation
from F to G, and the last condition is a parametricity constraint.
Parametrie natural transformations compose in the obvious point-wise way
(like "vertical" composition of natural transformations). The category having
a1l parametric functors from W to S as objects and a1l parametric natural
transformations of these as morphisms will be denoted sw.
Theorem 7 sw is cartesian closed.
Proof: Products can be defined pointwise:
(F x G)(w) = F(w) X G(w)
(F x G)(f) = F(f) X G(f)
(F x G)(R) = F(R) x G(R)

with the obvious (parametric) projections. A terminal object 1 has 1 (X) = { *},
1(c/>,p) = id{*l and 1(R) = ß{*l
For exponentiation, we first define the analogue of "representable" func-
tors [Mac Lane, 1971; Lambek and Scott, 1986]. If X and Y are store
shapes then hx(Y) = Homwv(X, Y), and for fand g maps in~. hf(g) =
Homwv(f,g),sothathfg(h) = f;h;g. IfR:Xo-XIandS:Yo-YI.then
hR S: hxo Yo - hX1 Y1 is such that
g
Xo-Yo
g[hRS]f iff R! !s in We.
x1---y-Y1
We write hx (-) for the parametric functor that sends Y to hxY, f to hidx fand
Rto hAx(R).
Exponentiation is then defined on store shapes as follows:
GF X= Hom8 w(hx xF,G);
on morphisms,
(GF f p)[Z](g, a) = p [Z](f; g, a) ;
and on relations, p[GFR]q iff
VS:Wo- W1.p[Wol[hRS x G(S)- F(S) ]q[Wtl
lt is not difficult to show that GF satisfies the functor and relator requirements,
and the condition that a parametric functor send related Wv-morphisms to
related Sv-morphisms.
The application and currying maps are exactly as in presheaf categories.
The application map app:F x GF....:.... Gis app[W] {a,p) = p[W]{idw,a). Nat-
urality follows as usual. To see that it is parametric, assume p 0 [(GF)R]p1 and
idw0
Wo---Wo
ao[F(R)]ai. As Rl !R, we have that (idw0 ,ao)[hRR x F(R)](idw11 ai),
w1 --:----+-d
1 Wt
w1
and the definition of GF(R) implies (p 0 [W0 ](id,a0 ))[G(R))(p 1 [Wd(id,ai)).

The Currying map curry:Hom(F x G,H)- Hom(F,Hc) is
currymWa(f,b) = mX(F(f)a,b)
where f: W- X in Wv. The naturality of curry m is shown as usual, and
parametricity is proved using the condition that F send related W v-morphisms
to related Sv-morphisms. That curry and app have the required properties of
exponentiation is straightforward; this is where the naturality requirements
are crucial. I
We now show how to interpret types as parametric functors from W to S.
We use the angled brackets « ·)) to distinguish the parametric-functor seman-
tics from [ · ].
For expressions:
• for every Wv-object W,
«exp[ö]))W = W- [8],
• for every Wv-morphism (<j>,p):W- X and e E «exp[ö]))W,
«exp[ö]))(<j>,p) e = <j>;e,
and
• for every R: Wo - W1,
«exp[ö]))R R -ß[8J.
For commands:
• for every Wv-object W,
«comm))W = w-w;
• for every Wv-morphism (<j>,p):W- X, x EX, and c E «comm))W,
«comm))(<j>,p) c x = p(c(<j>(x)},x),
and
• for every R: Wo ........ W1,
«comm))R = R -R.
For the morphism part what we do is execute c on the small part of the stack,
i.e., c(<j>(x)), and then use p to replace the small part of x with the resulting
final state.
The parametricity conditions on these functors are easily verified. It is
noteworthy that these pointwise definitions are actually isomorphic to what
is obtained by introducing the obvious contravariant "states" functor S and
defining
(exp[Ö]) = S - D[Ö)
(comm) = s-s
using a parametric version of "contra-exponentiation" [O'Hearn and Tennent,
1992], where o D is the constant functor whose object, morphism, and relation
parts always yield D, idn, and lln, respectively. This is an indication of the
effectiveness of the parametricity constraints.
For storage variables:
(var[ö])X ([ö] - (comm)X) x (exp)X
(var[ö])(cp, p) (idr.sJ- (comm)(cp,p)) x (exp)(cp,p)
(var[ö])R (llr61 - (comm)R) x (exp)R .

For procedures we use exponentiation in sw:
(Ö- ß) = (ß)CÖ).
Here, (Ö) is the product of (Oi) for the components of the vector. Of course,
as sw is a ccc we could ignore vectors and interpret procedure types in a
curried syntax: (0- O') = (O')CB).
The interpretations of terms can be given exactly as in [Oles, 1982]. We
have already seen the application and currying maps in the proof of Proposi-
tion 7, and these are exactly as in functor categories. We will define
new: (var- comm) ...:.. (comm)
to indicate how variable declarations are treated. For Wv-object W,
p E (var-comm)W and w E W,
new.s W p w = fst(p[W x [ö]](f, (a,e)}(w,8))
where f: W - W x (ö) is an "expansion" morphism in Wv, 8 E (ö) is the
standard initial value of new variables, and (a, e) E (var)(W x Z) is the new
variable, defined as follows: a(z')(w,z) = (w,z') and e(w,z) = z.
We conclude this section by sketching a more general context for these def-
initions; it can be skipped without loss of continuity. A morphism M: 9 - :K
of reflexive graphs is a pair of functors Me and Mv that map edges to edges
and vertices to vertices in a way that preserves domains and identities; i.e.,
commutes for i = 0, 1.
component-wise.
Notice that a morphism of reflexive graphs is nothing other than a nat-
ural transformation between graphs viewed as functors. Furthermore, what
Peter W. O'Heam and Robert D. Tennent 143
we called a "parametric" natural transformation above is an instance of the

concept of modi(ication [Kelly and Street, 1974]. (More precisely, the category
sw is equivalent to the category having natural transformations between the
graphs W and S (viewed as functors) as objects and modifications as mor-
phisms.) This gives some assurance of the appropriateness of the various
conditions in the definition sw, which uses simplifications that depend on
specific structure in W and S.
Another perspective on our model can be given in terms of internal cate-
gories. As is weil known, reflexive graphs in CAT can be equivalently viewed as
intemal categories in a category of (large enough) reflexive graphs. Paramet-
rie functors then correspond to intemal functors between intemal categories,
and parametric natural transformations to intemal natural transformations.
We gave the "reflexive graphs in CAT" presentation here because we felt that
it might be (slightly) more accessible.
However, the intemal category viewpoint perhaps shows more directly the
connection to [Reynolds, 1981b; Oles, 1982]: our semantics could be consid-
ered as essentially that of [Oles, 1982], but re-cast in a context where terms
like "functor" must be understood as pertaining to categories that live in an-
other category. This is the reason why the definitions of currying, application,
new, etc., for (the categorical presentation of) our model are just like those
given by Oles. Of course, the interest in our model derives more from the se-
mantics of types than of valuations. The uniformity conditions arising from
relational parametricity give us stronger reasoning principles than in a stan-
dard functor-category framework.
9 When Parametricity Implies Naturality

We now undertake to explain the connection between the category-free and
parametric-functor presentations of our semantics, and also to uncover why
an "uncurried" treatment of types is used in the category-free version.
First, we need a result from [Oles, 1982] about morphisms in the category
Wv of store shapes.
Lemma 8 (Expansion Factorization (Oles)) Every Wv-morphism W- X can

be factared into an expansion followed by an isomorphism:
w...!:...wxy....!....x.
Recall that the Isomorphism Functoriality Lemma played an important role in
the category-free semantics. A condition analogaus to it was not needed in the
definition of reflexive graph because of the following result which, it should
be noted, applies to any parametric functor (and not just definable ones).
Lemma 9 (Isomorphism Correspondence) For every parametric fu.nctor A, if

(4>, p): W- Xis an isomorphism then the fu.nction A(p, 4>> and relation A(R)
have the same graph, where R: W - X is the relation having the same graph
as 4>-1.
144 Chapter 16. Parametridty and Local Variables
Proof: Let f = (c/>, p). From the definition of related Wv morphisms we have
w~w w~w
ßw! !R and R! !ßw.
w-r-x x~w
As A is a parametric functor, we obtain
A(idw) A(idw)
A(W) A(W) A(W) A(W)
A(ßw)1 1 A(R) and A(R)1 1 A(ßw).

A(W) A(X) A(X) A(W)
A(f) A(f- 1)
If a e A(W) then the left-hand diagram implies that a[A(R)]A(f)a, using the
fact that A preserves diagonal relations and identity morphisms. Conversely, if
a[A (R) ]b then the right-hand diagram implies that A(f)a = b, and the graphs
of A(f) and A(R) are therefore equal. I
We are now in a position to give (sufficient) conditions under which the
naturality requirements are superfluous.
Theorem 10 (Naturality) Suppose A: W - S is a parametric functor and
p[ -]:A( - ) - «ß»< -) is a familyoffunctions satisfying the following parametric-
ity condition: for all R:Xo ...... X1,
p[Xo]
A(Xo) (ßHXo)
A(R) 1 1 (ß)(R) .
A (X1) -p-:[c:cX:-:I]=-- ( ß)(X1)

Then p is automatically natural: {or all g: X - Y in Wv.
A(X) __...:P....:.[X-']:.....- (ß)(X)
A(g) 1 1(ß)(g).
A(Y) p[Y] (ß)(Y)
Proof: Consider any g. By the Expansion Factorization Lemma it can be fac-
toredinto acomposite e;i, where e:X-XxWis anexpansionand i:XxW-Y
is an isomorphism. The result will follow if we can show commutativity of
A(X) -----=p-=[_X.:....]- - - (ß) (X)
A(e)J l«ßHe)
p[Xx W]
A(X X W) (ß)(X X W)
A(i) I 1«ß> (i)

A(Y) p[Y] (ß)(Y)
The commutativity of the bottom part follows immediately from the Isomor-
phism Correspondence Lemma and the parametricity property for p. We will
show the commutativity of the top part for ß = comm; the other base types
are treated similarly.
Consider anyw E W. DefineRw:X -XxWby x[Rw](x', w') iffx = x' and
l l
X idx X
w = w'. Clearly we have Ax Rw. Thus, as A is a parametric
X e XxW
functor, for any a E A(X) we have that a[A(Rw)]A(e)(a), and so, using the
parametricity of p, we get
p[X] ax [Rw] p[X x W](A(e)a) {x, w)
for any x EX. From the definition of Rw. and of (comm) on morphisms, this
implies that
(comm)(e) (p[X] a) {x, w) = p[X x W](A(e)a) {x, w).
As this argument works for any w E W, the commutativity of the top part of
the diagram follows. I
Note that the naturality constraints in (Ö- ß)X arealso superfluous by this
result, taking A = hx x ( Ö).
We are finally in a position to see where the category-free semantics of
types given earlier comes from. First, in a type Ö - ß we can do away with
all naturality constraints, as these are implied by parametricity. Second, by
the Expansion Factorization Lemma any Wv·morphlsm factors into a "true
expansion" followed by an isomorphism. Further, by the Isomorphism Cor-
respondence Lemma the action of a procedure meaning on the isomorphism
part of such a factor is completely determined by the action of parametric
functors on relations. Thus, when defining a procedure meaning p at store
shape W we do not need to consider all Wv·morphisms out of W, but only the
"true expansions" of the form W- W x X. (An analogous property for certain
functor categories has been observed by I. Stark.)
Theorem 11 (Representation) Suppose A: W - S is a parametric functor.

Then ( (ß)A) W is isomorphic to the collection of those families
p[ -]:A(W X - ) - (ß)(W X-)
satisfying the following parametricity condition: for all R:Xo ...... X1,
p[Xo]
A(W X Xo) _......:.....::........::..::...__..... (ß)(W X Xo)
A(Aw X R) l 1 (ß)(Aw X R)
A(W x XI) p[Xd (ß)(W x XI)

Proof: Let D denote the collection of p's satisfying parametricity. We will set
up an isomorphism f: (ß)AW - D with inverse g. First we have f m [X] =
m[W x X]{e, ·), where e:W- W x Xis the expansion. Conversely, if we
have a map (cf>, p): W - Z then this factors into an expansion followed by an
isomorphism W ...!. W x Y ....!..... Z. Then we set
gp[Z]((cf>,p),a) = (ß)(i) (p[Y](A(r 1 )a))
where ;- 1 is the inverse of the iso i.

(In this definition of g, the factors e and i are not uniquely determined;
however, it is easy to show, using parametricity on isomorphisms, that
(ß)(i) (p[Y](A(i- 1 )a)) is uniquely determined for any factorizations. ln any
case, Oles has shown how a canonical choice of factors is possible.)
That f m satisfies parametricity is immediate from the parametricity of m,
l l~w
W e WxX
using the fact that ~w x R, for any R, and for e the expan-
W e WxX
sion. That g p satisfies the parametricity condition for (ß)A W follows from
the parametricity condition on p, together with the Isomorphism Correspon-
dence Lemma and the Isomorphism Factorization Lemma. Naturality is then a
result of the Naturality Theorem. Thus we see that f and g are well-defined.
We can show that they areinverse as follows.
g(fm) [Z] ((cf>,p),a) (ß) i (f m [Y] (A(i- 1 )a))
«ß» i (m [W x Y] (e, (AW 1 )a)))
m [Z] ((e; i), a)
m[Z] ((cf>,p),a)
where the second-last step uses naturality of m and the fact that i and ;- 1 are
inverse isos. Conversely, the definitions of f and g give us
f (gp)[X] a = gp [W X X]((e:W- W X X),a)
= «ß> i (p[X]a)
and in the factorization of e (in the last step) we can take i as the identity
(because e; id = e), so f (g p)[X]a = p[X]a. I
Thus we see that the calculation of (the object part of) function types in the
category-free semantics is isomorphic to what is obtained from exponentiation
in the parametric-functor semantics. It is also not diffi.cult to see that the
relation parts of the two semantics are isomorphic, and that the expand maps
correspond to the morphism parts of parametric functors. Furthermore, the
semantics of .\-abstraction and application that were given are precisely those
obtained (after suitable uncurrying) from the Cartesian closed structure of S w.
The details of these aspects of the correspondence should be abundantly clear
to a reader who has followed so far, and are sufficiently routine to warrant
omission.
There is one final matter that we must clear up. We have thus far stead-
fastly adhered to an "uncurried" presentation of the semantics of types,
whereas in the ccc Sw this is of course not necessary. The uncurried presen-
tation is needed, however, for the category-free semantics to work properly.
The reason is that parametricity does not imply naturality in general, but only
for parametric functors of a specific form.
lt will be simpler if we discuss this relationship between parametricity and
naturality first in the context of the category-free semantics, and then translate
to the categorical one. Consider the type comm - comm, and the family of
elements m [-] E [ comm - comm][-] defined by
m[X][Y] c (x,y} = (x,y'), where c(x,y} = (x',y'}.
This family of elements is "parametric" in the following sense: for all relations
R: X - X' between store shapes, m[X] [[comm-comm]R]m[X']. Following
the analogy with polymorphism, m is essentially an element of
V ()("i/}'. (()(.X}'-+()(. X}'}-+ (()(.X}'-+()(. X}')
For m to be natural with respect to expansions we would need that

if m[X x Y][Z]c((x,y},z} = ((xl,yl},zl}
and m[X][Y x Z]c* (x, (y, z}} = (x2, (y2, z2}}
then xl = x2, yl = y2, and zl = z2
where c* is obtained from c by the evident associativity isomorphism. From
the definition of m, if c((x,y},z} = ((x,y'},z}, so c*(x, (y,z}} = (x, (y',z}},
we get that
m[X x Y][Z]c((x,y},z} = ((x,y},z}
while
m[X][Y x Z]c*(x, (y,z}} = (x, (y',z}}.
The naturality property falls because y and y' need not be equal, as c can
certainly change this component.
Expressing this argument more categorically, we can define a family of
functions
m[-]: 1 (-) - «comm- comm}} (-)
that satisfies parametricity, but not naturality. The definition is
m[X](*)[Z]((cp,p),c}s = p(cp(s),c(s)}.
This clearly satisfies parametricity, but the naturality diagram
m[X]
{*} _ _ _..::........;:...._.._ _.. «comm- comm}}X
id l l «comm- comm}}e
{*} m[X x Y] «comm- comm}}(X x Y)
falls, for e an expansion, using essentially the same counterexample as above.
That is, for
e': X X Y -+ (X X Y) X Z
the state m[X](*)[(X x Y) x Z]((e; e'),c} ((x,y},z} will not necessarily be
equal to the state m[X x Y](*)[(X x Y) x Z](e',c} ((x,y},z}.
From this we see a curious property. While parametricity implies naturality

for all families of maps in the correct position to qualify as a transformation
from (comm) to (comm), the analogous property does not hold for maps
from 1 to (comm- comm). Thus, we see the reason for the uncurried
presentation of types that we gave in the category-free semantics: the property
that relational parametricity implies naturality is not stable under currying and
uncurrying isomorphisms.
At this point it is worth mentioning that these Observations are not at all
at odds with the result of [Plotkin and Abadi, 1993] that relational parametric-
ity implies (di)naturality. This result applies under assumptions that are not
met here. (For instance, in [Plotkin and Abadi, 1993] the source and target
categories are the same, while here the source Wv is different from the target
Sv.)
10 The PER Model

In presenting a model based on partial equivalence relations we are taking
the opposite tack to the one taken with the relational model. Webegin with
a presentation based on functors and natural transformations, and work our
way back towards a functor-free description.
Once the decision has been made to re-cast the ideas of [Reynolds, 1981b;
Oles, 1982] in a realizability setting, the definition of the modelfalls out al-
most immediately. We work with a category of "realizable" functors PER1:,
where PER is the usual category of partial equivalence relations and ~ is a
suitable version of Oles's category of store shapes. As most of the definitions
are essentially as in [Oles, 1982], we will move fairly quickly over the mate-
rial in this section. The point of the development is to show how this simple
re-casting of the Reynolds-Oles ideas gives us good uniformity conditions for
reasoning about local variables.
We will be working with categories equipped with a notion of realizability.
These structures can be viewed elegantly as intemal categories in the effective
topos, or in the category of w-sets (see [Hyland, 1988; Hyland et al., 1989;
Longo and Moggi, 1991]). To simplify the presentation we will keep intemal-
category aspects of the model in the background (though this viewpoint cer-
tainly guides the definitions).
We use m · n to denote Kleene application on w, the natural numbers
(i.e., the application of the m'th partial recursive function to n). (-, -) is a
recursive bijection from wxw to w, and fst and snd arenumberssuch that
fst · (m, n) = m and snd · (m, n) = n. We let pid denote a code for the identity
function on w, and pcomp a realizer for composition in diagrammarte order,
so pcomp · m · n · a = n · (m · a). (We adopt the convention that Kleene
application associates to the left.)
A per A is a partial equivalence relation (transitive, symmetric) on the
natural numbers. The equivalence dass of n is [n]A = {m I n[A]m}. The
set of equivalence classes is Q(A) = {[p]A I p[A]p}. The domain of A is
dom(A) = {n I n[A]n}.
A morphism f: A - B of pers is a function from Q (A) to Q (B) such that

3n. Vp.p[A]p implies f([p]A) = [n · P]B
(This assumes that n · p is defined.) We say that n realizes f (notation: n 1= f),

and often write lni:A- B to indicate a map that n realizes. Composition is
just composition of functions. This defines the category PER.
Ob(PER) and Mor(PER) are the sets of objects and morphisms of PER.
There is no notion of realizability for objects of PER, or rather this notion
is trivial:
VA E Ob(PER) Vn. n I= A.
PER is cartesian closed. A terminal object 1 is the per that relates all natural
numbers, so it has one equivalence dass. lf A and B are pers, then the pers
AxB and A ,.. B are defined by
(a, b) [AxB] (a', b') iff a[A]a' A b[B]b',
m[A,..B]n iff Va,a'.a[A]a'implies(m·a)[B](n·a')

Again we will ignore recursion in this semantics. It could be incorporated
using one of the PER categories that possess domain-theoretic structure [Ama-
dio, 1989; Freyd et al., 1990; Phoa, 1990].
10.1 Store Shapes

Oles's construction of the category of store shapes can be carried out starting
from any category C with finite products, by expressing the equational con-
straints on morphisms as commutative diagrams. The resulting category ~(C)
is as follows. (The proof that this is indeed a category follows routinely as in
[Oles, 1982].)
OBJECTS. The objects are those of C.
MORPHISMS. A ~(C)-morphism from W to Xis a pair of maps cJ>: X - W
and p: W x X - X in C such that the following three diagrams com-
mute:
cJ> X id
XxX--'----WxX
diagl lp
X id X
fst x (snd; snd)

W X (W X X) ---'-----......;._----'--- W X X
tdxpl lp
WxX p X
IDENTITIES. The identity on X is (idx, fst), where fst is the first projec-
tion.
COMPOSITION. If cp,p:X- Y and cp',p':Y- Z, their composite is

cp", p" where cp" = cp' ; cp and p" is ( ( (id x cp') ; p), snd) ; p'. (Here
( ·, ·) is the pairing associated with the Cartesian structure in C, not the
recursive pairing bijection on w.)
For example, ~(C) is Oles's category of store shapes for a suitable small
cartesian subcategory C of the category of sets. More interestingly (as pointed
out by A. Pitts), the category W e of relations between store shapes from Sec-
tion 7 is also a category of the form ~(C), for Ca suitable (small) subcategory
of the category Se of binary relations and relation-preserving pairs of func-
tions. This is further justification for the definition of related Wv-morphisms.
We are going to work with ~(PER) as our category of store shapes; in this
section, we simply call this ~- As with PER, there will be no realizability relation
for objects. For morphisms, if (cp,p):W- X in~ then (m,n) 1= (cp,p) ifi
m 1= cp: X - W and n 1= p: W x X - W as PER maps. Note that here (m, n) is
not a pair, but a number produced by the pairing bijection. We again use the
notation Im I: X - Y for a morphism in~ realized by m. (The ambiguity in the
notations 1= and I · I, which are used both for PER and ~. is always resolved by
the context.)
The expansion maps X - XxV are realized by expand = (fst, overwrite)
where
overwrite · (x', (x, v)) = (x', v).
We will often rely on equations such as the one for overwrite to define a
realizer implicitly. This will be more readable than using .\ and projections
everywhere, as in
overwrite = .\y. (snd · y, snd · (fst · y)) .
The identity on a ~-object Xis given by the realizer wid = (pid, fst). For
composition, suppose l(f,g)I:X- Y and l(f',g')l: Y - Z. A realizer (r,q)
for their composite is as follows: r is pcomp · f' · f, and
q · (z,x) = g' · (z,g · (f' · z,x))
From this definition it is clear that there exists a number wcomp such that
wcomp · h · i realizes the composite lhl; Ii I in~. Notlee that expansions, com-
position and identities are given uniformly, by a single realizer for each.
10.2 Realizable Functors and Natural Transformations
A functor F from ~ to PER is realizable ifi there is a number n such that
Vh E Mor(~) Vm.if m 1= h then n · m 1= F(h).
We say that n realizes F. There is no condition on how Facts on objects.
As F is a functor it preserves identities and composites. Notice, however,
that the explicitly-specified realizers for identities and composites need not
be preserved. For example, m · wid = pid need not hold; m · wid must simply
be a realizer for the identity on F(A), for each PER A.
Suppose F and G are realizable functors from ~ to PER. A natural trans-
formation 17: F ..:. G is realizable ifi for some n,
VX E Ob(~).n I= 17X.
For a natural transformation to be realizable all of its components must be

given by the same code. Realizable natural transformations compose in the
usual componentwise (vertical) fashion. We let PERl: denote this category of
realizable functors and realizable natural transformations.
Proposition 12 (Freyd-Robinson-Rosolini) PERl: is Cartesian closed.
Proof: ~ and PER, together with their notions of realizability, can be viewed as
internal categories in the category of w-sets, or the ...,...,_separated presheaves
in the effective topos. As such a category, PER is "complete" and Cartesian
closed (see [Robinson, 1989] for a discussion of various notions of complete-
ness). By the result of [Freyd et al., 1992b] this means that the internal cate-
gory of functors ~ - PER is (internally) Cartesian closed, which implies that
the external category PERl: of realizable functors is Cartesian closed. I
The exponential in this functor category can be described using the appro-
priate analogues of Yoneda functors. If X and Y are ~ objects, then the PER
hxY is suchthat m[hXY]n iff Im I = lni:X- Y as ~ maps. The realizer for
the morphism part of hx ( ·) is
'Af.ll.g. wcomp · g · f
If F and G are realizable functors, then the PER GF (X) is
m[GF(X)]n iff lml=lnl:hXxF..:...G.
A realizer for the morphism part of GF is h where
h ·f · m · (a, b) = m · ((wcomp · f · a), b).
The semantics of base types goes as follows. (We assume that there is a
PER [ö] associated with each data type ö.)
For expressions,
[exp[öl]A = A '* [8]
On ~-morphisms, when l(f,g)I:A- B, we want
[exp[öl] l(f,g)l: (A '* [ö])- (B '* [ö])
A realizer of this map is m such that
m ·e·s = e· (f · s).
Arealizerfor [exp[öl]:Mor(~) -Mor(PER) is then ll.hll.ell.s.e · (fst· h · s). To
see that this is a good definition, notice that, from the relation-preservation
property of PER maps, if s[B]s', e[A '* N]e' and f[BxA '* B]f', then e · (f · s) =
e' · (f' · s'). Notice also that this realizer is completely independent of ö. It is
as if the realizer were parametrically polymorphic in ö.
For commands:
[comm]A = A => A
and a realizer for
[comm] I(f, g) I: (A '* A)- (B => B)
is m such that
m·C·S = g· (S,C· (f·S)).
For variables,
[var[ö]]A = ([<5] ~ [comm]A) x [exp[ö]]A
and
[var[ö]] l<f,g)l = {(id[oJ~([comm] l<f,g)l), ([exp[ö]] l<f,g>l>}
where we are using ~ on morphisms in the usual way and {·, ·} is the pairing
associated with the Cartesian structure of PER; the required realizer should be
evident.
Procedure types are defined using the exponential in PER~: [0- 0'] =
[0']1111.
These definitions of types are almost exactly as in [Oles, 1982). The seman-
tics of terms is also essentially similar. Weillustrate by defining the semantics
of new. First we define the standard local variable locvar.
We need a realizer acc for the acceptor part of a local variable. It is given
by
acc · n · (s, m) = (s, n)
The number (s, m) is thought of as a state, where s is the non-local part of the
stack.
The expression part of a local variable should map (s, m) to m, so it is
simply snd. We then define
locvar = ( acc, snd ).
Notice that locvar E dom ([var]XxY), for any ~-objects X and Y. The Stan-
dard local variable is "uniformly given" for all worlds.
For new.5, we need a realizable natural transformation of type
[var[ö]- comm]....:.. [comm].lts realizer new0 is as follows:
newo · p · s = fst · (p · (expand, locvar) · (s, 8))
Once again, 8 is a standard initial value for variables of type <5. We could, of
course, do away with this standard value by accepting the initialization as an
argument to a new block. Then the realizer for new would be independent of
<5 altogether.
10.3 Naturality and the Groupoid Interpretation

Our aim is to obtain results analogous to the Naturality Theorem and Rep-
resentation Theorem, but using uniform realizability in PERs in place of
Reynolds parametricity. This will be done in the context of the groupoid inter-
pretation of polymorphism from [Freyd et al., 1992b; Phoa, 1991).
In the usual Moggi-Hyland interpretation of polymorphism, a type
with, say, one free type variable is interpreted as (internally) a function
F: Ob(C) - Ob(C) where Cis an internal category and the V quantifier is in-
terpreted as an internal product. In the case that C is PER, the product VF is
the intersection nxeOb(PER) F(X). The groupoid interpretationmodifies this by
interpreting a type as a funetor F: C180 - C, where C is the groupoid of iso-

morphisms in C. Then VFis taken tobe a Iimit of the funetor F. In the ease of
PER, the groupoid interpretation of V F ean be ealeulated as follows: m[V F]n
iff m[nxF(X)]n and (f · i · m)[F(Y)](f · j · n) whenever lil = lji:X- Y is an
isomorphism and f is a realizer for F.
We will eontinue to work extemally. One point that should be noted, how-
ever, is that by PER180 we aetually mean the eategory of isomorphism pairs from
PER. This is needed to allow effeetive eomputation of inverses.
Lemma 13 (Expansion Faetorization for PER) Every ~-morphism ( cp, p) from
W to X can be factored into an expansion followed by an isomorphism
e t
W - W x Y - X. Furthermore, Y can always be taken to be a super-per of X,
and realizers for i and its inverse can be effectively calculated (rom a realizer
for (cp,p).
Proof: Suppose I(f, 9) 1: W- X. Define the PER Y by
Y1[Yly2 iff w1[W]w2 implies (9 · (wi.yi))[X](9 · (w2.Y2))
Notlee that Xis a sub-per of Y. The isomorphism i is eoded by ((',9') where
f' = 'Ax. (f · x,x)
9' = pcomp · 9 · fst
Clearly, f' and 9' are obtained effeetively from f and 9 and the inverse of
l(f',9')1 is
(9, pcomp · f' · fst)
That these maps have the required properties ean be shown straightforwardly
using the definition of Y and the diagrammarte eonditions on maps in ~- 1
We ean then show that, for transformations into a base type, naturality
on all maps is assured if we assume naturality with respeet to isomorphisms
only.
Theorem 14 (Naturality for PER) Suppose A: ~ - PER is a realizable functor
and lni:A(-)- [ß](-) is natural with respect to isomorphisms in~- Then lnl
is natural on all maps in ~-
Proof: As any ~-map faetors into an expansion followed by an isomorphism,

the result will follow if we ean show
A(W) ----'-ln....:..l_ _ _ [ß](W)
A(lexpandl) I 1
[ß](lexpandl)
A(W X X) lnl [ß](W X X)
We will give the proof for ß = comm.

Consider any x E dom (X), and let R}( be the PER with domain {x}. Then
Iexpandl: W- W x R}(
is an isomorphism in~. and the assumption of naturality on isomorphisms im-
plies that (n· (h· expand·a 1 ) • (WI.X) )[WxR}(]((n·a2 ·w2), x) when a 1 [A(X)]a 2
154 Chapter 16, Parametricity and Local Variables
and w1 [W]w2, where h is a realizer for A. If the PERXis non-empty, we have

Rl( !;;;; X and, since expand also realizes the expansion W - W x X,
(n · (p · expand · a1) · (w1,x))[W x X]((n · a2 · w2),x)
as required. If X is the empty PER, then commutativity is assured trivially. I
We are now ready to relate suitably uncurried function types to the
groupoid interpretation of polymorphism. First, note that there is an obvi·
ous embedding functor E: PER180 - ~- 1t is the identity on objects, and on
morphisms takes an isomorphism pair l(i,j)I:X- W in PER180 to the map
l(j, (pcomp · fst · 0)1. The requirement that a morphism in PER180 consist of
both an isomorphism and its inverse is important here for the functor E to be
realizable. Composing with E then takes a functor ~ - PER to PER180 - PER.
For F:PER180 - PER and X aPER, let F(X x -) be the (realizable) functor
that takes Y to F(X x Y) and an isomorphism i to F(X x i).
Theorem 15 (Representation for PER) Suppose A: ~ - PER is a realizable
functor. Then ([ß]A)W is isomorphic to
v((<E;A) => <E; [ß]))<W x ->).
where V' is as in the groupoid interpretation and (-) => (-) is the evident bifunctor
PER180 x PER180 - PER.

Proof: The only non-trivial part of the proof is to set up the isomorphism
from the PER V' ( ( (E; A) => (E; [ß])}(W x -)) to ([ß]A)W. Let hA amd hp be
realizers for A and [ß]. Recall from Lemma 13 that, given a realizer r for a map
W - X in ~. we can effectively calculate a realizer r1 for i in the factorization
W __!... W x Y..!.. X tagether with a realizer r,- 1 for its inverse iso. (Recall also
from the proof of 13 that the calculation of r, and r,- 1 is independent of W, X,
and Y.) The isomorphism that we want is realized by j suchthat
j · m · (r, a) = hp • r; · (m · (expand, (hA · r,- 1 • a)))
Lemma 13 and Theorem 14 can then be used to show that j codes a well-
defined map and that it is an isomorphism whose inverse is realized by k
where k · p · a = p · (expand, a). I
Using known facts about PERmodels [Hyland et al., 1989; Freyd et al., 1992a]
we immediately obtain that, for example, [ conun - conun] 1 is isomorphic to
the PER N that relates each natural number to itself.
We do not know if this theorem goes through for the Moggi-Hyland in·
terpretation of polymorphism with PERs. 1t does whenever A is a product of
ALGOL base types, but what happens at higher-order ALGOL·definable types is
not clear to us.
If we try to generalize the result by allowing [ß] to be an arbitrary real-
izable functor then we run into the same problern as in the relational model.
Specifically, if
m · n · ((f, g), c) · s = 9 · (f · s, c · s)
then lml: 1(-)- [conun- conun](-) is natural on isomorphisms, but not
on all maps. lt is interesting to compare this to the result of Freyd, Robinson
and Rosolini [1993). They show that any realizable natural transformation
between realizable functors PER1·so - I PER - F PER and PER1·so - I PER - G PER,
where I is the embedding, determines a natural transformation between F and
G. Our counterexample simply shows that the analogous property does not
hold for composites PERiso _E. ~ ll PER.
We conclude the section with an example of reasoning about local variables
using PERs. Recall the abstract "switch" from the end of Section 5:
begin begin
Boolean z; integer z;
procedure flick; z := true; procedure flick; z := z + 1;
Boolean procedure on; Boolean procedure on;
on:= z; on:= z ~ 1;
z := false; z := 0;
P(flick, on) P(flick, on)
end end
Let 2 be aPER of booleans: its equivalence classes are {0}, regarded as false,
and {1}, regarded as true. By the semantics of new and the Representation
Theorem for PERs, we can show the following equivalence of polymorphic
functions:
fst (p[N) ((id x .\n. n + 1), .\s. snd(s)(~ 1)) (s, 0))
- fst (p[2) ((id x .\n.1), .\s. snd(s)( = 1)) (s, 0))
for p: Vy. (0< X y--+ 0< X y) X (0< X y--+ 2)--+ 0< X y--+ 0< X y). Here, ~1 and =1
are the obvious functions that return 0 or 1 depending on the values of their
arguments.
To reason about these functions we consider a number of realizers. Let
flickl besuchthat flickl · (w, n) = (w, n + 1). Similarly, flick2 · (w, n) = (w, 1),
onl · (w, n) = ifn ~ 1 then 1 else 0 and on2 · (w, n) = ifn = 1 then 1 else 0. lf
m is a realizer for p then
m · (flickl, onl) E dom (W x N => W x N)
and
m · (flick2, on2) E dom (W x 2 => W x 2).
Consider the PER N+ that relates 0 to itself and all positive numbers to one
another. Then flickl[W x N+ => W x N+]flick2 and onl[W x N+ => 2]on2. Since
m E dom((WxN+ => WxN+) x (WxN+ =>2) => WxN+ => WxN+))
we may conclude that

(m · (flickl, onl)) [W x N+ => W x N+] (m · (flick2, on2))
This means that
fst· (m · (flickl,onl) · (w1,0)) [W] fst· (m · (flick2,on2) · (w2,0))
whenever wi[W]w2, so the results are "equal" (in the same W-equivalence
dass), which is what we wanted to show.
The pertinent aspects of PERs that we have used here are that the same
number realizes instantiations of p at different types, and that realizers in
instantiations 2 and N for different arguments to p are "equivalent" in the
PER N+. All of the examples from Section 5 can be validated using similar
reasoning.
11 Conclusion
In this work we have argued that the phenomenon of local state is intimately
linked to Strachey's notion of parametric polymorphism, and we have shown
that reasoning about local variables often amounts to proving properties of
polymorphic functions. The Straightforward treatment of a number of test ex-
amples, and representations of first-order types obtained from parametricity,
lend a measure of support to our position. However, as is the case with mod-
els of polymorphism, little is known about the semantics at higher types, and
we do not know ü full abstraction can be achieved using our methods.
No previous model of local variables correctly handles all of the test equiv-
alences that we have demonstrated here. However, Sieher [1993] (building on
the earlier paper [Meyer and Sieber, 1988]) has recently constructed a model
which also treats all of them correctly. Sieber's model is similar in many re-
spects to our relational-parametricity model: it also is based on functors and
logical relations; however, the exact connection between the models is not
clear to us. Firstly, Sieber's approach is tightly tied to locations. Our approach
can also be applied with a location-oriented semantics (as we did in the pre-
liminary version [O'Hearn and Tennent, 1993a]), but a location-free semantics
is much cleaner, as predicted in [Reynolds, 1981b]. A more substantive differ-
ence has to do with identity relations. Sieher allows for non-identity relations
on the set of natural numbers; this ties up with the treatment of sequentiality
in [Sieber, 1992]. And there is also some question concerning the respective
roles of identities in treating function types.
Our identification of parametricity as the central notion connected to lo-
cality provides, in our opinion, a sonnder conceptual basis for explaining why
and how this form of uniformity arises in local-variable semantics. In the
Sieher and Meyer-Sieber work, logical relations appear primarily as an ad hoc
method of cutting down a model. The fact that many of the subtleties in local-
variable semantics involve the form of data abstraction that can be achieved
with procedures and local variables gives a fairly coherent explanation as to
why parametricity and logical relations should be relevant. And, as we have
seen, reasoning about local variables often amounts to proving properties of
polymorphic functions. The PER model serves to further underscore our posi-
tion.
But, independently of this, we would like to acknowledge the influence
of [Meyer and Sieber, 1988] on this work. For one, contemplation of their
equivalences-which incidentally are primarily responsible for a wider under-
standing of the subtleties involved in local-variable semantics-played a part
in leading us to propose parametricity as a central theme. For another, their
use of functors and logical relations certainly had an influence, albeit indi-
rectly, on our development of the relational-parametricity model.
Honsell, Mason, Smith and Talcott [1995] have developed a logic for rea-
soning about state based on operational, rather than denotational, semantics;
see also the earlier paper [Mason and Talcott, 1992]. Once again, we feel that
the conceptual principles underlying their formal rules for reasoning about
local state are not as clear as, and lack the coherence of, our parametricity-
locality connection. Their logic appears tobe quite powerful, however, and
many of the subtle local-variable equivalences can be proven in the logic. It
would be interesting to see if a suitable representation-independence property
for local state could be derived in their logic, or if such a property could be
formulated in a way that could be added to their reasoning framework.
Wehave used the framework of reflexive graphs mainly to examine the
specific structure of our model, but it may have more general interest. Re-
flexive graphs could conceivably be of use in studying the connection between
relational parametricity and naturality in a more general context, or in clari-
fying the mathematical significance of using diagonal relations as "identities."
It may be that our Cartesian closure result can be considered as an instance
of a reflexive-graph version of the usual result that the functor category cx is
Cartesian closed whenever C is Cartesian closed and complete (the results of
[Freyd et al., 1992b] could be relevant here). Similar kinds of structure have
been used by Pitts [1993] in bis study of relations and recursive domain equa-
tions, and by Pitts and Stark [1993a, 1993b] in their study of dynamic alloca-
tion. Dynamic allocation poses challenging problems beyond those considered
here, where we have considered variable declarations that obey a stack disci-
pline. (Some examples from [Pitts and Stark, 1993b] suggest that parametric-
ity, by itself, might not be sufficient for understanding dynamic allocation.)
The problern of single threading is deserving of further attention. It is
interesting that most work on the semantics of state, including that of the au-
thors, has concentrated on local variables. In our opinion, the single-threaded
nature of state is at least as fundamental an issue as the nature of local vari-
ables. In this paper, the main aim was to examine the phenomenon of locality,
and we feel that it is reasonable to study this in isolation from single thread-
ing. However, ideally a semantics of state should exclude the kind of state
backtracking found in the block expression.
(A. Meyer has pointed out that the "single threading" terminology can be
misleading. The issue does not concem single versus multiple threads of exe-
cution, but rather "backtracking within a single thread." Since the term "single
threading" is now used extensively in the functional programming community,
we continue to use it here to avoid needless terminological differences. The
reader should be warned, however, of the possible confusion that may arise if
one thinks of the more common programming usage of the term "thread.")
A simple equivalence which illustrates the problern is the following:
if x = 0 then f(O) eise 1 if x = 0 then f(x) eise 1.
This equivalence falls in our model because of the phenomenon of temporary

side effects; an f that distinguishes these terms is
.\y: exp[int]. domt x := 3 result y
This particular equivalence is given only to illustrate the problem, and is

not itself a serious challenge for semantics: we have known for some time
how this and similar examples of temporary side-effect can be eliminated. One
method is to use the state-set restrictions of [Tennent, 1991]. Another, which
is somewhat less "intensional," is to interpret a function type for expressions
so that the state argument appears only at the outermost Ievel; i.e., we would
define
(exp[ö]- exp[ö'J]W = W- ([c5]- [ö'])
(this is as in [Goerdt, 1985]). But these must be regarded as limited partial
solutions. What we do not have is a general semantic explanation of single
threading that encompasses such special cases.
The first thing that comes to mind when considering single threading is to
try and apply ideas from linear logic; however, naive attempts we have made
along these lines have failed. One difficulty is that linearity captures only one
aspect of state: that a state change destroys the old state. It does not capture
the intuition that there may be multiple readers of a variable in a context
where the variable is not assigned to. A more serious difficulty is that an
ALGOL program is single-threaded only in the state, not in phrase types, and
it is not obvious how to reconcile this with the interpretation of procedure
types. A less naive use of linear logic, which involves non-trivial extensions to
the basic framework, appears in preliminary work of Reddy [1993]. It will be
interesting to see if the single-threaded nature of state can be made precise in
this setting. (Reddy's semanlies also appears to handle local variables well.)
One of the problems we faced in this work was that parametricity is a con-
cept whose rigorous formulation is still undergoing development, e.g., [Wadler,
1989;MaandReynolds, 199l;Freydetal., 1992b;PlotkinandAbadi, 1993]. We
illustrated our ideas with two of the more appealing approaches, those based
on PERs and logical relations, but it may be expected that our understanding
of locality will improve with that of parametricity (or possibly vice versa).
An interesting possibility might be to bypass models altogether by exam-
ining a syntactic translation from (a recursion-free dialect of) ALGOL into the
polymorphic .\-calculus. Such a translation is implicit in, or can easily be ob-
tained from, the category-free presentation of our semanlies (consider espe-
cially the PER model). One could ask which Poly-i\ theory is generated by
this translation, where we equate all Poly-i\ terms that are the translations of
observationally equivalent ALGOL terms (and close up under the equational
rules of the polymorphic calculus). A related question is whether there is a
Poly-.\ theory for which this translation is fully abstract (in that equivalence is
preserved and reflected); we conjecture that the maximum consistent Poly-i\
theory of Moggi [1988] and Statman is one such example. One can also ask
whether there is a unique such theory.
We do not know if there is there is any difference between the equational
theories generated by our PER and relational-parametricity models; this is of
course related to outstanding questions about the PER model of the polymor-
phic i\-calculus. Nevertheless, there are advantages to each model.
In the case of PERs the model construction is smoother in some respects
that the relational one: it is simply a re-casting of the ideas of [Reynolds,
1981b; Oles, 1982] in a realizability setting. Once the decision is made to

work with PERs it is quite obvious how to proceed. We work with a category
of "realizable" functors PERl: for ~ a suitable version of Oles's category of
store shapes. Certain properties, like Cartesian closure, are then immediate
from known results [Freyd et al., 1992b]. In contrast, a proper categorical
understanding of the relational model required considerably more work, the
framework itself (of reflexive graphs) not being a priori obvious.
On the other hand, the PER model can be criticized for its reliance on an
underlying model of the untyped .\-calculus; after all, there is nothing impred-
icative about ALGOL! In this respect, the relational model, which is completely
predicative, is more satisfactory. Furthermore, the relational model provides
a very direct codification of common informal techniques for reasoning about
data abstraction in imperative languages.
Of course, the corresponding advantage of the PER-based model is that
it extends to an interpretation of a polymorphic variant of ALGOL. A direc-
tion for future work would be to give a model for such a language in which
data abstraction using local variables is combined with that obtained from
user-defined types. The design and semantics of such a language is not as
Straightforward as it may seem. There are subtleties in interpreting polymor-
phic conditionals, due to the state dependence of the boolean type; this is
related to problems discussed in [Tennent, 1989]. We expect that quantifiers
would have to range over appropriate state-dependent objects. Also, as men-
tioned in [Reynolds, 1983], close attention should be paid to the distinction
between data types and phrase types. For example, the assignment operation
should be thought of as a parametric polymorphic function, for polymorphism
over data types, while, e.g., a fixed-point operator should be parametrically
polymorphic over phrase types.
ADDENDUM Oanuary 1995) Since the work described in the body of
this paper was done, there have been several developments. First, Robin-
son and Rosolini [1994) have given an elegant construction of parametric
models of second-order .\-calculus utilizing reflexive graphs in the set-
ting of internal-category models of polymorphism. Second, Sieher [1994)
has used bis methods to give a full abstraction result for closed terms
of up to second-order type, in a language containing a snapback com-
binator. Third, Reddy's development has matured considerably, and ac-
counts to a very good (but not completely understood) degree for both
locality and single threading, in the context of syntactic control of inter-
ference [Reddy, 1994; Reddy, 1996). Finally, this "object-based" approach
of Reddy has been merged with functor categories [O'Heam and Reddy,
1995) to produce a model of a language without snapback combinators
that is fully abstract for closed terms of up to second-order type. This fi-
nal direction appears to have important Connections with the parametric-
ity viewpoint expressed here; the details await further development.
Acknowledgements
Some of this research was carried out at the Labaratory for Foundations of Computer
Science, Department of Computer Science, University of Edinburgh. A preliminary re-
port on some of this work appeared as [O'Hearn and Tennent, 1993a). The realization
that parametricity implies naturality in certain circumstances followed from a conver-

sation with John Reynolds. We are grateful to Andy Pitts, Edmund Robinson, John
Power and Barry Jay for advice on categorical matters, and to Benli Pierce, Phil Wadler
and QingMing Ma for comments. John Reynolds's macros were used for diagrams.
References
ABRAMSKY, S. AND }ENSEN, T. P. 1991. A relational approach to strictness analysis for
higher-order polymorphic functions. In Conference Record of the Eighteenth ACM
Symposium on Principles of Programming Languages, Orlando, Florida. ACM, New
York, pages 49-54 .
.AMADio, R. M. 1989. Recursion over realizability structures. Information and Compu-
tation, 91:55-85.
BARR, M. AND WELLS, C. 1990. Category Theory for Computing Science. Prentice-Hall
International, London.
CooK, W. 1991. Object-oriented programming versus abstract data types. In Pounda-
tions ofObject-Oriented Languages, J. W. de Bakker, W. P. de Roever, and G. Rozen-
berg, editors, volume 489 of Lecture Notes in Computer Science. Springer-Verlag,
Berlin, pages 151-178.
FOURMAN, M. P., jOHNSTONE, P. T., AND PITTS, AM., editors, 1992. Applications ofCat-
egories in Computer Science, volume 177 of London Mathematical Society Lecture
Note Series. Cambridge University Press, Cambridge, England.
FREYD, P. j., MULRY, P., ROSOLINI, G., AND SCOTT, D. S. 1990. Extensional PERs. In [UCS,
1990], pages 346-354.
FREYD, P. j., ROBINSON, E. P., AND ROSOLINI, G. 1992a. Dinaturality for free. In [Fourman
et al., 1992], pages 107-118.
FREYD, P. j., ROBINSON, E. P., AND ROSOLINI, G. 1992b. Funetarial parametricity. In
[UCS, 1992], pages 444-452.
GoERDT, A 1985. A Hoare calculus for functions defined by recursion on higher types.
In Logics ofPrograms 1985, R. Parikh, editor, volume 193 of Lecture Notes in Com-
puter Science, Brooklyn, N.Y. Springer-Verlag, Berlin, pages 106-117.
GRIES, D., editor, 1978. Programming Methodology, A Collection of Articles by lFIP
WG 2.3. Springer-Verlag, New York.
HOARE, C. A. R. 1972. Proof of correctness of data representations. Acta Informatica,
1:271-281. Reprinted in [Gries, 1978], pages 269-281.
HONSELL, F., MASON, I. A, SMITH, S., AND TALCOTT, C. 1995. A variable typed logic of
effects. Information and Computation, 119(1):55-90.
HYLAND, j., ROBINSON, E. P., AND ROSOLINI, G. 1989. Algebraic types in PER models.
In Mathematical Foundations of Programming Semantics, Proceedings of the 5th
International Conference, M. MaiD et al., editors, volume 442 of Lecture Notes in
Computer Science, Tulane University, New Orleans. Springer~Verlag, Berlin, 1990,
pages 333-350.
HYLAND, J. M. E. 1988. A small complete category. Annals of Pure and Applied Logic,
40:135-165.
JOHNSTONE, P. T. 1989. Affine categories and naturally Mal'cev categories. Journal of
Pure and Applied Algebra, 61:251-256.
KELLY, G. M. AND STREET, R. H. 1974. Review of the basic elements of 2-categories.
In Category Seminar: Proceedings Sydney Category Theory Seminar, 1972/1973,
G. M. Kelly, editor, volume 420 of Lecture Notes in Mathematics. Springer-Verlag,
LAMBEK, J. AND Scorr, P. J. 1986. Introduction to Higher-Order Categorical Logic.

Cambridge University Press, Cambridge, England.
LAWVERE, F. W. 1989. Qualitative distinctions between some toposes of generalized
graphs. In Categories in Computer Science and Logic, j. W. Gray and A. Scedrov,
editors, volume 92 of Contemporary Mathematics. American Mathematical Society,
pages 261-300.
UCS 1990. Proceedings, Fifth Annual IEEE Symposium on Logic in Computer Science,
Philadelphia, PA. IEEE Computer Society Press, Los Alamitos, California.
UCS 1992. Proceedings, 7th Annual IEEE Symposium on Logic in Computer Science,
Santa Cruz, California. IEEE Computer Society Press, Los Alamitos, California.
UCS 1994. Proceedings, Ninth Annual IEEE Symposium on Logic in Computer Science,
Paris, France. IEEE Computer Society Press, Los Alamitos, California.
LONGO, G. AND MaGGI, E. 1991. Constructive natural deduction and its "w-set" inter-
pretation. Mathematical Structures in Computer Science, 1(2):215-254.
MA, Q. AND REYNOLDS, J, C. 1991. Types, abstraction, and parametric polymorphism,
part 2. In Mathematical Foundations of Programming Semantics, Proceedings of
the 7th International Con(erence, S. Brookes et al., editors, volume 598 of Lecture
Notes in Computer Science, Pittsburgh, PA. Springer-Verlag, Berlin, 1992, pages
1-40.
MAc LANE, S. 1971. Categories (or the Working Mathematician. Springer-Verlag, New
York.
MASON, I. A. AND TALCOTT, C. L. 1992. References, local variables, and operational
reasoning. In [UCS, 1992], pages 186-197.
MEYER, A. R. AND SIEBER, K. 1988. Towards fully abstract semantics for local vari-
ables: preliminary report. In Con(erence Record of the Fifteenth Annual ACM Sym-
posium on Principles of Programming Languages, San Diego, California. ACM, New
York, pages 191-203. See Chapter 7.
MITCHELL, J. AND SCEDROV, A. 1992. Notes on sconing and relators. In Computer
Science Logic: 6th Workshop, CSL '92: Selected Papers, E. Boerger et al., editors,
volume 702 of Lecture Notes in Computer Science, San Miniato, Italy. Springer-
Verlag, Berlin, 1993, pages 352-378.
MITCHELL, J, C. 1986. Representation independence and data abstraction. In Con-
(erence Record 13th Annua/ ACM Symposium on Principles of Programming Lan-
guages, St. Petersburg, Florida. ACM, New York, pages 263-276.
MITCHELL, J, C. 1990. Type systems for programming languages. In Handbook of The-
oretical Computer Science, J. van Leeuwen, editor, volume B. Elsevier, Amsterdam,
and The MIT Press, Cambridge, Mass., pages 365-458.
MaGGI, E. 1988. The maximum consistent theory of the second-order ßTJlambda cal-
culus. Unpublished note.
NAUR, P., BACKUS, J. W., ET AL. 1963. Revised report on the algorithmic language
ALGOL 6o. Comm. ACM, 6(1):1-17. Also The Computer Journal 5:349-67, and
Numerische Mathematik 4:420-52. See Chapter 1.
O'HEARN, P. W. AND REDDY, U. S. 1995. Objects, interference, and the Yoneda embed-
ding. In Mathematica/ Foundations of Programming Semantics, Eleventh Annua/
Con(erence, S. Brookes, M. Main, A. Melton, and M. Mislove, editors, volume 1 of
Electronic Notes in Theoretical Computer Science, Tulane University, New Orleans,
Louisiana. Elsevier Science.
O'HEARN, P. W. AND TENNENT, R. D. 1992. Semantics of local variables. In [Fourman

et al., 1992], pages 217-238.
O'HEARN, P. W. AND TENNENT, R. D. 1993a. Relational parametricity and local variables.
In Con(erence Record of the Twentieth Annual ACM SIGPLAN-SIGACT Symposium
on Principles of Programming Languages, Charleston, South Carolina. ACM, New
York, pages 171-184.
O'HEARN, P. W. AND TENNENT, R. D. 1993b. Semantical analysis of specification logic, 2.
Information and Computation, 107(1):25-57. See Chapter 14.
OLES, F. J. 1982. A Category-Theoretic Approach to the Semantics o( Programming
OLES, F. J. 1985. Type algebras, functor categories and block structure. In Algebraic
Methods in Semantics, M. Nivat and J. C. Reynolds, editors. Cambridge University
Press, Cambridge, England, pages 543-573. See Chapter 11.
PHOA, W. 1990. Effective domains and intrinsic structure. In [UCS, 1990], pages 366-
377.
PHOA, W. 1991. Two results on set-theoretic polymorphism. In Category Theory and
Computer Science, D. H. Pitt et al., editors, volume 530 of Leerure Notes in Com-
puter Science, Paris, France. Springer-Verlag, Berlin, pages 219-235.
PITTS, A. AND STARK, I. 1993a. Observable properties of higher order functions that
dynamically create local names, or: What's new? In Mathematical Foundations of
Computer Science, A. M. Borzyszkowski and S. Sokolowski, editors, volume 711 of
Leerure Notes in Computer Science, Gdansk, Poland. Springer-Verlag, Berlin, pages
122-140.
PITTS, A. AND STARK, I. 1993b. On the observable properties of higher order functions
that dynamically create local names (preliminary report). In [SIPL, 1993], pages
31-45.
PITTS, A. M. 199 3. Relational properties of recursively defined domains. In Proceedings,
8th Annual IEEE Symposium on Logic in Computer Science, Montreal, Canada. IEEE
Computer Society Press, Los Alamitos, California, pages 86-97.
PLOTKIN, G. AND ABADI, M. 1993. A logic for parametric polymorphism. In Typed
Lambda Calculi and Applications, M. Bezen and J. F. Groote, editors, volume 664
of Leerure Notes in Computer Science, Utrecht, The Netherlands. Springer-Verlag,
PLOTKIN, G. D. 1980. Lambda-definability in the full type hierarchy. In To H. B. Curry:
Essays in Combinatory Logic, Lambda Calculus and Formalism, J. P. Seldin and J. R.
Hindley, editors. Acadeinic Press, pages 363-373.
REDDY, U. S. 1993. Global state considered unnecessary: semantics ofinterference-free
imperative programining. In [SIPL, 1993], pages 120-135.
REDDY, U. S. 1994. Passivity and independence. In [UCS, 1994], pages 342-352.
REDDY, U. S. 1996. Global state considered unnecessary: Introduction to object-based
semantics. LisP and Symbolic Computation, 9(1):7-76, 1996. See Chapter 19.
REYNOLDS, J. C. 1974. Towards a theory of type structure. In Proc. Colloque sur Ia
Programmation, volume 19 of Leerure Notes in Computer Science, Berlin. Springer-
Verlag, pages 408-425.
REYNOLDS, J. C. 1975. User-defined types and procedural data structures as comple-
mentary approaches to data abstraction. In New Advances in Algorithmic Lan-
guages 1975, S. A. Schuman, editor, Rocquencourt, France. Inst. de Reserche
d'Informatique et d'Automatique, pages 157-168. Reprinted in [Gries, 1978],
pages 309-317.
Peter W. O'Heain and Robert D. Tennent 163
REYNOLDS, J. C. 1978. Syntactic control of interference. In Conference Record of the

Fifth Annual ACM Symposium on Principles of Programming Languages, Tucson,
Arizona. ACM, New York, pages 39-46. See Chapter 10.
REYNOLDS, J. C. 1981a. The Cra(t ofProgramming. Prentice-Hall International, London.
REYNOLDS, J. C. 1981b. The essence of ALGOL. In Algorithmic Languages, J. W.
de Bakker and J. C. van Vliet, editors, Amsterdam. North-Holland, Amsterdam,
pages 345-372. See Chapter 3.
REYNOLDS, J. C. 1983. Types, abstraction and parametric polymorphism. In Informa-
tion Processing 83, R. E. A. Mason, editor. North-Holland, Amsterdam, Paris, France,
pages 513-523.
REYNOLDS, J. C. AND PLOTKIN, G. D. 1993. On functors expressible in the polymorphic
typed lambda calculus. Information and Computation, 105(1):1-29.
ROBINSON, E. P. 1989. How complete is PER? In Proceedings, Fourth Annual Symposium
on Logic in Computer Sdence, Pacific Grove, California. IEEE Computer Society
Press, pages 106-111.
ROBINSON, E. P. AND ROSOUNI, G. 1994. Reflexive graphs and parametric polymor-
phism. In [UCS, 1994], pages 364-371.
SCHMIDT, D. A. 1985. Detecting global variables in denotational specifications. ACM
Trans. on Programming Languages and Systems, 7(3):299-310.
SIEBER, K. 1992. Reasoning about sequential functions via logical relations. In [Four-
man et al., 1992], pages 258-269.
SIEBER, K.. 1993. New steps towards full abstraction for local variables. In [SlPL, 1993],
pages 88-100.
SIEBER, K. 1994. Full abstraction for the second order subset of an ALGOL-like lan-
guage. In Mathematical Foundations of Computer Sdence, volume 841 of Lecture
Notes in Computer Sdence, Kösice, Slovakia. Springer-Verlag, Berlin, pages 608-
617. See Chapter 15.
SlPL 1993. ACM SIGPLAN Workshop on State in Programming Languages, Copenhagen,
Denmark, June 12. Technical report RR-968, Department of Computer Science,
Yale University.
STRACHEY, C. 1967. Fundamental Concepts in Programming Languages. Unpublished
lecture notes, International Summer School in Computer Programming, Copen-
hagen.
TENNENT, R. D. 1989. Elementary data structures in ALGOL-like languages. Sdence of
Computer Programming, 13:73-110.
TENNENT, R. D. 1990. Semantical analysis of specification logic. Information and Com-
putation, 85(2):135-162. See Chapter 13.
TENNENT, R. D. 1991. Semantics of Programming Languages. International Series in
Computer Science. Prentice-Hall International.
WADLER, P. 1989. Theorems for free! In Functional Programming Languages and
Computer Architecture, 4th International Symposium, Imperial College, London.
ACM, NewYork, pages 347-359.
Chapter 17
Reasoning About Local Variables with
Operationally-Based Logical Relations
Andrew M. Pitts
A parametric logical relation between the phrases of an ALGOL-like lan-

guage is presented. Its definition involves the structural operational se-
mantics of the language, but was inspired by denotationally-based work
of O'Hearn and Reynolds on translating ALGOL into a predicatively poly-
morphic linear lambda calculus. The logical relation yields an applicative
characterisation of contextual equivalence for the language and provides
a useful (and complete) method for proving equivalences. Its utility is
illustrated by giving simple and direct proofs of some contextual equiva-
lences, including an interesting equivalence due to O'Hearn which hinges
upon the undefinability of 'snapback' operations (and which goes beyond
the standard suite of 'Meyer-Sieber' examples). Whilst some of the math-
ematical intricacies of denotational semantics are avoided, the hard work
in this operational approach lies in establishing the 'fundamental prop-
erty' for the logical relation-the proof of which makes use of a compact-
ness property of fixpoint recursion with respect to evaluation of phrases.
But once this property has been established, the logical relation provides
a verification method with an attractively low mathematical overhead.
Contents
1 Introduction 165
2 ldealized ALGOL 168
3 The Parametrie Logical Relation 173
4 Example Equivalences 179
5 Related and Further Work 182
References 184
1 Introd.uction
The Observable properties of sequentially executed imperative programs in-
volving higher order procedures and locally declared state can be quite subtle.
This is so even when the use of local state is quite severely constrained, as it is
in languages which are ALGOL-like in the sense of Reynolds [Rey81]-i.e., when
the state just consists of variables storing first order values (as opposed to
function closures, for example) and local-variable declarations are only permit-
ted in comm.ands (not in expressions), are statically scoped, and are executed
using a stack discipline. The subtleties of the extemally observable behaviour
of such locally declared state are such that, despite the considerable efforts
of a nurober of researchers [MS88, Ole85, OT95, Red95, OR95a, Sie95a], no
concrete denotational model of ALGOL has yet been constructed which exactly
First appeared in Proceedings Eleventh Annual IEEE Symposium on Logic in Computer Sdence,
Brunswick, New Jersey, July 1996, pp. 152-163. ©1996 IEEE, reprinted with permission.

166 Chapter 17. Operationally-Based Reasoning About Local Variables
captures observational equivalence for n-th order procedures beyond n = 2 or

3 (depending upon how one counts orders).
Nevertheless, useful semantical ideas and techniques have emerged from
the effort to construct such 'fully abstract' models. The one that we
focus on here concems the parametric logical relationsoccurring in the
work of O'Heam-Tennent [OT95], Sieher [Sie95a, Sie95b], and O'Heam-
Reynolds [OR95b]. Suchrelationsare used for two intertwined purposes. First,
they can be used to identify 'junk' in a model-elements that cannot possibly
be meanings of program phrases. Secondly, they can be used to prove that two
program phrases are observationally equivalent. The work described in this
paperwas motivated by the desire to extract the essence of this second aspect
of the use of logical relations from the mathematical structures used to model
an ALGOL-like language, and to apply that essence directly to the language it-
self equipped with the commonly used notion of operational equivalence-a
Morris-style contextual equivalence.
Recall that two program phrases M1 and M2 are contextually equiva-
lent,written M1 ~ M2, ü occurrences of the phrases in any complete program
can be interchanged without affecting the observable effects of executing the
program. More precisely, M 1 ~ M 2 holds ü for allprogram contexts P[- ],
the programs P[Md and P[M2J have equal observable effects. Although this
is a reasonable notion of semantic equality for program phrases, the quan-
tification over all contexts P[-] which occurs in its definition makes it hard
to work with directly-because the ways in which a context can make use of
its 'hole' can be complicated. One therefore seeks to develop general proper-
ties of contextual equivalence. For example, one might hope to establish the
familiar functional extensionality property for contextual equivalence
F ~ F' : u - u' = 'r/ A: u (FA ~ F' A : u'). (1)
This serves to reduce contextual equivalence at the function type u - u'

to that at the structurally simpler type u'. In languages like SCHEME or ML
this kind of functional extensionality falls, due to the complicated interac-
tions possible between call-by-value function application and locally declared
state in expressions of function type, permitting 'leakage' of private names
out of the textual scope of local declarations; see Pitts and Stark [PS93, Sta94]
for examples. By contrast, ALGOL-like languages, by virtue of having call-by-
name function application and having local-variable declarations restricted to
commands, do satisfy (1). This is part of the ALGOL Operational Extensionality
Theoremwhich we shall prove (Theorem 2.5). It is a generalisation to ALGOL of
Milner's Context Lemma [Mil77] for the purely functionallanguage PCF. The
properties of ALGOL contextual equivalence it expresses will come as no sur-
prise to a connoisseur of the language, but the author was unable to locate
any formal statement or proof of these properties in the literature-mainly
because most existing work concems itself solely with denotational semantics
of ALGOL.
There are several ways to prove the Operational Extensionality Theorem.
For example, one can deduce it via an extension to imperative languages of the
methods developed by Howe [How89, How96] for pure functional languages
(cf. [RP95]). Herewe deduce it from the existence of a certain kind of logical
Andrew M. Pitts 167
relation, whose definition and properties are the main teehnieal eontribution
of this paper. This takes the form of a parametrie family of relations between
closed ALGOL terms of equal type. Roughly speaking, the parameter ranges
over relations between states (whieh in this ease are just assignments of inte-
ger values to global variables). The definition of the logieal relation proeeeds
by induetion on the strueture of types and involves the struetural operational
semanties of the language. Eaeh clause embodies both extensionality prop-
erties and the kind of relational parametrieity eonsidered in a denotational
setting by O'Hearn and Tennent [OT95].
The Operational Extensionality Theorem follows from the faet that eon-
textual equivalenee coincides with the parametrie logieal relation when its pa-
rameter is instantiated to the identity relation on states. This faet is in turn
derived from the logieal relation's 'Fundamental Property' (cf. [Mit90]), namely
that it is preserved by the various term-forming operations of ALGOL. The
proof of the Fundamental Property (Theorem 3.11) is non-trivial beeause of
the presenee of reeursively defined terms in the language. At this point in a
denotational development one ean use the familiar eharaeterisation of least
fixed points (used to model reeursive terms) as least upper bounds of eertain
aseending ehains and apply Seott lnduetion [Seo93, Seetion 3]. Here we de-
velop an operational analogue of this method. This is similar to the approaeh
taken by Smith et al [MST],exeept that we have to deal with an imperative lan-
guage and we use a struetural operational semanties based upon an evaluation
(or 'big-step') relation, rather than a transition (or 'small-step') relation. At the
heart of the proof is a eertain 'eompaetness' property of evaluation with re-
speet to the eanonieal sequenee of approximations to a reeursive term (see the
proof of Proposition 3.7).
The pay-off from the development of the operationally-based parametrie

logical relation is not only a proof of the extensionality properties of ALGOL
eontextual equivalenee, but also a usefw and mathematieally lightweight tool
for proving partiewar equivalenees. We demoostrate this by example. As
well as dealing with the well-known Meyer-Sieber examples [MS88], we prove a
rather subtle equivalenee due to O'Hearn (Example 4.1). It illustrates the eon-
sequenees for eontextual equivalenee of the inability of the partiewar ALGOL-
like language under eonsideration to 'snap-baek' the state to some previous
point in the thread of eomputation. We said above that, roughly speaking, the
logieal relation is parameterized by relations between states. More preeisely,
the parameter is a binary relation on the flat epo of states-in other words
some states get related to a formal, undefined state. This level of generality
is not needed to establish the operational Extensionality Theorem-binary re-
lations on the set of states wowd be enough (see Remark 3.13). Rather, the
generalisation involving undefined states is needed to eope with O'Hearn's ex-
ample, and was adopted from the reeent denotationally-based work of O'Hearn
and Reynolds [OR95b]. The preeise definition of the logieal relation and the
extensionality reswts are given in Seetion 3, and the applieation to proving
equivalenees is given in Seetion 4. In the final seetion we diseuss some related,
operationally-based work and further direetions of researeh.
2 ldealized ALGOL
We will define the parametric logical relation for 'Idealized ALGOL' (IA), a
small ALGOL-like language which has been used by several authors for il-
lustrative purposes. It is a simply typed lambda calculus over ground
types bool (booleans), int (integers), var (variables for storing integers), and
cmd (commands for changing state). It contains terms (of the appropri-
ate types) for lambda abstraction (Ax: u. M), application (FA), conditionals
(if B then M1 eise M2), fixpoint recursion (fixx: u. M), integer and boolean
constants (n, b), and some arithmetic operations and relations (NI * N2). We
choose to make dereferencing explicit in the syntax: !V is the IA term of
type int denoting the contents of a term V of type var. In addition to de-
numerable sets of identifiers of each type (xa), there is a denumerable set of
global variables(.v), each of which is an IA term of type var. Finally, IA con-
tains cmd-building constructs for no-op (skip), integer assignment (V := N),
sequencing (CI; C2), and local-variable blocks (new x := N in C end), in addi-
tion to the conditional and fixpoint constructs which are available at all types
(and which permit one to define various recursive control structures, such as
while - do - ). We write M: u to indicate that the IA term M has type u.
Remark 2.1 (Binding and substitution) The IA terms for A-abstraction, fix-
point recursion, and local-variable blocks are all identifier-binding constructs:
free occurrences of xa in the term M become bound in Ax: u. M and in
fixx: u.M; and free occurrences of xvar in the command C become bound
in new x := N in C end. Henceforward, we will identify IA terms up to
oc-conversion of their bound identifiers.Then M[M' ;xa] will denote the result
(well-defined up to oc-equivalence) of substituting a term M' of type u for all
free occurrences of the identifier xa in the term M. Similarly, M[v' /v] will
denote the result of substituting the global variable v' for all occurrences of
the global variable v in M. We write fi(M) for the finite set of free identifiers
of M, and gv(M) for its finite set of global variables. Let
IAa(W) def {M:ulfi(M)=0 & gv(M)~w}
denote the set of closed IA terms of type u with global variables in the set w.
We specify the operational semantics of IA in terms of an inductively de-
fined evaluation relation of the form
w 1- s;M ~a s';R. (2)
Here w is a finite set of global variables-we call such sets worlds,because
they are an operational trace of the Kripke-style 'possible world' seman-
tics of block structure using functor categories introduced by Reynolds and
Oles [Ole85]. In (2), M and R are elements of IAa(w), and s,s' are statesof
world w-i.e., functions assigning integers to the global variables in w. We
write States(w) for the set of all such states. The intended meaning of (2) is
that given the initial assignment s of values to the relevant global variables,
evaluation of M yields the final result R and state s'. The rules for inductively
generating the evaluation relation are given in Figure 1. They are quite stan-
dard, apart from some notational choices: wv denotes the set w augmented
Andrew M. Pitts 169
w f- s;R ~a s;R, where R ::=bIn I v I skip I ?l.x: a.M
w s;B ~bool S 1 ;b w f- S 1 ;Mb ~a s";R

f-
w f- s; (üB then Mtrue eise MtaJse) ~a s";R
w f- s;NI ~int S1 ;DI w f- S1 ;Nz ~int s";nz if _

w f- s; (NI * Nz} ~type(*) s" ;c c- DI * nz
w f- s;F ~a-a 1 S 1 ;A.x:a.M w f- S 1 ;M[A!xa] ~a~ s";R
w f- s; (FA) ~a 1 s";R
w f- s;M[fixx: a.M jxa] ~a S 1 ;R

w f- s;fixx:a.M ~a S 1 ;R
w f- s;V ~varS 1 ;V . 1
1 Ifn=s (v)
s; .V ~ int s ; n
1
w f-
w f-s;V ~var S 1 ;v w f- S 1 ;N ~int s";n

w f- s;V:= N ~cmd (s";v:=n);skip
w f- s;CI ~cmdS 1 ;skip w f- S 1 ;Cz ~cmds";skip

w f- s; (CI; Cz} ~cmds";skip
w f- s;N ~int S1 ;n wv f- (S 1 ® v:= n); C[v/x] ~cmd (s" ® v := D1 );skip

w f- s; (new x := N in C end) ~cmd s"; skip
Figure 1: lA evaluation rules
by a new element v ti w, and then s ® v := n E States(wv) denotes the state

properly extending the function s by mapping v to the integer n. On the other
hand, if v E w and s E States( w), then s; v := n E States( w) denotes the state
mapping v to n and otherwise acting like s.
The rules in Figure 1 appear more general than they really are when it
comes to sequential state change, because lA evaluation does have the familiar
and desirable property of an ALGOL-like language that evaluation of terms of
non-command type is state dependent, but not state changing.This is the first of
a number of important, but quite Straightforward properties of the evaluation
relation given by the following lemma. Each property can easily be proved by
induction on the derivation of evaluations from the rules in Figure 1.
Lemma2.2
(Side-effect free expressions) I( (2) holds and 0' f. cmd, then s = S 1•
(Equivariance). Given a bijection rr: w = W write M[ rr] (or the result of re- 1
,
placing each v E w by rr(v) in M; and (or each state s E States(w),

write s[rr] for the element of States(w 1 ) which maps each V E W 1 to 1
s(rr-I(V 1((2) holds, then W 1- s[rr];M[rr] ~a S [TT];R[rr].

1
)).
1 1
(Determinacy) Ifw f- s; M ~ u s;; Ri holds for i = 1, 2, then R1 = Rz and s~ = s;.

(Recall that we are identifying IA terms up to oc-equivalence.)
(Weakening and Strengthening) Suppose that w = w1 u wz with w 1 n wz = 0,

and that Si E States(wd for i = 1,2. Given M E IAu(WI), then
w f- s1 ® sz;M ~u s';R holds if and only if R E IAu(WI) and s' = s~ ® Sz
{or some s~ with w1 f- s1;M ~u s~;R.
In view of the first part of the lemma, when a -! cmd we abbreviate (2) to
Wf-S;M~uR. (3)
Similarly, since the only result term of type cmd is skip, when a = cmd we
abbreviate (2) to
w f- s;M ~ s'. (4)
Finally, we write
w f- s;M il'u (5)
to indicate that w f- s; M ~u s'; R does not hold for any s' and R.
Having fixed the syntax and operational semantics of our ALGOL-like lan-
guage, we can give the formal definition of contextual equivalence. As usual, a
contextC[ -u] is a term in which a Subexpression of type a has been replaced
by a 'hole', -u· The expression resulting from filling the hole with an expres-
sion M: a will be denoted by C[M]. Since -u may occur within the scope
of identifier-binding constructs, free identifiers of M may become bound in
C[M]. We write traps(C[ -u]) for the set of identifiers that occur in C[ -u]
associated to binders containing the hole -u within their scope. This 'capture'
of identifiers in fi(M) n traps(C[ -u]) means that although the operation of
substituting M for -u in C[ -u] respects oc-conversion of bound identifiers in
M, it does not necessarily respect oc-conversion of bound identifiers in C[ -u ].
Therefore we do not identify contexts up to oc-conversion. As for terms, so
for contexts we write C[ -u ]: a' to indicate that a' is the type of the context;
fl(C[ -u ]) and gv(C[ -u]) denote the finite sets of free identifiers and global
variables of the context. A closedcontext is one with no free identifiers.
Definition 2.3 (lA contextual equivalence) If M1 and Mz are lA terms of type
a with free identifiers contained in a set r of identifiers, and global variables
contained in a set w of global variables, we write
w,r f- M1 =u Mz
to indicate that the terms are contextually equivalent.By definition this
means that for all worlds w' 2 w, all closed contexts C[ -u ]: cmd with
gv(C[ -u ]) ~ w' and r ~ traps(C[ -u ]), and all states s, s' E States(w'),
w' f- C[MI],s ~ s' = w' f- C[Mz],s ~ s'.
(In case r = 0, i.e., when the Mi are closed terms, we just write w f- M1 =u Mz
for w, 0 f- M1 =u Mz.)
Thus two terms are contextually equivalent if occurrences of them in some
closed command can be interchanged without affecting the meaning of the
Andrew M. Pitts 171
command as a partial function from states to states. This is a reasonable no-

tion of program equivalence for lA, given that it is primarily a language for
defining state-changing algorithms. It is immediate from the definition that
contextual equivalence is a congruencefor lA, i.e., itis an equivalence relation
and is respected by the various term-forming operations. However, the quan-
tification over all contexts that occurs in the definition of contextual equiv-
alence makes it hard to establish further properties directly from 2.3. For
example, it is not immediately obvious that two closed commands are contex-
tually equivalent if they determine the same partial function from states to
states. This is one of a number of useful 'extensionality' properties of lA that
are summed up by the Operational Extensionality Theorem for lA given below.
In order to state it we introduce the notion of extensional equivalence.
Definition 2.4 (Extensional equivalence) If M1 and Mz are closed lA terms of

type a with global variables contained in a set w, we write
w 1- M1 ::::~1 Mz
to indicate that the terms are extensionally equivalent.This notion is defined
by induction on the structure of a, as follows.
• If a = bool, int, then w 1- M1 ==~1 Mz is defined to hold if, for
all s E States(w) and all constants c, w 1- M1. s ~a- c if and only if
w 1- Mz,S ~a- c.
• w 1- C1 ==~d Cz is defined to hold if, for all s,s' E States(w),
w 1- C1.s ~ s' if and onlyif w 1- C2 ,s ~ s'.
• w 1- V1 ==~~~ Vz is defined to hold if w 1- !V1 ==f~f !Vz and, for all n,
w 1- (VI:= n) ==~d (Vz := n).
• w 1- F1 ==~/-a-2 Fz is defined to hold if, for all w' 2 w and all
A E L4a-1 (w'), w' 1- F 1 A ::~1 F 2 A.
We extend extensional equivalence to open terms via closed instantiations:
given terms M1, M2 : a with free identifiers in r = {xa-1 , ••• , x~n} and global
variables in w, we write
w,r 1- M1 ==~1 Mz
to mean that w' 1- M1 [Ä/x] ==~ 1 M1 [Ä/x] holds for all w' 2 w and all
Ai E L4a-; (w') (i = 1, ... , n).
Theorem 2.5 (Operational Extensionality) L4 contextual equivalence coin-

cides with extensional equivalence:
w,ft-M1 :=a-Mz = w,ft-M1 :=lfi1 Mz.

We will prove this theorem in the next section as a corollary of the properties
of the parametric logical relation for lA.
We finish this section with some applications of the theorem to proving
general properties of lA contextual equivalence from corresponding properties
of the evaluation relation.
Example 2.6 (Meyer-Sieber [MS88, Example I]) If C: cmd has its free identi-
fiers contained in r and its global variables contained in w, and if xvar rf. r,
then
W, [ 1-- (new X:= n in C end) ~cmd C.
Proof: According to Theorem 2.5, it suffices to show for all worlds w,
all closed commands C E IAcmd(w), and all states s, s' E States(w) that
w 1-- s; C Us' holds if and only if w 1-- s; (new x := n in C end) U s'. Because
of the structural nature of the rules in Figure 1, the only way that the second
evaluation can be deduced is from
wv 1-- (s ® v:= n);C[v/x] U s' ®V:= n' (6)
for some v rf. w and some n'. Since Cis closed, C[v/x] = C; in particular
gv(C[v/x]) = gv(C) s;; wand so by the 'Weakening and Strengthening' prop-
erty of U (Lemma 2.2), (6) holds if and only if w 1-- s; C U s', as required. I
Example 2.7 (Meyer-Sieber [MS88, Example 3]) Suppose C: cmd has free
identifiers in rxyarx~ar and global variables in w. Define:
CI2 def
= new XI := ni in C2I def
= new X2 := n2 in
new X2 := n2 in new XI := ni in
c C[x2,XI/XI,X2]
end end
end end
Then w,f 1-- C12 ~cmd C2I·
Proof: The argument is similar to that for the previous example, but using the
'Equivariance' property of U given in Lemma 2.2. I
Recall that in logics of partially defined terms, two partial terms are often
called 'Kleene equivalent' if whenever one term is defined so is the other and
in that case they are equal. following a suggestion of Harper, we adopt this
terminology for programming language expressions that may diverge. For IA
this Ieads to the following, rather strong notion of equivalence.
Definition 2.8 (Kleene equivalence) Closed terms MI,M2 E IAu(w) are said
to be Kleene equivalent,and we write
w 1-- MI~~ M2
if, for all s,s' and R, w 1-- s;MI Uu s';R holds if and only if w 1-- s;M2 Uu s';R.
The following Iemma is easily proved by induction on cr.
Lemma 2.9 Ifw 1-- MI ~~ M2 then w 1-- MI ~~ M2.
Thus in view of Theorem 2.5, any Kleene equivalent IA terms are contextually
equivalent.Here are a number of examples, singled out because they will be
needed later.
Examples 2.10 The following pairs of terms are Kleene equivalent and hence
also contextually equivalent. In (vii)-(x), .Lu is an abbreviation for fixx: cr. x.
(i) !(if B then VI eise V2) and if B then !VI eise !V2.
Andrew M. Pitts 173
(ü) (if B then VI eise Vz) := N and if B then VI:= N eise V2 := N.

(iü) V:= (if B then NI eise Nz) and if B then V:= NI eise V:= N 2 •
(iv) (if B then FI eise Fz) A and if B then (FI A) else (F2 A).
(v) (.\.x: a.M) A and M[A/xu].
(vi) fixx:a.M and M[fixx:a.M/xu].
(vü) .Lint and !(.Lvar).
(vüi) .Lcmd and (.Lvar := N), or (V:= .Lind·
(ix) .Lcmd and (.Lcmd; C), or (C; .Lcmd).
(X) .Lu• and (.Lu-u' A).
3 The Parametrie Logical Relation

If Xis a set, the Iift ofX,(XJ., :::;), is the so-called flatpartially ordered set whose
set of elements is Xu {.Lx} (where .Lx 1/:. X) and whose only non-trivial ordering
is .Lx :::; x (any x E X). We need this construct in case X = States(w) is the
set of states at world w. We refer to the elements of States(w)J. as lifted
states,and denote its least element by .L (for all w). It is convenient to extend
the evaluation and divergence relations to lifted states by declaring that w f-
.L;M .U.u s';R does not hold for any M,R E L4u(w), s' E States(w), butthat
W f- .L;M 'fl'u
always holds for any ME .L4u(w).
We will be working with binary reiations between lifted states that relate .L
to itself. For each finite set w of global variables we define
Rel(w) def {R s;;; States(w)J. x States(w)J. I (.L, .L) ER}.
Definition 3.1 The identity relation,1dw E Rel(w), is defined tobe {(s,s) I
s E States(w)J_}. If WI and w2 are disjoint sets of global variables, we write
wiwz for their union. The smash productRI ® Rz E Rel(wiw2 ) of relations
Ri E Rel(wj} is defined tobe {(si ®sz, si ® s~) I (SI, si) E RI & (sz, s~) E Rz},
where
de( { SI U Sz if SI ,fo .L ,fo Sz
SI® Sz -- .L if SI = .L, or Sz = .L
where SI u sz E States(wiwz) is the state mapping v to Si(v) if v E Wi (for
i = 1, 2).
Note that the smash product operation on relations is associative, commu-
tative, and has identity relations as units:
RI ® Rz = Rz ® RI,
1dw®R = R.
Armed with these notions we can give the principal definition of the paper.
Definition 3.2 (Parametric logical relation) For each finite set w of global
variables, each type er, and each relation 'RE Rel(w), we define a binary rela-
tion between closed lA terms of type er with global variables in w, denoted
(M1,M2EIAu(w))
WI-M1'RuM2
The relations are defined simultaneously, for all w and 'R, by induction on the
structure of er as follows. (In giving the clauses, we make use of the extension
of the evaluation and divergence relations to lifted states mentioned above.)
• If er = bool (respectively er = int), then w 1- M1 'Ru M2 is defined
to hold if, for all boolean (respectively integer) constants c1, c 2 and all
(SI, S2) E 'R,
W 1- S1;M1 ~u C1 & W 1- S2;M2 ~u C2 => C1 = C2,
W 1- S1;M1 ~u C1 & W 1- s2;M2 1l'u => (SI, J.) E 'R,

and
S1;M1 1l'u & W 1- s2;M2 ~u C2 => (J.,S2) E 'R.
W 1-
• If er = cmd, then w 1- C1 'Rcmd C2 is defined to hold if, for all states

s~, s~ E States( w) and all (s1. s2) E 'R,
w 1- s1;C1 ~ s~ & w 1- s2;C2 ~ s~ => (s~.s~) E 'R,

w 1- s1; C1 ~ s~ &w 1- s2; C2 1l' cmd => (s~, J.) E 'R,
and
W 1- s1;C1 1l'cmd & W 1- s2;C2 ~ Sz => (J.,Sz) E 'R.
• If = var, then w 1- vl 'Rvar v2 is defined to hold if, for all global

(T
variables v1, v2 E w and all (s1. s2) E 'R,

W 1- S1;V1 .f.l.varVl & W 1- Sz;Vz .f.l.varVz =>
Vn((s1;v1:=n),(s2;v2:=n)) E'R & sr<v1) =s2(v2),
W 1- S1; V1 ~var VI & W 1- S2; V2 1l'var => Vn ((s1;v1 := n), J.) E 'R,
and
W 1- S1; V1 1l'var & W 1- S2; V2 ~var V2 => Vn (J., (s2;v2 := n)) E 'R.
• If er = CT1 - cr2, then w 1- F1 'Ru1 -u2 F2 is defined to hold if, for all
'R' E Rel(w') with w' disjoint from wand all A1,A2 E IAu1 (ww'),
ww' 1- A1 ('R ® 'R')u1 A2 => ww' 1- (F1 A1) ('R ® 'R')u2 (F2 A2).
Remark 3.3 The last clause in this definition is an operational version of the
kind of relational parametricity for functions used previously by O'Hearn and
Tennent (see [OT95, Sect. 2.2]); it also embodies the typical feature of 'logical
relations'-that related functions map related arguments to related results.
The way the logical relation takes account of divergence in the clauses for
bool, int, cmd, and var reflects recent work of O'Hearn and Reynolds [OR95b],
and is crucial for Example 4.1. There is a more elegant formulation of those
clauses, given below. We chose to take the more concrete form in Defini-
tion 3.2, because it is useful for calculations.
The proof of the following two properties is a tedious, but essentially
Straightforward case analysis (making use of the determinacy of evaluation,
Lemma 2.2).
Andrew M. Pitts 175
(i) Let Vala(w) denote the set of closed syntactic valuesof type u with
global variables in the set w-i.e., theset of those IA terms R appear-
ing on the right-hand side of evaluations (2). (For example, Valcmd(w)
is just {skip}.) For each s E States(w).l. and M E IAa(w), let
s ®ME (States(w) x Vala(w)) .L be defined by
M def { (s',R) if w f- s;M JJ.a s';R

s® = .L otherwise
Given R E Rel(w), let R ® 1d be the binary relation on

(States(w) x Vala(w)}.L given by
R®1d def {(.L,.L)} u {(SI ®R,s2 ®R) I (s1,s2) ER & RE Vala(w)}.
Then when u = bool, int, or cmd, w r- M1 Ra M2 holds if and only if,

for all (s1,s2) ER,
(ü) w r- V1 Rvar V2 holds if and only if w r- !V1 R;nr !V2 and, moreover, for
all n, w f- <V1 := n) Rcmd <V2 := n).
Lemma 3.4 The parametric logical relation respects extensional equivalence

(Definition 2.4), in the sense that, if w r- M 1 Ra M 2 and w r- M; ~:;.xt M;
(i = 1, 2), then w f- Mi Ra M~.
Proof: This follows directly from Definitions 2.4 and 3.2, by induction on the
structure of u. I
Definition 3.5 Extend the parametric logical relation to open terms as fol-
lows. Given R E Rel(w) and terms M 1,M2: u with free identifiers in
r = {xa1, ... , x:i"} and global variables in w, write
w,r r- M1 Ra M2
to mean that, for all R' E Rel(w') with w' disjoint from w and for all closed
terms An, A;2 E IAa; ( ww') (i = 1, ... , n),
"i/i (ww' f- An (R ® R')a; A;2) ~ M1[ÄI!x] (R ® R')a M2[Ä2Jx].
This definition reduces to the one in Definition 3.2 in the case that r = 0,
because of the following weakening property of the parametric logical relation.
Lemma 3.6
(i) I{R E Rel(w) and R' E Rel(w') with w n w' = 0, and if r and [' are
disjoint sets of identifiers, then
(ii) w, 0 r- M1 Ra M2 (i.e., ther = 0 case of 3.5) holds if and only if

w r- M1 Ra M2.
Proof: Part (i) reduces (using the associativity of ®) to proving the correspond-
ing property of the relation between closed terms:
w 1- Mt Xu M2 => ww' 1- Mt (X® X')u M2.
This is proved by induction on u, using the corresponding weakening property
of evaluation (Lemma 2.2). Part (ü) follows immediately from this property too.
I
Proposition 3.7 The parametric logical relation preserves the term-forming
operations of IA:
(i) For c
= b, n, and skip one has 0 1- c (1d 0 ) u c (where u = bool, int, and
cmd respecttvely).
(ii) Ifv E w, then w 1- V (1dw)var v.
(iii) Ifw,r 1- Bt Xboo1 B2, w,r 1- Mt Xu M2, andw,r 1- Mi Xu M~. then
w,r 1- (üBt thenM1 eise Mi> Xu (ü B2 thenM2 eise M~).
(tv) Ifw,r 1- Nt Xtnt N2 and w,r 1- Ni Xtnt N~. then

w,f 1- (Nt* Ni) Xrype<*> (N2 * N~).
(v) Ifw,r 1- F1 Xu-u' F2 andw,r 1- At Xu A2, then
w,r 1- (Ft At) Xu' (F2 A2) .
(vi) Ifw,f 1- Yt Xvar V2, then w,r 1- !V1 Xtnt !V2.

(vii) Ifw,f 1- Vt1{var V2 andw,f 1- Nt1{tnt N2, then
w,f 1- (Vt :=Nt) Xcnui <V2 := N2).
(viii) Ifw,f 1- Ct1{crnd C2 andw,f 1- Ci 1{cmd C~, then
w,f 1- (Ct; Ci) Xcrnd (C2; C~).
(ix) lfw,rxu 1- Mt Xu• M2, then w,r 1- 'Ax:u.M Xu-u' 'Ax: u.M2.
(x.) If w,r 1- Nt Xtnt N2 and for some v ~ w it is the case that
wv,f 1- Ct[V/Xvar] (X® 1dtv})crnd C2[v{xvar], then
w,r 1- (new x :=Nt in Ct end) Xcrnd (new x :=Nt in C1 end).
(xi) Ifw,rxu 1- Mt Xu M2, then w,r 1- fixx: u.M1 Xu fixx: u.M2.

Proof: The properlies (i)-(x) follow from Definitions 3.2 and 3.5 by rela-
tively Straightforward arguments, using closure under extensional equiva-
lence (Lemma 3.4) combined with the particular Kleene, hence extensional (by
Lemma 2.9) equivalences of Example 2.10. For part (iü), one has to argue by
induction on the structure of u.
However, the proof of property (xi) requires more work. First, one can show
by induction on u that w 1- .Lu Xu .Lu (where .Lu def fixx: u. x). The proof of
this uses the fact that (.L, .L) E X (by definition of Rel(w)) tagether with the
Andrew M. Pitts 177
properties of l.u given in Example 2.10. Then from w,rxu 1- Mt Xu Mz one

deduces by induction on n that
w,r 1- fix<n>x:u.Mt Xu fix<n>x:u.Mz
where in general
fix< 01 x: u.M l.u
fix(n+I>x:u.M M[fix<n>x: u.M /x].
Therefore property (xi) follows once one proves that the relations Xu satisfy
an operational version of chain-completeness. Since such a property is proved
by induction on u, to make that induction go through easily it is convenient
to use the following, contextual form of operational chain-completeness:
Proposition 3.8 (Operational chain-completeness) The relations Xu have the
property that, for all contexts C[- u]: u',
w,r 1- C[fixx:u.MdXu•C[fixx:u.Mz]
holds if, for all m ~ 0, there is some n ~ m such that
w,r 1- C[fix<n>x: u.MtlXu•C[fix<n>x: u.Mz].
The proof of this property follows from a (simple form of a) compactness
property of evaluation with respect to the approximations tix<n>x: u.M to
fixx:u.M, namely:
Proposition 3.9 (Compactness of evaluation) If
w 1- s;C[fixx:u.M] .U.u s';R
then w 1- C[fix<n>x: u.M],s .U.u R',s' holds for some n and R'.
There are several methods for proving this proposition. Our preferred one
is a generalisation to lA of [Pit, Sect. 5], because that approach yields a more
involved form of compactness of evaluation which is useful for establishing
operational chain-completeness properties in the presence of more compli-
cated data types (such as lazy lists). We omit the details here. I
Remark 3.10 (Contraction) The syntactic form of IA's new - := - in - end
construct suggests the second hypothesis of part (x) of Proposition 3.7 should
justbe
rather than
wv,r 1- Ct[V/Xvar] (X® 1d{vj)crnd Cz[V/xvar].
The latter is a weaker assumption than the former, and so (x) as stated is a
stronger form of preservation than one might expect. It reflects the fact that
new - :=N in C[-] end is really a binding operation on variables rather than
identifiers. From a metalogical point of view, the difference between 'variables'
and 'identifiers' (which a metalogician might well prefer to call 'constants' and
'variables' respectively) lies in the structural rules satisfied by the judgements
ofthe form
178 Cbapter 17. Operationally-Based Reasoning About Local Variables
with which we formulate the various notions of equivalence of lA terms con-

sidered in this paper. In particular, the two zones of the 'context' (in type
theory parlance) on the left-hand side of 1- have different properties with re-
spect to substitution:
w,rxu 1- Mt =u' M2 .
w,r 1- Mt[M/xu] =u' M2[M!xu] (ifw,r 1- M:u)
wv, f 1- Mt =u' M2
wv',r 1- Mt[V' /v] =u' M2[v' /V]
In combination with weakening properties (such as Lemma 3.6(i)), this means
that the •r-zone' satisfies contraction
w,rxrx~ 1- Mt =u' M2
w,rxu 1- Mt[xu,xu txr.xn =u' M2[xu,xu txr,xn
whereas the 'w-zone' does not. For example
VtV2, 0 1- (Vt := 1; V2 := 2) ~cmd (V2 := 2; Vt := 1)
holds, but of course the contracted form
v,0 1- (v:= 1 ;v:= 2) ~cmd (v:= 2 ;v:= 1)
does not.
Theorem 3.11 (Fundamental Property)
(i) For any JA term M: u with free identifiers contained in r and global vari-
ables contained in w, it is the case that w, r 1- M (1dw) u M.
(ii) If w, ff' 1- Mt (1dw )u M2, then for all worlds w' 2 w and contexts
C[-u]:u' with gv(C[-u]) ~ w' and r ~ traps(C[-u]), it is the case
thatw',f' 1- C[Mt] (1dw')u• C(M2].
Proof: Both parts are proved by induction on the structure of M and C[ -u ],
using Proposition 3.7 and Lemma 3.6. I
Corollary 3.12 The parametric logical relation in case ~ = 1d coincides with
extensional equivalence:
w,r 1- Mt (1dw)u M2 ~ w,r 1- Mt ~~r M2.
Proof: By Theorem 3.ll(i), w,r 1- Mt (1dw)u Mt. So if w,r 1- Mt ~~ M2, then
by Lemma 3.4 we have that w,r 1- Mt (1dw)u M2. This is half of the required
bi-implication. The other half can be proved directly from Definitions 3.2 and
2.4, by induction on the structure of u. 1
We are now in a position to prove the Operational Extensionality Theo-
rem 2.5.
Proof of Theorem 2.5: We split the proof into three parts:
w,r 1- Mt~~ M2 ~ w,r 1- Mt ~u M2 (7)
w,rxu 1- Mt ~u' M2 ~ w',r 1- Mt[A/xu] ~u' M2[A!xu] (8)
Andrew M. Pitts 179
for any A: CT with free identifiers in r and global variables in w' 2 w, and
w 1- M1 :=u Mz ~ w 1- M1 ::lfit Mz (9)
Repeated use of (8) reduces the converse of (7) to the special case when r = 0,
which is (9). Thus together these properties yield the required bi-implication.
Proof of (7).Suppose that w,r 1- M1 :=lfi1 Mz and hence by the above Corol-
lary that w,r 1- M1 (1dw)u Mz. We wish to show that w,r 1- M1 ==u Mz,
i.e., thatfor all w' 2 w, all closed contexts C[ -u ]: cmd with gv(C[ -u]) s;; w'
and r s;; traps(C[ -u ]), and all states s, s' E States(w'),
w' 1- C[MI],s ~ s' = w' 1- C[Mz],s ~ s'.
But given such a context, by Theorem 3.11(ii) (and Lemma 3.6(ii)) we have
w' 1- C[Md (1dw•)cmd C[Mz]. Since (s,s) E 1dw•. it follows from the definition
of the parametric logical relation at type cmd and from the definition of 1dw'
that the above bi-implication holds.
Proof of (B).If w, rxu 1- M1 ==u• Mz, then straight from the definition of contex-
tual equivalence we get w',f 1- (.\x:CT.MI)A ==u-u' (.\x:CT.Mz)A The result
follows by transitivity of :: together with the fact that ß-conversion (Exam-
ple 2.10(v)) isavalid Kleene equivalence, hence isavalid extensional equiva-
lence (by Lemma 2.9) and so isavalid contextual equivalence, by (7).
Proof of (9).1t is Straightforward to show that ==u satisfies the defining clauses
for :=lfi1 in Definition 2.4, by induction on the structure of CT. I
Remark 3.13 (Doing without J.) Wehave developed a logical relation param-
eterised by relations between liftedstates, because that seems necessary for
proving some contextual equivalences (specifically, Example 4.1). However,
many examples and the operational Extensionality Theorem itself, can be de-
duced using a simpler logical relation, call it w 1- - 'Ru -, which is parame-
terised merely by binary relations on states, R s;; States(w) x States(w). The
defining clause at type cmd is: w 1- C1 'Rcmd Cz holds if and only if for all
(si,Sz) E 'Rand s~.s; E States(w)
WI-S1;Cl~Si ~ 3s~(WI-Sz;Cz~S~ & (si,s~)E'R)
w 1- sz; Cz ~ s~ ~ 3si (w 1- s1; C1 ~ si & (si, s;) E 'R).
The defining clause at types CT = bool, int is: w 1- M1 'Ru Mz holds if and only
if for all (s1, sz) E 'R and constants c
w 1- s1;M1 ~u C = w 1- Sz;Mz ~u C.
At type var we can define 'Rvar as in Remark 3.3(ii). Finally, the definition
of 'Ru 1 -u2 is the same as for 'Ru1 -u2 (except that one is quantifying over a
different kind of state-relation).
4 Example Equivalences
The Fundamental Property of the parametric logical relation (Theorem 3.11)
and its relationship to contextual equivalence (Corollary 3.12 plus Theo-
rem 2.5) enable one to use the definition of the logical relation at function
types to reason about properties of procedures with respect to local variables.
Here are some examples.
Example 4.1 (O'Hearn [OR95a, 2.3]) Let

C1 def newx:=Oin
p (X:= 1);
if !x = 1 then l.cmd eise skip
end
def
where l.cmd = fixe: cmd.c. Then p: cmd- cmd 1- C1 2i!cmd C2.
Proof: By the Operartanal Extensionality Theorem 2.5 it suffices to prove for
all worlds w, all terms PE lAcmd-cmd(w), and all states s,s' E States(w), that
w 1- s; C1[P /p] Us' if and only if w 1- s; C2[P /p] Us'. From the rules in Figure 1
it follows that w 1- s; C1[P 1p] u s' holds if and only if for some (any) v e w,
3n ~ 1. wv 1- (s ®V:= O);P (v:= 1) Us' ®V:= n. (10)
And since V e gv(P), w 1- s;C2[P/p] u s' holds if and onlyif
wv 1- (s ®v:= O);P (l.cmd) Us' ® v:= 0. (11)
Putting these facts together, to verify the example we must prove that (10)
holds if and only if (11) does.
Define 1{ E Rel( {v}) tobe
1{ def {(J.,J.)}u{(sl,s2)1si(v)=O=s2(v)}
u {(s1,s2) I si(v) = 1 & s2 = 1.}.
From the definition of the logical relation at type cmd (Definition 3.2) we find
that
WV 1- V:= 1 (1dw ® 1{)cmd l.cmd
holds. (Note that the ability of the parameter of the logical relation to re-
late states to 1. is crucial for this.) By the Fundamental Property 3.11,
w 1- P (1dw)cmd-cmd P. Hence by the definition of the logical relation at type
cmd- cmd, we have
WV 1- P (V:= 1) (1dw ® 1{)cmd P (l.cmd). (12)
Note that by definition of 1{, for any s' E States(w) and s2 E States(w).L we
have
(s' ®v:= n,s2) E 1dw ® 1{ <===> (n = 0 & s2 = s' ®v:= 0)
V (n = 1 & S2 = 1.). (13)
We apply the definition of (1dw ® 2{)cmd to (12) at the pair
(s ®v:= O,s ®v:= 0) E 1dw ® 1{. If (10) holds, thenit cannot be that
WVI- (s®v:=O);P(l.cmd) 1tcmd.
since in that case we would have (s' ® v := n, 1.) E 1dw ® 1{ with n ~ 1, co: .-
tradicting (13). So wv 1- (s ® v:= O);P (l.cmd) U s2 holds for some s2. Since
it is the case that (s' ® v := n, s2) E 1dw ® 1{, (13) implies that s2 = s' ® v := 0
and hence (11) holds. We thus have that (10) implies (11). Starting with the
observation that for all s1 E States(w).L and s' E States(w)
(Sl,S'®v:=0)E1dw®2{ <===> S1=s'®V:=O
one can show the converse implication by a similar argument. Thus (10) if and
only if (11), as required. I
Andrew M. Pitts 181
Example 4.2 (Stoughton [MS88, Example 5]) Let

C3 def new X:= 0 in
p (x := !x + 2) ;
if even(x) then .Lcmd eise skip
end
where .Lcmd is as in the previous example and even is a suitable fixpoint
term of type int - bool expressing a test for divisibility by 2. Then
p: cmd- cmd I- c3 ~cmd .Lcmd·
Proof: As in the previous example, the problern reduces via the Operational
Extensionality Theorem to showing for all worlds w, terms PE IAcmd-cmd(w),
and states s E States(w), that w I- C3[P /p], s 1l' cmd· It follows from the rules
in Figure 1 that w 1- C3 [PI p], s V. s' holds if and only if for some (any) v ~ w
wv 1- (s ® v:= O);P (v:= !v + 2), V.s' ® v:= n (14)
holds for some oddinteger n. Define 'R E Rel( { v}) to be
'R def {(.L, .L)} u {(s1,s2) I si(v) = s2(v) is even}.

Then
wv 1- (v := !v + 2) (1d ® 'R)cmd(v := !v + 2).
So if (14) holds, since (s ® v := 0, s ® v := 0) is in 1dw ® 'R, so is the pair
(s' ® v := n, s' ® v := n)-from which it follows that n is even, by definition
of 'R. Therefore (14) never holds for odd n, and hence w 1- C3 [P /p ], s 1l' cmd, as
required. I
Exarnple 4.3 (O'Hearn and Tennent [OT95]) Let
C4 de( new X:= 0 in Cs def newx:=Oin
p (x := !x + 1) (!x) p (x := !x -1) (-!x)
end end
Thenp:cmd- (int- cmd) 1- C4 ~cmd Cs.
Proof: By the Operational Extensionality Theorem 2.5, it suffices to show for
all worlds w, all terms PE IAcmd-(int-cmdJ(W), and all states s,s' E States(w),
that
wv 1- (s ® v:= O);P (v:= !v + 1) (!v) V. s' ®v:= n (15)
holds for some n if and only if for some n'
wv 1- (s ®v:= O);P (v:= !v-1) (-!v) V. s' ®v:=n'. (16)
Letting 'R E Rel( {v} ) be
{(SI. s2) I s1 = .L = s2 v si(v) = -s2 (v)},
we have that
WV I- V:= !v + 1 (1dw ® 'R)cmd V:= !v- 1
wv I- !v (1dw ® 'R);nt -!v
(S ®V:= 0, S ®V:= 0) E 1dw ® 'R.
Since w 1- P 'ldcmd-(int-cmd) P, it follows that

w 1- P (v := !v + 1) (!v) ('ldw ® :R)cmd P (V:= !v- 1) ( -!v).
Then by definition of ('ldw ® :R)cmd and :R, if (15) holds for some n, then (16)
holds with n' = -n, and vice versa. I
For our final example we combine use of the logical relation with some
equational properties of contextual equivalence-namely its congruence prop-
erty (evident from its definition) and validity of ß-conversion (established in
Example 2.10(v)). Note in particular that these two properties imply that con-
textual equivalence is preserved by the operation of substituting terms for
identifiers.
Example 4.4 (Sieber [Sie95a, page 55]) Given any world w, any global vari-
able v ft w, and any term PE lAcmd-cmd(wv), let
F def .\n: int. new x := 0 in
P (x := 1 ; v := n);
ü !x = 1 then l.cmd eise skip
end
Then for any world w' 2 wv and terms N,N' E IAtnr<w'h one has
w' t- F N <=cmd F N'.
Proof: Let G def .\n: int. .\c: cmd.P (c;v:= n). Applying the substitutionprop-
erty of r= mentioned above to Example 4.1, we have
w' t- C1[GNJp] =cmd C2[GNjp].
Using ß-conversion and the congruence property of r= we deduce that
w' t- C1[GN/p] <=cmdFN
Now, w' t- (l.cmd ; v := N) <=cmd l.cmd by Example 2.10(ix), and therefore

w' t- P (l.cmd; v := N) <=cmd P (l.cmd). Putting these facts together, for any
N E IAtnr<w'> we have w' 1- F N <=cmd P (l.cmd) and hence in particular
w' t- F N <=cmd F N', for any N,N' E IAtnr<w'>· I
5 Related and Further Work

Logical relations on domains have been used for proving program equiva-
lences involving local variables, especially by O'Hearn and Tennent [OT95),
and Sieher [Sie95a, Sie95b). The distinctive feature of the work presented here
is that the logical relation is defined directly on the syntax of the language, us-
ing an operational semantics rather than a denotational semantics. We claim
that this approach can lead to more easily applicable verification methods.
The examples given above seem to support this claim, at least as far as prov-
ing contextual equivalences is concerned.
It is interesting to compare the results presented here for ALGOL with the
operational methods for reasoning about local state in SCHEME-like languages
Andrew M. Pitts 183
developed by Honsell, Mason, Smith, and Talcott [HMST95). ML and SCHEME

combine call-by-value function application with declarations of local state in
function expressions. As we mentioned in the Introduction, this can result
in very complex properties of contextual equivalence compared with ALGOL.
The root of the problern is that, unlike for ALGOL, state grows during evalu-
ation of expressions-inthe sense that the underlying 'world' gets larger. Put
another way, the canonical forms to which function expressions evaluate are
not simply lambda expressions, but rather expressions of the form
new x:= nin .\y: u.M end. (17)
1n the presence of call-by-value evaluation of function application, such an

expression is not necessarily contextually equivalent to a lambda abstraction
(one cannot just push the new declaration under the ,\). Any version of Oper-
ational Extensionality for this kind of language has to take account of the fact
that two such expressions can be contextually inequivalent even though they
give contextually equivalent results when applied to any value. For it may well
be that some complicated context can get access to the bound variables x and
use them in arguments fed to .\y: u.M; therefore such a context may produce
more observable results than those produced merelyby applying (17) to argu-
ment values (which, up to oc-conversion, do not involve the bound variables X).
See [PS93, p 130) for an example of this phenomenon.
A technical tool used in [HMST95) is a weak form of extensionality, the (ciu)

Theorem [loc. cit.,2.3.2). It allows one to restrict-but only somewhat-the kind
of contexts needed to characterise contextual equivalence and is probably the
best such result known for this type of local state. By contrast, the Opera-
tional Extensionality Theorem presented here (2.5) shows that an extremely
restricted collection of contexts (generated by just [-I A, ![- ], and [-) := n)
suffices to characterise contextual equivalence for ALGOL-like languages.
Honsell et aldevelop a number of proof principles in [loc. cit.]somewhat

tailored to the invariance properties of local state in (SCHEME-analogues of)
particular Meyer-Sieber example equivalences. By contrast, these and other
equivalences were proved above in quite a uniform way-by picking suitable
instances of the state-relation parameter of the logical relation. The extension
of this operationally-based logical-relation method to the harder case of call-
by-value functions with local state will be described in [PS). Although the para-
metric logical relation presented there is merely sound for contextual equiva-
lence (i.e., therelation w 1- - (1dw )u - is contained in the relation w 1- - ~u -,
but is not equal to it), it seems to provide a very useful tool for reasoning
about the rather complicated behaviour that such functions can have. Both
here and in [PS) we restriet to simply typedlanguages, because we rely heavily
upon induction over the structure of types when defining the logical relation.
For untyped languages, or ones with type-reflexive features (such as storage
of higher-order values, or recursively defined datatypes), the mere existence
of such logical relations is problematic: we expect to adapt the denotational
techniques in [Pit96, Sect. 4) to tackle this extension.
References
[HMST95] F. Honsell, I. A. Mason, S. F. Smith, and C. L. Talcott. A variable typed logic
of effects. Information and Computation, 119(1):55-90, May 1995.
[How89] D. J. Howe. Equality in lazy computalion systems. In 4th Annual Sympo-

sium on Logic in Computer Sdence, pages 198-203. IEEE Computer Society
Press, Washington, 1989.
[How96] D. J. Howe. Proving congruence of bisimulalion in funclional programming

languages. Information and Computation, 124(2):103-112, February 1996.
[Mil77] R. Milner. Fully abstract models of typed lambda-calculi. Theoretical Com-

puter Science, 4:1-22, 1977.
[Mit90] J. C. Mitchell. Type systems for programming languages. In J. van Leeuwen,

editor, Handbook of Theoretical Computer Science, Volume B, pages 365-
458. North-Holland, Amsterdam, 1990.
[MS88) A. Meyer and K. Sieber. Towards fully abstractsemanlies for local vari-
ables. In Proc. 15th Symp. on Principles of Programming Languages, San
Diego, pages 191-203. ACM, 1988. See Chapter 7.
[MST] I. A. Mason, S. F. Smith, and C. L. Talcott. From operalional semanlies to

domain theory. Information and Computation (to appear). Revised and
extended version of [Smi92].
[Ole85] F. J. Oles. Types algebras, functor categories and block structure. In M. Ni-
vat and J. C. Reynolds, editors, Algebraic Methods in Semantics, chapter 15,
pages 543-574. Cambridge University Press, 1985. See Chapter 11.
[OR95a] P. W. O'Hearn and U. S. Reddy. Objects, Interference and the Yoneda Em·
bedding. In S. Brookes, M. Main, A. Melton, and M. Mislove, editors, Math·
ematical Foundations of Programming Semantics, Eleventh Annual Confer-
ence, volume 1 of Electronic Notes in Theoretical Computer Science, Tulane
University, New Orleans, Louisiana, March 29-April 1 1995. Elsevier Sci-
ence.
[OR95b] P. W. O'Hearn and J. C. Reynolds. From ALGOL to polymorphic linear

Iambda calculus. Lectures at the Isaac Newton Institute for Mathemalical
Sciences, Cambridge UK, August 1995.
[OT95] P. W. O'Hearn and R. D. Tennent. Parametricity and local variables. Journal

oftheACM, 42(3):658-709, 1995. See Chapter 16.
[Pit96) A. M. Pitts. Relational properlies of domains. Information and Computa-

tion, 1996. To appear. A preliminary version appeared as Cambridge Univ.
Computer Labaratory Technical Report Number 321, December, 1993.
[Pit] A. M. Pitts. Operationally-based theories of program equivalence. In P. Dy-

bjer and A. M. Pitts, editors, Semantics and Logics of Computation. Cam-
bridge University Press (to appear).
[PS] A. M. Pitts and I. D. B. Stark. Operational reasoning for functions with local
state. In A. D. Gordon and A. M. Pitts, editors, Higher Order Operational
Techniques in Semantics. In preparation.
Andrew M. Pitts 185
[PS93) A M. Pitts and I. D. B. Stark. Observable properlies of higher order func-

tions that dynamically create local names, or: What's new? In Mathe-
matical Foundations o( Computer Science, Proc. 18th Int. Symp., Gdarisk,
1993, volume 711 of Lecture Notes in Computer Science, pages 122-141.
Springer-Verlag, Berlin, 1993.
[Red95) U. S. Reddy. Global state considered unnecessary: Introduction to object-
based semantics. LISP and Symbolic Computation, 9(1):7-76, 1996. See
Chapter 19.
[Rey81) J. C. Reynolds. The essence of ALGOL. In J. W. de Bakker and J. C. van Vliet,
editors, Algorithmic Languages. Proceedings o( the International Sympo-
sium on Algorithmic Languages, pages 345-372. North-Holland, Amster-
dam, 1981. See Chapter 3.
[RP95) E. Ritterand AM. Pitts. A fully abstract translation between a i\-calculus
with reference types and Standard MI.. In 2nd Int. Con(. on Typed Lambda
Calculus and Applications, Edinburgh, 1995, volume 902 of Lecture Notes
in Computer Science, pages 397-413. Springer-Verlag, Berlin, 1995.
[Sco93) D. S. Scott. A type-theoretical alternative to eucH, ISWIM, OWHY. Theoreti-
cal Computer Science, 121:411-440, 1993.
[Sie95a) K. Sieber. Full abstraction for the second order subset of an AI.GOL-like lan-
guage. Technical Report A 04/95, Fach. Informatik, Univ. des Saarlandes,
Saarbrücken, Germany, April1995. To appear in Information & Computa-
tion. See Chapter 15.
[Sie95b) K. Sieber. Full abstractionvia logical relations. Habilitationsschrift, FB 14
Informatik, Universität des Saarlandes, July 1995.
[Smi92) S. F. Smith. From operational to denotational semantics. InS. Brookes
et al,editor, 7th International Conference on Mathematical Foundations o(
Programming Semantics, Pittsburgh PA, volume 598 of Lecture notes in
Computer Science, pages 54-76. Springer-Verlag, Berlin, 1992.
[Sta94] I. D. B. Stark. Names and Higher-Order Functions. PhD thesis, University
of Cambridge, 1994. Also published as Technical Report 363, University
of Cambridge Computer Laboratory, April1995.
Part VII
INTERFERENCE, IRREVERSIBILITY, AND

CONCURRENCY
Chapter 18
Syntactic Control of Interference Revisited
Peter W. O'Hearn, A. ]ohn Power, Makoto Takeyama and
Robert D. Tennent
Dedicated to ]OHN C. REYNows, in Honor of his 60th Birthday
In "Syntactic Control of lnterference" [33) J. C. Reynolds proposes three
design principles intended to constrain the scope of imperative state ef·
fects in ALGOL-like languages. The resulting linguistic framework seems
tobe a very satisfactory way of combining functional and imperative con-
cepts, having the desirable attributes of both purely functionallanguages
(such as PCF) and simple imperative languages (such as the language of
while programs).
However, Reynolds points out that an "obvious" syntax for interfer-
ence control has the unfortunate property that ß-reductions do not al-
ways preserve typings. Reynolds has subsequently presented a solution
to this problern [3 7), but it is fairly complicated and requires intersec-
tion types in the type system. Here, we present a much simpler solution
which does not require intersection types.
We first describe a new type system inspired in part by linear logic and
verify that reductions preserve typings. We then define a dass of "bire-
flective" models, which are shown to provide a sound interpretation of
the type system; a companion paper [10) provides a categorical analysis
of these models. Finally, we describe a concrete model for an illustrative
programming language based on the new type system; this improves on
earlier such efforts in that states are not assumed to be structured using
locations.
Contents
1 Introduction 189
2 Syntax 192
3 Semantics 201
4 A Functor-Category Model 212
Acknowledgement 223
References 223
1 Introduction
It has long been known that a variety of anomalies can arise when a programming
language combines assignment with a sufficiently power{ul procedure mechanism.
J. C. Reynolds (1978)
In an imperative programming language, a term C is said to interfere with a
term E if executing (or, as appropriate, assigning to or calling) C can affect the
outcome of E. For example, command x := a interferes with expression x + 1,
but not vice versa.
First appeared in S. Brookes, M. Main, A. Melton, and M. Mislove, editors, Mathematical Founda-
tions of Programming Semantics, Eleventh Annual Conference, Volume 1 of Electronic Notes in
Theoretical Computer Sdence, © 1995. Reprinted with permission from Elsevier Science NL, Sara
Burgerhartstraat 25, 1055 KV Amsterdam, The Netherlands.

190 Chapter 18. Syntactic Control of Interference Revisited
In purely functional languages, there is no interference between terms,

and it is usually taken for granted [4, 17, 16] that this explains why reasoning
about purely functional programs is relatively straightforward. However, for
"simple" imperative languages without full procedures, Hoare's logic [13] (and
total-correctness variants of it) are quite satisfactory. This suggests that it is
simplistic to attribute the serious difficulties that arise in reasoning about pro-
grams in conventional procedurallanguages to the presence of interference.
J. C. Reynolds [33, 34, 36] has provided a more refined analysis. He argues
that conventional procedural languages are problematical primarily because
they permit covert interference, that is to say, interference that is not syn-
tactically obvious. For example, if identifiers x and y are aliases (denote the
same storage variable), then y := a interferes with x + 1, and this is problem-
atic because the interference is not obvious from inspecting these phrases.
In general, alias detection in a conventional higher-order procedurallanguage
requires complex interprocedural data-flow analysis of an entire program.
Similarly, if a procedure accesses a non-local variable and the value of that
variable can be changed between calls of the procedure, then identical calls
of the procedure may have different effects. Covert interference via non-local
variables can also result in subtle bugs in the use of procedural parameters.
For example, suppose Traverse(p) applies procedural parameter p to every
node of a data structure and Remove has the effect of deleting the node to
which it is applied; then a call such as Traverse(Remove) will often fall to have
the effect the programmer intends because removing a node can interfere with
a traversal.
The problern of covert interference also affects language designers. For ex-
ample, programmers expect that, immediately after assigning a value to a vari-
able, the variable has the value just assigned; but this "obvious" property falls
for so-called "bad" variables, such as the Subscripted variable A(A(i)) whose
sub-expression A(i) is interfered with by the array variable A when A(i) = i. A
language designer might want to forbid bad variables syntactically, but covert
interference makes this very difficult; for example, A(j) is a bad variable if
j is an alias for A(i). Similar difficulties arise for a language designer trying
to provide a "block expression" (a command within an expression) without al-
lowing side effects to non-local variables, trying to provide secure features for
unions of types, or trying to allow concurrent composition of non-interfering
commands.
The difficulties created by covert interference are especially evident if one
considers reasoning principles. For example, in "specifi.cation logic," a Hoare-
like logic for full ALGOL-like languages [34, 36], the axiom for assignments
is
gv(V) & V# P => {P(E)} V:= E {P(V)}
The consequent is essentially the familiar axiom from [13], but assumption
V # P asserts that assignments to variable V do not covertly interfere with
the pre and post-conditions, and assumption gv(V) asserts that V is a "good"
variable. Similarly, the "Constancy" axiom in specifi.cation logic differs from
the corresponding axiom in Hoare's logic in that a simple syntactic side con-
dition must be replaced by a non-interference assumption. Finally, because
P. W. O'Hearn, A. ]. Power, M. Takeyama and R. D. Tennent 191
of possible covert interference, procedure specifications must be more com-

plex: explicit assumptions about what procedures do not do are required
(cf. the "frame problem" in artificial intelligence [6]) in order to discharge non-
interference assumptions in the context of procedure calls. All of these com-
plexities are clearly evident in the examples in [34].
For these reasons, many language designers have argued that program-
ming languages should be designed so that it is easy for programmers and
compilers to verify that program phrases do not interfere; some early exam-
ples are [5, 14, 41]. ln [33], three general design principles intended to facili-
tate verification of non-interference are proposed.
1. There should be no "anonymous" channels of interference; then the
problern of verifying that C doesn't interfere with E reduces to show-
ing that no free identifier of C interferes with any free identifier of E.
2. Distinct identifiers should not interfere; then if two sets of identifiers
are disjoint, they are guaranteed not to interfere.
3. Some types of phrases, such as side effect-free expressions, are "pas-
sive" (do not interfere with anything), and so the disjointness require-
ment can be relaxed to allow sharing of identifiers used only passively.
ln summary, to verify in this setting that C does not interfere with E, it is
sufficient to ensure that no actively occurring free identifier of C is also free
inE.
But of course the programming language must be designed so that there
are no anonymous channels of interference and, in every context, distinct iden-
tifiers do not interfere. The first requirement is straightforward, but to achieve
the second, it is proposed that the following basic constraint be imposed on
procedure calls P(A): the procedure part P and the argument part A should
be mutually non-interfering (and similarly for defined language constructs,
such as local definitions, that have implicit procedure calls). Note the elegant
circularity of the approach: the syntactic restriction ensures that distinct iden-
tifiers do not interfere, and this property makes it feasible to implement the
restriction using the syntactic criterion described in the preceding paragraph.
The syntax of an ALGOL-like programming language designed according to
these principles is described in [33]. This design is extremely successful in
most respects, combining the desirable attributes of both purely functional
languages (such as PCF) and simple imperative languages (such as the lan-
guage of while programs); however, a problern in the treatment of passivity is
noted. ln the approach used to incorporate the third principle (allowing shar-
ing of passive identifiers), the syntax is such that the subject-reduction prop-
erty falls; i.e., reductions may fall to preserve typing. Reynolds subsequently
presented a solution to this problern in [37], but it is fairly complicated and
requires intersection types [7] in the type system. We feel that the methods
of interference control should be applicable relatively independently of the
specifics of intersection types (which of course have substantial other merits).
ln this work, we present a very simple and intuitive alternative solution to
the problern of passive uses. Our solution does not require intersection types,
allowing interference control to be investigated without unnecessary syntactic
or semantic complexity. Also, it would be conceivable to apply these methods

in contexts, such as ML-like or HASKELL-like languages, where the addition of
intersection types would be far from trivial.
The semantics of passivity has also been problematic, requiring an analy-
sis of when meanings, of arbitrary type, do not "cause" state changes. To ad-
dress this issue, we present a new semantic model for interference-controlled
programming languages, inspired to some extent by the state-free model pre-
sented in [31]. Our model improves on earlier such efforts [38, 24] in that
states arenot assumed tobe structured using "locations." As a result, we ob-
tain a much cleaner model in which the "disjointness" of identifiers is clearly
visible. Distinct identifiers get associated with disjoint state-sets, and the shar-
ing of passively-used state is explained through semantic "contraction" map-
pings. Further, there is a semantic analysis of "passively occurring" identifiers;
i.e., identifiers, possibly of active type, that, in some contexts, are only used
passively. This analysis is subtle, but crucial for treating types that combine
passivity and activity, such as types for storagevariables or products of pas-
sive and active types.
2 Syntax
2.1 Passive Uses
The treatment of passivity in [33] is based on designating certain phrase types
(such as "state reader" expression types) as being passive, and then, for any
phrase R, determining
the set of identifiers which have at least one free occurrence in R
which is outside of any subphrase of passive type.
These are considered to be the acttvely occurring free identifiers of R. Unfor-
tunately, this definition, being context-independent, cannot take account of
the fact that, when R itself occurs within a passive phrase, none of its free
identifiers can be used actively. This means that the syntactic constraints on
procedure calls are unnecessarily restrictive, which results in anomalies when
types combine passive and non-passive capabilities.
For example, a storage variable is used passtvely when it is read from, as
on the right-hand side of an assignment Statement, and acttvely when it is
assigned to. Suppose that identifiers x and w are of type var[ T] (i.e., they
are T-valued variable identifiers, with T a data type such as int or bool), and
consider the following command:
(.\z: T. x := (.\y: T. w)z}(w) (1)
where typings of the formt: T indicate that L is a T-valued expression identifier.
Although w occurs in both the procedure and argument parts of the outer call,
the phrase is legal because both occurrences are in expressions and hence
regarded as passive. However, the command ß-reduces to
x := (,\y: T. w)w (2)
in which the right-hand side is illegal, according to Reynolds's treatment, be-
cause variable identifier w is deemed to occur actively in the procedure (which
P. W O'Hearn, A. ]. Power, M. Takeyama and R. D. Tennent 193
Table 1: Identity and Structural Rules
IDENTITY
---,------.,. Axiom
1 c e f- 1: e
STRUCTURE
TIIt:9,frP:cf>
-------'-- Passification
TI, 1: e r f- P: e·
1
-------.,. Activation
TI, t: e I r f- P: cf> TI 1 c e, r f- P: e'
TI Ir f- P: e TI I r~ f- P: e Exch ange
-----=------=--- Weakening ~
TI, TI' 1 r,r' f- P: e TI Ir f- P: e
TI,t:e,t':e 1 r f- P:e'
---'--="-'--".....:.,,......-,----:-:- Contraction
TI, t: e I r f- [P](t' - t): 9'
has type T - var[ T ]), and also occurs in the argument. But the procedure
call is actually an expression, and so there cannot be any interference via w;
indeed, the assignment ß-reduces tothelegal x := w.
It can be argued that the anornaly in this example could be avoided if
dereferencing coercions were explicit; however, rnore cornplex examples, as
in [33], show that the problern is a fundamental one. (An example of this
kind frorn loc. cit. will be discussed in Section 2.4). The problern arises essen-
tially because the context-independent notion of active occurrence cannot be
sensitive to Situations in which the context ensures passive use of potentially
non-passive entities. To avoid the anornalies, it is necessary to consider when
identifiers occur actively in instances of phrases, taking context into account.
2.2 The SCIR Type System

The phrase types are built frorn certain primitive types (prim) as follows:
e .. = (prim) 1 e ® e· e x e· e·- e e· - p e.
1 1 1
A subset (primp) of the primitive types is singled out as passive, and this
generates the passive types as follows:
cp ::= (primp) 1 cp ® cf>' 1 cp x cf>' 1 e- cp e· - p e.
1
There are two products: fJ x fJ', for which the cornponents can interfere, and
e ® fJ', for which the cornponents rnust be non-interfering. There are also two
exponentials: 0' - fJ, which is the type of ordinary procedures (which cannot
interfere with, or be interfered with by, their arguments), and fJ' - p e, which
is the type of passive procedures. A passive procedure does not assign to any
global variables (though a call of a passive procedure rnay be active, if the
argument of the call is).
Table 2: Rules for Type Constructors
TI 1 r 1- P: eo
TI 1 r 1- Q: e1 TI 1 r 1- P: eox e1
---'------'----.,..--- XE; ( i = 0, 1)
--------------~-- xl TI 1 r 1- rr; P: e;
r
TI 1 1- (P,Q):eo x e1
TI 1 r 1- P: eo ® e1
---'------==---~ ®E; ( i = 0, 1)
TI Ir1- rr;'
19 P: 0;
TI 1 r, t: e' 1- P: e Tio 1 ro 1- P: e' - e TI1 1 r1 1- Q: e'

--------~~.,..-----
TI Ir 1- i\t:O'.P:O'- e -I -E
TI 1 1- Q: e' - e r
TI 1 1- Q: - p e' e
-pl ------------~---- -pE
TI I 1- promote Q: e' - p e r
TI I 1- derelict Q: e' - e
We propose a syntax based on typing judgements IT I r 1- P: e in which

the usual phrase-type assignment on the left of the turnstUe is partitioned
into a "passive" zone TI and an "active" zone r. No identifier can be in both
the passive and the active zones. Intuitively, if an identifier is in the passive
zone, it can only be used passively, even if the type of the identifier is non-
passive. The typing rules will be arranged so that when a phrase under a type
assignment is placed in a context, that context must prevent identifiers in the
passive zone from being used actively.
This use of zones is reminiscent of Girard's Lu [12], with the passive/active
distinction here being similar to the classical/linear distinction there; however,
the permeability rules, that govern movement across the zone separator I, do
not appear in Lu nor, as far as we are aware, in other previous systems. These
rules are the most distinctive aspect of the treatment of passivity here. See
Section 2.7 for further discussion. ·
The rules concerning identifiers and contexts are in Table 1. Identifiers
are initially introduced in the active zone, but may change zones with the
help of the permeability rules of Passification 1 and Activation. Movement to
the passive zone is accomplished using Passification, when the phrase on the
right-hand side of the turnstUe is of passive type. This is the only way that an
identifier can move to the passive zone. On the other hand, a passive identifier
can always be activated using the Activation rule. Notice that e is unrestricted
in the Passilication rule, and that the change-of-zone is not accompanied by a
change-of-type for the assumption; this is a key difference from the otherwise
similar use of zones in Lu.
Weakening and Exchange can be used in either zone. When type assign-
ments are concatenated, as in the Weakening rule, we implicitly assume that
the domains are disjoint. fi and rare permutations of rr and r, respectively.
Contraction can only be used in the passive zone. This is the essential
1This fabricated word seems more attractive as a name for the rule than alternatives such as
Passivation or Deactivation.
restriction that implements the requirement that distinct identifiers do not

interfere. We are using the notation [P](L' .... Q) to denote the result of sub-
stituting Q for free occurrences of L' in P.
Rules for the type constructors are given in Table 2. Note that the active
zone in rule -pl is empty. Also, note that the type assignments for the pro-
cedure and the argument parts of procedure calls (rule - E) must be disjoint;
however, Contraction allows sharing of identifiers from the passive zone. Sim-
ilar remarks apply to the introduction rule for ®.
For ® elimination, one might have expected a rule more along the following
lines:
rr I r 1- p: Bo ® ei II' I ['I Lo : Bo, LI : ei 1- Q : e
rr, II' 1 r, r' r-Iet Lo ®LI be P in Q: e
However, in the presence of Weakening, ® is weaker than (i.e., convertible to) x
and, from a purely logical point of view, elimination rules based on projection
are interderivable with this form of rule. The projections have the advantage
of being considerably simpler, since they do not require the extra type e or
the term Q, which play merely contextual roles.
2.3 An lliustrative Programming Language

An illustrative ALGOL-like programming language is obtained by choosing ap-
propriate primitive types and constants. We use a type comm of commands
and types T for T-valued expressions:
(prim) TI comm
where T ranges over, say, int and bool. The only passive primitive types are
the expression types T.
The type var[T] of T-valued variables abbreviates (T -comm) x T. Deref-
erencing is implemented by the second projection; in examples, we will sup-
press explicit mention of this projection and assume a rule
rr 1 r 1- V:var[T] .
rr I r 1- V: T Dereferencmg
We can consider constants representing various imperative constructs, such
as
:=T:var[T] x T - comm assignment
; : comm x comm - comm sequential composition
ll:comm ® comm- comm parallel composition
ife:bool X ß X 0 - 0 conditional
Ye: (0 - p 0)- e recursion
newT: (var[T]- comm)- comm local allocation
doT: (var[T] - p comm)- T block expression
The block-expression form requires some explanation; the call doT (p) is eval-
uated by allocating a new local variable and applying p to it, as with the ordi-
nary command block newT(p), but then returning the final value of the local
variable as the value of the expression. The passivity of p: var[ T] - p comm
ensures that the block expression does not interfere with non-local variables,
and so no "snap-back" effect is needed to restore their original values.
2.4 Examples
Weillustrate the operation of the rules by presenting derivations of some typ-
ing judgements.
Consider first the (unreduced) example (1) discussed in Section 2.1. The
assignment can be typed as follows:
I w:var[T]t- w:var[T] Weake .
I w:var[T],y:T 1- w:var[T] rung
~--~~~------~~ -I
I w:var[T]t- ,\y:T. w:T- var[T] I z:T 1- z:T
I w:var[T],z:T 1- (,\y:T. w)z:var[T]
-E
.
----,,---.......:....-7--:---.......:....-:----'--:-__:.....:. Dereferencmg
I w:var[T],z:T 1- (,\y:T.w)z:T
-----,"'------'---- Passification
I x:var[T]t- x:var[T] w:var[T]I z:T 1- (,\y:T.w)z:T :=
w:var[T]I x:var[T],z:T 1- x := (,\y:T.w)z:comm
where the last step abbreviates use of the := constant, xi, -E and Weakening.
Note that after Dereferencing of the right-hand side, w can be moved to the
passive zone. The typing is then completed as follows, using a Contraction:
I w':var[T]t- w':var[T]
w:var[T]I x:var[T],z:T 1- x := (,\y:T.w)z:comm I w':var[T]t- w':T
-I Pass.
w:var[T]I x:var[T]t- ,\z:T. x := (,\y:T. w)z:T- comm w':var[T]It- w':T
w, w':var[T]I x:var[T]t- (,\z:T. x := (,\y:T. w)z) (w'):comm
-E
--'--~~~-~~~---~~~~--'---'--- Contraction
w:var[T] I x:var[T]t- (,\z: T. x := (,\y: T. w)z) (w): comm
The following shows how to derive a typing for the right-hand side of the
"illegal" assignment (2) in Section 2.1:
I w:var[T]t- w:var[T]
I w:var[T],y:T 1- w:var[T] Weak. I w':var[T]t- w':var[T] & •
-:---'-----:--7---'7-------"--':~ -I Dere.erencmg
I w:var[T] 1- ,\y:T.w:T- var[T] I w':var[T]t- w':T
I w, w':var[T] 1- (,\y: T. w)w':var[T] .
-E
------,--'--"'-----..,--'--- Dereferencmg
I w,w':var[T]t- (,\y:T.w)w':T
--'-.:.....,..--:-=-:-=:---'-:-'-------'--:-- Passification
w,w':var[T]It- (,\y:T.w)w':T
--'----::-"-::-7-'---::--'------:-- Contraction
w:var[T]It- (,\y:T.W)W:T
-:----~-:------'-:-'--'---',..---- Activation
I w:var[T]t- (,\y:T.w)w:T
Even though the types of w and w' are active, Contraction can be applied
when they are in the passive zone; but Dereferencing must be used before
these identifiers can be passified. The assignment can then be typed as usual:
I x:var[T]t- x:var[T] I w:var[T]t- (,\y:var[T]. w)w: T

I x, w:var[T]t- x := (,\y:var[T]. w)w:comm
The next example demonstrates that an identifier can be used both ac-
tively and passively. The following derivation involves shared passive use of a
variable identifier x:
I x:var[T]t- x:var[T]
I x:var[T]t- x:T
I y:var[T]t- y:var[T] x:var[T]It- x:T Pass.
x:var[T]I y:var[T]t- y := x:comm := x':var[T]I z:var[T]t- z := x':comm
-~~~~~~~~-~~--~~~~~---- II
x,x':var[T]I y,z:var[T]t- y := x II z := x':comm
-'----:-'-:-":--'----:-"-:-"--''--~:-'------ Contraction
x:var[T]I y,z:var[T]t- y := x II z := x:comm . .
----'--.......,----'----'------- Acnvanon
I x,y,z:var[T]t- y := x II z := x:comm
where the derivation for z := x' is similar to that for y := x, and the step for II
uses the introduction rule for ® followed by the elimination rule for - with
the constant 11. This can then be combined with non-passive use of x, as in the
following derivation:
I w:T,x:var[T] r- x := w:comm I x,y,z:var[T] r- y := x II z := x:comm .

I w:T,x,y,z:var[T] r- x := w; (y := x II z := x):comm '
The final example is essentially the problematic example from [33, p. 44).
Suppose n, y: var[int); then, the parallel command in
rro (n + 1, (n := 0 II y := rro (n, n := 0)))
is illegal in the treatment of [33) because n is used on both sides of 11. However,
the entire term is of type int, and so these uses should be regarded as passive.
To type this in our system, we can proceed as follows:
I n,n',y:var[int] r-rro(n + 1, (n := 0 II y := rro(n', n' := O))):int

n,n':var[int]l y:var[int] r-rro(n + 1, (n := 0 II y := rro(n', n' := O))):int Passilication
n:var[int] I y:var[int] r- rro(n + 1, (n := 0 II y := rr0 (n, n := O))):int Contraction
I n,y:var[int] r-rro(n + 1, (n := 0 II y := rr0 (n, n := O))):int Activation
The first line can be typed straightforwardly because the identifiers on either
side of II are distinct.
Notice that the subterm (n := 0 II y := rro(n, n := 0)) does not itself
have any typing in the SCIR type system. But it can nevertheless appear in
a larger term because Contraction can be applied when a similar term with
occurrences of n renamed apart appears within a passive phrase. This subtle
interaction of Contraction and Passilication is what allows the subject reduc-
tion problems from [33) tobe solved. An equivalent type system that does not
use Contraction explicitly can be formulated, but replaces this subtle interac-
tion by explicitly accounting for the "semi-typed" status of phrases such as
(n := 0 II y := rr0 (n, n := 0)) or, more simply, (Ax:comm.x; y)y.
2.5 Typing and Reduction

The principal reductions for the SCIR type system are in Table 3.
Theorem 1 (Subject Reduction) I{ n I r 1- P : e and P - ß Q then
n 1r 1- Q: e.
Typing is also preserved by various 17laws.
To prove this result we will concentrate on the reduction from (Ax.P)Q to
[P](t ,... Q). The proofs for projections and Promotion/Dereliction elimination
are similar, but easier, and the extension to arbitrary contexts is not difficult.
We need two lemmas.
Lemma 2 If n 1 r 1- At: e'. P: e' - e then n 1 r, t: e' 1- P: e .
Proof: Wehave assumed (without loss of generality) that L is not in n or r. The
result clearly holds if the last step of the derivation for At: e'. P is an instance
of -I, and is preserved by any structural rules that might be used after -I. I
Table 3: ß-reductions
rr2(P,Q) -ß Q
rrf(P ® Q) -ß Q
(.\L: O.P)Q -ß [P](L .... Q) derelict(promote Q) - ß Q
C[P]-ß C[Q]
Next is a generalized form of the "Cut" rule.

Lemma 3 If LI: lh, ... ' Ln: 8n I Ln+ I: 8n+lo ... ' Lm: 8m 1- P: e and, for all
15 i 5 m, n; Ir; t- Q;:8;, then
nlJ ... ,nm.fi.····fn I fn+l.····fm 1- [P](LI .... QI ••.. ,Lm .... Qm):8.
Proof: The proofis byinduction on the size ofthe derivationfor P. We discuss
only the key cases of structural rules that make use of the separation of a type
assignment into zones.
Case Contraction: the last step is
LI: ei •... ' Ln: 8n. L: 8n I Ln+ I: 8n+Io ...• Lm: 8m 1- P': e
LI:8I, ... ,Ln:8n I Ln+I:8n+I····•Lm:8m 1- P:8
where P = [P'](L .... Ln). By the induction hypothesis,
ni, ... ,nm.n.ri, ... ,rn.r I fn+I.····rm
1- [P'](LI,... QI, .•• ,Lm,... Qm,L,... Q):ß
where n I r t- Q: 8n is a variant of Dn I fn t- Qn: 8n with fresh identifiers not
appearing in any n; or f;. Then, n and r, being in the passive zone, can be
contracted to Dn and fn, respectively, using Contractions (and Exchanges), and
the resulting judgement is the desired conclusion.
Case Activation. The last rule is
LI: el. ...• Ln+ I: On+ I I Ln+2: 8n+2o ... ' Lm: 8m 1- P: e
LI: ei •... ' Ln: 8n I Ln+ I: 8n+Io ... 'Lm: 8m 1- P: e
By the induction hypothesis,
nlJ ... ,nm.rlJ ... ,fn+I I fn+2o•••ofm 1- [P](LI .... QI •..• ,Lm .... Qm):8
Using a nurober of applications of Activation, we can move fn+I to the right of

1, obtaining the desired conclusion
ni •... ,nm.fi,····fn I fn+l.····fm 1- [P](LI .... QI •••• ,Lm .... Qm):8.
Case Passification. The last rule is
LI: ei •... ' Ln- I: 8n-I I Ln: 8n •.•. ' Lm: 8m P: 4>
1-
LI: ei •... ' Ln: 8n I Ln+ I: 8n+lo ... ' Lm: 8m 1- P: 4>
By the induction hypothesis,

II1,···•IIm,f1,···•fn-1 I fn, ... ,fm f- [P](L1 ..... Q1, ... ,Lm ..... Qm):cf>.
Because cf> is passive (as Passification was the last rule), we can use Passifica-
tion a number of times to move fn to the left of I. and we obtain the desired
conclusion. I
We can now prove the following desired result: if TI I r f- (.\L: (}' .P)Q : 6
then TI 1 r f- [P](L ..... Q) : 6. For the proof, first note that if a derivation ends in
an application M(N) then there are only a number of possibilities for the last
rule. These are: -E and the structural rules of Contraction, Exchange, Weak-
ening, Passification, and Activation. Further, the structure of such a derivation
must always consist, at the end, of an instance of -E, followed by a number
of applications of these other rules. The proof goes by induction on the size
of this last part of the derivation, after the final elimination rule.
The basis case when the last rule is of the form
II I r f- .\L: 6'. P: 6' - 6 II' I f' f- Q:· 6'
TI, TI' I r, f' f- (.\L: (}'. P)Q: 6
follows directly from the two lemmas, taking
tobe TI
Ln+l: 6n+1• · · ·, Lm-1: 6m-1 tobe r
Lm: 6m tobe L: (}'
IIi I ri f- Qi: 6i tobe I Li: (}i ..... Li: (}i (1 s i < m)
Tim I fm f- Qm: 6m tobe II' I f' f- Q: 6'

The inductive steps of the proof of the theorem consist of Straightforward
verifications that the preservation of typing by a ß-reduction is preserved by
any use of structural rules. I
2.6 A Variation
The syntax can be simplified by using coercions and generic notation. For
example, the rules for - p can be treated implicitly, and the same syntax can
be used for both ordinary products and tensor products.
IIo I fo f- P: 6o II1 I f1 f- Q: 61 II I r f- P: 6o ® 61 .
-----,--------,..-----'~ ®I ®E- (z - 0 1)
IIo. II1 I ro. r1 f- (P, Q): 6o o:o 61 TI 1 r f- rri P: 6i ' - '
TI I f- Q: 6' - 6 I r f- Q: 6' - P 6
II
n I ..... Q: 6' -p 6 -pi n 1 r . . . Q: 6 ' - 6 -pE
Then standard .\-calculus reductions alone are sufficient.

rri(P, Q) - p P TT2(P, Q) - p Q (.\L.P)Q - p [P](L ..... Q)
In fact, if we identify- p and - , and x and ®, then any term typable using
these rules is also typable in simply-typed .\-calculus. As a result, properties
such as strong normalization are immediate from corresponding results for

the simply-typed .\-calculus.
These advantages for the implicit syntax must be balanced against the
mboxad hoc nature of the typing rules. Perhaps it would be best to consider
these issues in the context of a serious study of subtypes for the SCIR type
system, with ® converting to x and - p to - . These issues areoutside the
scope of our main concerns here. For the remainder of the paper, we continue
to use the explicit syntax, focusing our attention on the novel aspects of our
treatment of passive uses.
2.7 Relation and Non-Relation to linear Logic

The SCIR type system was inspired by linear logic, specifically in the focus
on a restricted use of Contraction. The specific presentation, based on zones,
was influenced by Lu, but the basictype systemwas worked out in May 1991
prior to seeing Lu. Previously, the syntax worked by "marking" identifiers
in typing contexts as being passively used, with Passification and Activation
manipulating the marks; the zones are a notational variant of this. This was
similar to the marking in [40), except that marking of identifiers was done
without changing types.
In linear logic, Contraction and Weakening are allowed only for types of
the form !A, whereas, in SCIR, Contraction is allowed only for passively-used
identifiers (in the passive zone). Furthermore, the Dereliction and Promotion
rules for the passive type constructor - P are obviously inspired by the corre-
sponding linear logic rules for the "!" modality, though they have precursors
in Reynolds's original (1978) presentation of Sei. These facts, supported by
semantic models, were the basis for the analogy of passivity as "!", and SCI as
affine linear logic, proposed in [23, 24). It was known then that the passivity-!
analogy was not an exact correspondence, and that there were some properties
of passivity not accounted for by "!".
For example, it would have been possible, in principle, to use a linear logic-
based type system to design an alternate type system for Sei satisfying the
subject reduction property. But if we had followed up the passivity - ! analogy,
the most obvious candidate syntax would have had a form of "boxing" [11]. For
example, the Promotion rule for passive procedures would be something like
(cf. [1))
While this syntax is perhaps appropriate for "!" in linear logic, it seems overly
heavy, with no conceivable justification, from the point of view of interference
control.
The rules of Passilication and Activation are what allow us to avoid these
syntactic complications, retaining a relatively simple syntax possessing the
subject reduction property. (Compare the implicit syntax mentioned above
with that just given for Promotion!) These two rules do not correspond to any
rules in linear logic, or Lu; this difference will be seen again when we consider
categorical models of the SCIR type system.
P. W. O'Heam, A. ]. Power, M. Takeyama and R. D. Tennent 201
3 Semantics
The permeability rules of Passification and Activation can exhibit subtle be-
haviour (as we saw in Section 2.4), and if we are to be sure that the syntax
makes sense, it is crucial to have a semantic analysis of these rules. In this
section, we define a dass of categorical models of the SCIR type system. We
do not attempt to formulate a most general possible notion of model. Rather,
we focus on a particularly cohesive dass, which we term "bireflective" models,
that are sufficient to secure our basic aim of showing a sound interpretation.
A concrete model for the programming language of Section 2.3 will be
presented in Section 4.
3.1 Bireflective Models
As usual, the types and terms of the language are to be interpreted as objects
and morphisms, respectively, of an appropriate semantic category C. We re-
quire, first, that C come equipped with a symmetric monoidal dosed structure
(1, ®, __" ), and finite products. This enables us to interpret the non-interfering
product, the interfering product, and function types in standard ways. For
example, the dosed structure will provide application maps
app(A,B): (A __" B) ® A ___.. B
for all objects A and B, and, for every map f: A ®B ___.. C, a curried map
f*: A ___.. (B __" C)
satisfying appropriate ß and 1J laws.

Typing contexts rr, r to the left of 1- in any syntax judgement will be inter-
preted as products built using ®:
[LI: 81, ... , Ln: 8n] = [8!] ® · · · ® [8n]
To interpret the Weakening rule, the tensor product ® must allow for pro-
jection maps, rr~: A ®B ___.. A and rrf: A ® B ___.. B. We therefore require that
e.
the unit I for ® be a terminal object 1 of C; then rro is (idA®!B); where !Bis
the unique map from B to 1, and e: A ® 1 ___..Ais the unity isomorphism, and
similarly for rrf.
To treat passivity, we begin by assuming a full subcategory P of C, to be
thought of as the subcategory of passive objects. The typing context in the
passive zone will be interpreted as a passive object. Thus, every judgement
rr 1 r 1- P: (} will be interpreted by a map
S[IT] ® [ r ] - [0]
where S[IT] is an object of P, and [r] and [0] are objects of C. To treat both
Contraction and Weakening in the passive zone, we simply require that ® be a
categorical product in P. The interactions of permeability rules and rules for
the passive function type are accounted for by making a further assumption
onP.
Definition 4 (Bireflective Subcategory) A bireflective subcategory of a cate-

gory C is a full subcategory P ofC with inclusion ]: P ._ C that has left and right
adjoints equal, say S: C - P, with the composite
E'
]SA --'A:..:...___. A _ __:_I1:..:..A--+ ]SA
being the identity, where 11 is the unit of adjunction S -; J and E' is the counit
of]-; S.
This definition is from [10], where its categorical properties are studied. Our
main concern here is to explain its connection to the SCIR type system.
The adjunction S -; J is used to interpret the permeability rules of Pas-
silication and Activation. For Passification, consider first the special case in
which there is only one identifier in the active zone and none in the passive
zone:
I t: 0 1-- M: cJ>
t:O Ii- M:cf>
The adjunction determines a transformation of maps
f:A-JP
passify(f): SA- P
where P is any object of P, and A is an arbitrary C-object. This interprets
the indicated instance of the rule, and instances involving more than one con-
textual identifier can be dealt with by assuming that S be a strong monoidal
functor; i.e., that it preserves tensor products up to (coherent) isomorphism:
S(A ® B) == SA ®SB and 51 == 1 [9, 18]. Additionally, the unit of the left ad-
junction gives us a natural family of maps IJA: A - SA to interpret the Activa-
tion rule.
The right adjunction J -; S is utilized in the treatment of -+p. Clearly,
we would like - p to behave like a function type. But, as evidenced by the
introduction rule -pl, these functions are subject to constraints ensuring the
passive use of free identifiers within them. If we set A - p B = S (A ~ B) then,
using J-; S, this determines an adjunction
]P®A-B
P - [A -+p B]
where Pisa passive object. (That is, (-)®A: P-Cis left adjointto S(A ~ (-) ),
for all C-objects A.) Thus, we have an interpretation of - P that takes into
account both passive use and functional properties such as ß and IJ.
The further requirement of bireflectivity-the coincidence of the left and
right adjoints to J and the coherence condition-implies certain equations re-
lating the left and right adjunctions. First, as the analysis in [10] shows, bire-
flectivity implies that the transformation of maps f ..... passify(f) associated
with the left adjunction S -; J can be calculated using the counit E~: SA - A
(where SA = ]SA) of the right adjunction J-; S:
passify(f) = E~ ; f (3)
P. W. O'Hearn, A.]. Power, M. Takeyama and R. D.-Tennent 203
where f:A-- P. Similarly, the transformation associated with the right ad-
junction
g:P--A
promote(g):P-- SA
can be calculated using the unit 11A:A-- SA (where SA = ]SA) of the left
adjunction:
promote(g) = g; 17A . (4)
The simplifying effect of these equations is dramatic.
For instance, in [1) it is emphasized that naturality requirements lead to a
syntactic treatment of promotion rules such as - pl that involve binding, much
like the rule discussed in Section 2.7. But by interpreting -pl using composi-
tion on the right, as in equation (4), all necessary naturality requirements are
met by the simpler form of syntax rule that we use. Similarly, the interpre-
tation of the Passification rule can now be given simply by composing on the
left as indicated by (3). This will be a great aid in establishing the connection
between model and syntax, as given by the coherence theorem below.
Definition 5 (Bireflective Model) A bireflective model of SCIR is given by the
following data:
(i) a symmetric monoidal closed category (C,1, ®,......,) with finite products
(1, x); and
(ii) a bireflective subcategory]: P .... C in which ( 1, ®) is a finite-product struc-
ture and the bireflector S: C -- P is a strong symmetric monoidal functor
{or which S -1 J -1 S are monoidal adjunctions.
Note that the reflective full subcategory P is closed under cartesian products,
so P is a monoidal category and the inclusion ] is a strong monoidal func-
tor with the comparison morphisms ]P ® ]Q-- ](P ® Q) and 1-- ]1 being
identities. An adjunction is monoidal when certain equations hold involving
the units and counits and the comparison morphisms SA ®SB-- S(A ® B)
and 1-- S1 [9, 18). Monoidal functors and adjunctions are useful for treating
rules involving typing contexts [1).
The conditions that S be strong monoidal and that S -1 ] and ] -1 S be
monoidal adjunctions are equivalent to the condition that, for A and B in C,
17 A:. :. ®:. : B____ ] S (A ® B)
A ® B -----"
"A 0 "' j JE~..

]SA ®]SB ---:-------:--- A ® B
E~ ®E~
commutes, where 17 is the unit of S -1 J and E' is the counit of] -1 S.
To simplify the presentation, we assume that the counit E of S -1 ]
is the identity, and identify P in P with ]P in C. Then the isomorphism
mA,B: SA ®SB-- S(A ® B) for the strong monoidal functor S can be written
E~ ® E~ l7 B
SA ®SB --~-.::...._--+- A ® B -----"Ac:.:®=--- S(A ® B)
with inverse E~ 08 ; TJA ® TJB, and m1: 1 - S1 is 171·

Notice that the units of the monoidal and cartesian structures coincide.
The adjunction J -1 S determines a co-monad on C, and this is the aspect of
passivity that is similar (but not identical) to "!" from linear logic. The left
adjoint to J determines additional structure, that of a monad.
Proposition 6 SP =P {or allpassive P, and hence S is idempotent.
Proof: Standard for reflective subcategories; see [20]. I
Proposition 7 [10]
1. P is Cartesian closed.
2. P x Q =P ® Q when P and Q are P-objects.
3. Pis an "exponential ideal" o{C; i.e., A --o P lies in P (up to isomorphism)
when P is a P-object and A is any C -object.

I
Part 1 of the proposition corresponds to the following intuition: the passive
fragment of SCIR has no interference constraints, and so a model of this frag-
ment should be a model of the full typed .\-calculus. Parts 2 and 3 correspond
to the syntactic classification of passive types. For instance, types of the form
() - p cJ> and () - cJ> are isomorphic, so that the two exponentials coincide for
passive result types.
The adjunction S -1 J can be used to show that "passifying all variables" is
bijective; but, we also want to passify one variable at a time. That "passifying
one variable" is also bijective is the content of the following.
Lemma 8 There is a bijection
f:]Q®A®B-JP
(id ® E~ ® id) ; f: ]Q ® ]SA ® B - ]P
where P and Q are passive objects.
Proof: Immediate from properties of monoidal functors and adjunctions, and
it can also be proven directly using the fact that P is an exponential ideal. I
Example 9 This is essentially from [22], and is related to the functor-category
model given later, which is based on [39, 25].
Let N be the category with a single object, *, and where the morphisms are
natural numbers together with an extra number oo. The composition m; n is
the minimum of m and n, with m; oo = oo ; m = m. The functor category SetsN
is a model of SCIR.
The category P of passive objects is the subcategory of constant functors,
where each morphism in N gets mapped to an identity. Functor S: SetsN - P
is given by L(A)* = {A(O)a I a E A(*)} and SA(m)a = S(O)a. The functors
SA are constant because 0; 0 = 0. Given a map f:A....:... P, the corresponding
map f': SA....:... Pis given by f' (*)a = (f( *) )(A(O)a). The adjunction] -1 S is
given by composing with the inclusion SA - A.
To give some intuition, consider a "locations" functor Loc: N - Sets.
Loc( *) is the set of natural numbers, together with an extra element .L. For
natural numbers n and ml Loc(n)m = m if m < n, and J. otherwisel and

Loc( oo )m = m. One may think of function Loc(n) as "disallowing access" to lo-
cations greater than or equal to nl by mapping these locations to J.. S (Loc) ( *)
has only one elementl J..
In this category we can begin to see a glimpse of semantic structure re-
lated to side effects. But the category P does not quite match computational
intuitions concerning passivity. It consists of constant functorsl which are
effectively stateless. State will be better treated in Section 4 by adopting a
category of worlds with multiple objects (to account for local state) to use in
place ofN.
3.2 Interpretation of the Typing Rules

In this sectionl we explain how typing rules are interpreted in any bireflective
model of SCIR. Each of the primitive types 9 is interpreted as an object [9] of
Cl with passive primitive types interpreted as objects of sub-category P. This
then determines interpretations of non-primitive typesl as follows:
[9 X 9'] = [9] X [9'] [9 ..... 9'] = [9] ~ [9']
[9 ® 9'] = [9] ® [9'] [9 -+p 9'] = S([9] ~ [9'])

It is clear that each syntactically passive type is interpreted as an object in P
(or an object isomorphic to an object in P).
Each typing judgement IT I r f- P: 9 is interpreted as a morphism from
S[IT] ® [f] to [9]1 where for any typing context ll: 911 ... ln: 9nl I
[ll: 91." • 1ln: 9n] = [9d ® ' ' ' ® [9n]

and where by S[IT] we mean explicitly
S[t1: 91. ... ~tn: 9n] = S[9d ® · · · ® S[9n]
In effectl we are bypassing the isomorphism S(A ® B) :: SA ®SB in the presen-
tationl and we are glossing over associativity and unity isomorphisms. We are
most concerned with an analysis of the rules of Passificationl Activationl and
Contractionl and so will concentrate for the most part on these.
The interpretation goes by induction on derivationsl so we are assigning a
meaning ['I'] to each proof 'I' of a typing judgement.
The Axiom and the structural rules of Weakening and Exchangeare treated
in the standard wayl using identities id1e!= [9] ..... [9]1 weakenings [9] ..... 11
and symmetries A ® B ..... B ® A respectively.
1
For Activationl suppose f: S[IT t: 9]®[[] ..... [9']; then we define the desired
1
map from S[IT] ® [t: 91f] to [9'] as the following composite:
S[IT] ® S[9] ® [f] _ _.:....f_ _ [9']
lld®n!OI®ld
S[IT] ® [9] ® [f]

where 17(A) = passify- 1 (idA) is the unit of the adjunction S -1 ].

For Passification, suppose f: S[II] ® [t: O,f]- [cJ>]. The interpretation is
S[II] ® [0] ® [f] _ _.....:.{_ _ _ [0']
lld®c'[9]®id
S[II] ® S[O] ® [f]

where E' is the counit of] -1 S. This interpretation is possible because of
equation (3).
For Contraction, suppose f:S[fl, t: 0, t': 0] ® [ f ] - [0']; then we define the
desired map from S[fl, t: 0] ® [f] to [0'] as follows:
S[II] ® S[O] ® S[O] ® [f] f [0']
l id ® duplicate(S(9]) ® id
S[fl] ® S[O] ® [f]

Here, duplicate is the diagonal map for the cartesian structure in P.
For rule -I, suppose that f: S[II] ® [f, t: 0 ' ] - [0]; then the desired map
is
f*:S[II] ® [ f ] - ([0'] ---o [0])
where f* is the currying of f, as discussed in Section 3.1. For rule - E, suppose
fo: S[flo] ® [fo]- ([0'] ---o [0]) and f1: S[fld ® [fd- [0']; then the desired
map is
l I
fo ® f1
S[flo] ® [fo] ® S[fld ® [fd _ ___:__::___.;...:'----+- ([0'] ---o [0]) ® [0']
y app([9']. [9])
S[flo] ® S[fld ® [fo] ® [fd [0]

where app is the application map discussed in Section 3.1 and y is the evident
isomorphism.
For rule -pl, suppose f:S[II]- [0- 0']; then the desired map is
S[II] _ ____:.{_ _.... [ 0'] ---o [ 0]
1 q([9'] _ [9])
S([O'] ---o [0])

where IJ(A):A- SA. This interpretation utilizes equation (4).
P. W. O'Hearn, A.]. Power, M. Takeyama and R. D. Tennent 207
For rule -pE, suppose f:S[n] ® [f]- S([O']--<> [0]); then the desired
mapis
l
S[n] ® [f] ---=-f___ S([O'] --<> [0])
E'([O']- [9])
[0'] --<> [0]

where E'(A):SA- Ais the counit of J -i S, definable as promote- 1 (idsA).
The remaining rules, for tensor and categorical products, can be treated
in an obvious way. Each constant is interpreted by a map out of the terminal
object.
3.3 Coherence
Notice that the presence of structural rules in the type system allows for mul-
tiple proofs of a typing judgement, and it is important to show that this does
not lead to semantic ambiguity. In this section we verify that the semantics is
in fact coherent; i.e., all proofs of any syntax judgement have the same inter-
pretation.
Theorem 10 (Coherence) Let 'l'o and '1'1 be proofs of I1 I f 1- P: 0; then
['l'o] = ['l'd.
The proof occupies the remainder of this section.
It will be convenient to have a notation for certain composite proofs. Sup-
pose 'I' is a proof of judgement rr 1 r t- Q : 0, and that we can extend 'I' by
applications 'I'' of only the structural rules of Contraction, Exchange, Weaken-
ing, Activation and Passification to obtain a proof of Il' I f' 1- Q' : 0. We write
'I'; 'I'' for the composite proof, and call 'I'' a structural extension of 'I'.
Notice that, because all structural rules are interpreted by composing on
the left, the denotation of any proof '1';'1'' of Il' I f' t- P' : 0 can be decomposed
so that
['I'; 'I''] = h ; ['I']
for a map h: S[Il'] ® [ f ' ] - S[n] ® [f] induced by structural rules in 'I''. We
often write ['I''] to denote a map of this form induced by a proof extension. If
'I'' is empty then we declare ['I''] to be the identity.
One important property to isolate is coherence of structural extensions.
Lemma 11 (Coherence of Structural Extensions) Suppose that 'I' is a proof of
rr I r
t- Q : o,
and that 'I'; '1'1 and 'I'; 'l'z are structural extensions that prove
judgement IT' I r' t- Q': 0; then ['I'; 'l'd = ['I'; 'l'z].
This is really a Statement about the maps induced by structural extensions,
and is independent of 'I', Q, and Q'. A structural extension determines a
function p from variables in rr I r to those in rr' I r' with p(x) being the
variable to which x contracts. (We omit a formal definition, which is a simple
induction on derivations). The desired result, with data as in the statement of
the lemma, is then:
(*) If structural extensions '1'1 and '1'2 determine the same p, then
(A) E'; ['l'd = E'; ['1'2], where E' here is an appropriate component of
the counit of J -1 S, and
(B) ['1'1] = ['1'2] if (} is non-passive (so neither derivation uses Passifi-
cation).
It is easy to verify that this formulation (which now has more the flavour of a
categorical coherence result) implies the Coherence of Structural Extensions.
Note that we cannot generally ask for equality of the ['l'i] (because of Passifica-
tion). In cases where (} is passive, we use (A) and the property f = g : A - JP
iff E'; f = E'; g to conclude the lemma. We indicate the proof of (*).
Proof: Given (} and a function p from TI I r to TI' I f', we can define a canonical
extension '1'1 (that determines p) as follows.
1. Passify all identifiers if (} is passive.
2. Performall Contractions indicated by p.
3. Activate allvariables in the intersection of the image of p and the do-
mainoff'.
4. Perform appropriate Weakenings for variables not in the image of p.
Step (ü) assumes that all Contractions indicated by p are for identifiers in the
passive zone (this is an assumption on p and 6). We thus obtain an extension
'1'1 = P ; C; A ; W consisting of Passifications, followed by Contractions, Activa-
tions, and Weakenings (with some Exchanges sprinkled throughout). We prove
*),
the property ( for '1'1 a canonical extension, by induction on the length of
'1'2. We consider two sample cases.
Base case: length 0. ['1'2] is the identity, whereas '1'1 is either empty or a
sequence P ; A of Passifications and Activations (if (} is passive). (B) is trivial,
and (A) follows from the identity 11; E'; f = f, where f:X- ]P. This equation
in turn follows from the identities E' ; f = passify(f) and 11; passify(f) = f, the
former a consequence of bireflectivity and the latter of S -1 ].
Case: last rule is Passification. Part (B) is trivial. For (A), the induction
hypothesis gives us E' ; ['l'i ] = E' ; ['I'~], where 'l'i = P' ; C' ; A' ; W' is canonical
and '1'2 = 'I'~ ; p, with p an instance of Passification. Suppose that x is the
identifier moved by p. There are three subcases to consider:
1. no rule in 'l'i explicitly involves x,
2. x was introduced in the active zone through a Weakening step in W', or
3. x was moved into the active zone through an Activation step in A'.
In subcase 1 we mean that x is not moved by Passification or Activation, or
introduced via Cantaction or Weakening. Clearly one of these three cases must
apply: note that if x was involved in Contraction, Activation, or Passification,
then subcase 3 would apply. Subcase 1 is Straightforward since x is interpreted
by an identity in ['l'i]; we concentrate on 2 and 3.
For subcase 2, we can replace the instance of Weakening that introduces x

in W' by another instance that puts x in the passive zone, giving us W". Then
[W"] = [W';p] because of the identity
A®B
Thus, ['1'2] = [P'; C'; A'; W"], and P'; C'; A'; W" is of the form prescribed above
for the canonical extension. Simple permutations within each component P',
A', C', W" suffice to show that it is semantically equal to the prescribed exten-
sion (in any case, there is some trivial imprecision, involving order of rules, in
the prescription (i)-(iv) for extensions).
For subcase 3, we first move p to the left of W', and then compose the
resulting instance of Passilication with the instance of A' that activates x; this
composition yields the identity. The equations involved are
Tf~ id
E'l/
SA SA--==----+SA
and
IE'
A ®B ----::---+- A A
Tf~
Thus [P'; C'; A"; W"] = [P'; C'; A'; W'; p] where A" has the mentioned occur-
rence of Activation removed (so later rules in A" and W" are slightly adjusted),
and the desired result follows as in subcase 2.
Other rules are treated in a similar fashion, using the induction hypothesis
and various identities to reduce a proof to a canonical extension. 1
With coherence of structural extensions, we may deduce the desired theo-
rem as a corollary of the following result.
Lemma 12 Suppose n I r 1- P: 6 is derivable both from llo I fo 1- Po: 6 and from
n1 I f1 1- P1: 6, using only the structural rules. Suppose further that, for i = 0, 1,
'I't is any proof of n, Ir, 1- P,: 6; then
['l'o; '1'~] = ['1'1 ; '1'{] : S[TI] ® [f] - [ 6]
for all structural extensions '1'[ such that 'I't ; '1'[ proves TI I r 1- P: 6, for i = 0, 1.
Note that, for i = 0, 1, P = [Ptlut for identifier substitutions u 1 introduced by
Contractions.
Proof: The proof is by induction on the sum of the sizes of proofs '1'0 and '1'1.
The main base case is when '1'0 and '1'1 are both instances of the Axiom
for identifiers. This case follows from the coherence of structural extensions.
The other base cases, for constants, are immediate if any constant C: 0 is
interpreted as a map [C]: 1 - [0]
If the last step in 'l'o is an instance of a structural rule then we prove the
result as follows. Suppose that RR is the last rule applied in 'l'o, and consider
any appropriate structural extensions 'I';, i = 0, 1. We want to show
['l'o ; 'I'~] = ['I'I ; 'l'i ]: S[II] ® [f] - [ 0] .
Since the last rule in 'l'o is RR, which is one of the rules permissible in proof
extensions, this means that 'l'o; 'I'~ is the same proof as '1'2; '1'~, where '1'2 is 'l'o
with the final instance of RR stripped off and 'I'~ is 'I'~ with the corresponding
instance of RR placed on the front. (We have simply moved the break-point ";"
indicating a structural extension.) Since the proof '1'2 is smaller than 'l'o, the
induction hypothesis applies and we may conclude
['1'2 ;'I'~]= ['I'I ;'l'i]:S[II] ® [ f ] - [0].
The result follows from the identity 'l'o ; 'I'~ = '1'2 ; 'I'~. The case when 'I'I ends in
a structural rule is symmetric.
The only remaining cases are when both '1'0 and 'I'I end in a non-structural
rule for a type constructor. There are two groups of rules to consider: those
that involve disjoint hypotheses, and those that do not.
For the latter group, we consider one example: xi. Suppose the last rules
of '1'0 and 'I'I are xi, with proofs 'I'iJ of their premises.
'Yoo 'Yoi 'l'u
. .
Ilo I fo r- Po : 0 Ilo I fo r- Qo : 0 rri 1 ri r- PI : e rri 1 ri r- Q1 : e
Ilo I fo f-- (Po,Qo): 0 X 0' rr1 1 ri r- (PI. Qd : o x O'
Let hk = ['I'~] : S[Ilk] ® [fk] - S[II] ® [f], k = 0, 1, be the maps induced
by the structural extensions. Then by the induction hypothesis, ho ; ['l'o1] =
h 1 ; ['I'IJ ], j = 0, 1. The desired result is then immediate from the usual identity
hk; (f, g) = (hk ;f, hk ;g). Other rules not involving disjoint contexts are proven
similarly using the induction hypothesis and an additional identity: for ®E and
xE, use h; (f; rr) = (h; f); rr; for -I, use h; f* = ((h ® id); f)*; for -pi, use
h;(f;IJ) = (h;f);IJ;for-pE,useh;({;E') = (h;f);E'.
For the rules involving disjoint contexts we consider ®I; -E is similar.
In the following, we will content ourselves with skimming over the details
of some of the (long) syntactic constructions involved. The basic idea will
be to postpone certain Contractions until the end, so that we can apply the
induction hypothesis to disjoint terms, and conclude the desired result using
the coherence of structural extensions.
Suppose the last rule in each of 'l'o, 'I'I is ®I, i.e.,
'l'oo '1'10 'l'u
IIo I for- Po= Oo II0I r~ r- qo: OI rri I ri r- PI: Oo rr~ I ri r- qi: oi

IIo, II0I ro, r~ r- Po ® qo: Oo ® OI rri.rr~ I r11ri r- PI® qi: Oo ® OI
We have structural extensions 'I'~ and 'I'{ to consider, where 'I'i ; 'I'; proves
II I r t- p ® q : fJo ® fJI. Since identifiers in Pi and qi are disjoint, there are
(other) structural extensions 4>i, 4> possessing the following properties.
• 'I'i; 4>i proves a sequent II' I f' 1- p' ® q', for i = 0,1, where p' and q'
have no free identifiers in common, and
• 'l'i ; 4>i ; 4> proves rr I r t- p ® q, for i = o, 1.
That is, we are performing just enough Contractions to identify Po and PI.
and q0 and qlt postponing the identification of identifiers in both p's and q's
until the 4> stage. The reader may wish to use the following picture (where the
contexts have been omitted):
4>o 4>I
Po ® qo _ _____.::....____... p' ® q' ---=---- PI ® qi
~!~/. p®q
Next, from 4>i we can obtain proofs 4>pi and 4>qi suchthat [4>pi] ® [4>qd = [4>d:
: 4>pi : 4lqi
ITpi I fpi 1- p' : fJo ITqi I fqi 1- q' : ei
II' I f' t- p' ® q' : fJo ® fJI
Theseare obtained by copying instances of rules that concem p or q, as appro-
priate. Finally, we may apply the induction hypothesis to conclude the middle
equality in the following
['l'o ; 4>o] ['l'oo; 4>po] ® ['I'OI ; 4>qo]
['l'w; 4>pd ® ['l'u ; 4>qd
where we have suppressed some symmetry isos. The outer two equalities
follow from the identity (h ® h') ; (f ® g) = (h; f) ® (h' ; g) and the indi-
cated construction of 4>pi and 4>qi· The desired result ['l'o; 'I'~] = ['I'I ; 'I'{]
then follows immediately from the coherence of structural extensions, using
[4>i;4>] = ['1';]. I
The Coherence theorem then follows directly by taking IIo = III = II, fo = fi =
f, and Po = PI = P.
Having established that the semantics is well-defined, we can note that it
satisfies the reductions listed in Table 3.
Proposition 13 The reductions in Table 3 preserve equality in any bire{lecttve
model of SCIR. I
=
For instance, the equivalence derelict(promoteM) M follows from the iden-
tity f = f; J7A; E~ where f:]P- A, which is true by virtue of J -1 S and
equation (4).
A fuller treatment of equivalences will not be given here. However, it is
worth noting that many additional equations beyond these ß laws are valid in
bireflective models. As one example, one can synthesize an equivalence from

the law of monoidal functors
mA,B
SA ®SB-----'-----+- S(A ® B)
YsA.<•I js<y..-1
SB® SA ---=m::::-B-.A---+- S(B ® A)
by replacing S(-) by C - p (-), where Cis a passive type. For instance, the
map mA.B would be replaced by the term
Af: (C --+p A) ® (C --+p B).
promote(.\x: C. (derelict (rr~f)x) ® (derelict (rr~f)x))
See [1, 3) for discussion.
Verifying coherence proved tobe quite a Iot of detailed work, even with
certain isomorphisms left implicit and with the skimming over of some syn-
tactic constructions. We wonder whether type theoretic coherence could be
better approached in a more general setting; see [30) for discussion and refer-
ences.
3.4 Discussion: Non-Bireflective Models
Wehave included the qualifi.cation "bireflective" in Definition 5 because there
are models of the SCIR type system in which the left and right adjoints to
the inclusion do not coincide. The first, and foremost, examples are given
by the models in [31, 32). Others are given, for example, by arrow categories
c-. The models that we know of have the form of two categories and three
functors between them, like so:
L
( I '\
P---='---+-C
\_ R )
with I fully faithful and L -1 I -1 R. Additional conditions that a more gen-
eral (not necessarily bireflective) model of SCIR should satisfy have not been
formulated. Coherence is the minimal requirement for any general notion of
model of SCIR, and is particularly subtle because of the intricate interactions
between the permeability rules and other rules.
4 A Functor-Category Model
In this section, we present a concrete model of the illustrative ALGOL-like pro-
gramming language of Section 2.3.
The main challenge is to define non-interference and passivity for enti-
ties such as commands, expressions and procedures, which are convention-
ally modelledas input-to-output functions. In [39, 25), the similar problems
that arise in treating the non-interference predicates in specification logic
are addressed by using a category-theoretic form of possible-world semantics

[35, 27]. Each phrase type () is interpreted as a (unctor [0] from a suitable
(small) category of "possible worlds" to a category of domains, and any phrase
Pis interpreted as a natural transformation [P] of such functors. We will show
that the same category of functors and natural transformations can be used
to provide a satisfactory model of the SCIR-based programming language.
4.1 The Category of Worlds

A category of possible worlds appropriate to treating non-interference and
passivity in ALGOL-like languages is defined as follows.
• The objects are sets (we require a small collection), thought of as sets of
states. The set of all worlds is assumed tobe closed under the following:
- if VT is the set of values appropriate to a data type T, VT is a world;

- if X and Y are worlds, so is their set product X x Y; and
- if X is a world, so is any Y c X.
• A map from X to Y is a pair (f, Q), where Q is an equivalence rela-

tion on X and f is a function from X to Y whose restriction to each
Q-equivalence dass is an injection. Intuitively, Xis a world "derived"
from Y, f maps states in X back into Y, and Q is an equivalence relation
on states which must be preserved by execution in world X.
The composition of maps (f,Q):X- Y and (g,R):Y- Z is the map
(h,P):X- Z suchthat h = f; g and xPx' iff xQx' and f(x)Rf(x'). The
identity map idx on world Xis Ux. Tx), where Ix is the identity function on
set X and Tx is the everywhere-true binary relation on X. We will designate
this category as X; however, it is the opposite of the category of worlds used in
[39, 25).
Any one-element set is a terminal object in X; the unique map from X
to, say, {*} is (,\x.*,=x). We can also define a tensor product as follows;
for objects X and Y, X ® Y = X x Y (the usual cartesian product of sets),
and (f, Q) ® (g, R) = (f x g, Q x R), where (f x g)(x, y) = (f(x), g(y)) and
(x,y)(Q x R)(x',y') if and only if xQx' and yRy'. This is the basis for a
symmetric monoidal structure on X, with the designated terminal object as
the unit; for example, the symmetry map from X ® Y to Y ® X consists of the
exchange function and the total relation on X x Y.
Projection maps rro: X® Y- X and rr1: X® Y- Y can be defined to consist
of: the usual projection functions on X x Y, and equivalence relations that re-
late (x, y) pairs having the same y or x components, respectively. These maps
are termed "expansions" in [39, 25), where the opposite categoryis considered,
and similar maps are treated in [27).
We can also define a natural family of diagonal maps öx:X- X ®X whose
components are: the diagonal function on X and the total relation on X. Note,
however, that öx; 7Tj * idx, and ® is not a categorical product.
4.2 Semantic Category and Basic Functors

The semantic category for our model is the category nx"" of contravariant
functors from the category of possible worlds to 0, where D is the category
of w-cpos, (i.e., possibly bottom-less w-complete posets and continuous func-
tions), with all natural transformations as the maps. This is essentially the
same semantic category used in [39, 25]. Finite products in I)X"'' can be ob-
tained pointwise from the familiar products in D.
We now consider interpretations in I)X"'' for the basic types (expressions
and commands) in the programming language. First, we define the "domain-of-
states" functor, St, tobe the covariant functor from X to D suchthat St(X) =
X, discretely-ordered, and St(f, Q) = f. Contravariant functors for expression
types can then be defined pointwise as follows:
[ T ]X = St(X) - (VT) .L and [ T ]f e = St(f) ; e
where VT is the set of values associated with T; i.e., Vmt is the set of integers
and V~~oo1 is the two-element set of truth values.
For the command type, if Xis a world then c E [comm]X is a family of par-
tial functions, indexed by all X-maps with co-domain X, so that c(f: Y - X)
is a partial function on St(Y). The uniformity condition on the family is the
following "semi-commutativity" requirement: for all f: Y - X and g: Z - Y,
c(g; f) ; St(g) !;;; St(g) ; c(f),
where the !;;; relation is graph inclusion of partial functions:
c(f)
y _ _ _. :.:. . ;__ __..y
St(g)1 2 1St(g)
z -----:::------+-Z
c(g; f)
The semi-commutativity allows command meanings to become less-defined in
more-restricted worlds; however, the family must also satisfy the following
commutativity requirement arising from the equivalence-class component of
X-maps. For any X-map (f, Q): Y - X and y E St(Y), let
Y' = {y' E St(Y) I yQy'}
(i.e., the set of states Q-reachable from y); then
Y _ _c...::.(f....:...,Q..::.;);__._... Y
St([Y')1 1St([Y'I
Y' _c..:...:.(f_Y'.....:..;. ::..((..:. Q=):.-.)
., ..... Y'
must commute (and not just semi-commute), where rY': Y'- Y is the X-map
with components: the insertion function from Y' to Y, and the total relation
on Y'. This requirement is imposed to ensure that, when c(f, Q) has a defined
result, it preserves the Q-equivalence dass of its argument.
The morphism part of [comm] is defined as follows: for any X-map

f: Y - X, command meaning c E [comm]X, and X-map g: Z - Y,
[comm]f c g = c(g; f)
This makes [ comm] a contravariant functor from X to D, as required.
We now discuss some examples to show how these functors interact with
the X-maps defined in the preceding section.
Because of maps from subsets of state sets, expression meanings in the
semantics cannot have side effects, not even "temporary" ones. For any world
W and w E W we can restriet to the Singleton set of states {w} using the "re-
striction" map r{w}: {w}- w whose components are: the insertion function
and the total relation on {w}. Then, for any expression meaning e E [T]W,
the value of ein State W is completely determined by the meaning [ T]( r{W} )e
at world {w}:
e
W ----'=-----+- (VT).L
Sl(f{w)) 1
{w}
where the vertical arrow is the insertion of {w} into W. There can be no side
effects during evaluation of e(w) because, in world {w}, there are no other
states to change to!
The behaviour of commands under restrictions is quite different. Consider
the command meaning c( ·) E [comm](W x Z) corresponding to an assign-
ment Statement z := z + 1, where z accesses the Z-valued component in X x Z.
The partial function for c (idwxz) maps (w, n) to maps (w, n + 1). But we
also need to define c(f) for all other X-maps f into W x Z, including restric-
tion maps. In particular, if we consider c( r{(w, n}}) then this component of
c cannot produce an output state, because {w, n + 1) is not an element of the
world {(w, n} }. More generally, c(f)s can be defined only if (w, n + 1} is in the
range of St(f). In contrast to the previous example, command meanings are
not completely determined at Singleton worlds, just because they may change
the state.
Suppose now that we restriet to the world
Y = { (w, n) E W x Z I n is even}
and consider the composite z := z + 1 ; z := z + 1, and its semantic counterpart
c; c. Sequential composition is interpreted componentwise, so for command
meaningsc1 and c2, (c1 ;c2 }(f) is justthe composition ct(f) ;c2 (f) of the partial
functions for the components. Thus, we get that (c ;c}(idwxz)(w, n) = (w, n}.
However, (c;c)<rY)(w, n} is undefined, because c<rY)(w, n} is undefined. The
attempt to "stray" out of Y, even at an intermediate state, leads to divergence.
4.3 Non-Interference
4.3.1 Tensor Product
Intuitively, meanings a E A(W) and b E B(W) are non-interfering if neither
makes active use of any memory used by the other. We formalize this intuition
as follows: a # b iff there exist worlds X and Y, an X-map f: W- X® Y and

meanings a' e A(X), b' e B(Y) suchthat A(f; rr0)a' = a and B(f; rr1 )b' = b:
rro rr1
a' E A(X) X-+--__..;:..- X® Y ---=-- Y b' E B(Y)
JA(f;rro) rj B(f; rr,) j

a E A(W) w b e B(W)
The idea isthat a and b "come from" disjoint worlds X and Y, respectively.
The archetypical example of this arises in the declaration of a new local vari-
able: the new variable and non-local entities are non-interfering because they
can be viewed as "coming from" the factors of a product world [25, Section 5).
The map f in the definition of a # b allows for sharing of passively-used
memory, as in
rro rr1
X®Z -+---=---X®Z ®Z® Y ---=---- Z®Y
jldx e6z eld,

X®Z®Y
The composite maps from X ® Z ® Y to X ® Z and Z ® Y have the equality
relation = z as the equivalence-relation component on Z; this ensures that the
shared memory Z can only be used passively. An example is discussed below.
We can now define a bifunctor ® on oxoP to interprettype assignments and
the non-interfering product type constructor in the syntax. For any functors
A, B: X.OP - D and world W,
(A®B)(W) = {(a,b) e (AxB)(W) I a#b}
and the morphism part is defined as follows; for any f: W 2- Y,
(A ® B)(f)(a, b} = (A(f)a, B(f)b} .
If 17 : A ....:.... A' and J.1 : B ....:.... B', then

(17 ® J.t}(W)(a, b} = (17(W)a, J.t(W)b} .
To complete the monoidal structure on oxoP, we define the unit to be a speci-
fied terminal object 1, which can be defined pointwise. These definitions make
(OX"", ®, 1) a symmetric monoidal category.
4.3.2 Sharing and Contraction

To illustrate the interaction between sharing and disjointness in the definition
of ®, we consider a map
II: [comm] ® [comm]....:.... [comm]
P. W. O'Hearn, A.]. Power, M. Takeyama and R. D. Tennent 217
for interpreting the deterministic parallel composition of non-interfering com-

mands. Given (c1rc2) E ([comm] ® [comm])(W), there exist ci and c~ as
follows:
rro rr1
ci E [comm]X X -+----"--X x Y -----"----+- Y c~ E [comm]Y
j[
comm)(f ; rro) f 1 [comm](f ; rr,) j
c1 E [comm]W W c2 E [comm]W
Define ci x c~ E [comm](X ® Y) tobe the component-wise product map; i.e.,
(ci x c~) (g) = ( ci g) x (c~ g), using the morphism part of the cartesian product
x in the category of sets and partial functions. To get a meaning at world W
we use map f, as follows:
II (W)(c1,c2) = [comm](f)(ci x c~).
Here, X, Y, c1 and c2 are not uniquely determined, but the functoriality re-
quirements on [comm] are sufficient to ensure that this is a good definition.
The f map is what allows for a limited amount of sharing. To illustrate
this, suppose X= Y = Z ® Z, ci (id)(n1, n2) = (n2 + 1, n2) and c~(id) (n1, n2) =
(n1r n 1 + 3). Then, we can form a composite command in which ci and c~
operate on disjoint portians of the state:
ci x c~ E [comm](Z ® Z ®Z ® Z) .
Sharing can be achieved via a diagonal map
Z®Z®Z®Z
1idz ® Öz ® idz
Z®Z®Z
yielding the meaning
c = [comm](idz ® 8z ® idz)(ci x c~).
We find that c(id) (n 1, n2, n3) = (n2 + 1, n2. n2 + 3): the two middle components
in the product Z ® Z ® Z ® Z get identified, which is to say, shared, by the
diagonal map. Intuitively,
• ci corresponds to a command x := y + 1
• c~ corresponds to a command z := y' + 3, and
• c corresponds to the command x := y + 1 II z := y + 3, obtained by
parallel composition followed by Contraction of y and y',
where the identifiers correspond to evident components in Z4 and Z 3.
Thus, the semantics of II is given by combining functions on disjoint state-
sets, followed by sharing. This corresponds closely to how parallel commands
are typed: first, commands with no identifiers in common are combined, and
then sharing is introduced using the Contraction rule.
4.3.3 Exponential
An exponential construction right adjoint to ® makes nX"P a closed cate-
gory; (A - B) (W) is defined to be the set (ordered pointwise) of families
q(X):A(X)- B(W ®X) of continuous functions indexed by worlds X, such
that, for all X-maps f: Y - X, the following naturality diagram commutes:
A(X) ---=-q..:...(X..:...>_..... B(W ®X)
A(f) j JB(ldw ® ()
A(Y) q(Y) B(W ® Y)
(A - B)(W) is simply the (pointwise-ordered) hom-set nX"''(A,B(W ® -)}.

Note that the argument of q(X) is an element of A(X); i.e., W is not involved,
corresponding to the principle that a procedure and its argument are disjoint.
The morphism part of A - B is defined as follows: for any X-map f: X - W,
(A - B)(f)(q)(Y) = q(Y); B(f ® idy). If 17:A' ....:.... A and iJ:B ....:.... B', then
11- iJ: (A-B)....:.... (A'- B') is given by
(17- IJ){W)(p E (A- B)W)(X) = 17(X); p(X); IJ(W x X) .
The application map app(A, B): (A - B) ® A ....:.... Bis defined by
app(A,B)(W)(q E (A- B)(W),a E A(W)} = B(f)(q'(Y)a'),
where f: W - X ® Y, A(f ; rro)a' = a, and (A - B)(f ; rrt)q' = q. Here,
f: W - X® Y, a' E A(X) and q' E (A - B)(Y) arenot uniquely determined,
but the naturality condition on procedure meanings is sufficient to ensure that
this is a good definition. lf 17:A ® B....:.... C, the curried map 17*:A....:.... (B- C)
is defined by
17* (W) (a' E A(W)) (X)(b' E B(X)) = 17(W ®X) (A(rro)a', B(rrt)b'} .
Proposition 14 (IJX"'', ®, 1,-) is a symmetric monoidal closed category.
Proof: The structure described is an instance of an abstract construction pre-
sented in [8]. I
4.4 Passivity
Intuitively, a E A(W) is passive if it doesn't interfere with anything. This can
be defined rigorously using "state-change constraint" endomaps ocw: W- W in
X whose components are: the identity function on W and the equality relation
on W. It is easily verified that the ocw are idempotent maps, and, furthermore,
that they constitute a natural family of maps; i.e., oc is a natural idempotent
on the identity functor.
The importance of the ocw for treating passivity is that, because of the
definition of [comm], they preclude any state changes; hence A(ocw) applied
to any a E A(W) "passifies" it so that it cannot interfere with anything. For
example, suppose that c E [comm]W is the denotation of w := w + 1; the
second uniformity condition on command meanings ensures that c(ocw )s can
be defined only if c(idw )s = s, and so, for this c, we obtain that [comm](aw )c
is everywhere-undefined.
The effect of state-change constraints on expression meanings is quite dif-
ferent. Foreach world Wand e E [T]W, [T](aw)e = e. State-change con-
straints have no effect here because expressions cannot cause side effects.
These examples suggest the following definition: a E A(W) is passive if
and only if A(aw )a = a. For example, [skip]W (a family of identity functions)
and [diverge]W (a family of everywhere undefined functions) arepassive ele-
ments of [comm] W.
The following results establish the connections between passivity and non-
interference.
Proposition 15 lfp E P(W) and q E Q(W) are passive, p # q.
Proof: lf p and q are passive, P(aw)P = p and Q(aw)q q; but aw

8w; Tri for i = 0, 1, and so p # q. I
Proposition 16 a E A(W) is passive iff a # a.
Proof: The "only if" part follows from the preceding Proposition.
In the other direction, suppose that a # a; then there exist worlds X and Y,
ax E A(X), ay E A(Y), and an X-map f: W- X® Y suchthat A(f; TTo)ax =
a = A(f; rri)ay. Let Qi for i = 0, 1 be the equivalence-relation components
of f; Tri; then Uw, Qi) ; f; Tri = f; Tri, and so we get, by functoriality of A, that
A(Iw, Qi)a = a for i = 0, 1. This gives us that A((lw, Qo); Uw, Q1) )a = a; but
Uw, Qo); Uw, Qd = aw, and so a is passive. I
An object A of I)X"P is passive iff, for every world W, every a E A(W) is
passive. For example, a terminal object 1 is passive because it is a constant
functor, and [T] isapassive object because, for anyworld Wand e E [T ]W,
[T](aw)(e) = St(aw);e morphismpartof[T]
= e St( aw) is the identity function
Let P be the full subcategory of passive objects of I)X"P. This determines a

model of SCIR, which follows in fact as a special case of the abstract results of
[10).
Theorem 17 Category I)X"P, tagether with subcategory P, comprise a bireflec-

tive model of SCIR. I
The following data are thus obtained, allowing us to interpret the SCIR typing
rules:
• the bireflector S:nx"P - P, which takes A(X) to the sub-cpo of passive
elements: SAX= {a E A(X) I a is passive}, and SAfa = Afa;
• the unit 1JA:A- SA of S-i], given by 1JAWa = A(aw)a; and

• the counit E~: SA- A of] -i S, given by the inclusion SAW ..... AW.
220 Chapter 18. Syntactic Control of lnterference Revisited
4.5 Interpretation of the Constants

We now present interpretations of selected constants. The interpretation of II
has already been given in Section 4.3.2.
Sequential composition is given by a map
sequence: [comm x comm] ....:.... [comm] .
The definition is sequence(W)(c1,c2)(f> = ci(f); c2(f), using composition of
partial functions. One can show that the following diagram commutes
exchange
[comm ® comm] ------=----..... [comm ® comm]
'I
[comm x comm] -----=-se~q==-u:-::e""n""""ce~--- [comm]
jn
where II is the interpretation of parallel composition from Section 4.3.2, i is

the evident inclusion, and exchange is the twist map exchanging the two com-
ponents of ®.
For assignment, we define a map
assign: (([T]-- [comm]) x [T]) x [T]....:.... [comm].
Because of the presence of x instead of ® on the left, we cannot simply use the
app map to apply the procedure. To deal with this, we supply the "acceptor"
component of a variable with a constant-function argument. Given v E VT,
define kv E [T]l tobe the constant meaning suchthat kv(f)(w) = v for all
f: 1 2.... Wand w E W. We can then define the assignment map as follows.
. (W) (( } '} { i(a(1)(kv)(w, *}), if e'(w) = v * .L
asszgn a, e •e w = undefined, if e' (w) = .L
where i: W x 1 - W is the unity isomap.

Finally, we indicate how the block-expression combinator doT is treated by
defining
do.r:S([var[T]]-- [comm])....:.... [T].
First, let {a, e} E [var[Tl]VT be the standard "local" variable meaning at world
VT [25]. Then
d (W) _ { v, if p(VT)(a,e){w, v0 } = {w, v)
0-r pw - .L, if p(VT)(a,e){w, v0 } is undefined
where v0 is a standard initial value for T-typed variables. The passivity of p

guarantees that w' = w whenever p(X)(e)(w,x) = {w',x'}, so there is no need
for a snap-back effect.
Other constants can be treated as in [27, 39].
4.6 An Alternative Presentation

]. C. Reynolds has suggested (private communication) that an interference-
controlled ALGOL-like language should be interpreted by families of contin-
uous functions, indexed by assignments of state-sets to identifiers, with each
identifier in the context interpreted by a meaning relative to its own state-set.
ln our framework, this would mean that a syntax judgement TI I r 1- P : ()
would be interpreted by a family of functions </>(W), indexed by assignments
W of worlds to identifiers, with the functionality of </>(W) being
(n1edomn
S[llt](Wt)) x ( n
1edomr
[ft](Wt)) - [()]( n
LEdom<n.n
Wt)
Note that the products in the domain of </>(W) are cpo products, whereas the
product in the co-domain is a set product. This form of semantic interpreta-
tion seems intuitively appealing because it makes the disjointness of distinct
identifiers very explicit; but it is highly non-standard.
ln this section, we show that we can define a bijection between the Stan-
dard form of semantics discussed in earlier sections and this non-standard
form. To simplify the treatment, we will consider natural transformations
17:A®B..:... C
and families of functions
</>(X, Y):A(X) x B(Y)- C(X x Y)
where X and Y are X-objects. From a natural transformation 17, we can define
a family </>(X, Y) of functions as follows:
</>(X, Y)(a',b') 17(X x Y)(A(xY)a',B(Xx)b'}
ln the other direction,
17(W){a,b) = C(f)(4>(X, Y)(a',b')}
X
where f: W - X x Y, a' E A(X) and b' E B(Y) such that A(f; rro)a' = a
and B(f; rrdb' = b must exist because (a, b) E (A ® B)(W). Naturality of 17
is straightforward, provided that 17(W)(a,b) is uniquely defined; for this, the
family </>(X, Y) must be suitably uniform. We will not bother to formulate an
explicit definition of the condition; it is a routine exercise to do so, and to
verify that the mappings 17 ...... <1> and <1> ...... 17 just given are mutual inverses,
given such a condition on the </>( · ).
5 Concluding Remarl{S
The type system presented here was actually worked out by the first author
in 1991, but lay dormant foranurober of years because it contained features
for which no satisfactory semantic explanation existed. Its revival was mo-
tivated by [31], which exhibited structure corresponding very directly to the
permeability rules in Section 2.2, and provided the first example of a model of
the SCIR type system. Reddy made the key realization that the permeability
rules of Activation and Passification correspond in his semantics to a monad
structure. The models described in [38, 24] do not possess this structure asso-
ciated with passivity, and, in particular, only the comonadic aspect of passivity
is present in [24]. It subsequently became clear that the approach to passiv-
ity in [39, 25] has the requisite properties for the permeability rules, with the
crucial step forward being the utilization of Day's tensor product construction
(the relevance of which was suggested by A. Pitts).
Another novel aspect of Reddy's approach is that different identifiers de-
note independent "objects," where the state is implicitly represented in "his-
tories of Observations." In our model, though it is not stateless, there is also a
move away from the viewpoint of a common "global store" that programs act
upon. Specifically, in the presentation sketched in Section 4.6, and implicitly
in the standard presentation, each identifier is associated with its own state
set, disjoint from the state-set associated with other identifiers; intuitively,
each identifier denotes an object acting upon a piece of "local" state.
Syntactic control of interference is an important step toward the ideal of a
"clean" form of imperative programming. It retains basic principles of ALGOL-
like and functional programming, including equational laws such as the ß
law; this it has in common with recent work emanating from the functional-
programming community (see, e.g., [28, 21, 19]). But interference control also
begins to address some of the problems of state, such as aliasing. Functional
principles alone do not make state significantly easier to reason about, as is
abundantly clear, for example, from specification logic. Controlling interfer-
ence addresses some of the most prominent difficulties.
At present, syntactic control of interference has developed to the point
where it possesses quite satisfactory type systems and models. Nevertheless,
there are many issues that need to be addressed before the ideal of a clean
and practical form of imperative programming can be realized. The following
is a partlallist of immediately relevant issues.
1. Our example programming language does not have facilities for pro-
gramming dynamically-reconfigurable data structures of the kind often
implemented using pointers or references. Simple languages of this
form can serve as a useful testbed for ideas on integrating imperative
and functional programming, but extending the basic approach of Sei
to support coding of dynamic data is clearly crucial. It is not obvious
what the best way to do this might be.
2. A call-by-value version of Sei could have some interest. Achallenge for
such a design is to maintain a controlled form of side effects.
3. One motivation for interference control is that it should simplify reason-

ing about programs. To find evidence for this position, one might inves-
tigate a version of specification logic stripped of the pervasive # assump-
tions. A more ambitious program would be to set down axioms charac-
terizing independence of identifiers, possibly using the parametricity
ideas of [26], and to investigate the thesis that such a characterization
simplifies the logical form of specifications needed for familiar objects
or procedures.
4. The complexity of type checking and the possibility of type inference

need to be investigated for the type system presented here.
5. The semantic model presented here possesses two kinds of exponen-
tials, one for the monoidal closed structure, and another, adjoint to x,
for cartesian closed structure. This raises the question of whether in-
terference control and uncontrolled ALGOL can coexist harmoniously in
one system, which might be useful in addressing difficulties with jumps
and recursive definitions having active free identifiers. Various "unified
logics" [12, 2] have similar aims, combining intuitionistic, linear, and
classicallogics; we would want to combine intuitionistic and affine sys-
tems. An interesting point to note is that here the two kinds of closed
structure coexist in the same category, so there is no need to pass to a
separate category, such as a Kleisli category, to interpret the intuitionis-
tic (i.e., ALGOL's) function types.
6. The hope for a "linear logic-based functionallanguage" that can express
state manipulation remains unrealized, or certainly not adequately real-
ized; but the similarities with interference control, both in aims and in
technical details, are alluring. Rather than taking functional program-
ming as the starting point, a reasonable approach might be to modify
syntactic control of interference so that it provides a range of types for
expressing manipulation of state, instead of a single type comm.
Acknowledgement
We are grateful to Uday Reddy for numerous discussions that have substantially influ-
enced the content and presentation of this paper.
References
[1] N. Benton, G. Bierman, V. de Paiva, and M. Hyland. A term calculus for intuition-
istic linear logic. In M. Bezen and J. F. Groote, editors, Typed Lambda Calculi
and Applications, volume 664 of Lecture Notes in Computer Science, pages 75-90,
Utrecht, The Netherlands, March 1993. Springer-Verlag, Berlin.
[2] P. N. Benton. A mixed linear and non-linear logic: proofs, terms and models
(preliminary report). Technical Report 352, University of Cambridge Computer
Laboratory, October 1994.
[3] G.M. Bierman. What is a categorical model of intuitionistic linear logic? In Pro-
ceedings of Second International Con(erence on Typed A.-calculi and Applications,
volume 902 of Lecture Notes in Computer Science, pages 78-93, Edinburgh, Scot-
land, April1995. Springer-Verlag, Berlin.
[4] R. Bird and P. Wadler. IntroducNon to Functional Programming. Prentice-Hall
International, London, 1988.
[5] P. Brinch Hansen. Structured multiprogramming. Comm. ACM, 15(7):574-78,
1972.
[6] F. Brown, editor. The Frame Problem in Artificial Intelligence. Proceedings of the
1987 workshop. Morgan Kaufmann, 1987.
[7] M. Coppo and M. Dezani. A new type assignment for A.-terms. Archiv. Math. Logik,
19:139-156, 1978.
[8] B. J. Day. On closed categories of functors. InS. Mac Lane, editor, Repons o(the
Midwest Category Seminar, volume 137 of Leerure Notes in Mathematics, pages
1-38. Springer-Verlag, Berlin-New York, 1970.
[9] S. Eilenberg and G. M. Kelly. Closed categories. In S. Eilenberg et al., editors,
Proceedings o( the Con(erence on Categorical Algebra, pages 421-562, La Jolla,
California, 1965. Springer-Verlag, NewYork, 1966.
[10] P. Freyd, P. W. O'Hearn, A. J. Power, M. Takeyama, and R. D. Tennent. Bireflec-
tivity. In S. Brookes, M. Main, A. Melton, and M. Mislove, editors, Mathematical
Foundations of Programming Semantics, Eleventh Annual Con{erence, volume 1
of Electronic Notes in Theoretical Computer Sdence, Tulane University, New Or-
leans, Louisiana, March 29-April11995. Elsevier Science.
[11] j.-Y. Girard. Linear logic. Theoretical Computer Science, pages 1-102, 1987.
[12] J.-Y. Girard. On the unity oflogic. Annals o(Pure andApplied Logic, 59:201-217,
1993.
[13] C. A. R. Hoare. An axiomatic basis for computer programming. Comm. ACM,
12(10):576-580 and 583, 1969.
[14] C. A. R. Hoare. Hints on programming-language design. In C. Bunyan, editor,
Computer Systems Reliability, volume 20 of State of the An Repon, pages 505-34.
Pergamon/lnfotech, 1974. Also pages 193-216 of [15].
[15] C. A. R. Hoare and C. B. Jones, editors. Essays in Computing Sdence. Prentice Hall
International, 1989.
[16] P. Hudak. Conception, evolution, and application of functional programming
languages. Computing Surveys, 31:359-411, 1989.
[17] j. Hughes. Why functional programming matters. The Computer Journal, 32:98-
107,1989.
[18) G. M. Kelly. Doctrtnal adjunctions. In G. M. Kelly, editor, Category Seminar:
Proceedings, Sydney Category Theory Seminar, 1972/73, volume 420 of Leerure
Notes in Mathematics, pages 257-280. Springer-Verlag, New York, 1974.
[19) j. Launchbury and S. Peyton jones. State in HAsKELL. LISP and Symbolic Compu-
tation, 8(4):293-341, December 1995.
[20] S. Mac Lane. Categories {or the Working Mathematician. Springer-Verlag, New
York, 1971.
[21] M. Odersky, D. Rabin, and P. Hudak. Call by name, assignment, and the Iambda
calculus. In POPL [29], pages 43-56.
[22] P. W. O'Hearn. The Semantics o( Non-lnter{erence: A Natural Approach. Ph.D.
thesis, Queen's University, Kingston, Canada, 1990.
[23] P. W. O'Hearn. Linear logic and interference control. In D. H. Pitt et al., editors,
Category Theory and Computer Science, volume 530 of Leerure Notes in Computer
Science, pages 74-93, Paris, France, September 1991. Springer-Verlag, Berlin.
[24] P. W. O'Hearn. A model for syntactic control of interference. Mathematical Struc-
tures in Computer Sdence, 3(4):435-465, 1993.
[25] P. W. O'Hearn and R. D. Tennent. Semantical analysis of specification logic, 2.
Information and Computation, 107(1):25-57, 1993. See Chapter 14.
[26] P. W. O'Hearn and R. D. Tennent. Parametricity and local variables. ]. ACM,
42(3):658-709, May 1995. See Chapter 16.
[27] F. J. Oles. A Category-Theoretic Approach to the Semantics o( Programming Lan-
guages. Ph.D. thesis, Syracuse University, Syracuse, N.Y., 1982. See Chapter 11.
[28] S. Peyton-Jones and P. Wadler. Imperative functional programming. In POPL [29],

pages 71-84.
[29] Conference Record ofthe Twentieth Annual ACM SIGPLAN-SIGACT Symposium on
Principles of Programming Languages, Charleston, South Carolina, 1993. ACM,
NewYork.
[30] A. J. Power. Why tricategories? Information and Computation, 120(2):251-262,
1995.
[31] U. S. Reddy. Passivity and independence. In Proceedings, Ninth Annual IEEE Sym-
posium on Logic in Computer Science, pages 342-352, Paris, France, 1994. IEEE
Computer Society Press, Los Alamitos, California.
[32] U. S. Reddy. Global state considered unnecessary: Introduction to object-based
semantics. l.JSP and Symbolic Computation, 9(1):7-76, 1996. See Chapter 19.
[33] J. C. Reynolds. Syntactic control of interference. In Conference Record of the Fifth
Annual ACM Symposium on Principles of Programming Languages, pages 39-46,
Tucson, Arizona, January 1978. ACM, New York. See Chapter 10.
[34] J. C. Reynolds. The Cra(t of Programming. Prentice-Hall International, London,
1981.
[35] J. C. Reynolds. The essence of ALGOL. In J. W. de Bakker and J. C. van Vliet, ed-
itors, Algorithmic Languages, pages 345-372, Amsterdam, October 1981. North-
Holland, Amsterdam. See Chapter 3.
[36] J. C. Reynolds. IDEALIZED ALGOL and its specification logic. In D. Neel, editor,
Tools and Notions for Program Construction, pages 121-161, Nice, France, De-
cember 1981. Cambridge University Press, Cambridge, 1982. See Chapter 6.
[37] J. C. Reynolds. Syntactic control of interference, part 2. In G. Ausiello, M. Dezani-
Ciancaglini, and S. Ronchi Della Rocca, editors, Automata, Languages and Pro-
gramming, 16th International Colloquium, volume 3 72 of Lecture Notes in Com-
puter Science, pages 704-722, Stresa, Italy, July 1989. Springer-Verlag, Berlin.
[38] R. D. Tennent. Semantics of interference control. Theoretical Computer Science,
27:297-310, 1983.
[39] R. D. Tennent. Semantical analysis of specification logic. Information and Com-
putation, 85(2):135-162, 1990. See Chapter 13.
[40] P. Wadler. A syntax for linear logic. InS. Brookes et al., editors, Mathematical
Foundations of Programming Semantics, volume 802 of Lecture Notes in Com-
puter Science, pages 513-529, New Orleans, 1993. Springer-Verlag, Berlin.
[41] N. Wirth. On the design of programming languages. In J. L. Rosenfeld, editor,
Proceedings IFIP Congress 74, pages 386-393, Stockholm, 1974. North-Holland,
Amsterdam.
Chapter 19
Global State Considered Unnecessary:
Introduction to Object-Based Semanlies
Uday S. Reddy
Semantics of imperative programming languages is traditionally de-

scribed in terms of functions on global states. We propose here a novel
approach based on a notion of objects and characterize them in terms
of their observable behavior. States are regarded as part of the inter-
nal structure of objects and play no role in the observable behavior. It is
shown that this Ieads to considerable accuracy in the semantic modelling
of locality and single-threadedness properlies of objects.
Contents
1lntroduction 227
2lnterference-controlled ALGOL 233
3Objects 242
4A Domain-Theoretic Model of Objects 251
4.1 Object spaces 255
4.2 Functions on objects 257
4.3 Semanties 262
5 Passivity 264
5.1 Active-passive spaces 265
5.2 Semantics 269
6 The Structure of Object Spaces 270
7 Example Equivalences 274
8 Extensions 278
9 Conclusion 281
References 282
A Categorical Structure of the Model 287
B Proof of Operational Adequacy 292
1 Introduction
Semantics of programs that deal with state ("imperative programs") is a long-
standing research problern in the theory of programming languages. Tradi-
tionally, such programs are given semantics in terms of global states. (See, for
example, [Sto77].) A global state is an element of a suitably large set that gives
the value of every storage variable at a given instant of execution, e.g., the set
of all sequences of data values (State = Val*). The allocation of a new local
variable is interpreted as enlarging the sequence by adding a new component,
and deallocation is interpreted as shrinking the sequence by deleting the new
component.
First appeared in LISP and Symbolic Computation, 9(1):7-76, 1996. Permission to reprint granted
by Kluwer Academic Publishers.

228 Chapter 19. Global State Considered Unnecessary
Comm.ands are interpreted as transformers of global states, i.e., partial

functions of type State - State. Expressions (as in ALGOL 60) are interpreted
as partial functions of type State - Val. This much seems fairly natural. But,
problems begin to surface as soon as we consider functions. A function phrase
("procedure") of type s - t acts on an argument of type s to produce a result
of type t. Now, it is perfectly reasonable for the argument to act on a portion
of the state to which the procedure has no access (since local variables can be
allocated outside the procedure definition). Similarly, it is also possible for the
procedure to act on local variables that cannot be accessed by the argument.
Yet, the result of the procedure (of typet) acts on the entire global state. 1t is
not possible to disentangle the actions of the procedure and the argument on
the global state.
The following program equivalence, adapted from [MS88], illustrates this
issue:
(new[int] x. x := 0; p(x := x + 1)) =
p(skip) (1)
Here, the free identifier 1 p is a function from comm.ands to comm.ands, i.e.,
it is of type comm - comm. (Equivalently, it is a procedure that takes a "pa-
rameterless procedure" as its argument.) The comm.and on the left allocates
a local variable x and calls a procedure p with an increment procedure on x
as the argument. Note that the procedure p has no direct access to the vari-
able x. After the completion of the procedure call p(x := x + 1), the variable
x is deallocated. Since x is never read before it is discarded, the effects of
p(x := x + 1) on the variable x are unobservable. Hence, calling the procedure
p with a trivial "do nothing" procedure skip as the argument should have an
equivalent effect.
Now, consider the global state interpretation. The meaning of p must be a
function that maps global state transformers to global state transformers, i.e.,
a function of type [ State- State] - [State- State]. There is no a priori reason
for the result of p to respect the local-variable abstractions. For instance, p
might denote the function
(f) _ .\ { s, = n ~ 1 and s(n) = 0
if lsl
P - s. undefined, otherwise
which ignores its argument and tests if the most recent component of the
state is 0. For this p, the left-hand side of equivalence (1) evaluates to the
do-nothing state transformer but the right-hand side gives a state transformer
that is typically undefined, in particular, when applied to the empty state.
(In place of "undefined," one can substitute any state transformer with an
observable effect such as printing a "." on the screen.) The problern is that
p(f) is a transformer of global states. There are infinitely many such functions
p which cannot be expressed in programming languages with local-variable
abstractions.
This failure of the global state semantics has been recognized for some
time, and various solutions have been devised for modelling local-variable ab-
stractions [HMT83, MS88, OT92, OT93, Ole85, Rey81b, Ten90]. (The survey
1We use the terminology of ALGOL 60 [Nau60]: "variable" means a storagevariable and "iden-
tifier• means a variable in the sense of Iambda calculus; "expression• means a state-reading com-
putation and "phrase" means a term in the sense of Iambda calculus.
Uday S. Reddy 229
articles [OT92, Ten95] and the text [Ten91] give good overviews of the extant
techniques.) Essentially, all these solutions view commands not as state trans-
formers, but as families of state transformers indexed by state sets (formal-
ized as functors in the categorical sense). Procedures are viewed as families of
functions with appropriate uniformity conditions (typically naturality). While
these solutions lose some of the simplicity of the global-state semantics by
moving to second-order concepts (like functors and natural transformations),
they are still unable to represent local-variable abstractions sufficiently to val-
idate equivalence (1).
Another issue that one must address in the semantics of imperative
programs is that state changes are actually "changes," an issue first raised
in [OT95]. Running a command causes the state of the program tobe destruc-
tively overwritten by a new state, and it is not possible, in general, to revert
to the original state. If, for example, the procedure p in (1) runs its argument
command, the value of x would get incremented and there is no way for the
procedure to revert to the original value of x. The following equivalence, due
to P. W. O'Hearn, makes this explicit:
(new[int] x. x := 0; p(x := x + 1); ü x > 0 then diverge else skip)
(2)
- p(diverge)
The equivalence must hold because both sides diverge if p runs its argument.
(Again, one can use commands with observable effects in place of diverge to
create similar examples.) But, state transformers are mathematical functions.
They have no notion of "change" built-in. The state transformer representing
p(x := x + 1) may very weil yield the original state even after computing new
states. The following function p of type [State- State] - [State- State]
represents such a "snap-back" operation:
(f) = ,\ { s, if f(s) is defined
P s· undefined, otherwise
Thus, the equivalence (2) falls in all known semantic models of imperative
programs.
We believe that most of these difficulties accrue from a premature focus on
states. Our intuitions suggest that states have to do with the intemal structure
of implementations, not the Observable behavior. For example, in classical au-
tomata theory, the internal structure of machines is defined in terms of states,
but the observable behavior is defined in terms of languages or sequential
functions that the machines recognize or compute. If the meaning of program
phrases is similarly specified in terms of observable behavior, we might fi-
nesse all the intricate mathematical issues regarding state sets in higher-order
programming languages.
The author initiated a fresh approach to the semantics of imperative pro-
grams in the summer of 1992 with these considerations. The inspiration came
from linear logic [Gir87a] and its close connection to Reynolds' syntactic con-
trol of interference [Rey78] as espoused by O'Hearn [O'H91]. Being a radically
different approach to the semantics of imperative programs, it could initially
be stated only in very theoretical terms [Red93c]. However, it is now possible
to explain the approach in the everyday programming terminology of "objects"

(with an attendant formalization of this concept).
An object is a state machine; it has an intemal state and a collection of ex-
temally observable operations. Invoking these operations can affect the inter-
nal state so that successive Observations can produce different results. Thus,
objects have a history-sensitive behavior. The key fact is that it is possible to
specify the observable behavior of objects without reference to states. More-
over, such object behaviors form domains. Appropriate functions between
such domains denote "constructions" for building objects from other objects.
Program phrases are interpreted as functions denoting such constructions.
This is the essence of what we call the object-based approach to the semantics
of imperative programs. 2
Applying these ideas to equivalence (1), we interpret the procedure p as
acting on "command objects" (objects with a single operation of type comm).
The phrase x := x + 1 builds a command object from a variable object. The
phrase skip gives a trivial command object. The key fact is that the two com-
mand objects have precisely the same observable behavior: their command
operation can be invoked an arbitrary number of times and it terminates each
time. (The effect of the invocations on the intemal state of the objects differs
but this is transparent to the procedure p.) Therefore, the behavior of the
procedure p in the two cases must be equal.
Applying these same ideas to equivalence (2), we note that the procedure
p can only use its argument object via its command operation. 1t has no direct
access to the intemal state of this object. Since there is no operation provided
in the object for reverting its state to an earlier one, state changes caused by
invoking its command operation are irreversible.
Our experience shows that the accuracy of the object-based model is com-
parable tothebest state-based models. In fact, the object-based model goes
further in modelling the "irreversible change" (or "single-threadedness") as-
pect of objects which, so far, has not been possible in the state-based models.
The surprising factisthat all this can be done at the "ground level" in terms
of domains and functions without moving to second-order concepts such as
functors and natural transformations. However, the "ground level'' seman-
tics exists only for certain well-behaved programs that we call "interference-
controlled" programs.
Interference is the phenomenon of two program phrases acting on a com-
mon piece of store. For example the command x := a interferes with the
expression x + 1 because both act on the common variable x. Interference-
control is the programming discipline that maintains that interfering phrases
should not be used in contexts where they might appear to be independent.
For example, in a procedure call P(Q 11 Q2 ), written in the traditional ALGOL
notation, one would normally expect the phrases P, Q1 and Q2 tobe indepen-
dent. If Q 1 were the command x := a and Q2 the expression x + 1, then the
standard reasoning about the procedure P would become invalid.
2 We use the term "object-based" rather than "object-oriented" to emphasize that our objects
have state. The latter term is often used to describe languages with object inheritance, either with
or without state.
Uday S. Reddy 231
Conventional formulations of Hoare logic [Hoa69, Hoa71] assume freedom

from aliasing (which is an instance of interference control). They would be-
come unsound if aliasing were permitted. One way to reason about alias-
ing and interference is to use a sound generalization of Hoare logic such as
Reynolds' specification logic [OT93, Rey82, Rey81a, Ten90], but most program-
mers find the overhead of reasoning about interference in this logic to be ex-
cessive.
We believe that a similar Situation arises with denotational semantics. The
global-state concepts that occur in the conventional approaches are there in
order to handle interference. A better focus on the key concepts is obtained by
considering interference-controlled programs. In a sense, the role of interfer-
ence control is parallel to that of types. Just as typed lambda calculus is often
taken to be the foundation underlying the untyped lambda calculus [Sco80],
we believe that interference-controlled languages should be treated as the
foundation for languages with free interference.
What we seek is a semantics of interference-controlled ALGOL that has a
structure similar to that of functional programming languages. The Standard
semantics of PCF [Plo77], for example, interprets types as domains and terms
as (continuous) functions. We would similarly like a semantics that interprets
interference-controlled ALGOL types as domains and phrases as appropriate
functions between domains. It appears that this goal is unlikely tobe achieved
for full ALGOL with uncontrolled interference. On the other hand, such a se-
mantics is very well possible and quite attractive for interference-controlled
ALGOL. 3
In this paper, we explain the basic ideas of the object-based model using
the semantic framework of coherent spaces. Coherent spaces are a particu-
larly simple form of dl-domains [Ber78] formulated by Girard [Gir87a, GLT89].
Among their notable accomplishments is the inspiration for linear logic. In
fact, the earllest (denotational) model for linear logic was in terms of coherent
spaces. We inherit them by way of linear logic. We would like to stress, how-
ever, that coherent spaces form just one framework where the object-based
concepts can be formalized. There can be many other frameworks where ob-
jects can live. Some recent frameworks that seem to have this capability in-
clude [AJ94, AJM94, CCF94, Win94]. We expect that many of these new frame-
works will be used for modelling objects in the future, and some of them, in
particular games models, will improve on coherent spaces in accuracy.
Related work
The previous work on semantics of local variables was already mentioned. In
recent work, carried out almost in parallel with the present work, O'Hearn and
Tennent [OT95] have used the ideas of relational parametricity to character-
ize the necessary uniformity conditions for procedures. Sieher [Sie93, Sie94]
presents a similar model in the context of locally complete partial orders.
These recent models do validate equivalence (1) and other equivalences having
3The application of object-based semantics to full ALGOL is explored in the later work [OR95].
However, our experience suggests that this necessarily involves global states and functor
categories.
to do with local variables. However, a treatment of irreversible state changes

in this framework is still awaited.
The reader would notice that the present semantics runs very much
counter to these approaches. While they attempt to restriet a global state-
based semantics to meaningful denotations, we start by identifying the Ob-
servable behaviors of individual state variables and build up to larger values.
The earlier efforts in studying the semantics of interference control in-
clude those of Tennent [Ten83] in the traditional global-state approach and
O'Heam [O'H90, O'H93] in the functor-category approach. More recently,
O'Heam and Tennent [OP'IT95] formulated a model which, though in an
explicit-state functor-category framework, attempts to split up the global state
into smaller pieces.
Girard's linear logic [Gir87a] was an important source of new ideas. For
pedagogical reasons, we mention little of linear logic in this paper, but the
informed reader can see linear-logic ideas everywhere. Considerable debt is
owed to O'Heam's work [O'H91] on relating linear values and active values
(as in linear logic and SCI respectively). This work, together with Wadler's
related insights [Wad91] formed the original inspiration for this work. Another
important contribution from the linear-logic side is the "before" connective,
due to Girard and Retore [Ret93], which played a prominent role in the early
development of this model [Red93c, Red93b].
There is a large body of work on concurrency which subscribes to essen-
tially the same philosophy as that advocated here: state is localized in pro-
cesses and any notion of global state is shunned. Some of the major pieces
of work in this area include CSP [Hoa85], CCS [Mil89] and actors [Agh86]. In
relation to concurrency, it should be noted that, in studying imperative pro-
gramming, we deal with objects instead of processes. The difference is that
objects lack any form of intemal "control". This is a simplification but, at the
same time, results in much structure that is hard to find in process calculi,
such as functions, types and higher-order values. Our focus will be on mod-
elling this structure. However, the author has, after the fact, become aware
of many commonalities between the present semantic model and models of
concurrency, and has adopted the terminology of concurrency for related no-
tions, such as traces [Hoa85, Maz77] and pomsets [Pra84]. Some of the recent
work in concurrency is moving towards semantic concepts like functions and
types [Gup94, Hen94], where again some similarities with the current work
become apparent. Abramsky has been studying concurrency using linear logic
foundations (see, e.g., [Abr94]), leading to similar notions as ours. However,
unlike him, we choose to adapt the conventional denotational paradigm to the
issues of state instead of replacing it with a new one.
Another important piece of related work is Shapiro's modelling of state
in concurrent logic-programming languages [Sha87]. This is closely related to
the classical stream-based approach to modelling state in functional program-
ming [FW79, KM77, KL85]. However, concurrent logic programming languages
fill in an important missing piece in this set-up (often called "logic variables").
Our model may be seen as a formalization of the dependencies implicit in the
use of logic variables.
Uday S. Reddy 233
Since we use concepts of "objects" pervasively in this work, one might won-
der if there is some link with the semantic models of object-oriented programs.
It is not yet clear if such is the case. The majority of the semantics work in
object-oriented programming seems focused on unraveling inheritance. The
issues of state are rarely addressed. The work that does address state, such
as [RK94], uses the traditional state-based approach. Some of the work on
inheritance [PT93], however, suggests that the issues of state and inheritance
might indeed be related.
Overview
We first review the language of interference-controlled ALGOL, which forms the
subject of this study (Section 2). In Section 3, we introduce the basic concepts
of object-based semantics informally and motivate the issues. Sections 4 and
5 define the formal aspects of the model. Section 6 is devoted to a brief study
of the semantic domains obtained. In Section 7, we illustrate the semantics by
reasoning about several example equivalences. Section 8 briefly reviews some
possible extensions to the language and semantic framework.
In Appendix A, we gather together the salient mathematical structure of
the model in a categorical framework. Appendix B contains a proof of compu-
tational adequacy of the semantics.
2 Interference-controlled ALGOL
lDEALIZED ALGOL, due to Reynolds [Rey8lb], is a clean integration of fune-
rtonal and imperative programming features. It is a typed lambda calculus
whose primitive types allow for state manipulation. These primitive types in-
clude:
• var[6]: variables holding 6-typed values,
• exp[o]: state-dependent expressions giving 6-typed values, and
• comm: state-modifying commands.
Thus, the type system of ALGOL is described by the following syntax of types:
data types o .. - int I bool I ...
(phrase) types e .. - var[o] I exp[o] I comm I el Xßz I el - ßz
Though ALGOL 60 [Nau60] is one of the oldest programming languages, it

has concepts that are remarkably modern. In particular, it is the only widely
known imperative programming language that satisfies unrestricted ß equiva-
lence (often identified with "referential transparency"). Several recent propos-
als for integrating functional and imperative programming features [ORH93,
PW93, SRI91] involve ideas resembling those of ALGOL, and Reynolds hirnself
has been designing a successor language called FORSYTHE [Rey88]. Therefore,
we take ALGOL to be the focus of our study. The reader should be able to
relate these concepts to other programming languages. (In particular, see the
discussion in Section 8.)
Syntactic control of interference

The central idea of syntactic control of interference (SCI), also due to
Reynolds [Rey78, Rey89), is that, in a function application (P Q), the phrases
P and Q should be "independent", i.e., P does not change something that Q
reads or writes and vice versa. Ensuring that applications always satisfy in-
dependence has the benefit that all free identifiers are always independent.
Thus, to check for the independence of P and Q, one only needs to check that
they have no common free identifiers.
However, imposing that P and Q never have common free identifiers is
too stringent. For example, we could not write plus x x where plus is of type
exp[int) - exp[int] - exp[int]. Torelax the restriction, Reynolds identifies
a special dass of values called passive values which never change the state.
Passivevalues are independent of each other, induding themselves. Free iden-
tifiers denoting passive values can then be shared by P and Q. Since x in
plus x x is passive, such an application is permitted.
To accord special treatment to passive values, we identify a subdass of
types called passive types:
passive types cf> ::= exp[8] I cf>r x cf>z I fJ - cf> I fJr -p fJz
According to this syntax, expressions are passive, pairs of passive values are
passive and all functions returning passive values are passive. In addition, a
special dass of functions called passive functions (whose type is written with
the - p constructor) are passive. Passive functions are those that do not mod-
ify global variables.
Adding passivity to the SCI type regimen Ieads to certain technical prob-
lems with regard to subject reduction, as noted in [Rey78]. An elegant solution
to these problems was recently formulated by O'Hearn et al. [OPTT95). We
adopt their solution below.
Syntax
The terms of an imperative programming language are often called phrases in
order to avoid confusion with expressions (which are phrases of the specific
type exp[8]). The (unchecked) phrases of interference-controlled ALGOL have
the following context-free syntax:
P ::= x I k I Ax.P I PrPz I (Pr.Pz) I fst(P) I snd(P)
where k ranges over constants. This syntax is the same as that of any (applied)
Iambda calculus, but the novelty lies in the type syntax, shown in Table 1.
A typing judgement is of the form n Ir f-- P: fJ, where
• P is a phrase,
• fJ is a type,
•n= {xr:tJr, ... ,xn:tJn} and r = {yr:fJi, ... ,ym:tJ:n} are sets of typing
assumptions (normally written without braces) for the free identifiers of
P, suchthat
• Xr, ... , Xn, Yr, ... , Ym are distinct identifiers.
Uday S. Reddy 235
-----Id
li 1r, x: 9 1- x: 9
li 1 r, x: 9 1- P : 9'
li Ir 1- ?..x.P: 9- 9' - 1
li, x: 9 1 r 1- P : 9' . 1IIf,x:91-P:cf> .

li I r, x: 9 1- P : 9 , Activate li, x: 9 I r 1- p : 4> Passify
li I 1- P : 9I - 82 li 1 r 1- P : 9I - p 82
" Promote
" - p 172
li I 1- P : 17I li I r 1- p : 9I - 92 Derelict
Table 1: Type syntax of interference-controlled ALGOL
A judgement of this form may be read as "P is a well-typed phrase of

type 0 using the identifiers XI: O~o ... , Xn: On passively and the identifiers
YI:Oi, ... ,ym:O:n possibly actively." The type contexts TI and rare respec-
tively called the "passive zone" and the "active zone" of the typing judgement.
The identifiers occurring in them are called the "passive free identifiers" and
"active free identifiers" of P.
The first three lines of Table 1 form what may be called an "affine" lambda
calculus (with product types). Its distinguishing feature is that, in forming
a function application phrase (P Q), we have to split the available free iden-
tifiers into two disjoint sets III I ri and n2 I r2 and use them in p and Q
respectively. This means that P and Q cannot share free identifiers. This
implements Reynolds's principle of interference control.
Note that no such identifier restrictions are applicable to pair formation
(P, Q). This means that the two components of a pair could be interfering in
general. It also means that the currying transformation is not applicable: the
types OI x 0 2 - 0' and OI - 82 - 0' have different meanings. It is possible to
add a separate type constructor for "independent products" which would put
together non-interfering components. We consider this briefly in Section 8.
The remaining rules are referred to as structural rules. They are concemed
with maintenance of identifiers and types. The rule Contr (for "contraction")
on the fourth line brings back limited amount of sharing. (We use the notation
[Q/x]P for the substitution of Q for all free occurrences of x in P.) Any iden-
tifier x occurring in the passive zone can be made into two copies x 1 and x 2,
which can then be used in the two branches of a function application phrase.
This allows us to write expression phrases like plus x x, for example.
The two rules Activate and Passify let identifiers move between zones. The
rule Activate says that any passive free identifier can be regarded as an active
free identifier. (This is necessary for binding it by the rule -1.) The rule
Passify says that any active free identifier can be regarded as a passive free
identifier as long as it is used in a passive phrase. (Note that this is the only
place in the type system where passive types are distinguished from other
types.) This allows us to derive, for example:
v: var[int] I 1- deref v : exp[int]
Even though the identifier v is of an active type var[int], it is used passively in
deref v because the latter is of a passive type exp[int]. This curious form of
the Passify rule has a direct correspondence with the semantics described in
Section 5.4 Since v is regarded as a passive free identifier, one can use Contr
to further derive
v:var[int] I 1- plus (derefv) (derefv): exp[int]
Finally, the last two rules allow a function phrase to be given a passive
function type provided it has no active {ree identi{iers and to forget the fact
that a function phrase is passive.
The following is a sample of constants one finds in an ALGOL-like language.
0 exp[int]
+ exp[int] X exp[int] - p exp[int]
skip comm
comm x comm - p comm
comm - p (comm- comm)
new[ö] (var[ö] - comm) - p comm
:=o var[o] x exp[ö] - p comm
derefo var[ö] - p exp[ö]
ife exp[booll x e x e - p e
rece ((} - p e> - p e
For convenience and clarity, we associate with them the concrete syntax shown
in Table 2. The parallel composition combinator C1 II Cz is added to show the
analogy with function application: the two subcommands C1 and Cz cannot
share active free identifiers. The construct new[8] x. C creates a local variable
and binds it to the identifier x within the scope of C. Since it is a binding
construct, it is formally treated as a second-order function. We often omit
writing the combinator deref except for clarity in some examples. We use
undef as a short form for the diverging phrase rec x. x.
4 The author is informed that P. W. O'Hearn developed this type system in 1991, but it was not
made public because no semantic justification for the Passify rule was known. Its revival was
made possible by the present semantics-more precisely, a variant of it presented in [Red94],
which was itself motivated by the subject-reduction issues with SCI. This mutual reinforcement
is an excellent example of the interplay between syntax and semantics.
Uday S. Reddy 237
rr 1 r 1- Et : exp[int] rr 1 r 1- E2 : exp[int]
rr 1 r 1- o : exp[int] rr 1 r 1- Et + E2 : exp[int]
rr 1 r 1- v: var[ö] rr 1 r 1- E: exp[ö]
rr I r 1- skip : comm rr I r 1- v := E : comm
rr I r 1- Ct : comm rr I r 1- C2 : comm fit I r1 1- Ct : comm IT2 I r2 1- C2 : comm

rr Ir 1- Ct;C2: comm flt,IT2 I ft.f2 1- Ct II C2: comm
rr I r,x:var[ö] 1- C: comm rr Ir 1- V: var[ö]

rr Ir 1- new[ö] x. c: comm rr Ir 1- derefV: exp[ö]
rr 1 r 1- E : exp[bool] rr 1 r 1- Pt : e
rr 1 r 1- P2 : e rr 1 x: e 1- P : e
rr I r 1- if E then Pt eise P2 : (} rr I 1- rec X. p : (}
Table 2: Primitive phrases of interference-controlled Algol
Discussion
lf we disregard the higher types such as lh x lh and lh - lh we obtain the
language of basic imperative programs. This language is essentially defined by
the combinators of Table 2. Its programs have standard semantics in terms of
state transformation (or execution). When we form a command using higher-
type abstractions, the semantics of lambda calculus becomes applicable. The
command phrase is interpreted by first reducing it, using the standard re-
duction rules such as ß-reduction, until one obtains a command phrase that
can be executed. 5 Thus, the semantics of IDEALIZED ALGOL is an orthogonal
combination of typed lambda calculus and the language of basic imperative
programs [Rey8lb, WF93].
As a simple example, consider the function
twice: comm- comm
twicec = c;c
When applied to a command c, the function produces a command that has the
effect of running c twice. For example, twice (print * produces a command 1 1
)
that prints two *'s. It is important to note that the function twice itself does
not "run" any commands. It is an honest-to-goodness function that produces a
command as its result. This result must then be used in a context where it will
be executed to produce any effect. lf it is used in a context where it is ignored,
no effects are produced. For example, if ignore is the function .\c. skip, then
ignore ( twice ( print * 1 ) ) produces no effect even when it is run.
1
As an aside, note that twice can be given a passive function type:

twice: comm - p comm
SThis corresponds to the "copy rule" semantics for procedures described in the Al.GOL 60 re-
port [Nau60]. There is, however, no notion of a standard reduction, and the normal form of a
phrase is typically an "infinite phrase. • In practice, the reduction and execution phases of the se·
mantics operate concurrently, with the execution phase demanding reduction steps when needed.
Since it has no active free identifiers, it cannot cause any state modifications
to non-local variables.
As a generalization of twice, consider a function that maps a command c
to an n-fold composition of c with itself:
times: exp[int] -p comm - p comm
times n c = if n = 0 then skip
else c; times (n - 1) c
If n is any natural number, times n is a function of type comm - p comm.
This shows that every natural number can be encoded as a function of type
comm - p comm. It turns out that the converse is true as well, i.e., every func-
tion of type comm- p comm, other than the undefined function, is equivalent
to timesn, for some natural number n. Thus, functions of type comm-pcomm
are similar to Church numerals.
Control structures for commands can be defined as functions on com-
mands. For example, the function:
while: exp[bool] x comm - p comm
while (b, c) = if b then c; while (b, c)
eise skip
defines a while loop control structure. Novel control structures can be defined
just as easily. For example, by adding recursive data types like lists, we may
define higher-order operations for commands analogous to map:
mapdo: (9- comm) -P (Iist e- comm)
mapdo f [ ] = skip
mapdo f (x :: xs) = fx; mapdo f xs
listdo: Iist comm - p comm

listdo [ ] = skip
listdo (c ::es)= c; listdocs
Note that we have mapdo f = listdo o (map f) as an equationallaw of these

functions.
More important to our concems is the ability to build objects with inter-
nally encapsulated state and exported operations (called methods). Such ob-
jects are typically built from variables (which are themselves primitive objects
built into the language). For example, the following function builds counter
objects from variables:
counter = exp[int] x comm
mkcounter: var[int] - p counter
mkcounterv = (derefv, v := v + 1)
A counter object has two methods: the first, of type exp[int], returns the
current value of the counter and the second, of type comm, increments the
value of the counter.
Uday S. Reddy 239
We often use sugared record notation for product types so that mnemonic
names for the fields are available. ln this notation, we write mkcounter as:
counter = [val: exp[int] x inc: comm]
mkcounter:var[int] - p counter
mkcounterv = [val = derefv, inc = (v := v + 1)]
We would then write c.val and c.inc for the methods of a counter c.
To build and use a counter object in a larger program, we use one of two
techniques. By the first technique, we might use an existing variable v to
build a counter object, bind the counter to an identifier c, and then use c in a
command. This corresponds to a program structure of the following form:
Iet c = mkcounter v
inP
where P is a command phrase. The let-block is desugared in the Standard
fashion: (.\c.P) (mkcounterv). ln this form of a program, we must think of
the variable v as the "raw material" used for building the counter c. While
the counter is in use, we cannot directly access this raw material. Doing so
would cause interference. Indeed, SCI ensures that v does not occur free in
the phrase P. However, the variable v can be used in the commands that
precede or follow the let-block. ln this sense, mkcounter builds a temporary
"scaffolding" araund the variable v which is in effect during the execution of P.
The second technique is to create a new variable and erect a permanent
scaffolding araund it in the form of a counter. This is expressed by the follow-
ing function:
newcounter: (counter- comm) - p comm
newcounter k = new[int] v.
v:= 0;
k ( mkcounter v)
This function takes as its parameter a counter "consumer" k. It creates and
initializes a new variable v and supplies the consumer with a counter built
from v. To create and use a counter object, we use a program structure of the
form:
newcounter .\c.
p
where P is a command phrase. This corresponds to what would be written as
{counter c; P}
in a more traditional object-oriented programming language. The function
newcounter corresponds to a "dass". Its task is to create new instance objects
of its dass.
We dose this discussion with a Ionger example that puts many of these
ideas together. A "histogram object" is an array of counters, i.e., a counter-
valued function on a finite range of integers, while a histogram is an array of
integers:
histobj = exp[int] - counter
histogram = exp[int] - exp[int]
We can create new histogram objects using:

new_hist: exp[int] x exp[int] - p (bistobj- comm) -p comm
new_hist (a, b) k = new_int_var_array (a, b) .\A.
k (mkcounter o A)
where new_inLvar_array isaprimitive operation for allocating arrays of inte-
ger variables. We define two further operations to access the methods of the
counter objects:
count:histobj -p (exp[int]- comm)
count h i = (h i).inc
vals: histobj - P histogram
vals h i = (h i).val
To build a histogram for a list of integers, we can now write:

build_histogram:list exp[int] - p exp[int] x exp[int]-p
(bistogram- comm) - P comm
build_histogramxs (a,b) k = new_hist (a,b).\h.
mapdo (count h) xs;
k (vals h)
These examples must convey to the reader the powerful techniques for
building and composing objects made available by the higher-order features
of IDEALIZED ALGOL.
Operational semanlies
The operational semantics of the language is defined in two stages [Rey8lb].
As explained under Discussion above, a program phrase is interpreted by first
reducing it as far as necessary, and then executing the phrase obtained from
reduction. The two stages are formalized as a reduction system and an execu-
tion semantics respectively.
The reduction system is expressed by the following reduction rules.
Reductions for higher types:
fst(PI,Pz)
snd(P1,Pz) Pz
(.\x.P) Q [Q/x]P
Unfoldings:
rece P P (rece P)
Propagations:
fst(ifexe' (Po, P1. Pz)) ife (Po, fst(P1), fst(Pz))
snd(ifexe' (Po, P1. Pz)) ife, (Po, snd(P1), snd(Pz))
ife-e' (Po, P1. Pz) Q ife' (Po, P1 Q, PzQ)
ifvar[öJ(Po,PI.Pz) := Q ifcomm(Po, P1 := Q, Pz := Q)
Uday S. Reddy 241
The relation - is extended to a reduction relation on phrases (for reduction

in all contexts) in the Standard fashion. The basic properties of the reduction
system may be established as follows:
Proposition 1 (O'Hearn and Tennent) I( TI I r t- P : 0 is a derivable phrase
and P - P' then TI I r t- P' : 0 is a derivable phrase.
Proposition 2 The above reduction system is confluent; i.e., if P - * P1 and
P - * P2, there exists P' such that P1 - * P' and P2 - * P'.
Proof: Since the left-hand sides of the reduction rules have no repeated
meta-variables and no critical overlaps, the classical techniques are applica-
ble [Bar84]. I
The second stage of the operational semantics is execution. For this stage,
we limit attention to expression and command phrases whose free identifiers
are all of variable types, i.e., phrases of the form
~I~' t- E: exp[c5] and ~I~' t- C: comm
where ~~~' isavariable type context xl:var[c5d, ... l ... ,xn:var[c5nl· We refer
to such phrases as semi-closed phrases. If ~I~' is a variable type context,
a ~I~' -state isafinite map of the form [x1-h •... ,Xn-inl. where each ik is a
data value of type Ök. Note that the variables mapped by the state are precisely
the variables in the type context ~I~'. We use the symbol u to range over such
states. The notation u[x-i] means u with its x component updated to i, and
u 1 e u 2 denotes the join of two states with disjoint domains.
We defi.ne two families of relations:
• (u,E) .u.~.~~ ..s i, where u is a ~1~'-state, E an expression with typing
~W t- E: exp[c5], and i a data value of type c5.
• (u, C) .u.~.~'.comm u', where u and u' are ~IA'-states and Ca command
with typing ~I~' t- C: comm.
The first family of relations denotes the evaluation of an expression in a state,
and the second family denotes the execution of a command in a state to give a
new state. Table 3 gives an inductive definition of the relations for well-typed
phrases. For the parallel composition C1 II C2, execution involves partitioning
the state into u1 and u2 based on the free identifiers occurring in C1 and C2.
For the new[c5] combinator, we are assuming that x has been renamed tobe
distinct from the variable identifiers in u. The execution involves adding a
new component for x in the state and discarding it after the execution of C.
This represents the "stack discipline" of local variables in ALGOL. The new
components are initialized to a designated data value init[c5] upon creation.
The last two rules are for phrases derived by the Contr rule. Strictly speaking,
we should also have rules for phrases derived by Activate and Passify, but
these rules do not affect the execution relations.
Proposition 3 For all semi-closed expressions E and commands C:
1. I( (u, C) .U. u' then, (or allpassive (ree identifiers x o(C, u(x) = u' (x).
2. I((u,E) .U. i and (u,E) .U. i' then i = i'.
3. I((u,C) .U. u' and (u,C) .u. u" then u' = u".
Proof: By induction on the type derivation of the phrase. I
(u,EI) U h (u,E2) U i2
(u,O) U 0 (u,E1 +E2) U h +i2
(u,E) U tt (u,E1) U i (u,E) U ff (U,E2) U i

(u,ü(E,Et.E2)) U i (u,ü(E,Et.E2)) U i
(u, CI) U u' (u', C2) U u" (Ul,Cl) U Ul (u2,C2) U Uz

(u, skip) U u (u, C1; C2) U u" (Ul E9 U2, Cl II C2) u u1 E9 Uz
(u E9 [x-init[8]], C) U u' E9 [x-i] (u,E) U i
(u,new[ö] x.C) U u' (u,x := E) U u[x-i] (u,deref x) U u(x)
(u,E) U tt (u,CI) U u' (u,E) U ff (u, Cz) U u'

(u,ü(E,C1,C2)) U u' (u,ü(E,Ct.C2)) U u'
(u E9 [x1-i,xz-i], E) uj (u E9 [x1-i,x2-i], C) U u' E9 [x1-j,x2-j]

(U E9 [x-i], [X/Xt.X/X2]E) U j (u E9 [x-i], [xfxl,xtxz]C) U u' E9 [x-j]
Table 3: Execulion semanlies
A program is a closed command phrase. The only Observable effect of the

program is terminalion:
Definition 4 A closed phrase 1- C : comm is said to terminate ü there is a
command 1- C' : comm suchthat C -* C' and ([ ], C') U [ ]. Otherwise it
is said to diverge. Two phrases P and Q are observationally equivalent iff, for
allprogram contexts C[ ], either C[P] and C[Q] both terminate or they both
diverge.
Note that the phrase C' in this definilion is some arbitrary reduct of C. It does
not have tobe any kind of "normal form." A program C diverges ü there is no
reduct C' of C for which execution is defined. A typical example is undef with
the infinite reduction sequence undef - undef - · · ·. A typical example
of a terminating program is while (false, C) which reduces in one step to the
executable phrase ü(false, C; while (false, C), skip).
In praclice, one would add constants for input and output and consider
equivalence under such observable effects. However, a better focus on the
theoretical properlies of the language is obtained by considering the coarser
equivalence above.
3 Objects
A central tenet of the present semanlic model is that states are not simply
values, but rather attributes of entities that persist in time. To this end, we
postulate entities called objects.6 An object has an intemal store (which we
6 In an earlier version of this paper [Red93a), two kinds of values called "passive" and "active•
values were mentioned. "Objects" of the present paper subsume both these values, though our
focus is mainly on active values.
Uday S. Reddy 243
(a) schematic object (b) object function
Figure 1: Objects
think of as a "physical resource"), and a collection of observable operations

that potentially read or alter the store. 7 See Figure l(a) for a schematic pic-
ture. The operations have types (comm, exp[8] etc.) which determille how the
operations can be used. The types of the operations also determille what kind
of semantics is associated with the object.
In devising a mathematical description of objects, we would like to ignore
the structure of their stores (because they are purely intemal) and focus on
their observable operations. To this end, we must have some idea of how an
object is to be used and what kind of behavior it supports. We postulate the
following hypotheses regarding this behavior.
Thesis 1 An object can in general be used only sequentially.

This is because objects have changeable state in their intemal store. Carrying
out multiple parallel accesses to an object would cause quite unpredictable
effects on its intemal state. Thus, sequential access is the only viable option,
both theoretically and pragmatically. Note that this does not preclude "con-
current" accesses that are serialized in some fashion at the object boundary
(though such concurrency does not arise for the language studied in this pa-
per).
Objects without changeable stores (called "passive" objects) form a special
case for which the sequential-use restriction can be relaxed. We retum to this
issue in Section 5.
By insisting that objects should be used sequentially, we are requiring that
the collection of Operations performed on the object be totally ordered, i.e.,
7 This notion is consistent with the terminology used in the object-oriented programming com-
munity, e_g_, [Weg87)_ On the other hand, note that we propose to (ormalize this notion in a way
that has not been done before_
form a sequence. This gives a local notion of "time" for each object. The oper-
ations occurring earlier in the sequence are ''before" the operations occurring
later.
Thesis 2 The behavior of an object is in generat a(fected by its past history of
operations.
This is the sense in which objects are "dynamic" or "have state". The past
history determines the current state of the object which, in turn, determines
the current behavior.
State machines as in classical automata theory have both these properties.
We use them as a metaphor for motivating the various issues surrounding ob-
jects. Figure 2 shows the state transition diagrams of several example objects.
The nodes in these diagrams should be interpreted as states and arcs as state
transitions.
The first object, called a "stepper," has a single operation that changes the
intemal state and produces an integer. (It incrementally "steps through" a
sequence of integers over a period of time.) We label each transition by the
integer that is produced. In any given run of a program, a single sequence of
integers can be extracted from the object. Similarly, for any object, a single
sequence of observations can be made in any given run of a program. We will
call such sequences of observations traces, in analogy with Hoare's terminol-
ogy for processes [Hoa85], and the set of all traces that can be observed from
the object its trace set. Note that the trace set is a state-free description of the
observable behavior of an object, much like the notion of a "language" of an
automaton. The trace set of the stepper object consists of sequences:
{), {0), {0,1), {0,1, 2), ...
The trace set is prefix-closed because every state of the object is (implicitly)
regarded as a terminal state.
Figure 2(b) shows the behavior of the counter object discussed in Section 2.
Invoking its val operation retums the current value of the counter and makes
no change to the state. Invoking the inc operation changes its state and retums
a dummy completion signal that we write as *· So, the trace set of the counter
object is:8
{), {val.O}, {inc.*}, {val.O,val.O}, {val.O,inc.*},
{inc.*,val.1}, {inc.*,inc.*}, ...
assuming the counter starts with an initial value of 0.
Our thesis is that all types of ALGOL similarly give rise to objects. Fig-
ures 2(c-e) show canonical example objects corresponding to the primitive
types of ALGOL. A command object is an object with a single command as
its operation. Invoking it potentially changes the intemal state and returns a
completion signal. For example, defining:
inc:var[int]-p comm
inc(x) = (x := x + 1)
8 The notation "val.O" means the value 0, tagged with a symbol "val" for identification purposes.
Mathematically, it is just an ordered pair (val, 0).
Uday S. Reddy 245
(a) stepper (b) counter (c) command
C7
(d) expression (e) storage

. scell
. e 2·· Obiect
Ftgur ~ behaviOr
we can construct a command object from a variable object. The procedures p

in equivalences (1) and (2) of Section 1 receive such command objects as their
arguments. The behavior shown in Figure 2(c) is what is observable by such
procedures. The effect of the command on the variable x will be represented in
the meaning of the function inc, explained below. Since a command object has
changeable intemal state, it need not produce "*"in every state. For instance,
the phrase
x:var[ö] 1- ü x < n then x := x + 1 eise undef: comm
produces a command object that eventually reaches a diverging state.
The expression object in Figure 2(d) retums a value for each invocation of
its operation and makes no change to the state. This corresponds to the fact
that expressions in IDEALIZED ALGOL do not cause side effects. Objects that
do not cause state changes will be called passive objects.
Note that projecting the val and inc operations of a counter object gives
an expression object and a command object respectively. This is the sense
in which a counter is a "pair" of an expression and a command. ln general,
"pairing" involves pairing of methods, not pairing of objects.
Finally, a canonical variable object called a storage cell has the behavior
shown in Figure 2(e). It has an operation get to retrieve the value stored in
the cell and an Operation put to store a new value. The dashed arcs emanating
from each state denote potentially infinite families of arcs, one for each data
value ik. Notlee that each get operation retrieves the value previously stored
in the cell. This explanation shows that storage cells can be interpreted as
"pairs" (in the same sense as counters are "pairs"). The get components are
expression objects while the put components are called "acceptors" [Rey81b].
The two components correspond to what are often called the r-value and the
1-value of a variable.
A function on objects allows us to construct one object from another ob-
ject as shown in Figure l(b). An example is the function mkcounter which
constructs a counter object from a variable object. The effect of such a con-
struction is to simulate every operation on the outer object by a sequence of
operations on the inner object and translate their results back to a result of
the outer object. Such Simulations can be described compactly by maps that
we call patterns. The pattem for the mkcounter function has input-output
pairs of the form
{get.i) .... val.i
{get.i,put.(i + 1)) .... inc.*
for allinteger values i. This shows that the val operation of the counter object
is simulated by a get operation on the variable object and the inc operation
of the counter object is simulated by an appropriate get-put sequence on the
variable object. 9
Note that, in such a Simulation, the intemal store of the original object
becomes the intemal store of the new object. Thus, the nested object picture
9 We are uslng the term "simulation"in an informal sense. In particular, the technical notion of
"simulation" as in [Mil71] is quite different. This is also the case for the recent use of "simulations"
as morphisms in [BG90, Gup94], though there is a strong resemblance.
Uday S. Reddy 247
in Figure l(b) is quite appropriate. At the same time, the function carrying out
the simulation has no direct access to the internal state of the original object.
It can only effect state changes via the operations of the object.
This fact allows us to ignore the internal states of objects and work entirely
at the Ievel of operations and behaviors. It Ieads to a domain-theoretic model
of interference-controlled ALGOL presented in the next two sections. Yet, im-
perative programs are often thought of as acting on state sets. In the remain-
der of this section, we indicate how object behaviors relate to an explicit-state
point of view.
Automata and simulations

We can illustrate the structure of objects for simple cases using the classical
notions of automata. An automaton for an instruction set ~ (or a ~-automaton)
is a pair (Q, a: Q x ~- Q) where Q is a set and a is a partial function (written
as an infix operator). It is standard practice to extend the function a to a
function a: Q x ~* - Q by
qa(ai, ... ,an) = (· · · (qaad · · · aan)
We call Q the set of states of the automaton and a its transition function. By
picking appropriate instruction sets, we can define automata for various types.
For example, taking ~ = { *}, we obtain automata that correspond to com-
*
mand objects. They have a single instruction for running the command once
and instruction sequences (*)" achieve the effect of running the command n
times.
The behavior (or the language) of an automaton (Q, a) at a state q E Q is
defined by
Ltx(q) = { x E ~* : qax is defined}
It is easy to see that Ltx(q) is always a prefix-closed set. Moreover, given any
prefix-closed set X ~ ~*, we can define an automaton (Q, a) such that its
language at a designated state q E Q is X. A simple construction is to pick
Q =X and define a by a: (x, a) - x · (a) whenever x · (a) E X. The start state
q is the empty sequence (). One can also construct a minimal automaton by
merging all equivalent states in (Q, a). Thus, up to behavioral equivalence,
automata with designated start states are the same as prefix-closed subsets of
P. We make much use of this fact in this paper.
Let ~ and r be instruction sets. Consider a function f from ~-automata
to r -automata that represents a Simulation. Our intuitions about Simulations
suggest that the instructions of r must be simulated by sequences of instruc-
tions of ~- In other words, f is uniquely determined by a pattem map h: r- P,
a partial function. Note the reversal of the direction. The function f on au-
tomata is then given by:
f(Q, a: Q x ~- Q) = (Q, ß: Q x r- Q) (3)
where q ßb = q a h (b). One sees that such functions f are intuitively inde-
pendent of (or uniform in) the underlying state sets of the automata. More
precisely, one can state the following correspondence (pointed out to us by
John Gray):
Proposition 5 Fundions f:~-Aut- r-Aut that preserve the underlying state

sets and state mappings (homomorphisms of automata) are one-to-one with
partial functions h: r - p.
Proof: Suppose h: f - ~* is a partial function. Consider the function f given by
(3). It evidently preserves state sets. Let t: (Q, oc) - (Q', oc') be a state mapping
of ~-automata, i.e., a function t: Q- Q' satisfying t(q) oc' a = t(q oc a). Clearly,
t(q) oc' x = t(qlix) for all x E ~*. Denoting f(Q, oc) by (Q, ß) and f(Q', oc')
by (Q', ß'), it follows that t(q) ß' b = t(q ß b) for all b E r. So, t is a state
mapping of r-automata.
Conversely, let f: ~-Aut - f -Aut be a function preserving state sets
and state mappings. There exists a "free" ~-automaton (P, oc0 ) where
x oco a = x · (a}. Let its image under f be (~*, ßo). We can define the pat-
tem map h: r - ~* by h(b) = 0 ßo b. Given any ~-automaton (Q, oc) and state
q E Q, there exists a state mapping q: (~*, oc0 ) - (Q, oc) given by ij(x) = q ocx.
From the fact that all such state mappings are preserved, one can verify that
f satisfies equation (3). 1
Simulations of this form correspond closely to phrases of interference-
controlled ALGOL For example, consider command objects treated as
{* }-automata. A function from command objects to command objects is de-
termined by a map h: {*} - {*} *. What maps are there? There is the unde-
fined map and, for every natural number n, there is a map hn(*) = (*}n. Each
of these maps determines a function at the level of automata. The function
corresponding to hn is:
fn(Q, oc:Q X{*}- Q) = (Q, ß:Q X{*}- Q)
where q ß * = q 7i ( *} n. All such functions are realizable in interference-

controlled ALGOL: the function fn corresponds to the function phrase times n
mentioned in Section 2. So, already at this elementary level, the object-based
viewpoint provides a solution for one of the key problems in the semantics of
state.
From automata to objects

The simple notions of automata outlined above are not sufficient for mod-
elling objects in general. While the instructions of automata are purely inputs,
the operations of objects have input as well as output information. For exam-
ple, the operation of a command object has essentially input information as
explained above. ln contrast, the operation of an expression object has essen-
tially output information. Its transition function is of the form oc: Q - Z x Q
(where Z is the set of integers). Objects with higher-type operations will have
more complex breakdown of input and output information. We would like to
cover all cases uniformly.
For this purpose, we make use of a standard fact. A (partial) function
f: A - B is nothing but a special kind of a relation f ~ A x B. What distin-
guishes a function from general relations is that any given input determines at
most one output in the relation, i.e., for all (x, y), (x', y') E f, x = x' ~ y = y'.
Let us say that two input-output pairs (x,y) and (x',y') are consistent, and
Uday S. Reddy 249
write (x,y) :: (x',y'), when this property holds. Then a function f:A- Bis
nothing but a relation f !;;;; A x B whose input-output pairs are pairwise con-
sistent. The causality information missing in relations can be brought back by
defining a separate consistency relation in this fashion. The advantage is that
complex causality relationships can be expressed using consistency relations.
So, in a first attempt, we Iet each type 0 determine a set of values ~ and
a binary consistency relation :: on Q x ~ x Q. A transition map is a relation
oc !;;;; Q x ~ x Q such that the tuples of oc are pairwise consistent. For command
objects, we Iet ~ = { *} and define the consistency relation for transition maps
tobe:
(q}, *,qi_):: (q2, *·q~) = (q1 = q2 = qi_ = q~)
For integer-expression objects, Iet ~ = Z and define the consistency relation
for transition maps to be:
(qi.a1,qi_):: (q2,a2,q~) = (q1 = q2 = a1 = a2 A qi_ = q~)
For integer-variable objects, ~ is defined to be the disjoint union of sets
Z + Z = { get.a : a e Z } u { put.b : b e Z }
The consistency relation for transition maps is:
(q1.h.ai.qi_):: (q2,12.a2,q~)=
(h = 12 = get = q1 = q2 = a1 = a2 A qi_ = q~) A
(h = 12 = put = q1 = q2 A a1 = a2 = qi_ = q~)
Note how the consistency relation bandies the fact that the get opera-
tions have output information and the put operations have input informa-
tion. More generally, suppose that types 01 and 02 have sets of values ~ 1
and ~ 2 and transition-consistency relations :: 1 and :: 2 respectively. Then,
for the product type 01 x fh, we Iet ~ be the disjoint union ~1 + ~2 =
{La: a e ~1} u { 2.b: b e ~2 }. The consistency relation for transition maps
is
(qi. i.a1, qi_) :: (q2,j.a2, q~) = (i = j = (qi. a1, qi_) ::, (q2, a2, q~))
In all these cases, the consistency relation for transition maps can be given
uniformly, provided we admit a consistency relation for values themselves.
This Ieads to a second attempt where we associate with each type 0, a set
of values ~ and a binary consistency relation :: on ~ itself. The consistency
relation for transition maps is then defined uniformly by:
(q1.a1,qi_):: (q2,a2,q~) = (q1 = q2 = a1:: a2) A (4)
(q1 = q2 A a1 = a2 = qi_ = q~)
lf we assign the following sets of values and consistency relations for the types
mentioned above:
comm ~ {*} identity relation
exp[int] ~ z identity relation
var[int] ~ Z+Z 1.a :: 1' .b = 1 = 1' = get = a =b
01 X 02 ~ ~1 +~2 i.a :: j.b = i =j = a ::1 b
it can be verified that definition (4) gives the same consistency relation for
transition maps as defined earlier. The consistency relation assigned to value
sets may be intuitively understood as follows: a 1 :: a 2 means that either a 1
and a2 have differing input information or they have the same output informa-
tion. This motivates the condition in (4) that, whenever a 1 and a 2 are observed
in the same state of an object, they must be consistent. Conversely, define the
inconsistency relation:::: on ~ by a1 ::: a2 iff a1 = a2 v ...,(a1 :: a2). Now, a 1 :::: a 2
signifies that a 1 and a2 have the same input information.
Next, we extend the consistency relations to sequences ~*. The extension
of transition maps to sequences is the natural one: (q, (a 1, ... ,an),q') E a iff
there exist states qo, ... , qn suchthat q = qo, qn = q' and
(qo,a1,qi), ... ,(qn-loan,qn) E OC
The relation a must be a transition map consistent in the sense of (4).
This forces a consistency relation on sequences in ~*, viz., (a~o ... , an} ::
(a;, ... , a:n) iff
(a~o ... , ai-1} = (a;, ... , a;_ 1} => a, :: a; for all i = l, ... , min(n, m) (5)
Note Thesis 2 at play here. The past events in a trace a1, ... , at-1 determine
the future event a1 (modulo its own input part). It is easy to see that whenever
oc !;;;; Q x ~ x Q is a transition map, its extension a !;;;; Q x ~* x Q is also a
transition map.
As an example, a storage cell object with the behavior shown in Figure 2(e)
can be defined by taking the state set to be the set of integers and the transi-
tion map given by:
(i,get.j,i') E oc = i = j "i = i'
(6)
(i,put.j,i')Eoc = i'=j
It may be verified that this is a proper transition map satisfying the consis-
tency condition (4).
The trace set of an object (Q, oc) at a state q E Q is defined by
La(q) ={XE~*: 3q' E Q. (q,x,q') E Li}
This is a pairwise consistent set by the above consistency relation for ~*.
Finally, we consider "functions" on objects. A function of type lh - 62
must map objects with transition maps oc1 !;;;; Q x ~1 x Q to objects with tran-
sition maps oc2 !;;;; Q x ~2 x Q. As argued previously, any such "function" must
be determined by a pattem map h !;;;; ~i x ~2. The map records the sequence of
input instructions (in ~n required to simulate an output instruction (in ~ 2 ). To
see what kind of a consistency relation must be satisfied by h, Iet (x, b) E h.
First, the input information of b must uniquely determine the input informa-
tion of x. So, if (x', b') E h isanother pair, we must have:
b:::: b' => x::: x' (7)
Second, for any given input information of b, the output information of x must
uniquely determine the output information of b, i.e.,
b :::: b' 1\ x = x' => b = b' (8)
Uday S. Reddy 251
It is often more convenient to express these conditions in the forward direc-

tion: two pairs (x, b), (x', b') E h are consistent iff
(x: x' = b: b') 1\ (x: x' 1\ b = b' = x = x') (9)
With some work, it can be seen that this definition is equivalent to the original
conditions (7) and (8). Maps of this kind are called linear maps. We examine
them in more detail in Section 4.2.
As in the case of automata, a linear pattem map h uniquely determines a
function at the level of objects:
f(Q, CX1!;;; Q X ~1 X Q) = (Q, CX2!;;; Q X ~2 X Q) (10)
where
(q,b,q') E CX2 = 3X E ~j. (X,b) Eh 1\ (q,x,q') E CX1
Note that x in the above existential is unique.
An object of a function type lh - lh is similar to a function. Its value
set is ~F = ~i x ~2 and its consistency relation is defined by (9). However,
being an object, it can have its own intemal store and use it to control the
Simulation of operations in a history-sensittve fashion. So, its application to
an argument object of type lh yields an object whose behavior is controlled
by both the store of the function object and the store of the argument object.
So, we can view a function object (Qp, txp !;;; Qp x ~F x Qp) as determining a
function from objects (Q1, cxd to objects (Qp x Q1. cx2) with transition maps
CX2 !;;; (Qp X QI) X ~2 X (Qp X Q1) given by
((q,q!},b, (q',qi)) E CX2 = 3x E ~j. (q, (x,b),q') E CXp 1\ (q1,X,qi) E CX1
Thus, function-type values expressible in imperative languages can have a

richer behavior than functions themselves. One must take care to keep the
two notions separate.
Reynolds's passive-function type lh - p lh brings back a correspondence.
Since terms of type lh - p fh cannot have free active identifiers, the objects
they denote do not have changeable stores. Such (passive) objects precisely
correspond to functions el- 02.
In the next two sections, we formalize these concepts using the semantic
framework of coherent spaces.
4 A Domain-Theoretic Model of Objects

In this section, we present a domain-theoretic model of object behaviors. The
central fact is that object behaviors form a certain kind of domains, and "func-
tions" on objects can be characterized as a dass of functions between such
domains. While the intemal structure of objects, described in the previous
section, can be used for intuitive understanding, the formal analysis can be
carried out entirely in terms of behaviors.
The domains we use for this purpose are Girard's coherent spaces [Gir87a].
The basic source on coherent spaces is [GLT89], Chapters 8 and 12, while
Zhang [Zha91] discusses the connections with other kinds of domains used in
the literature.
A coherent space A is a domain of sets, ordered by the subset order, such

that Ais
• down-closed: if x E A and y f; x then y E A, and
• coherent: if X f; A and Vx,y E X.x u y E Athen UX E A.
Note that down-closure implies that lub's and glb's are given by union and
intersection respectively. The bottom element is 0. Experts in domain
theory might note that, up to order-isomorphism, coherent spaces are pre-
cisely dl-domains that are coherent (all pairwise-consistent sets have lub's) and
atomic (the elements covering .L form a sub-basis). A linear function f: A - r B
between coherent spaces is a continuous function such that
1. xu y E A => f(x n y) = f(x) n f(y), and
2. X f; A" (Vx,y E X.x u y E A) => f(UX) = Uf(X).
In other words, linear functions preserve glb's of consistent pairs (stability)

and lub's of pairwise consistent sets (linearity). Coherent spaces and linear
functions form a closed (but not cartesian-closed) category.
In practice, we work with a representation of coherent spaces called a
"web." Suppose Ais a coherent space. Define:
• lAI = U A, the set of elements of elements of A. These elements are

called the "atoms" or "tokens" of A.
• A binary relation of "consistency" ::: A f; lAI x lAI, defined by a ::: A a' <=>
{a,a'} E A. Note that :::Ais reflexive and symmetric.
We can recover the domain A from the web. The elements of A are all pairwise
consistent sets (also called "coherent sets") over lAI. So, webs (countable sets
with reflexive-symmetric relations) form canonical representations for coher-
ent spaces, and we use them as such.
We argued in Section 3 that the types of interference-controlled ALGOL
should determine sets with binary consistency relations. We now see that such
sets with consistency relations represent coherent spaces-a well-known dass
of domains. The tokens of a coherent space should be regarded as atomic
pieces of information about its elements which can be extracted in a single
"use" of an element. The consistency relation ::: A states whether two such
pieces of information can coexist in an element.
Table 4 gives the definitions of coherent spaces we use in this paper (via
their web representations). The spaces bool and int are flat domains. The
domain A1 x A2 is the product of A1 and A2. A token of A1 x A2 carries an
atomic piece of information about either an element of A1 or an element of A2.
So, IA1 x A2l is the disjoint union IA1I + IA2I- The token fst.a corresponds to
the element conventionallywritten as (a, .L) while snd.a corresponds to (.L, a).
Since the two kinds of tokens are considered consistent, the domain A1 x A2
Uday S. Reddy 253
Ibooll = {tt, ffl : bool = the identity relation

lintl = {0,1,2, ... } : inr = the identity relation
IA1 xA2I IA1I + IA2I l.a: l'.a' =(I= I'= a :A, a')
IA1I } u
{ fst.a : a E
{ snd.a : a E IA2I }
IA®BI = lAI x IBI (a,b): (a',b') = a :A a' "b :B b'
ITI =0 :T = 0
111 = {*} : 1 = the identity relation
lA -o BI lAI X IBI (a,b): (a',b') =
b: Q E lAI, b E IBI} (a :A a' b = :B b')"
= a = a')
{ Q ....
(a :A a' "b = b'

Table 4: Common coherent spaces
has the expected structure:
{fst.al, snd.a2}
{fst.ad
/~ {snd.a2}
~/ {}
When we use Iabelied products, such as [h:A1 x lz:Az], we use the Iabels h
and lz as the tags for tokens instead of fst and snd.
The domain A ® B is called the tensor product. It is an "eager" kind of
product in the sense that each token of A ® B contains information about both
an A component and a B component. 10 Sometimes, we use Iabelied tensor
products such as [h:Al ® • • • ®ln:Anl· In that case, the tokens ofthe coherent
space are treated as finite maps [h -a1o ... , ln-an] where each a, E lAd. The
domain T has a single undefined element and the domain 1 is a two point
lattice. It is easily verified that T and 1 are the units of x and ® respectively:
A X T :: A :: T X A, A ® 1 :: A :: 1 ® A.
Under the action of linear functions, the product type behaves as a "choice"
rather than a conventional product. lf f: A x B - L C is a linear function, then
the action of f on {fst.a, snd.b} is determined by its action on {fst.a} and
{snd.b}. In other words, every atomic piece of information in the output of
f is derived from either the A or the B component of the pair, but not both.
For instance, there is no linear function of type int x int - L int that represents
10The elements of A®B do not correspond to any kind ofpairs (whichjustifies the name "tensor"
product). We use this construction in the context of linear functions (Section 4.2), where it will be
seen that the elements are not of much consequence.
addition. On the other hand, the tensor product A ® B is defined so as to make

information of both the components available for a linear function. Note, for
example, that the addition of integers is representable by a linear function of
type int ® int - r int (cf. Table 5.)
To explain A ---<> B (called the "linear function space"), we need a further
analysis of linear functions. Consider a linear function f: A - r B between co-
herent spaces. Suppose b E f(x). Since f preserves (consistent) glb's, there
exists a least (finite) element xo ~ x suchthat b E f(xo). This is the import of
the preservation of consistent glb's: every atomic piece of information in f(x)
"comes from" a unique approximation xo of x. Since f also preserves lub's,
xo must be a singleton {a}. This then is the significance of preservation of
lub's. Every atomic piece of information in f(x) comes from a unique atomic
piece of information in x. In this fashion, linear functions capture the intu-
ition of functions that "use their argument precisely once." Define a relation
11f ~ lAI x IBI, called the linear map of f, by
J.lf = { a ...... b: b E f( {a})}
From the linear map, we can recover the function f by:
f(x) = { b: 3a Ex. a ...... b E J.lf}
This correspondence is a bijection.
Proposition 6 (Girard) Let f: A - r B be a linear function between coherent
spaces and 11f its linear map. Then, for all a1 ...... b1, az ...... bz E J.lf,
1. a1 :::A az = b1 ::: 8 bz, and
2. a1 :::A az "b1 = bz = a1 = a2.
Conversely, any relation F ~ lAI x IBI that satisfies these properties is the linear
map of a linear {unction.
Property 1 is an obvious consequence of monotonicity, while property 2 fol-
lows from stability. Recall that these two conditions were already seen in
Section 3 as condition (9). They capture the bidirectional flow of information
involved in linear functions. Condition 1 captures the forward causality that
inputs "give rise" to outputs. Condition 2 captures the intuition that individual
"demands" for outputs give rise to unique demands for inputs. From now on,
we will call any relation satisfying these conditions a linear map and regard
linear maps as canonical representations for linear functions.
Table 5 gives examples of linear maps. The reader would find it instructive
to verify that they correspond to the linear functions they are meant to repre-
sent. An important aspect of the composition operator is that the token b in
the existential is unique. (Suppose b' is another token such that a ...... b' E f
and b' ...... c E g. Since a :::A a, we have b ::: 8 b'. But, then, b ...... c, b' ...... c E g
implies that b = b' .) Most existentials that arise with linear functions are
similarly forced to be unique.
Returning to Table 4, taking the conditions of Proposition 6 as the consis-
tency relation yields a coherent space A ---<> B, called the linear function space
of A and B. Note that the pairwise consistent sets of A ---<> B are precisely linear
maps. The partial order of A - o B is the subset order on linear maps. Given
Uday S. Reddy 255
idA:A-rA {a- a: a E lAI}

gof:A-rC { a- c: 3b. a-b E f" b- c E g}
+: int ® int -r int { (i, j) - i+ j : i, j E Iint I }
fstA,B:A x B -r A { fst.a - a : a E lAI }
sndA,B:A x B -r B { snd.b - b: b E IBI}
(f,g):C -r A X B { c - fst.a : c - a E f} u { c - snd.b : c - b E g}
!A:A-T 0
Table 5: Examples of linear functions
that linear maps are one-to-one with linear functions, there is a corresponding
partial order on linear functions which may be expressed as follows:
f!;;;;; g = Vx,y E A.x ~ y = f(x) = f(y) ng(x)
This is called the stable order or Berry order [Ber78]. It is notably different
from the pointwise order commonly used with continuous functions on Scott
domains. 11
There is an isomorphism of linear functions:
A ® B - r C :: A - r (B _.., C) (11)
which establishes that coherent spaces and linear maps form a (symmetric
monoidal) closed category. The maps in the two directions give the stan-
dard combinators for higher-order functions. For the left-to-right direction, if
f: A ® B - r C is a linear map, the corresponding map (curry f): A - r (B _.., C)
is defined by
curryf = {a- (b- c): (a,b)- c E f}
It can be verified that this is a proper linear map and that curry is invertible.
4.1 Object spaces
Recall that an event of an object trace must correspond to the information

obtained via a single use of the object. In a coherent space, the information
that can be extracted in a single use is represented by the tokens. So, the
trace of an object with observable operations of type A must be a sequence of
tokens of A. This formalizes Thesis 1. For example, assuming that exp[int]
is modelled by the domain int and comm by the domain 1, we have a domain
counter = [val: int x inc: 1] with tokens in lcounterl = {val.i : i E I intl} u
{inc. *}. Each event of a counter trace in Figure 2(b) is a token of this domain.
We define a domain construction for object behaviors as follows.
11 The stable order is often looked upon with suspicion because it gives inappropriate results
for functional programming languages like PCF. However, we find that the stable order matches
quite weil with imperative programming languages. See Section 6.
lexp[c5] I = lc51 :exp[.SJ = the identity relation

lcomml = {*} :comm = the identity relation
lvar[c5]1 lc51 + lc51
{get.i: i E lc51} u
l.i: I' .i' =
(I= I'= get =
i = i')
{put.i: i E lc51}
Table 6: Coherent spaces for ALGOL types
Definition 7 If A is a coherent space, the (free) object space of A, denoted t A,

is a coherent space that has
• tokens ltAI = lAI*, and
• consistency relation {a1o ••. , an) :: t A {a~, ... , a~) iff
{a1, ... , a,_I) = {a~ •... , a;_ 1) ~ a, ::A a; for i = 1, ... ,min(n, m)
(A general notion of object spaces is given in Appendix A)
The consistency relation :: t A is the same as (5) from Section 3. Essentially,
two sequences are consistent if, at the first point of difference between them
(if any), they differ consistently. If they do not differ at any position, i.e., one
of them is aprefix of the other, they are vacuously consistent.
For every element x E A, there is a corresponding element x* E t A (where
x* denotes the set of all sequences over x). We call such elements regular
elements. They correspond to behaviors of objects that have no (Observable)
mutable state. The non-empty prefix-closed elements are trace sets. They
indicate the behavior of objects starting from a particular state. We call them
active elements. The remaining elements model the behavior of objects with
designated start and final states.
The elements of t A model object behaviors starting from a particular state.
So, in a sense, they are also modelling states. The empty trace set models the
undefined state. If x is a trace set and s is a trace, then x/ s = { t : s · t E x}
models the state obtained by carrying out the sequence of operations s on an
object in state x.
Table 6 shows the definitions of coherent spaces for interpreting the prim-
itive types of interference-controlled ALGOL. The domain exp[ö] (for a data
type ö) is defined tobe the same as the domain for ö. Only flat domains are
allowed for the interpretation of data types. The elements of texp[ö] model
expression objects with possible side effects, e.g., the stepper object of Fig-
ure 2(a). This will be refined in Section 5 for modelling side effect-free expres-
sions. The domain comm has a single token "*" which is thought of as the
termination signal of a command. The domain var[ö] models the operations
of variable objects. Note that two put tokens are always consistent (signifying
that any value can be stored in a given state). A get token is always consis-
tent with a put token. On the other hand, two get tokens are consistent only
if the value obtained is the same in both cases. (The transitions of storage
cell shown in Figure 2(e) are pairwise-consistent in this sense.) These domains
Uday S. Reddy 257
correspond to the operations of objects. The domain of object behaviors is

obtained by applying the t operator to them.
The elements of the domain tvar[o] modelnot only what we normally
think of as storage variables (or storage cells), but arbitrary objects with a
get and a put operation (where get returns a data value and put accepts
a data value). For example, we can have a trace of the form (put.1, get.O)
which, somewhat counter-intuitively, returns a value different from the one
previously stored. Variable objects with such behavior are, however, express-
ible in interference-controlled ALGOL. For example, assuming free identifiers
x:var[int] and y:var[int], the phrase
Iet v = (if x = 0 then x eise y)
in v := 1; print(v)
prints 0 rather than 1 (assuming both x and y have the initial value 0.) The
phrase if x = 0 then x eise y is a perfectly legitimate phrase of type var[int]
though it does not denote a storage cell. The language guarantees, however,
that the variables created by the primitive new[ o] are always storage cells (also
called "good variables" [Rey81a]). Their behavior is characterized as follows:
Definition 8 A trace t in Itvar[ o] I is called a (storage) cell trace if
t = (... , get.i, get.i', ... ) ==> i = i'
t = (... , put.i, get.i', ... ) ==> i = i'
For every data value i E lol, define an element
cellt = { t E Itvar[o] I : (put.i) · t is a cell trace}
This element is called the cell trace set with initial value i.
Note that each cellt is an active element of tvar[o].
4.2 Functions on objects

Having postulated a notion of objects for modelling the types of ALGOL, we
examine what functions are appropriate for such objects. As an example, con-
sider the phrase
x:var[int] 1- [val = x, inc = (x := x + 1)]: counter
which constructs a counter object from a variable object. The meaning of the
phrase must be a function from variable objects to counter objects:
mkcounter: tvar[int]- tcounter
The purpose of such a function is to determine the behavior of a counter
object in terms of the behavior of a given variable object.
Wehave observed that objects are only sequentially usable, and we have
already defined object spaces with built-in structure for sequential reuse of
objects. Such objects are now usable just once in an object function, i.e., every
trace of the output object must "come from" a unique trace of the input object.
Therefore, we postulate:
Thesis 3 Object functions must be linear (unctions.
Example 9 Consider the ALGOL function inc: var[int] - comm defined by

inc(x) = (x := x + 1)
It maps objects of type var[int] to objects of type comm, i.e., it is a linear

function of type tvar[int] - r tcomm. The linear map of this function consists
of input-output pairs of the form:
() ()
(get.ii.put.(ii + 1)) (*)
(get.h,put.(h + 1),get.i2,put.(i2 + 1)) (*) 2
(get.ii,put.(ii + 1), . .. ,get.in,put.(in + 1)) (*)n
where ii, ... , in stand for arbitrary integers in Iintl. The notation ( * )n means
a sequence of n *'s.
This map must be understood as saying that whenever the command
inc(x) is demanded n times, an n-fold repetition of a get-put sequence is de-
manded on x, thereby causing the corresponding changes in the internal state
of x.
Note that there is no requirement in the above map that each ik+I is equal
to ik + 1. While this property is satisfied by storage cells, the meaning of inc
should be applicable to all objects of type tvar[int], not only storage cells.
There is another ingredient to object functions. They produce an object
behavior from the behaviors of their input objects, but other than this, they
do not depend on anything else. They do not have any hidden state in which
they can remernher information. So, if they simulate a particular operation of
the output object by a series of Operations on the input object, they should
also simulate any future instance of the same operation by the same series of
operations on the input object. Notice this in the linear map of the function
inc in the above example. Every "*"in the output behavior "comes from" a
sequence (get.i, put. (i + 1)) in the input behavior. This is independent of the
position of "*" in the output trace. Functions that behave in this form may
be described as being "passive", "history-free", or "regular". This leads us to
postulate:
Thesis 4 Object functions are regular functions.
The notion of regular functions is formalized as follows:
Definition 10 Given object spaces t A and t B, a regular function f: t A - R tB
is a linear function (viewed as a linear map) that satisfies:
1. (SI ,... ti), ... , (Sn,... tn) E f implies (SI··· Sn,... ti · · · tn) E f, and
f implies there exists a decomposition s
2. (s .... ti · · · tn) E = SI · · ·Sn
suchthat (SI .... ti), ... , (Sn .... tn) E f.
Uday S. Reddy 259
(The decomposition si · · · Sn in the second condition is forced to be unique.)

The definition captures the idea that the translations carried out by a regular
function are Urne-independent. An output trace t; can come from s; some
time in the "future" if and only if it can come from s; at the "present". Note
also that a regular function maps prefix-closed elementsoft A to prefix-closed
elements of tB. (Suppose s- t E fand ti is aprefix oft, i.e., there is tz such
that t = ti tz. Then, by condition 2, there is aprefix SI of s suchthat SI - ti E f.
So, if x E t A is a prefix-closed element, f (x) is also prefix-closed.)
It may be verified that the function inc of the above example is a reg-
ular function. An example of a non-regular linear function is the function
accumulate: tint -r tint with the following form of input-output pairs:
n
(h,iz, ... ,in) - (h,h+iz, ... ,:Lik}
k=I
This is not regular because, for example, (h} - (ii} and {iz} - (iz} are in
accumulate, but not (h, iz} - (h, iz}. This function remembers information
from past uses; so it is not regular.
A regular function is a kind of homomorphism. See Appendix A for a for-
mal treatment of this structure. Just as homomorphisms on free algebras are
uniquely determined by their action on a set of generators, regular functions
are uniquely determined by simpler linear functions.
Proposition 11 There is an order-isomorphism tA -r B == tA - R tB.
If f: t A - r B is a linear function, define the corresponding regular function
f:tA -R tBby
i = {SI · · · Sn - (bi, ... , bn} : n ~ 0 1\ SI - bi, ... , Sn - bn E f} (12)
Conversely, if g: t A - R t B is a regular function, we obtain a linear function
g:tA -rB by
g = {S - b: S - (b} E g} (13)
It is easy to verify that these two constructions are mutually inverse. They are
evidently monotone (in the inclusion ordering of linear maps).
We call f (or r> the regular extension of f, and g the linear pattern of g.
Note that the regular function inc of the earlier example has the linear pattern
{ (get.i,put.(i + 1)}- *: i E lintl}
The regular function itself is obtained by iteration of this pattern as defined
by (12).
As described in Section 3, such a linear pattern determines a function at
the level of objects. Seedefinition (10). If (Q, a s;; Q x ivar[ö]i x Q) is a
variable object, the function inc applied to this object yields a command object
(Q, a' s;; Q x icommi x Q) given by:
(q, *·q') E a' = 3i. (q, (get.i,put.(i + 1)}, q') E a
In particular, if the variable object is the storage cell (6) then the resulting
command object has the transition map:
(i, *• i') E a' = i' = i + 1
Thus, a linear pattern represents, in a compact form, the effect of an object
function on all possible argument objects.
Multipleargum ents
The above considerations generalize to object functions with multiple argu-
ments in a Straightforward fashion. Consider a function with argument objects
of types t A1, ... , t An and result of type t B. This should be visualized as in
Figure 1(b) except that there aremultiple inner objects involved in building the
result object. Carrying out an operation of the result object involves perform-
ing some number of operations on potentially all the inner objects. Therefore,
the function must first be a linear function of type tA1 ® · · · ® tAn -r tB.
The elements of its linear map are pairs of the form s ,..... t where s is a tuple
of traces s1, ... , Sn. Secondly, the function must be a regular function in the
following sense:
Definition 12 A regular map f: tA 1 ® · •· ® tAn -R tB isalinear map satis-
fying:
1. s1 ,..... t1, ... , Sn ,..... tn E f implies (sl · · · Sn ,..... t1 · · · tn) E f, and
2. (s ,..... h · · · tn) E f implies there exists a decomposition s = s1 · · ·Sn
suchthat (SI ,..... t1 ), ... , (Sn ,..... tn) E f.
where concatenation s 1 · · · Sn on tuples of traces is defined pointwise.
Note that the product t A1 x · · · x t An would not be useful here since a linear
function can only use information from one of the components of a product;
cf. the discussion of Table 4.
Proposition 11 generalizes as:
(Q9 t A;) - L B ~ ( Q9 t A;) - R tB
i i
So, we can still express regular functions by linear patterns.

NOTATION From now on, we say that f is an object function from
A 1 , ••• ,An toB and write f:A 1 , •.• ,An- B to mean that f isalinear func-
tion t A1 ® • • • ® t An - r B. (It uniquely determines a regular function
f: t A1 ® · · · ® t An - R t B.) We use bold face letters A to range over sequences
of the form A 1 , ••• ,An. Sometimes we use identifiers as labels for the argu-
ments. ln that case, we write f: (XI: A1), ... , (xn: An) - B to mean that f is a
linear function from a labelled tensor product: [x1: t A1 ® · · · ® Xn: t An] -r B.
This terminology is convenient because A/s and B directly correspond to
ALGOL types and we implicitly understand that we intend for functions to
operate on objects of these types. The expert reader would note that we are
using a multicategory structure on object spaces and object functions [Lam87].
An alternative view in terms of coalgebras may be found in Appendix A.
Table 7 gives examples of object functions. Note that the composition of
f: A - B and g: B - C is obtained by the composition g o f of linear functions.
One can similarly define composition for object functions with multiple argu-
ments. The application of an object function f: A - B to an element x E A is
defined using the same principle. Note also the distinction between the two
kinds of object functions A, B- C and A x B- C. The former kind of function
acts on two separate objects with operations of types A and B respectively.
Uday S. Reddy 261
idA:A- A { (a) ... a: a E lAI}

gof:A-C {s ... c:3t.s ... tEfAt ... cEg}
f(x):B { b E IBI : 3a~o ... , an Ex. (a~o ... , an) ... b E f}
+: exp[int] x exp[int] - exp[int]
{(fst.i,snd.j) ... i+j:i,jE lexp[int]l}
plus: exp[int], exp[int] - exp[int]
{ ((i), (j)) ... i + j: i,j E lexp[int]l}
(stA,B:A X B-A { (fst.a) ... a: a E lAI}
sndA,B:A x B- B { (snd.b) ... b: b E IBI}
(f,g):X-AxB { s ... fst.a : s ... a E f} u { s ... snd.b : s ... b E g }
discardA:A- 1 {() ... *}
fixA[f]:A { a E lAI : 3n ;::; 0. () ... a E fn}
Table 7: Examples of object functions
The latter acts on a single object with two operations of types A and B respec-
tively. The element fixA [f] denotes the least fixed point of an object function
f:A- A, i.e., the least element x E A suchthat f(x) = x.
In Table 8, we list the functions involved in interpreting the constants of
interference-controlled ALGOL . The function seq (which interprets ";") acts on
an object with two command operations and produces a command that runs
the two commands in sequence. The function par (which interprets "II ") acts
on two independent command objects and runs them in parallel (by extracting
*
a token from each). The remaining functions can be understood similarly,
except for new.s which involves a higher·order type discussed below.
Function types
An object function of typeA-B isalinear function tA -r B. Since allsuch
functions are representable by the coherent space t A - B, this directly gives
us a representation of the function space for interference-controlled ALGOL.
Explicitly, define the function space A => B as a coherent space with:
lA =>Bi = { s ..... b: s E ltAI Ab E IBI}
(S ,_ b) =A=B (S' ,_ b') <=> (S =tA S' ==> b ::B b' A
s =tA s' Ab= b' ==> s = s')
The function space satisfies an order-isomorphism:
X, A - B ~ X- (A => B) (14)
as a direct consequence of isomorphism (11). Suppose X is the se-
quence X1, ... ,Xn. Then, an object function X,A- Bis a linear function
tX1 ® • • • ® tXn ® tA -r B. By (11), such linear functions are one-to-one with
linear functions t X1 ® • • • ® t Xn - r ( t A - B) and these are nothing but ob-
ject functions X- (A => B). The curry combinator that maps f:X,A- B to
(curry f):X- (A => B) is given by
curryf = {r- (s ..... b): (r,s ..... b) ef}
skip:comm {*}
seq: comm x comm- comm {{fst.*,SDd.*) ~ *}
par. comm, comm- comm {((*), (*)) .... *}
condA: exp[bool] x A x A - A { (fst.tt, snd.a) .... a : a e lAI } u
{ (fst.ff, third.a) .... a: a e lAI }
assign6 :var[8] x exp[8]- comm { (snd.i,fst.put.i) .... *: i e 181}
deref6 : var[8] - exp[8] { (get.i) .... i: i e 181}
new.s: (var[8] - comm) - comm { (s .... *) .... *: s E cellinit[c5]}
Table 8: Interpretation of constants
By setting X to the empty sequence, we obtain A-B == - (A = B). Thus,

every object function A - B can be regarded as element of A B which, in =
=
turn, corresponds to a regular element of t(A B). But, there are other (non-
regular) elementsoft (A= B) which model dynamic objects with function-type
methods.
4.3 Semanlies
The foregoing discussion gives us enough tools to define the semantics of
the basic phrases of interference-controlled ALGOL. This corresponds to the
language defined by the first three lines of Table 1. While we discuss passivity
in the next section, which is essential for interpreting the structural rules, we
show the semantics of the basic phrases here to make the discussion concrete.
The types of interference-controlled ALGOL are interpreted as coherent
spaces:
[var[c5]] = var[ö] [lh X !12] = [Od X [02]
[exp[c5]] = exp[c5] [OI- !12] = [Od [02] =
[comm] = comm
The semantics of phrases is given by induction on their type derivations. Note
that a phrase P has a typing of the form
XI:OI,···I ... ,Xn:On 1- P: 0
where x 1 , ••• • xn are assumed tobe distinct identifiers and the order of the
typing assumptions is immaterial (within their zones). The meaning of such a
phrase, written
[XI:O~r ... I ... ,Xn:On 1- P: 0]
is an object function of type
(XI: [0!]), ... , (Xn: [On])- [0]
This, in turn, means that it is a linear map of type
[XI: t[OI] ® • • • ® Xn: t[On]] -L [0]
(Note that the zones of the free identifiers do not affect the form of the map.
This will be refined using a treatment of passivity in Section 5.) The linear map
Uday S. Reddy 263
id e
[II 1r, x: 1- x: 01 {17o[x-(a))- a}
x1 [II 1 r 1- (P,Q): 61 x 62] { 11 - fst.a : 11 - a E [II I r 1- P : Od } u
{ 11 - snd.a : 11 - a E [II I r 1- Q : 62]}
xlX [II I f 1- fst(P): 911 { 17 - a : 17 - fst.a E [II I r 1- p : 91 X 92]}
x2X [II I r 1- snd(P) : 62] { 11 - a : 11 - snd.a E [II I r 1- P : 61 x 62]}
-1 [II Ir 1- Ax:9.P: 9- 9'] { 11- (s- b) :
11$ [x-s]- b E [II 1r,x:e 1-P: 9']}
-x [II,II' 1 r,r' 1- PQ: O'] { 11 $ 17' - b: 3s.
11 .... (s .... b) E [II I r 1- P : 9 - 9' 1 "
er
11' .... s e [II' 1r' 1- Q : l
Table 9: Semantic interpretation of phrase rules
is a coherent set of input-output pairs each of the form [x1-s1. ... , Xn-snl .....
a. We call the input part of such a pair a "trace environment." The metavari-
able T] is used to range over such trace environments. The symbol TJo denotes
a trace environment where allvariables are mapped to (), TJ[x-s] denotes T]
with the x component updated tos, and T] ED TJ' denotes the join of two trace
environments T] and TJ' with disjoint domains. If T] and TJ' are trace environ-
ments with identical domains, then T] • T]' denotes the trace environment with
x mapped to T](x) · T]' (x).
Table 9 gives the semantic interpretations of the basic phrases. For the
most part, the combinators used in the interpretation have already been men-
tioned earlier. Recall that the notation [TI' lf' 1- Q : Of means the regular ex-
tension of the object function.
The interpretation of the primitive phrases is obtained by applying the con-
stants shown in Table 8. For example, the meaning of [TI Ir 1- C1; C2: comm]
is obtained by
seq o ([TI Ir 1- C1 : comm], [TI I r 1- C2 : comm]) .
For convenience, we show some of these derived meanings in Table 10. Note
in particular the difference between sequential and parallel composition. The
interpretation of new[o] x. C is to apply the meaning of the function term
.\x. C to the object behavior cellinit[liJ (which is the behavior of a storage cell
with initial value init[o]). The denotation of .\x. C then uses a unique trace s
from this behavior to run the command C.
Example 13 Consider the ALGOL function
mkcounter: var[int] - counter
mkcounter(x) = [val = deref x, inc = (x := x + 1)]
Its meaning is an object function of type var[int] - counter containing the
pairs
(get.i) val.i
(get.i,put.(i + 1)) inc.*
[rr 1r r- EI + E2 : exp[intH = {,., · ,.,, - i + i : ,., - i E m 1r r- EI : exp[int]] "

,.,, - i E [rr 1r r- E2 : exp[int]] }
[fi I r r- skip: comm]
{'7o - *}
=
[n Irr- CI;C2 :comm] = {'7· 17'- * :17- * E [fi Irr- CI :comm]"
11' - * E [fi I r r- C2 : comm] }
[IT,n' 1r,r' r- CI II C2: comm] = { 11 e 11'- *: 11- * E [n 1r r- CI: comm]"
11' - * E [n' 1r' r- C2 : comm] }
[fi I r r- new[8] x. C: comm]
= { 11- * : 3s E cell;nit[öl· 11 e [x-s] - * E [fi Ir, x:var[8] f- C: comm]}
[fi I r r- V := E : comm] = { 17' · 11 - * : 3i E Iintl.
11 - put.i E [fi 1r r- V: var[8]] "
17' - i E [fi I f f- E: exp[8]]}
[n I r f- deref V: exp[8]] = {,.,- i:,., - get.i E [fi I r f- V: var[8]]}
Table 10: Interpretation of primitive phrases
for all i E lintl. The corresponding regular function is obtained by iterating

the above pattem. For example, it has input-output pairs of the form:
(get.ii,get.i2,put.(i2 + l),get.i3) ..... (val.ii,inC.*, val.i3)
If we apply this function to the cell trace set shown in Figure 2(e), we obtain
the counter trace set shown in Figure 2(b).
Example 14 As an example of higher-type objects, consider the following ob-
ject constructor for bank accounts:
account [bal: exp[int] x dep: exp[int] ~ comm x wd: exp[int] ~ comm]
=
mkaccount: var[int]~ account
mkaccount(x) = [bal = deref x, dep = (.\a. x := x + a), wd = (.\a. x := x- a)]

(We allow the balance to go negative, for simplicity.) The operations dep and
wd are of function types. Wehave a corresponding object space
account = [bal: exp[int] x dep: exp[int] ~ comm x wd: exp[int] ~ comm]
The meaning of mkaccount is an object function:
mkaccount: var[int] ~ account
mkaccount = { (get.n) ..... bal.n : n E Iintl } u
{ (get.n,put.(n + i)) ..... dep.(i ..... *): n,i E lintl} u
{ (get.n,put.(n- i)) ..... wd.(i ..... *): n,i E lintl}
Again, we obtain an account object by applying the regular extension of
mkaccount to an integer cell with initial value 0.
5 Passivity
The framework defined in Section 4 models interference-controlled ALGOL
without any notion of passive values. This has some undesirable conse-
quences:
Uday S. Reddy 265
lexp[6]1p lexp[c5] I
lcommlp 0
lvar[c5] lp {get.i: i E 161}
IAxBip {fst.a: a E IAip} u {snd.b: b E IBip}
IA®Bip { (a, b) : a E IAlp 1\ b E IBip}
ITip ITI 0
lllp 111 = {*}
Table 11: Passive tokens for active-passive spaces
1. All operations of an object must be completely sequenced, including

operations that only read information from an object.
2. Object spaces contain some traces that are not realizable, such as
(get.O,get.l) in Jtvar[int]J or (bal.100,bal.200) in ltaccountl.
To solve the first problem, Reynolds introduced a notion of passive types. We
will see that, by modelling passive types, we can solve the second (semantic)
problern as well.
5.1 Active-passive spaces

Our main use of coherent spaces is for modelling the transitions of state ma-
chines that make up objects. We expect that some of these transitions are
"passive" in that they only read information from the object without altering
its state. This suggests that we must delineate, in each coherent space, certain
tokens as "passive tokens."
Definition 15 An active-passive (coherent) space A is a coherent space to-
gether with a designated set of tokens IAip s lAI. The members of IAip are
called passive tokens and the others active tokens.. If all tokens of the active-
passive space are passive, i.e., IAJp = lAI, then it is called a passive space.
Table 11 lists the passive tokens of coherent spaces that we need for mod-
elling interference-controlled ALGOL All these spaces will now be regarded
as active-passive coherent spaces. It is worth noting that exp[ö] isapassive
space, which corresponds to the fact that expressions of IDEALIZED ALGOL do
not have side effects. The space comm, on the other hand, has no passive
*
tokens. Its unique token is meant to change state. Note also that the get
components of var[ö] are passive. The unit domains T and 1 are passive
and the constructions x and ® preserve passivity, i.e., A x B and A ® B are
passive whenever A and B are passive. The constructions t A and A ~ B are
different from the corresponding constructions for coherent spaces. They are
discussed in detail below.
Note that, for any active-passive space A, there exists a (universal) passive
subspace obtained by selecting just the passive tokens of A. We denote this
subspace by PA. Formally, JPAI = JPAJp = IAJp and the consistency relation
::PA is the corresponding restriction of ::A- It is obviously a passive space.
Taking the passive subspace of an already passive space has no effect, i.e.,
PP= P for any passive space P. In particular, t'PA =PA.
An object (Q, a s;; Q x lAI x Q) for an active-passive space Ahasan addi-
tional condition on its transition map:
(q,a,q') E a" a E IAip = q = q'
This represents the intuition that passive transitions do not change state. Most
of our development from Sections 3 and 4 can be carried over to active-passive
spaces. There are only two changes. We modify the definition of object spaces
using the fact that passive transitions do not change the state. And, we restriet
object functions to account for passivity.
Active-passive object spaces
To arrive at the new definition of object spaces, we make the following obser-
vations:
1. If successive operations on an object are passive operations, their rela-
tive order is insignificant, i.e., we want to regard the sequences (a, a')
and (a', a) as the same trace whenever a and a' are passive tokens.
2. If successive operations on an object are identical passive operations,
their number is insignificant, i.e., we want to regard the sequences (a, a)
and (a) as the same trace whenever a isapassive token.
These identifications have a deeper significance than just ignoring order and
number. Since the tokens represent entire operations, not merely atomic
events, the identifications have the effect that passive operations on objects
can in fact be done concurrently. Thus, to model passivity, we revise Thesis 1
to the effect that objects can in general be used sequentially, except that mul-
tiple passive operations can be done concurrently. This matches dosely with
the syntax of interference-controlled ALGOL, in particular the Contr type rule.
The identifications mentioned above are formalized as follows:
Definition 16 Let A be an active-passive space. The trace monoid of Ais the
quotient monoid lAI* /= where = is the least monoid congruence generated
by the equivalence relation:
(a, a') (a', a) for all a, a' E IAlp
(a,a) (a) for all a E lAI!'
An element of lAI* /= is an equivalence dass of sequences, called an (active-
passive) trace. The equivalence dass containing a sequence s is denoted [s].
The unit trace (or empty trace) is [ () ]. The multiplication of traces is defined
by [s] · [s'] = [ss']. (We often omit writing "·".)
Traces of this kind (and more general ones) have been studied extensively
in the context of Petri nets [AR88, Maz89]. One useful result from this theory
is the existence of so-called Foata-normal form. Applied to the current Situa-
tion, it means that every trace [s] can be written in the form [sd· [sz] · · · [sn].
where each [s1] is nonempty and the consecutive segments altemate between
active and passive traces. Note that an active trace is a singleton equivalence
Uday S. Reddy 267
class (tokens eannot be permuted). On the other hand, a passive traee is an

equivalenee class of all permutations. So, an aetive traee is essentially a se-
quenee and a passive traee is essentially a finite set. The Foata-normal form of
an aetive-passive traee ean thus be regarded as a formal produet of the form
Poa1P1 · · · anPn where the a,'s are aetive tokens and Pt's are (possibly empty)
finite sets of passive tokens.
In examples, we simply write traees as sequenees with the implieit under-
standing that eonsecutive passive tokens ean be freely permuted.
Definition 17 Given an aetive-passive eoherent spaee A, the aetive-passive eo-
herent spaee t A is defined by
• the token set It Al being the set of all coherent traees over A, i.e., traees
poa1P1 · · · anPn in Foata-normal form where eaeh Pt isafinite eoherent
set,
• passive atoms ltAip being eoherent traees with no aetive tokens (i.e.,
n = 0), and
• eonsistency relation given by Poa1P1 · · · anPn ::::tA p~ai_pi_ · · · a;,.p;,. iff
Po :::: p~ and, for all i = 1, ... , min(n, m),
{a1, ... ,a,_I) = {ai_, ... ,a;_ 1) => a, ::::A a; A Pt:::: p;
where p:::: p' means '<Je E p,c' E p'.c ::::Ac'.
The eonsistency relation represents the intuition that only aetive transi-
tions from the past ean have a eausal e:lfeet on future transitions. A eoherent
traee is a traee that is eonsistent with itself. For example, {get.O,get.1) is not
a eoherent traee of tvar[ö] beeause the tokens get.O and get.1 are ineonsis-
tent even though their aetive past is identieal (empty in both eases). Thus, our
objeet spaees now eontain only meaningful traees.
Note that the t eonstruetion preserves passivity. For any passive spaee
P, t P is passive. The traees of t P are finite eoherent sets of tokens. So,
for passive spaees, the t eonstruetion coincides with Girard's ! eonstrue-
tion [Gir87a, GLT89]. 12 An important result of Girard's isthat linear funetions
!A-LB are order-isomorphie to stable funetions A -s B. This result obvi-
ously earries over to passive objeet spaees as well. Linear funetions t P - L A
are order-isomorphie to stable funetions P- s A whenever P is a passive spaee.
Object functions
If f:A- B models a funetion phrase and f(x) isapassive value, then no aetive
token of x eould have been "used" in produeing f(x). Astateehange operation
eannot be involved in a "pure reader" of state information. This leads to our
final thesis regarding a model of interferenee-eontrolled ALGOL:
Thesis 5 The linear maps of object functions must be passivity-re(lecting.
We formalize this notion as follows:
12 In a previous version of this paper (Red93a], the ! and t constructions on coherent spaces
were used to model "passive values" and "active values" respectively. The move to active-passive
spaces allows us to model both kinds of values under one heading. This gives a more general
treatment of interference-controlled ALGOL than previously possible.
Definition 18 A (passivity-reflecting) linear function f: A -

L B between active-
passive spaces is a linear function of the underlying coherent spaces such that,
for all a .... b E pf, b E IBI"' implies a E IAip.
Regular maps A-R B and object functions A-B for active-passive spaces
are now defined in the same way as for coherent spaces, using passivity-
reflecting linear functions. The function space is defined to have passivity-
reflecting tokens:
IA~BI {s .... b: sEItAlAb E IBIA (b E IBI"' ~ s E ltAip)}
IA~BI"' {s .... b E lA ~BI : b E IBI.!'}
-A=>B same as for coherent spaces
The passive tokens of A ~ B have the b component passive (and, hence, the s
component passive as well).
To get the intuition behind these notions, let us relate them back to ob-
jects as state machines. If f: A - B is an object function (as a linear map),
the corresponding function on objects maps objects with transition maps
oc 1 ~ Q x lAI x Q to objects with transition maps oc2 ~ Q x IBI x Q given by
(q,b,q') E OC2 <= 3s E ltAI.s .... b E f 1\ (q,s,q') E OC1
If b is passive then (q, b, q') E oc2 implies q = q'. Hence, for the unique s such
that s .... b E f, (q,s,q') E oc1 implies q = q'. Since this must hold uniformly
for all objects, we require that s should be passive.
Passive function space

To model Reynolds's passive function type, we introduce another function
spaceA~pB.
Definition 19 For active-passive spaces A and B, the passive (unction space

A ~ p B has the same tokens and consistency relation as A ~ B, but all its
tokens are designated as passive tokens, i.e., lA ~P BI&>= lA ~P BI.
The passive function space has an isomorphism
P,A-B ::; P- (A~pB) (for sequences of passive spaces P)
The combinator cuny is the same as for A ~ B. Note that
curry f = { p .... S .... b : (p, S .... b) E f}
satisfies the passivity-preservation property only ü p is passive (since s .... b is

a passive token of A ~ p B). This is ensured by insisting that P be passive in
the above isomorphism.
By setting P tobe the empty sequence in the above isomorphism, we obtain
A-B ::; - (A ~PB). So, the elements of A ~PB precisely correspond to
object functions A - B. There exists an object function recA : (A ~ P A) - A
such that rec<1 (f) = fixA [f]. This is used to interpret the recursion combinator
rece.
There are further theoretical properlies one must note about passivity.
These may be found in Appendix A.
Uday S. Reddy 269
Contr [ll,x: 6 Ir 1- [X/Xt.X/X2]P: 6']

{ 11 Gl [X-P1 U P2]- a:
11 Gl [X1-Pt.X2-P2]- a E
[ll,X}:6,X2:61 f 1- p: 6')}
Activate [n 1 r,x:61- P: 6'] [n, x: 6 1 r 1- P : 6' J
Passify [n, x: 6 1 r 1- P : <1> 1 [n 1 r, x: 6 1- P : 4>]
Promote [ll I 1- P: 61 - p 621 [lll 1- p : 61 - 62]
Derelict [ll Ir 1- P: 61 - 621 [n 1r 1- P: 61 - p 62J
Table 12: Semantic interpretation of structural rules
5.2 Semantics
We now complete the definition of semantics for interference-controlled
ALGOL using active-passive spaces. The semantics of phrases given in Sec-
tion 4.3 using coherent spaces can be easily refined to active-passive coherent
spaces. The interpretation of a type [ 9] is now understood to mean an active-
passive space (using Table 11). The passive function type is interpreted by
[9 - p 9'] = [9] ~p [9'].
The interpretation of a phrase TI I r 1- P : 9 was given as an object function
of type [TI], [f]- [9] over coherent spaces. We now understand this tobe
an object function over active-passive spaces, i.e., a passivity-preserving linear
map of type (@[TI])® (@[f]) - L [9]. It can be verified that the interpretation
in Table 9 gives passivity-preserving maps. Moreover, any input-output pair
1'11 E9 172 ...... a in the interpretation of P (where 171 is a trace environment of
[TI] and 172 one for [f]) will only have passive traces in 171· An elegant way of
stating this is that the interpretation of P is an object function of type
.!'[TI], [f] - [0]
Again, this can be verified for the interpretation in Table 9. For the rule Id,
the base case, 171 maps all identifiers to 0 which is a passive trace. The other
inductive cases preserve this property.
Table 12 gives the interpretation of the structural rules. The interpretation
of rule Contr says that, if an identifier x occurs multiply in independent con-
texts of a phrase, the information used from x is the union of the information
used in each occurrence. Note that all these occurrences are passive uses of
the identifier. So, the information used is represented by passive traces (finite
coherent sets).
The remaining rules cause no change to the semantics of the phrase. In
a sense, this is to be expected because we would not want to assign multiple
interpretations to the same phrase. We must verify, however, that these inter-
pretations are of the right types. For the rule Activate, the meaning of P on the
right is an object function of type .!'[II],x:.!'[9], [ f ] - [9']. Clearly, it is also
of type .!'[TI],x: [9], [f]- [9']. (We merely forget that the binding of x is pas-
sive.) For the rule Passify, the meaning of P on the right is an object function of
type .!'[TI], [f], x: [ 9]- [ cf> ]. Since [ cf>] isapassive space (and object functions
are passivity-preserving), all input-output pairs in the meaning of P have only

passive tokens. So, the meaning of P is also of type !'[TI], [f], x: .P[ 0] - [ 4>].
For the rule Promote, the meaning of P on the right is an object function of
type .P[TI]- ([Od => [82]). Since the token set of [011 =>p [82] is the same as
that of [Od => [82], the meaning is also of type .P[II]- ([Od =>p [82]). The
verification of Derelict is similar.
Thus, we have shown:
Proposition 20 The meaning assigned to any type derivation ofii I r 1-- P: 0
is an object function oftype .P[II], [ f ] - [0].
Somewhat more technical is the following property of "coherence:"
Proposition 21 The meaning assigned to every type derivation o(II 1 r 1-- P: 0
is the same object function.
This can be proved using the same techniques as O'Hearn et al. [OP1T95I. Note
that the structural rules other than Contr do not affect the meaning. So, their
relative position in derivations does not affect the meaning either.
Operational adequacy
To show that the semantics defined here agrees with the operational behavior
of interference-controlled ALGOL, we prove that it is sound and adequate with
respect to the operational semantics:
Proposition 22 If C is a closed command phrase, [ 1-- C : comm] is nonempty
(i.e., has an input-output pair [I .... *) if and only i(C terminates.
Recall from Section 2 that the operational semantics of ALGOL is defined to
work in two stages: reduction and execution. The command C terminates iff
there is a closed command phrase C' such that C - * C' and ( [ I, C') ~ [ 1.
Our proof of operational adequacy is similarly factored into two stages. See
Appendix B for details.
6 The Structure of Object Spaces

Having carried out a long analysis of object spaces and object functions, let us
examine what results have been obtained.
The structure of ALGOL presents some paradoxical issues. Consider the
type comm as a prototypical example of object types. The elements of type
comm should correspond to observably distinct closed phrases of type comm.
What phrases are there? Since a closed phrase does not have any free variable
identifiers, the only observable effect of such a phrase is termination. So, there
are precisely two closed phrases up to observational equivalence: undef and
skip. A "good" semantics of ALGOL should thus have precisely two elements
in comm.
Closed phrases of type comm - comm should correspond to command
phrases with a single free identifier c: comm. Again, what phrases are there?
We still have the diverging command undef. But, we also have some state to
Uday S. Reddy 271
play with: whatever state the command c might act on. We can affect this state
by running c some number of times. This gives phrases of the form
n times
c" = c; · · · ;c
The various functions i\c. c" are observationally inequivalent. We can observe
the difference between them by putting them in program contexts Pn[] of the
form
new[int] x.
x:= 0;
[ ](x := x + 1);
if x = n then skip else undef
So, the elements of the function space comm => comm should have the struc-
ture of flat naturals, N1.P
Now, here is the paradox. If comm has only two elements, how can
comm => comm have an infinite number of elements? 14
This observation suggests that the notion of "elements" in a semantics of
ALGOL is a delicate issue. There must be different kinds of elements which
come to the fore depending on the context. The "elements" that correspond
to meanings of closed phrases are regular elements mentioned in Section 4.1.
Note that the meanings of closed phrases are functions of the form f: 1 - L A.
Such functions correspond to elements x = { a : * ...
a E f } of A. Their
regular extensions f: 1 - R t A similarly correspond to elements x * of t A. So,
the regular elements of t A form a domain isomorphic to the domain A, and
both the domains represent meanings of closed phrases. Armed with this
notion, let us analyze some of the basic types of our model.
Fact 1 There are precisely two regular elements in tcomm.
The two elements are diverge = 0 * = {() } and skip = {*}*.
Fact 2 The elements of (comm = comm) form a domain isomorphic to N 1..
A token of comm => comm is of the form (*)" ...... * where n ~ 0. Denote
such a token by fz. Since ( *)" ::: (*
)m in tcomm, fz ::: mif and only if n = m. ln
other words, the consistency relation of comm => comm is the identity relation
making it a flat domain. Since each fz corresponds to a natural number n, the
structure is that of N 1..
Note that this structure is right for interference-controlled ALGOL. The
element 0 of comm => comm models i\c. undef and an element {fz} models
i\c. c".
This fact is unprecedented in the semantics of imperative programs. All
other known models fall to capture comm => comm accurately. The model that
13 While it has been possible, in principle, to calculate the structure of such simple domains by
syntactic means, there is no evidence that anybody has done so. The first instance where simple
domains are calculated is in [OT95), where the calculation is done using semantic tools.
14 This observation means that Milner's context lemmafalls for ALGOL (as well as most other pro-
gramming languages with mutable variables), a known fact of folklore. From a categorical Stand-
point, this means that the fully abstract model of ALGOL is not a "well-pointed" category [Mit90).
The functor-category semantics of Reynolds and Oles [Ole85, Rey8lb) seems tobe the first work
to reflect this fact.
comes closest is the parametricity-based model of [OT95] (as weil as the re-
lated model of Sieher [Sie93, Sie94]). In addition to the ALGOL functions men-
tioned above, the parametricity-based model contains functions expressible
using the so-called "snap back" operator. The command snap-back combina-
tor is a constant try:comm - p comm with the semantics that try C runs the
command C and then snaps the state back to the original state. (By adding
such a combinator, we can express new functions of the form i\c. try cn+m; c"
which diverge for cases where i\c. c" would terminate.) Note that the snap-
back operator is counter to one's intuition that state changes are irreversible.
The reason for the presence of such operators in the parametricity model (as
weil as other models) is that commands are modeiled by state-to-state func-
tions. We avoid this pitfall because, as stated in Section 3, we do not treat
states as entities. They are at best derived attributes of objects, and do not
play a central role in our model.
Notlee how our model answers the puzzle mentioned at the beginning of
this section. The regular elements of tcomm are the values that are directly ex-
pressible. The other elements of t comm such as {( *) n} remain hidden. They
come to the fore in contexts where their difference becomes distinguishable
(such as the argument positions of procedures).
One might wonder if the other elements of objects spaces are express-
ible in some other form. Indeed, an important dass of elements, viz., active
elements mentioned in Section 4.1, correspond to object behaviors. Such ele-
ments arise as the values of phrases with active free identifiers.
Fact 3 The active elements of tcomm form a domain isomorphic to VNat, the
domain of "vertical" natural numbers (ordered by numerical order).
The element corresponding to a natural number k is the set of all prefixes of
( *) k. Such elements arise as the meanings of phrases:
x:var[int] 1- if x s k then x := x + 1 else undef: comm
Applying the meaning of this phrase to cello, we obtain the element with all
prefixes of ( *) k.
Let us examine a second-order type:
Fact 4 The domain (comm = comm) = comm is isomorphic to a subdomain of
P (N* ) that contains all subsets of N* without any mutual pre(ixes.
= =
A token of (comm comm) comm is of the form (ih, ... , iik) - * where fit
=
are tokens of comm comm mentioned previously. Two such tokens are con-
sistent if and only if the sequences on the left are inconsistent, i.e., not prefixes
of each other. So, every set of such tokens that excludes mutual prefixes on the
=
left is an element of (comm comm) = comm. The diligent reader would be
able to verify that all finite elements of this domain are expressible by closed
phrases. For example, the element {(n) · s1 - *• (n) · s2 - *• (m) · t - *},
*
with n m, is expressible by
i\p. new[int] x.
x:= 0;
p(x := x + 1);
if x = n then 9s(P)
eise if x = m then 9r(P)
elseundef
Uday S. Reddy 273
where g5 and g 1 are terms expressing the elements {s1 ...... *, Sz ...... *} and
{t ...... *} respectively.
Regarding the semantics of passive types, we have the following observa-
tion. Notice that the fragment of interference-controlled ALGOL involving only
passive types is a functional programming language. In this fragment, the dis-
tinction between the active and passive free identifiers vanishes because the
free identifiers can freely move between the passive and active zones of typ-
ing judgements. So, the language is essentially the same as PCF (with product
types). We have:
Fact 5 The object-based semantics of the passive (ragment coincides with the
stable semantics of PCF [Ber78].
The semantics of this fragment involves only passive spaces, for which the
function space tP __., Q is identical to the stable function space [P -s Q].
More important to our concerns is the interaction between the active and
passive sublanguages. With regard to this, we have:
Fact 6 The domain (comm => exp[8]) is isomorphic to 8.
This fact holds because of the passivity-preservation property of functions.
The only passive token of tcomm is the empty trace. Since exp[8] isapassive
space, the tokens of comm => exp[8] are of the form() ...... i for some i E 181.
In other words, the elements of comm => exp[8] are all constant functions.
Note that this is indeed the case for IDEALIZED ALGOL. Any nontrivial use of a
command in an expression would amount to a side effect and expressions of
IDEALIZED ALGOL do not have side effects.
Most other models of ALGOL fall to model comm => exp[8] accurately. In
fact, they support an expression snap-back combinator (more general than
the try C operator mentioned above) of the form do C result E, where C is a
command and E an expression. See the discussion in [OT95). This combina-
tor embeds commands inside expressions and causes the breakdown of most
reasoning principles of expressions. 15 The only other known model that sat-
isfies Fact 6 is Tennent's model of specification logic [Ten90). Our techniques,
however, seem markedly different from his.
We make a few remarks regarding the domain order of function spaces.
Most semantic models of programming languages use continuous function
spaces with pointwise order. In contrast, we are using linear functions (a sub-
dass of stable functions) ordered by Berry's stable order. A question arises as
to whether this is an appropriate choice. Indeed we find that the stable order
matches quite closely with the semantic structure of interference-controlled
ALGOL. Note that, in view of the discussion at the beginning of this section,
the fully abstract model is not extensional. So, it cannot be order-extensional
either. Moreover, the pointwise order is clearly inappropriate for the obvious
possibilities. Given that comm is a two-point lattice, the continuous function
space [ comm- comm] would order the function Ac. c below .\c. skip. But, they
are distinguishable in the language. Even the function space [VNat.L- comm]
does not have the right order to represent comm - comm. In contrast, the
15 Note that the full-abstraction result claimed in [Sie94] is for a language with such a snap-back
combinator.
stable order seems tobe working correctly even up to second-order functions,

as evidenced by Facts 1-4.
On the other band, when we look to passive types, the stable order results
in well-known problems [JM91]. We can use this fact to our advantage. We
understand that stable order is modeHing history-sensitive computations. To
combine it with the pointwise order required for history-free computations,
we marry the two using the framework of bidomains. We indicate this briefly
for the representation in terms of bistructures recently obtained by Plotkin
and Winskel [PW94]. Recall that a bistructure is a 4-tuple (lAI, s~. s!, :A)
satisfying certain axioms. To this, we add another component !Alps;; lAI for
modelling passivity and require that !Alp be down-closed with respect tos!
and :;::~. The (active-passive) coherent spaces for primitive types embed into
(active-passive) bistructures in a Straightforward fashion. We only need to
define the construction t A for object spaces. This is as follows:
• tokens ltAI are active-passive traces Poa1P1 · · · anPn where each Pt is a
finite (stable) configuration over IAIP and each a, is an active token,
• ltAip and =tA are as for coherent spaces, and
• the orders s 1 (for l = L, R) are defined as follows: Poa1P1 · · · anPn s 1
qoboql · · · bmqm iff n = m, each a, = bt and each Pt s 1 q, (the latter
defined as for !A).
Note that the orders sL and sR reduce to identity for purely active bistructures
like tcomm and they reduce to the orders of !A for purely passive bistructures
like texp[ö]. By using passivity-reflecting linear maps t A-LBas object func-
tions, we obtain a model that properly restricts the coherent space model by
incorporating pointwise order for passive computations.
7 Example Equivalences
An important application of a semantic model is to test the equivalence of
program fragments. The accuracy of a model can be gauged by the variety of
equivalences it can validate. Since the object-based model is accurate for many
first-order types, we expect that most equivalences involving free identifiers of
such types can be validated using it. ln this section, we show several examples
of such equivalences. ln all of these, an unknown non-local procedure p is
passed an object built from local variables.
Consider a variant of equivalence (1) from Section 1:
new[int] x. new[int] x.
x:=O; x:= 0;
p(x:=x+1) p(x := x -1)
where the free identifier p is of type comm - comm. It is easy to see that the
equivalence holds in the object-based model. Both sides of the equivalence
denote the following object function of the type (comm => comm) - comm:
{{ii)-*:n;::O}
Uday S. Reddy 275
Recall from Section 6 that ii is short for (*)" .... *• a token carrying the infor-
mation that the procedure runs its argument n times.
A variant of the above example with a more practical interest is:
X:= 0; X:= 0;
p[val = x, inc = (x := x + 1)] p[val = -x, inc = (x := x -1)]
where p: counter - comm. The procedure p is being passed two different
implementations of a counter object. Since the two implementations have the
same Observable behavior, we expect the equivalence to hold.
The meanings of the two sides of the equivalence are:
{ [p- (s .... *)] .... *: s E mkcounter((cell0 )}
{ [p- (s .... *)] .... *: s E mkcounter2~(cello)}
where mkcounter1 and mkcounter2 are the meanings of the two counter
phrases regarded as functions of a variable object, and cell0 is the trace set
of a storage cell with an initial value 0. So, the equivalence reduces to the
equality of mkcounter 1 ~(cello) and mkcounter2~(cel10 ). The two functions are
given by the linear pattems:
mkcounter1 { (get.i) .... val.i : i E Iintl } u
{ (get.i,put.(i + 1)) .... inc.*: i E lintl}
mkcounter2 { (get.i) .... val.(-i): i E lintl} u
{ (get.i,put.(i -1)) .... inc.*: i E lintl}
It is easy enough to see that the two object functions produce the same counter
trace set when applied to cell0 . But, let us see how one can show this formally.
Theorem mkcounter((cello) = mkcounter2~(cello).
Proof: The cell trace sets can be defined inductively as follows:

cell; {()} u ((get.i) · cell;) u <UJEiintl(put.j) · cellJ)
where · denotes the obvious extension of multiplication to sets of traces. To
be completely clear, we regard cell as a function of type lintl - tvar[int].
Since such functions form a cpo, the recursive definition has the standard
interpretation as the least fixed point. A family of counter trace sets can be
defined in a similar fashion:
cnt; {()} u ((val.i) · cnt1) u ((inc.*) · cntt+d
Then, by using fixpoint induction, we show:
mkcounter((cell1) = cnt1
mkcounter{(celL 1) = cnt 1
for all i <::: 0. Evidently, the two functions are equal for cell0 • I
An alternative method to show this equivalence is to reason about repre-
sentation information, and show that the two representations are equivalent
using ideas similar to [Hoa72, Mil71, OT95).
Theorem For all s E It counterl,

3tl e cello. h .... s e mkcounter( ~ 3t2 e cello. t2 .... s e mkcounter2A
Proof: The fact that mkcounter( and mkcounter2 are linear functions means
A
that the t1 and t2 of the two existentials are unique whenever they exist.
For a trace t e cell0 , say that t represents a state i ü t · (get.i) e cell0 •
Define a relation R !; cello x cello by
t1 R t2 ~ 3i. t1 represents the state i "
t 2 represents the state -i
Now, we strengthen the statement of the theorem as follows:

• If t1 e cell0 such that t1 .... s e mkcounter( then there exists t2 e cello
suchthat t2 .... s e mkcounter{ and h R t2.
• If t2 e cello such that t2 .... s e mkcounter2 then there exists t1 E cello
A
suchthat t1 .... s e mkcounter1A and t1 R t2.

The strengthened hypothesis can be proved by induction on the length of s.
The conclusion follows. I
This proof illustrates how one can perform "state-based" reasoning though
there are no explicit states in the model. Essentially, the idea is to express
state information in terms of observable operations. It is also noteworthy that
relational reasoning is available to us, even though no relation-preservation
properties are explicitly postulated in the model.
The next example illustrates the "extensionality" properties of the seman-
tics. The following equivalence is an example of an extensionality property for
commands:
X := X + 1; X := X + 1 E X := X + 2
One expects such equivalences to hold in the language of while programs.
However, the equivalence falls for ALGOL. Suppose we substitute the following
phrase for x:
ify=Othenyelsez
where y and z are of type var[int]. The two sides of the equivalence give
different results starting from an initial state where y = 0 and z = 0. We
gather that variables in ALGOL are in general arbitrary objects with get and
put operations. They are not necessarily what we called storage cells.
On the other band, the new[ö] operation of ALGOL does create storage
cells. So, one would expect the following variant of the equivalence to hold:
C1; C1;
p(x := x + 1;x := x + 1); p(x := x + 2);
c2 c2
where C1 and C2 are arbitrary command phrases. This equivalence holds in
the object-based model. It can be formally proved in the same fashion as the
counter example using the relation
t1 R t2 ~ 3i. t1 and t2 represent the state i
Uday S. Reddy 277
Thus, it may be gathered that the model is extensional in modelling commands

even though it has an "intensional" feel.
The next few examples illustrate the "irreversible change" (or "single-
threadedness") properties of the model. (See discussion in [OT95].) Consider
the equivalence:
if x = 0 then f(x + y) else 1 = if x = 0 then f(y) else 1
where f:exp[int]- exp[int]. This is essentially a "constant propagation" op-
timization. Surprisingly, the equivalence falls in most models of ALGOL. It
is easy to understand this fallure by noting that most models support the ex-
pression snap-back combinator. The function f could be ,.\z. do x := 1 result z,
in which case f(x + y) = y + 1 differs from f(y) = y. (Keep in mind that the
parameter passing is by name.) This illustrates how the snap-back combinator
destroys even mundane principles of reasoning for expressions.
The equivalence is trivial in the object-based model. Recall that the func-
tions in exp[int] => exp[int] are precisely the standard (stable or, in this case,
continuous) functions (int- int]; cf. Fact 5. So, the standard reasoning for
such functions continues to be valid.
As a final example, consider equivalence (2) from Section 1:
new[int] x.
x:= 0;
- p(undef)
p(x := x + 1);
if x > 0 then undef else skip
where p: comm - comm. For the left-hand side, if p runs its argument at
all, then x > 0 holds after the call and divergence results. In this case, the
right-hand side diverges too. If p ignores its argument, p(C) is independent of
C. So, both the commands have the same behavior. As mentioned in connec-
tion with Fact 2, all known models of imperative programs fall to satisfy such
equivalences because they model the snap-back combinator try. (Consider
p = try.)
On the other hand, the equivalence holds trivially in the object-based
model. The meaning ofboth sides is {[p- (Ö)] ..... *}.
Assertion-based reasoning
A widely used method for reasoning about imperative programs is in terms
of assertions. Hoare logic [Apt81] for while programs and Specification
logic [Rey81a, Ten91] for higher-order procedures are canonical examples of
such reasoning. In these logics, one reasons about commands using "Hoare
triple" formulas {A} C {B} where A and B are "assertions" and Cis a com-
mand. The formula means that whenever the assertion A holds in a state, the
execution of C yields astatein which the assertion B holds. Since the object-
based semantic model does not mention states explicitly, it is not immediately
clear how to interpretsuch formulas in the model. We briefly indicate how this
maybedone.
Recall, from Section 4.1, that the elements of an object space denote object
behaviors as well as states. If x E t X is an active element, every s E x yields
an "x-state" x/s. Thesenotions can be generalized to interpretations of type
contexts [II I f] in the obvious fashion. Let x range over active elements of
[II I f], 17 over trace environments and u over x-states of the form x/11. We
say that an assertion A holds in u if there exists 17 E u such that 17 .... tt E [A].
Then, the satisfaction of Hoare triples may be defined as follows:
Definition 23 If II Ir f-- {A}C{B} : formula is a Hoare triple and XE [II I f]

is an active element, x is said to satisfy {A}C {B} if, whenever A holds in a
*
x-state u and there exists 17 E u suchthat 17 .... E [ C], B holds in u 111·
The assignment axiom for interference-controlled ALGOL programs is the fol-
lowing: Let rr I r f-- V: var[ö] and rr I r f-- E : exp[ö] be phrases. Then, for all
assertion-valued functions a: exp[ö]- assert (that are independent of V and
E), wehave
gv(V) ==> {a(E)} V:= E {a(deref V)}
where gv(V) is a formula stating that V is a "good variable" [Rey81a], i.e., the
regular function [Vf gives 0 or cellt for some i E 181. 1t is easy to verify that
the axiom is satisfied by all active elements x E [II,a:var[ö]- assert I f],
showing that it is valid.1s
8 Extensions
In this section, we briefly consider some extensions to the basic language con-
sidered in this paper.
Sum types
A type constructor for sum types ih + lJ2 can be added with the usual syn-
tax. Its interpretation is [ lJ1 + lJ2] = t [ lJ1] + t [ lJ2] where + is the coproduct
of coherent spaces (also called the "direct sum" [GLT89, Section 12.1]). This
interpretation is in the same spirit as the lifted sum construction used with
Scott domains and Girard's "linearized" sum in [GLT89, Section 12.5]. The
interpretation of terms is
[rr 1r f-- inl(P) : 01 + 021 r}

{ 17 .... l.s : 17 .... s E [II I r f-- p : (}1
[II Ir f-- inr(Q): lJ1 + lJ2] { 11 .... 2.t: 11 .... t e [II 1 r f-- Q: 02f}
[II,II' 1 r,r' f-- case P ofinl(x1) ~ Q1 I inr(x2> ~ Q2: 0']
{ 17 EB17' .... a:
11 .... i.s e [II Ir f-- P: 01 + 021 A
17' EB [Xt-S] .... a E [II' I f',xt: Ot f-- Qt: 0']}
The interpretation of case makes clear the reasons for the presence of t in the
interpretation of lJ1 + lJ2.
16The soundness of such proof rules is not in question as other models already exist for spec·
ification logic [OT93, Ten90]. The point of interest is that such reasoning principles are valid in
our model, while they would be invalid in models that support snap-back expressions.
Uday S. Reddy 279
Independent product
The product type 01 X Oz of interference-controlled ALGOL represents a compo-
sition of interfering components. One can add a separate type constructor for
independent products el ® ez which puts together independent components.
The term syntax for independent products [OP1T95] is given by:
TI1 I r1 1- P : e1 Tiz I fz 1- Q : Oz
----~------------~~- ®1
TI1.Tiz I r1.rz 1- P ® Q: e1 ® ez
TI 1 r 1- P : e1 ® ez TI I r 1- P : 01 ® Oz ®21"
® 1T
--~----_.:;..--~
-TI-'I-f-1--fs-t-(P.:c.)-:-,e~l TI I r 1- snd(P) : Oz
The independent product allows one to write "uncurried" procedures by using
the isomorphism: 01 ® Oz- 9' ;: 01 - {ez- e'). To give semantics to this
extension, we need to extend the semantic framework as well. Essentially, we
must enlarge the notion of "objects" to include composite objects that have
multiple individual objects as components. Appendix A describes a frame-
work of "finitary object spaces" which incorporates this extension. Another
approach in terms of "dependence spaces" is described in [Red94].
Acceptors
In [Rey81b], Reynolds defines a type of acceptors corresponding to the 1-values
of variables. We postulate a primitive type acc[6] for acceptors (of 6-typed
data values). The type of variables may then be defined as the product:
var[6] = [put:acc[6] x get:exp[6]]
The assignment operator := then has the (more general) type
acc[o] x exp[6] - comm
with an implicit coercion whenever a variable is used as the left-hand side
of:=.
To interpret the acceptor type, we define an active-passive coherent space
acc[6] as follows:
lacc[6]1 161, :::acc[oJ
Note that our original interpretation of variables satisfies var[ 8]
[put: acc[6] x get: exp[6]]. So, there is no substantial change to the seman-
tics.
Reynolds also gives a treatment of acc[6] as the function space
exp[8]- comm. This treatment, however, is not useful for the interference-
controlled language. We often want to apply the acceptor of a variable to
an expression that involves the same variable, e.g., x := x + 1 desugared as
x.put(x.get + 1). Such phrases arenot legal in interference-controlled ALGOL.
On the other hand, we see that Reynolds's conception is very well represented
in our semantics as the isomorphism acc[6] ;: 8 __., comm.
Active expressions and monad combinators

Recent language design efforts in functional programming propose to add
state-manipulation facilities to functional languages using monad combina-
tors [ORH93, PL95, PW93]. While it is not entirely clear how to provide inter-
ference control for such combinators, we can certainly consider a simple form
of monad types where interference control issues do not arise.
Let act[ö] denote the type of computations (active expressions) that may
change state and eventually return data values of type ö. The basic combina-
tors are:
TI I r 1-- E: exp[ö] TI Ir 1-- P: act[ö] TI 1 r,x:exp[ö] 1-- Q: act[ö']
TI 1 r 1-- retum E: act[ö] TI 1 r 1-- P 1> x. Q: act[ö']
1t is also useful to extend the command sequencing combinator ";" for active
expressions. All these combinators can be treated as constants:
retum exp[ö] - p act[ö]
_I>_ act[ö] x (exp[ö] - act[ö']) -p act[ö']
comm x act[ö] - p act[ö]
A simple example of these combinators is the accumulator object; cf. Sec-
tion 4.2:
accum = exp[int] - act[int]
mkaccum:var[int] - p accum
mkaccum(v) = ;\i. v := v + i; retum (deref v)
To give semantics to active expressions, we define an active-passive space
act[ö] as follows:
lact[ö]l = löl, ~ ~
-act[6] = -6• lact[ö]lp = 0

This is similar to exp[ö] except that it has no passive tokens. The meanings
of the above combinators are then given by the linear maps:
return,s exp[ö]- act[ö]
{ i - i: i E Iöl }
bind.s,.s' act[ö] x (exp[ö] ~ act[ö'])- act[ö)

{ {fst.i, snd.(p- j))- j: i EI öl" jE iö'l "p ~ {i}}
comm x act[ö]- act[ö]

{ {fst.*, snd.i) - i: i E Iöl}
Promotion for active expressions

Recent functionallanguages with state [PL95, ORH93, SRI91] also contain pro-
posals for promotion of active expressions. Such expressions allocate and use
state variables locally but do not have any effects on global variables. Thus,
they may be viewed as "applicative" expressions from the outside.
Uday S. Reddy 281
To provide this feature, we add a promotion construct for active expres-

sions by the type rule:
rr 1 ~ P : act[ö]
--~----"____::..,,-- Promoter5
rr 1 ~ run(P) : exp[ö]
Note the similarity with the promotion rule for passive functions - p 'E.
The semantics of the promotion construct, as in Section 5, makes no
change to the meaning of the phrase:
[II I ~ run(P) : exp[ö]] = [II I ~ P: act[ö]]
This interpretation is sound because the active type context of P is empty (and
the meaning is a passivity-reflecting function).
Similar promotion facilities have been used in traditional ALGOL-like lan-
guages (without active expressions). In this context, they are called "block
expressions" [Ten91, Section 9.7], but the essential idea is similar.
9 Conclusion
We have shown that it is possible to give semanlies to higher-order impera-
tive languages without involving a notion of a global state. Such semantics
seems to have an intuitive "feel" of being abstract, and this is corroborated by
the relative ease with which we are able to validate equivalences which have
traditionally failed in conventional approaches.
The main difference between our semantics and the conventional ap-
proaches is that we model objects by their observable behavior without ref-
erence to their intemal states. This decision obtains theoretical economy and
allows us to formulate a ground-level domain-theoretic model of object be-
haviors. In contrast, conventional approaches use explicit states and model
objects as state transformers. But, to represent local-variable abstractions
correctly, they must characterize object functions as being "uniform" in the
underlying state sets.
The functor-category approaches [Ole85, Rey8lb, Ten90) attempt to model
uniformity by natural transformations. This approach has not yet led to sat-
isfactory solutions because the functors involved have "mixed variance" and
naturality is not enough to capture uniformity. In contrast, the relational para-
metricity models [OT95, Sie93) model uniformity by preservation of relations.
The recent full-abstraction result of Sieher [Sie94) suggests that this approach
can be quite successful.
Stepping back, we can see that the idea of objects with local states is at the
heart of the above approaches as well (though it may not have been explicitly
stated in those terms). The main difference is then the treatment of state sets.
By eschewing the explicit treatment of states, we are able to avoid second-
order concepts like functors and finesse the issue of uniformity. On the other
hand, we believe that both the explicit state view and the behavior-based views
have useful roles to play. The insights obtained in the current study should
prove useful for resolving the outstanding issues in the explicit state view.
The most important of these issues is modeHing the irreversibility of state
changes. All known explicit state models (for higher-order languages) contain
the snap back operator try. All but Tennent's model [Ten90] also contain the
more troublesome do-result operator (which invalidates common reasoning
for expressions). The present model is the first to avoid such state change
reversals. Note, however, that Proposition 5 already gives an indication of
how irreversible state changes can be modelled in an explicit state view. This
should be explored further in the future work.
Our model also brings to light important connections between the seman-
lies of state and other subjects in programming language theory. One of
them, viz., connection to linear logic, is studied in [Red93c]. This should
pave the way for good operational models of stateful languages such as ge-
ometry of interaction [AJ92, Gir87b], games [AJM94, H094] and sequential
algorithms [CCF94]. A second connection, to parametricity, arises in studying
the relationship to the explicit state model. At least for the types that arise
in the semantics of interference-controlled ALGOL, our approach shows that
the independence of a parametric type on its type parameters can be explicitly
modelled (via a suitable generalization of Proposition 5). It is an open question
whether this can be carried further for more general parametric types. A third
connection is to concurrency theory. Note that the behavior-based implicit
state view taken here is a common practice in concurrency [Hoa85, Mil89].
The use of Simulations as morphisms is also found in recent models of con-
currency [BG90, Gup94]. These connections should prove useful for studying
concurrent imperative languages.
Finally, an important issue that is left untouched in this work is the
development of uniform reasoning principles. In a sense, the traditional
methods for reasoning, including assertion-based methods and relational
param.etricity-based methods, can be said to reflect an explicit state view of
the semantics. What reasoning methods would be contributed by the behavior-
based view taken here?
Acknowledgements
This work owes much to the encouragement and inspiration provided by Peter O'Hearn
throughout its development. The feedback from him, Bob Tennent and Phil Wadler
were crucial for the development of the current presentation. Anonymaus referees
pointed out many a rough spot. Special thanks go to William Harrison and Howard
Huang for their help in proof-reading.
Thanks to Christian Retore for providing the foundational ideas of pomset logic
(which are implicit throughout this work) and Samson Abramsky for pointing me
in this direction. I thank Guo-Qiang Zhang for explaining his constructions for
dl-domains (used in Finitary Object Spaces, Appendix A).
This research was supported by National Science Foundation under grant NSF-
CCR-93-03043.
References
[Abr94) S. Abramsky. Interaction categories and communicating sequential pro-
cesses. In A. W. Roscoe, editor, A Classical Mind: Essays in Honor of
C. A. R. Hoare, pages 1-16. Prentice-Hall International, 1994.
[Agh86) G. Agha. Actors: A Model of Concurrent Computation in Distributed Sys-
tems. The MIT Press, 1986.
Uday S. Reddy 283
(AJ92] S. Abramsky and R. Jagadeesan. New foundations for geometry of interac-

tion. In Proceedings, Seventh Annual IEEE Symposium on Logic in Computer
Science, pages 211-222. IEEE Computer Society Press, June 1992.
(AJ94] S. Abramsky and R. Jagadeesan. Games and full completeness for multi-
plicative linear logic. ]. Symbolic Logic, 59(2):543-574, 1994.
(AJM94] S. Abramsky, R. Jagadeesan, and P. Malacaria. Full abstraction for PCF
(extended abstract). In M. Hagiya and J. C. Mitchell, editors, Theoretical
Aspects of Computer Software, volume 789 of Lecture Notes in Computer
Science, pages 1-15. Springer-Verlag, 1994.
(Apt81] K. R. Apt. Ten years of Hoare's logic: A survey. ACM Transactions on
Programming Languages and Systems, 3(4):431-483, October 1981.
(AR88] I. J. Aalbersberg and G. Rozenberg. Theory of traces. Theoretical Computer
Science, 60:1-82, 1988.
[Bar84] H. P. Barendregt. The Lambda Calculus, 2nd edition. North-Holland, 1984.
(BBdPH92] P. N. Benton, G. M. Bierman, V. C. V. de Paiva, and J. M. E. Hyland. Term
Assignment for Intuitionistic Linear Logic. Technical Report 262, Computer
Laboratory, University of Cambridge, August 1992.
(Ber78] G. Berry. Stahle models of typed .\-calculi. In Fifth International Colloquium
on Automata, Languages and Programming, volume 62 of Lecture Notes in
Computer Science, pages 72-88. Springer-Verlag, 1978.
(BG90] C. Brown and D. Gurr. A categorical linear framework for Petri nets. In
Proceedings, Fifth Annual IEEE Symposium on Logic in Computer Science,
pages 208-218.1EEE Computer Society Press, June 1990.
(Bie93] G. M. Bierman. On Intuitionistic Linear Logic. PhD thesis, Computer Labo-
ratory, University of Cambridge, December 1993.
(BMMM95] S. Brookes, M. Main, A. Melton, and M. Mislove, editors. Mathematical Foun-
dations of Programming Semantics: Eleventh Annual Con(erence, volume 1
of Electronic Notes in Theoretical Computer Science Elsevier, 1995.
[CCF94] R. Cartwright, P.-L. Curien, and M. Felleisen. Fully abstract seman-
tics for observably sequential languages. Information and Computation,
111(2):297-401, June 1994.
[dBdRR89] J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors. Linear Time,
Branching Time and Partial Order in Logics and Models of Concurrency,
volume 354 of Lecture Notes in Computer Science. Springer-Verlag, 1989.
(FW79] D. P. Freidman and D. S. Wise. An approach to fair applicative multipro-
gramming. In G. Kahn, editor, Semantics of Concurrent Computation, vol-
ume 70 of Lecture Notes in Computer Science, pages 203-226. Springer-
Verlag, 1979.
[Gir87a] J.-Y. Girard. Linear logic. Theoretical Computer Science, 50:1-102, 1987.
[Gir87b] J.-Y. Girard. Towards a geometry of interaction. In Gray and Scedrov
(GS89], pages 69-108.
[GLT89] J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types. Cambridge Univer-
sity Press, 1989.
(GS89] J. W. Gray and A. Scedrov, editors. Categories in Computer Science and
Logic, volume 92 of Contemporary Mathematics, AMS, 1989.
[Gun92] C. A. Gunter. Semantics of Programming Languages: Structures and Tech-
niques. The MIT Press, 1992.
[Gup94] V. Gupta. Chu Spaees: A Model of Concurrency. PhD thesis, Stanford Uni-
versity, August 1994.
[Hen94] M. Hennessy. A fully abstract denotational model for higher-order pro-
cesses. Information and Computation, 112(1):55-95, July 1994.
[HMT83] j. Y. Halpem, A. R. Meyer, and B. A. Trahktenbrot. The semantics of local
storage, or what makes the free list free? ln Tenth Annual ACM Symposium
on Principles o{Programming Languages, pages 245-257. ACM, 1983.
[H094] j. M. E. Hyland and C.-H. L. Ong. On full abstraction for PCF (preliminary
version). Manuscript, Cambridge University, October 1994.
[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Comm.
ACM, 12:576-583, 1969.
[Hoa71] C. A. R. Hoare. Procedures and parameters: An axiomatic approach. ln
E. Engeler, editor, Symposium on Semanties of Algorithmie Languages, vol-
ume 188 of Leerure Notes in Mathematies, pages 102-116. Springer-Verlag,
1971.
[Hoa72] C. A. R. Hoare. Proof of correctness of data representations. Acta Infor-
matiea, 1:271-281, 1972.
[Hoa85] C. A. R. Hoare. Communieating Sequential Processes. Prentice-Halllnterna-
tional, London, 1985.
[JM91] T. Jim and A. R. Meyer. Full abstraction and the context lemma. ln T. Ito
and A. R. Meyer, editors, Theoretieal Aspects of Computer Software, vol-
ume 526 of Leerure Notes in Computer Scienee, pages 131-151. Springer-
Verlag, 1991.
[KL85) R. M. Keller and G. Lindstrom. Approaching distributed database imple-
mentations through functional programming concepts. ln International
Conferenee on Distributed Computing Systems. IEEE, May 1985.
[KM77) G. Kahn and D. B. MacQueen. Coroutines and networks of parallel pro-
cesses. ln Information Processing 77, pages 993-998, 1977.
[Lam87] j. Lambek. Multicategories revisited. ln Gray and Scedrov [GS89].
[Mac71] S. Mac Lane. Categories (or the Working Mathematician. Springer-Verlag,
1971.
[Maz77] A. Mazurkiewicz. Concurrent program schemes and their interpretations.
DAIMI Report PB 78, Aarbus University, Aarhus, 1977.
[Maz89] A. Mazurkiewicz. Basic notions of trace theory. ln de Bakker et al.
[dBdRR89], pages 285-363.
[Mil71] R. Milner. An algebraic definition of simulation between programs. ln Proc.
Seeond International Joint Con(erenee on Artificialintelligenee, pages 481-
489, London, 1971. The British Computer Society.
[Mil89] R. Milner. Communieation and Coneurrency. Prentice Hall, 1989.
[Mit90] J. C. Mitchell. Type systems for programming languages. ln J. van Leeuwen,
editor, Handbook of Theoretieal Computer Scienee, Volume B, pages 365-
458. North-Holland, Amsterdam, 1990.
[MS88) A. R. Meyer and K. Sieber. Towards fully abstract semantics for local vari-
ables. ln Fi(teenth Annual ACM Symposium on Prineiples o( Programming
Languages, pages See Chapter 7. 191-203. ACM, 1988.
[Nau60] P. Naur (editor), J. W. Backus, et al. Report on the algorithmic language
ALGOL 60. Comm. ACM, 3(5):299-314, May 1960.
Uday S. Reddy 285
[O'H90) P. W. O'Hearn. Semantics of Noninter(erence: A Natural Approach. PhD

thesis, Queen's University, Kingston, Canada, 1990.
[O'H91) P. W. O'Hearn. linear logic and interference control. In Category Theory
and Computer Science, volume 350 of Lecture Notes in Computer Science,
pages 74-93. Springer-Verlag, 1991.
[O'H93) P. W. O'Hearn. A model for syntactic control of interference. Mathematical
Structures in Computer Sdence, 3:435-465, 1993.
[Ole85) F. J. Oles. Type algebras, functor categories and block structure. In M. Nivat
and J. C. Reynolds, editors, Algebrate Methods in Semantics, pages 543-
573. Cambridge University Press, 1985. See Chapter 11.
[OP'IT95) P. W. O'Hearn, A. j. Power, M. Takeyama, and R. D. Tennent. Syntactic con-
trol of interference revisited. In Brookes et al. [BMMM95). See Chapter 18.
[OR95) P. W. O'Hearn and U. S. Reddy. Objects, interference and the Yoneda em-
bedding. In Brookes et al. [BMMM95).
[ORH93) M. Odersky, D. Rabin, and P. Hudak. Call by name, assignment and the
lambda calculus. In Twentieth Annual ACM Symposium on Principles o(
Programming Languages ACM, 1993.
[OT92) P. W. O'Hearn and R. D. Tennent. Semantics of local variables. In M. P. Four-
man, P. T. Johnstone, and A M. Pitts, editors, Applications of Categories in
Computer Science, pages 217-238. Cambridge University Press, 1992.
[OT93) P. W. O'Hearn and R. D. Tennent. Semantical analysis of specification
logic, 2. Information and Computation, 107(1):25-57, 1993.
[OT95) P. W. O'Hearn and R. D. Tennent. Parametricity and local variables. ]. ACM,
42(3), 1995. See Chapter 16.
[PL95) S. L. Peyton Jones and J. Launchbury. State in HAS.KELL. LISP and Symbolic
Computation, 8(4):293-341, 1995.
[Plo77) G. D. Plotkin. LCF considered as a programming language. Theoretical
Computer Science, 5:223-255, 1977.
[Pra84) V. Pratt. The pomset model of parallel processes: Unifying the temporal
and the spatial. In Seminar on Concurrency, volume 197 of Lecture Notes
in Computer Science, pages 180-196. Springer-Verlag, 1984.
[PT93) B. C. Pierce and D. N. Turner. Object-oriented programming without recur-
sive types. In Twentieth Annual ACM Symposium on Principles o( Program-
ming Languages, pages 299-312. ACM, 1993.
[PW93) S. L. Peyton Jones and P. Wadler. Imperative functional programming.
In Twentieth Annual ACM Symposium on Principles of Programming Lan-
guages, pages 71-84, ACM, 1993.
[PW94) G. Plotkin and G. Winskel. Bistructures, bidomains and linear logic. In
ICALP '94, volume 820 of Lecture Notes in Computer Science. Springer-
Verlag, 1994.
[Red93a) U. S. Reddy. Global state considered unnecessary: Semantics of
interference-free imperative programming. In ACM SIGPLAN Workshop
on State in Programming Languages, pages 120-135. Technical Report
YALEU/DCS/RR-968, june 1993.
[Red93b) U. S. Reddy. A linear logic model of state. Electronic manuscript, University
of lllinois (anonymous FTP from cs.uiuc.edu), October 1993.
[Red93c) U. S. Reddy. A linear logic model of state (extended abstract). Technical

report, University of Glasgow, January 1993.
[Red94) U. S. Reddy. Passivity and independence. In Proceedings, Ninth AnnualiEEE
Symposium on Logic in Computer Science, pages 342-352. IEEE Computer
Society Press, July 1994.
[Ret93) C. Retore. Reseaux et Sequents Ordonnes. These de Doctorat, specialite
Mathematiques, Universite Paris 7, February 1993. (English translation
available from the author).
[Rey78) J. C. Reynolds. Syntactic control of interference. In ACM Symposium on
Principles o(Programming Languages, pages 39-46. ACM, 1978. See Chap-
ter 10.
[Rey81a) J. C. Reynolds. The Craff of Programming. Prentice-Hall International,
London, 1981.
[Rey81b) J. C. Reynolds. The essence of ALGOL. In J. W. de Bakker and J. C. van Vliet,
editors, Algorithmic Languages, pages 345-372. North-Holland, 1981. See
Chapter 3.
[Rey82) J. C. Reynolds. IDEALIZED ALGOL and its specification logic. In D. Neel,
editor, Tools and Notions for Program Construction, pages 121-161. Cam-
bridge University Press, 1982. See Chapter 6.
[Rey88) J. C. Reynolds. Preliminary Design of the Programming Language FoRSYTHE.
Technical Report CMU-CS-88-159, Carnegie-Mellon University, June 1988.
See Chapter 8.
[Rey89) J. C. Reynolds. Syntactic control of interference, Part ß. In Automata, Lan-
guages and Programming, 16th International Colloquium, volume 372 of
Lecture Notes in Computer Science, pages 704-722. Springer-Verlag, 1989.
[RK94) U. S. Reddy and S. N. Kamin. Two semantic models of object-oriented
languages. In C. A. Gunter and J. C. Mitchell, editors, Theoretical Aspects of
Object-Oriented Programming, pages 463-496. The MIT Press, 1994.
[Sco80) D. S. Scott. Relating theories of the Iambda calculus. In To H. B. Curry:
Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 403-
450. Academic Press, 1980.
[Sha87) E. Shapiro. CONCURRENT PROLOG: Collected Papers. The MIT Press, 1987.
(Two volumes).
[Sie93) K. Sieber. New steps towards full abstraction for local variables. In ACM
SIGPLAN Workshop on State in Programming Languages, pages 88-100.
Technical Report YALEU/DCS/RR-968, Yale University, New Haven, 1993.
[Sie94) K. Sieber. Full Abstraction for the Second Order Subset of an ALGOL-like
Language (preliminary report). Technical Bericht A 01/94, Universitaet
des Saarlandes, Saarbruecken, February 1994. See Chapter 15.
[SRI91) V. Swarup, U. S. Reddy, and E. Ireland. Assignments for applicative lan-
guages. In R. J. M. Hughes, editor, Conf. on Functional Programming Lan-
guages and Computer Architecture, volume 523 of Leerure Notes in Com-
puter Science, pages 192-214. Springer-Verlag, 1991. See Chapter 9.
[Sto77) J. E. Stoy.
Denotational Semantics: The Scott-Strachey Approach to Pro-
gramming Language Theory. The MIT Press, 1977.
[Ten83) R. D. Tennent. Semantics of interference control. Theoretical Computer
Science, 27:297-310, 1983.
Uday S. Reddy 287
[Ten95] R. D. Tennent. Denotational semanties. In S. Abramsky, D. M. Gabbay,

and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science,
volum.e 3, pages 169-322, Oxford University Press, 1995.
[Ten90] R. D. Tennent. Semantieal analysis of speeifieation logie. Information and
Computation, 85(2):135-162, 1990. See Chapter 13.
[Ten91] R. D. Tennent. Semantics of Programming Languages. Prentiee-Hall Inter-
national, London, 1991.
[Wad91] P. Wadler. Is there a use for linear logie? In Proc. Symposium on Partial
Evaluation and Semantics-Based Program Manipulation, pages 255-273.
ACM, 1991. (SIGPLAN Notiees, Sept. 1991).
[Weg87] P. Wegner. Dimensions of objeet-based language design. In Object Oriented
Programming Systems, Languages and Applications. ACM SIGPLAN, 1987.
[WF93] S. Weeks and M. Felleisen. On the orthogonality of assignments and pro-
eedures in ALGOL. In Twentieth Annual ACM Symposium on Principles of
Programming Languages, pages 57-70, ACM, 1993. See Chapter 5.
[Win89] G. Winskel. An introduetion to event struetures. In de Bakker et al.
[dBdRR89], pages 364-397.
[Win94] G. Winskel. Stahle bistrueture models of PCF. In Mathematical Foundations
of Computer Science, volum.e 841 of Leerure Notes in Computer Science.
Springer-Verlag, 1994.
[Zha91] G.-Q. Zhang. Logic of Domains. Birkhäuser, Boston, 1991.
[Zha93] G.-Q. Zhang. Some monoidal closed categories of stable domains and event
struetures. Mathematical Structures in Computer Science, 3:259-276, 1993.
Appendix A Categorical Structure of the Model

The model of interference-eontrolled ALGOL presented here is an instanee of a gen-
eral eonstruetion outlined in [BBdPH92], Theorem 8. (See also [Bie93].) We use this
eonstruetion to explain the eategorieal strueture of the model.
The body of the paper mentions two base eategories: the eategory of eoherent
spaees and linear maps CohL in Seetion 4, and the eategory of aetive-passive eoherent
spaees and (passivity-preserving) linear maps APCohL in Seetion 5. Both the eategories
are symmetric monoidal closed with tensor produets given by ®, the tensor unit 1
and the exponential given by ~. Let us faetor out the eommonalities by assum.ing a
symmetrie monoidal closed eategory (C, ®, 1, ~) with finite products ( x, T).
First, we define a symmetrie monoidal funetor t: C- C and extend it to a eomonad
by defining monoidal natural transformations:
readA tA - A { (a) .... a : a E lAI }
dupA tA-ttA = {SI···Sn.-(Sl,···•Sn):Sl·•·SnEitAI}
to say that t is a "symmetrie monoidal" funetor is to say that there arenatural trans-
formations:
mergeA,B tA®tB-t(A®B)
{ ((a~o ... ,an), (b~o ... ,bn)) .... ((a~obi), ... , (an,bn))
: a~o ... ,an E lAI A b~o .•• ,bn E IBI}
1-tl
{* . . <*>": n ~ 0}
which commute with the symmetric monoidal structure in an appropriate fash-

ion [BBdPH92]. To say that read and dup are monoidal transformations is to imply
that they commute with the merge transformations.
Next, we consider the (Eilenberg-Moore) category ct of t-coalgebras and coalgebra
morphisms [Mac71]. Recall that a coalgebra isapair (C,hc:C- tC) of an object C
and an arrow hc: C - tC such that the requisite diagrams commute. The object C is
called the underlyjng object of the coalgebra and hc its structure map. We often write
the coalgebra as simply C with the structure map understood. Coalgebra morphisms
f: C - D are arrows f: C - D of the underlyjng objects suchthat the following square
commutes:
C ----'-'-.... D
hcj tf J•D
tC ---'-'--- tD
What we call "object spaces" are (spedal classes of) t -coalgebras and "regular (unctions"
are coalgebra morphisms.
A free coalgebra isapair (tA,dupA:tA- ttA) for an object A of C. Notlee the
(natural) isomorphism
ct (C, tA): C(UC,A)
where U:ct -Cis the "underlyjng object functor". The maps in the two directions
are:
f = C~tC___iL..tA foranyf:UC-A
g UC~tA~A
f
Morphisms o( the form are called "regular ex.tensions" o( linear maps in Section 4.
Likewise, g is the "linear pattem" o( a regular (unction. The semantics of interference-
controlled ALGOL is given using free coalgebras.
If C and D are coalgebras, their tensor product C ®D can be made into a coalgebra
by associating the structure map:
hc ® hD mergec,D
C®D tC® tD t(C®D)
The tensor unit is (l,merge1 : 1 - tl). This gives a symmetric monoidal structure to
ct. However, C ®Dis not a free coalgebra even if C and D are. So, we cannot simply
work in the subcategory of free coalgebras. This is the reason for using a multicategory
structure in Section 4. We require, however, that (l,merge1 ) is the terminal object in
ct. This gives a unique coalgebra morphism
discardc: C - R1
which is used for interpreting "weakening" (implicit in the rule Id).

For any coalgebra C and a free coalgebra t A, there exists an exponent C => t A =
t(UC ..... A). This is dear from the isomorphisms
ct (D 0 C, tA) =C(UD 0 UC,A): C(UD, UC -o A): ct (D, t(UC ..... A))
The associated combinators are:
A(f) D ~ tD tA<readA•fl t(C -o A)
applYc,tA t(C -o A) ®C __!!_... t(t(C -o A) ® C)
- -t'-'<_re_ad_®_ld.:....).... t ( (C -oA ) ® C) -
tapply
tA
Uday S. Reddy 289
Thus, in the words of [BBdPH92], "the full subcategory of finite tensor products of free
coalgebras forms a symmetric monoidal closed category" whenever C is symmetric
monoidal closed and t is a symmetric monoidal comonad.
If C has products (which is the case for our base categories), the free coalgebras
have products. The product of tA and tB is t(A x B). The maps involved in this
structure are:
trr1 trrz
• t(A x B) _....:_.:__.,.. tA and t(A x B) _....:_=---.... tB; and
• c _ __.;:;..._
hc t<i.9>
tC -"'--'-=--+- t (A X B).
Recall that 1 is already the terminal object and is now seentobe isomorphic to tT.
It is easily verified that, by considering arrows f: t A1 ® • • • ® t An - B of C as
multi-arrows {:A1. ... ,An- B, we can form a multicategory. We call this the "Kleisli
multicategory" of C under t and denote it by Ch>t· The semantics of Section 4.3 is
given in such a multicategory.
All of this captures the surface structure of the model, given an appropriate
comonad t. It does not, however, explain t (which is where the novelty of the present
modellies). An earlier paper [Red93b] defines t as the free comonoid comonad with
respect to an additional (non-symmetric) monoidal structure (t>, 1). The bifunctor t>
called "before" represents a notion of sequential composition. See [Ret93] for a proof-
theoretical study of this bifunctor.
Passivity
The category of active-passive coherent spaces used for modelling passivity has im-
portant elements which can also be expressed at the categoricallevel.
Our prototypical base category C (such as APCohL) has a full subcategory P
for modelling passive types. This subcategory is reflective as weil as co-reflective.
(See [Mac71], Sec. IV.3.) This means that there are functors P, P: C - C taking values
in P such that we have the natural isomorphisms:
passify- 1 P(PA,P) C(A,P) : passify
promote- 1 P(P,PB) C(P,B) : promote
By the first isomorphism, we obtain a natural transformation pasA:A-PA as the unit
of the reflection, and, by the second isomorphism, derB: PB - B as the co-unit of the
co-reflection.
For active-passive coherent spaces, the functor P assigns, to each space A, its
passive subspace PA and, to each (passivity-reflecting) linear map f: A-LB, the corre-
spondingrestrictionPf:PA-rPB. Theunit pasA is given by {a ~ a: a E IAiv }. The
isomorphism passify and the unit pas are used in interpreting the type rules Passify
and Activate respectively.
The functor P assigns to each space A, the passive space PA with IPAI = IPAiv =
lAI and the same coherence relation as A. A (passivity-reflecting) linear map f:A -r B
is mapped to the same map regarded as an arrow PA-L PB. The co-unit derB is given
by { b ~ b : b E IB I }. The isomorphism promote and the co-unit der are used in
interpreting the type rules Promote and Derelict respectively.
Note that the functor P is full. This makes the unit pasA a split epi. The right
inverse of pasA is then a monic, actA:PA- A. We may thus call PA the "passive
subobject" of A (terminology first used in [O'H93]).
The full subcategory P is closed under all the constructions mentioned previously:
®, 1, A __., (- ), x, T, and t. Further, the reflector P preserves all of this structure on
the nose:
PI 1 P(A ®B) PA®PB
PtA WA P(A-B) A-PB
PT T P(A x B) PAx PB
Since P preserves the monoidal structure, the associated reflection is a monoidal ad-
junction. This fact is also used in the interpretation of Passify and Activate.
Finally, the passive sublanguage of interference-controlled ALGOL is a functional
programming language. Therefore, the tensor product in Pht must be the categor-
ical product. One way of ensuring this is to notice that free t coalgebras in P have
"diagonals", i.e., there is a monoidal natural family of coalgebra morphisms:
dupp: t P - R tP ® tP = {PI u P2 - (PI. P2) :PI u P2 E It PI }
suchthat (P, dupp, discardp) forms a commutative comonoid. Further, all coalgebra
morphisms are comonoid morphisms. It then follows that tensor products in Pht
are isomorphic to products by [BBdPH92, Theorem 9]. In other words, we have an
isomorphism
tP® tQ t(PxQ)
given by
packp,Q: tP ® tQ- t(P X Q) = { (pll,p12)- p: p E lt(P X Q)l}
where p 11 = {fst.a : a E p } and p 12 = { snd.b : b E p } .
Note that the Kleisli multicategory Pht is equivalent to the Kleisli category
Pt because multicategory maps t PI ® • • • ® t Pn - Q are one-to-one with maps
t(PI x · · · x Pn)- Q. The Kleisli category is cartesian dosed.
Finitary object spaces

The multicategory structure outlined above is not entirely ideal. For certain appli-
cations, such as the Yoneda embedding used for modelling interference [OR95], one
would like to use an ordinary category rather than a multicategory. The difficulty is
that the free coalgebras do not have tensor products while the category of finite ten-
sor products of free coalgebras does not have products. So, some other approach is
needed. There seem to be two alternatives.
One can enrich coherent spaces with further structure so that free coalgebras over
such enriched coherent spaces are dosed under tensor product. Structures called
dependence spaces are described in [Red94] with this property. In addition to having
tensor products, these structures also give a smooth treatment of passivity.
The second alternative is to find a dass of coalgebras that are dosed under ten-
sor product. We explore this alternative here by defining a dass of coalgebras called
finitary object spaces. The main issue in formulating object spaces other than the free
ones is to calculate the exponentials. While the exponents of free coalgebras can be
represented by free coalgebras, the more general exponents cannot be so represented.
So, we need to examine the structure of morphisms more dosely.
We define an object space as a coherent space (ICI, :c) where the set of tokens
is equipped with the structure of a partial monoid ICI = ( ICI, ·, ec) such that the
following condition is satisfied:
XI . YI : X2 . Y2 = (XI : X2 A (XI = X2 = YI = Y2))
To say that ICl isapartial monoid is to say that its multiplication operation "·" is a
partial function. (We often omit "·"in writing a product xy.) Note that an object space
is a t-coalgebra with the structure map:
hc ={XI·· ·Xn- (XI, ... ,Xn): n 2: OAXI, ... ,Xn E ICI AXI· · ·Xn E ICI}
Uday S. Reddy 291
There exists a preorder on the monoid of tokens defined by x :Sc y = 3x'. xx' = y.
Note that, if a product xy is defined, then xy' is defined for all y' :S y. Secondly, x :S y
implies x' ::: y' for all x' :S x, y' :S y. In particular, ec ::: x for all x E ICl. We call an
object space finitary if :S is a finitary partial order. (The set { y : y :S x } is finite for all
x E ICl.) Regular maps f: C -R D are coalgebra morphisms, as usual. Thus, we form
a full subcategory FOb of CohL t.
A free object space t A is dearly a finitary object space. Its finitary partial order is
the prefix order. It is easy to see that finitary object spaces carry the structure of prime
event structures which, in turn, correspond to dl-domains [Win89). Regular maps are
special cases of linear maps on dl-domains.
The tensor product C ® D of object spaces is the tensor product of the underlying
coherent spaces with the monoid structure being the monoid product ICl x IDI. The
object space 1 has the one-element monoid structure. Note that 1 is the terminal
object of FOb. The product C x D of finitary object spaces has the token-monoid
IC x Dl =I Cl e IDI, the monoid coproduct of ICl and IDI.
To define the exponent C = D of of finitary object spaces, we need to consider
another dass of maps called active maps. An active map f: C - A D is a linear map
suchthat
1. ec - ev E f, and
2. x- y E fand y' :S y implies there exists (unique) x' :S x suchthat x' - y' E f.
Note that active maps properly indude regular maps. (They still form a subdass of
linear maps on dl-domains.) The tokens of C = D are active maps with a maximumpair
x - y. Call them prime active maps. For an active map f: C-A D and pair x - y E f,
Iet fx- Ylr denote the set
fX - Y 1{ = { x' - y' E f : x' :S X 1\ y' :S y }
Then all prime active maps can be written as fX - y 1{ for some f: C - A D and
x - y E f. The exponent C = D is defined as follows:
IC=DI = {fx-Ylr:f:C-ADAx-yEf}
fx1- Yllf1 ::: fxz- Y2lr2 = 3f:C -A D. fx1- Yllf1 u fxz- Yzlr2 ~ f
with the monoid structure:
ec~v = {ec- ev}
fx1 - Yll{1 • fxz - Y21{2 = fx1x2 - YlY21{
where f = fx1 - Yllf1 u { x1x' - Y1Y' : x' - y' E fxz - Yzlr2 }. (Note that the
above product of prime active maps is defined if and only if the products x 1xz and
YlY2 are both defined.) This construction dosely parallels the construction of expo-
nents for dl-domains [Zha93). To see that C = D is indeed the exponent in FOb,
suppose f:B ® C -R Dis a regular map. For any x E IBI, we can define an active map
fjx:C -AD by
fix= {y'- z': 3x' ~ x. (x',y')- z' E f}
Then, the natural isomorphism B ® C- R D ;: B- R ( C = D) is given by the combinators:
A(f) B-R (C=D)
{x- fy-zlr 1x:(x,y) -zEf}
applvc.v (C=D) ®C-RD
{(fy- Zlf.Y)- Z :f:C-AD 1\Y- z Ef}
Lengthy calculations show that these maps are regular and give the required isomor-
phism.
Todefine active-passive object spaces APFOb, we equip object spaces (ICI, :c)
with designated (partial) submonoids ICLv such that, for all x, y E ICip, and x' E ICl,
x' ::> x=x' E ICip

xy =yx
x ::> y = xy = y
(Since xy : yx, the product xy of passive tokens is defined only if x : y.) The arrows
are the passivity-reflecting regular maps.
Passive object spaces are those with ICip = ICl. The full subcategory of passive
object spaces is reflective and coreflective. The functors 83, P: APFOb- APFOb (taking
values in the subcategory) are defined as follows: !'C is the passive subspace of C and
!'(f: C -R D) is the restriction of f to !'C -R t'D. Todefine PC, we consider the least
equivalence relation on ICI such that, for all x,y E ICI, xy = yx and x ::> y => xy = y.
Then,
IPCI { [x]: 'ltX1.X2 E [x].XI :c xz}
[x] :pc [y] = 3x' E [x],y' E [y].x' :c y'
This space is equipped with the submonoid IPCip = IPCI to make a passive object
space. The action of P on a map f: C - R D is
Pf:PC-RPD = {[x]-[y]:x-yE(, [x]EIPCI}
It can be verified this is a regular map (in particular, [y] E IPD I), and that the action
is functorial. The counit is then given by
derc:PC -R C = { [x]- x: x EI Cl, [x] E IPCI}
To summarize, we have the following hierarchy of full subcategories:
CohLt ~ CohLht ~ FOb Ob CohLt

APCohLt ~ APCohLht ~ APFOb APOb APCohLt
where the notation Cht is used for the category of finite tensor products of free
coalgebras. FOb and APFOb are the least categories in these hierarchies which are
closed under all of tensor products, exponentials and products. The semantics of
interference-controlled ALGOL can be viewed as working in the category APFOb.
Appendix B Proof of Operational Adequacy

The proof follows the generalplan of Plotkin [Plo77]. Since this is standard, we mainly
focus on the parts of the proof related to the handling of state.
We call a phrase P semi-closed if all its free identifiers are of types var[ö]. We use
~ to range over variable type contexts. A semi-closed phrase of a basetype (exp[ö]
or comm) is said to be a normal phrase if its only redexes are instances of undef. So,
normal phrases satisfy the following context-free syntax:
(expressions) E .. - OIEI+Ezlderefxlif(E,EI,Ez) lundef

(commands) c skip I C1;Cz I C1ll Cz I x :=EI if(E,CI,Cz)
I new[ö] x. C I undef
If P is a semi-closed phrase of a base type, w(P) denotes the phrase obtained by
replacing all its redexes by undef. Note that [w(P)] ~ [P].
Uday S. Reddy 293
To relate states involved in the operational semantics and traces involved in the
denotational one, we define some relations. For s E ltvar[8]1. define a relation
s !; 181 x 181 inductivelyby
i ....!1...;1
i1
= i = i1
(get.J} ·s
i1
= i= j 1\ i...!... i1
(put.j} ·S
= . s
J-+-1
.,
We extend this to states and trace environments (with respect to a context 6161 ) by
u...!!.. ul
= u(x) ~ U 1 (x) for all identifiers x in 616 1
Note the following facts:
1. The relation ..!!.. is single-valued, i.e., u ..!!.. U 1 and u ..!!.. u" implies U 1 = u".
2. If 11 is a passive trace environment, u ..!!.. U 1

implies u = U 1
•
3. u ..!!.. U for some u and U if and only if each 17(x) is a storage cell trace.
1 1
4. If u !!1. u1 and u !!.5. u2 then 111 ::: 112.

Lemma 24 The semantics o( normal phrases is sound and adequate (or execution, i.e.,
(or any normal phrase 6 I 6 1 f- P : e,
• if9 isexp[8] then (u,P) ~ i = 317 E l[6l6 1 ]l.u..!!.. u A 11- i E [P],
• if9 iscomm then (u,P) ~ U 1

= 317 E l[6l6 1 ]l.u..!!.. U 1
A 11- * E [P].
Proof: By induction on the structure of P. (Note that the 17's in the existentials are
unique.) This is a Straightforward verification. We show a few cases:
Suppose P = E1 + E2. By definition of ~. (u,P) ~ i iff there exist i1oi2 such
that i = h + i2, (u,EI) ~ i1 and (u,E2) ~ i2. By the inductive hypothesis, this is
equivalent to the existence of 111.112 suchthat u !!1. u, u !!.5. u, 111 - i1 E [Ed and
112- i2 E [E2]. All this amounts to the existence of 11 = 111 · 112 suchthat u..!!.. u and
11- i E [EI +E2].
Suppose P = deref x. Then (u,P) ~ i iff i = u(x). Let 11 = 17o[x-(get.i) ]. Wehave
u ..!!.. u and 11 - i E [deref x]. Since 11 is uniquely determined, the reverse implication
holds as weil.
Suppose P = (x := E). Then (u,P) ~ U 1 iff there exists i suchthat (u,E) ~ i and
U 1 = u[x-i]. By the inductive hypothesis, (u,E) ~ i is equivalent to the existence of
17 1 suchthat u !!1. u and 111- i E [E]. Let 112 = 17o[x-(put.i)]. Wehave u~u~
and 111 · 112 - *
E [x := E].
Suppose P = C1 11 C2. Then (u,P) ~ U 1 iff there exist corresponding decomposi-
tions u = u1 e u2 and U 1 = u{ e u~ suchthat (ui. CI) ~ u{ and (u2, C2) ~ u~. By the
inductive hypothesis, this is equivalent to the existence of 111.112 suchthat u1 !!1. u{,
'12 I
u2 - u 2. 111 - *
E [Cd and 112 - *
E [C2 . Wehave u1 e u2
]
u 1 e u 2 and
'11 $'72 I I
111 e 112 - *
E [CI II Cz].
Suppose P = new[8] x. C. Then (u,P) ~ U 1 iff there exists i such that (u e
[x-init[8]], C) ~ U 1 e [x-i]. By the inductive hypothesis, this is equivalent to the
existence of 11 and s suchthat u e [x-init[8]] 'lfD[x-sl U 1 e [x-i] and 11 e [x-s]-
* E [C]. So, we have u..!!.. U 1 and, since s E cellinit[6]• 1J- E [new[8] x. C]. I *
Lemma 25 Semantics is sound (or reduction, i.e., i(P -* P 1
then [P] = [P 1 ] .
Proof: By induction on the length of the reduction sequence P - * P' and the struc-
ture of P. It only remains tobe seen that each reduction rule is semantics-preserving.
Tilis is a Straightforward verification. As an example, we show the property for the
last propagation rule:
if(Po,PI,Pz) := Q - if(Po, P1 := Q, Pz := Q)
Suppose 17 - * is in the denotation of the left-hand side. Then there is a decomposi-
tion 17 = 1'/r · 110 · 111 suchthat 1'/r- i E [Q] (for some i E 181), '70- t E [Po] (for some
t E {tt,ff}), and 111- put.i E [Pk] (for k = 1,2 depending on t). Now, I'Jr and 110 are
*
passive traces (because i and t arepassive tokens). So, 17 = 110 · 1'/r · '11· Clearly, 17- is
in the denotation of the right-hand side. Moreover, the argument is invertible. Hence,
the two sides have the same denotation. 1
For the opposite direction, we define a notion of computable phrases:
Definition 26 A phrase P is said to be computable if one of the following conditions
holds:
• Suppose Pisa semi-closed phrase of type e. If (J is a base type, Pis computable
if there exists P' such that P - * P' and [P'] is adequate for execution (in the
sense of Lemma 24, forward direction). If (J is var[ 8], P is computable if deref P
is computable and P := E is computable for all semi-closed computable expres-
sions E. If (J is B1 x Bz, Pis computable if fst(P) and snd(P) are computable. If
(J is B1 - Bz, Pis computable if, for all semi-closed computable phrases Q, PQ
is cornputable.
• A general phrase x1: B1. ... , Xn: Bn f- P : (J is computable if, for all semi-closed
computable phrases Q1, ... ,Qn of appropriate types, [Q!, ... ,Qn/X!.····Xn]P
is computable.
Lemma 27 If P - P' and P' is computable then P is computable.
Proof: By induction on the type of P. I
Lemma 28 If[P] = 0 then P is computable.
Proof: By induction on the type of P. I

Lemma 29 All phrases I1 Ir f- P : e are computable.
Proof: By induction on the type derivation of P. We need to show that, for all semi-
closed computable substitutions u that are correct for I1 I r, u(P) is computable. The
proof is a standard argument. (See, e.g., [Gun92].) We show one case, P = ifo, where
a subsidiary induction on (J is involved. The goal is to show that for all semi-closed
computable phrases Po, P1 and Pz, the phrase ifo(Po,PI,Pz) is computable.
If (J is a base type, say comm, then ifo(Po,PI.Pz) -* ifo(P0 ,Pi,P~) whenever
Pi -* P; (for i = 0, 1, 2). It is easy to see that if [P[] are adequate for execution then
[ifo(Po,PI.Pz)] is adequate for execution.
If (J is var[8], we must show that deref ifo(Po,PI.Pz) is computable and that
ifo(Po,PI.Pz) :=Eis computable for all semi-closed computable expressions E. For
the first, use an argument similar to (J = comm above. The second reduces in one
step to ifcmnm(Po, P1 := E, Pz := E) whose computability is covered by the case of
(J = comm above. Wehave the conclusion by Lemma 27.
If (J = lh - Bz, we must show that, for all semi-closed computable phrases
Q of type B1. ifo(Po,PI.Pz) Q is computable. Tilis term reduces in one step to
if02 (Po,PlQ,PzQ), which is computable by the inductive hypothesis for Bz. Wehave
the conclusion by Lemma 27. I
Uday S. Reddy 295
Proof of Proposition 22: Suppose C terminates, i.e., there exists C' such that
C -* C' and ([ ], C') ~ [ ]. It is easy to see (by induction on the structure of
C') that ([ ], w(C')) ~ [ ]. Lemma 25 gives [C] = [C'], and Lemma 24 shows
([] .... *) E [w(C')]. Since [w(C')] s;; [C'], we have ([] .... *) E [C'].
Conversely, if ([] .... *) E [C], by Lemma 29, there exists a phrase C' suchthat
C - * C' and [ C'] is adequate for execution. Since [ ] is the only state for the empty
type context and [] .!l [ ], we have that ([ ], C') ~ []. Hence, C terminates. I
Chapter 20
Linearity, Sharing and State: A Fully Abstract
Game Semantics for IDEALIZED ALGOL with
Active Expressions
Samson Abramsky and Guy McCusker
Contents
1 Introduction 297
2 Models for IA 299
3 The Functional/Imperative Boundary 302
4 TheSemanticsofnew 303
5 Games 306
6 IA- {new} 314
7 Modelling new 316
8 Computational Adequacy 318
9 Full Abstraction 324
10 The Extensional Model 324
11 Related Work 326
12 Further Directions 327
References 328
The manipulation of objects with state which changes over time is all-
pervasive in computing. Perhaps the simplest example of such objects
are the program variables of classical imperative languages. An impor-
tant strand of work within the study of such languages, pioneered by
John Reynolds, focusses on IDEALIZED ALGOL, an elegant synthesis of
imperative and functional features.
We present a novel semantics for IDEAUZED ALGOL using games,
which is quite unlike traditional denotational models of state. The model
takes into account the irreversibility of changes in state, and makes ex-
plicit the difference between copying and sharing'of entities. As a formal
measure of the accuracy of our model, we obtain a full-abstraction theo-
rem for IDEALIZED ALGOL with active expressions.
1 Introduction
Our starting point is the elegant synthesis of functional and imperative pro-
gramming due to John Reynolds [27]. His approach is to take an applied
simply-typed A-calculus in which, by suitable choices of the base types and
constants, imperative features can be represented. The resulting language is
referred to as IDEALIZED ALGOL (lA for short).
The language is in fact parametrized by the choice of basic data types and
operations on them. ln Reynolds's approach, a sharp distinction is drawn be-
tween these basic data types-which can be regarded as discrete sets-and
An extended abstract of this work is to appear in the Proceedings of ünear Logic 1996, Electronic
Notes in Theoretical Computer Sdence, volume 3, Elsevier Sctence, 1996.
298 Chapter 20. linearity, Sharing and State
the pbrase types of the programming language. For each basic data type
(i.e., set) X, there will be two basic pbrase types of the language:
• exp[X]-the type of expressions that yield values in the set X.
• var[X]-the type of (assignable) program variables that can contain
values from the set X.
In addition, there is a basic type c om of commands. Reynolds makes a sharp
distinction between expressions, which he does not allow to have side-effects,
and commands, which are executed precisely to have side-effects. We shall
relax this distinction, and can consequently identify com with exp[1] where
1 is a one-point set-the "unit" type.
The syntax of basic types is then
B ::= exp[X] I var[X] I com.
The general types are defined by
T ··= BIT=> T.
The constants of the language will be as follows:
• Recursion combinators YT: (T => T) => T foreachtype T.
• Conditionals
condB: exp[B] => B => B => B
for each base type B.
• For each operation
{:X1 X··· X Xk- X
on the basic data types, a constant
f: exp[Xd => • • • => exp[Xk] => exp[X].
• Command sequencing:
seqx: com => exp[X] => exp[X]
for each set X. Taking X= 1 this yields
seq: com => com => com
as a special case. Also,
skip:com.
• Variable dereferencing and assignment:
derefx: var[X] => exp[X]
assignx:var[X] => exp[X] => com.
• Block structure:
newx.Y: (var[X] => exp[Y]) => exp[Y].
Again, taking Y = 1 yields
newx: (var[X] => com) => com
as a special case.
Samson Abramsky and Guy McCusker 299
The first three items mean that we can regard lA as an extension of PCF [24],
identifying exp[N]. exp[B] with the basic types nat, bool of PCF. Reynolds's
version of the language, in which expressions cannot have side-effects, is ob-
tained by removing all constants seqx, newx,Y except for seq, newx. With
these constants, we can encode the usual imperative constructs.
Examples
1. x := x + 1 is represented by
x:var[N]t- assignx (succ(derefx)): com.
2. while •(x = 0) do x := x- 1 is represented by
x: var[N]t- Ycom(i\c: com. cond (iszero(deref x))
skip
(seq (assignx (pred(derefx)))
c)): com.
3. The code new x in

(x := 0;
p(x:=x+1);
if x = 0 then n else skip
)
translates into
p: com ~ com 1- new(i\x: var[N].
seq (assign x 0)
(seq (p(assign x (succ(deref x))))
(cond (iszero(deref x))
n skip))): com.
It is worth noting how the translation into lA forces us to be precise about the
types of the variables, and whether they occur free or bound.
lA is surprisingly expressive. For example, scoped arrays with dynamically
computed bounds can be introduced by definitional extension [32], as can
classes, objects and methods [26]. It can thus serve as a prototypicallanguage
combining state and block structure with higher-order functional features in
the same way that PCF has been studied as a prototypical functionallanguage.
2 Models for lA
What should a model for lA look like? Since the language is an applied simply
typed i\-calculus, we should expect to model it in a cartesian-closed category
C [9]. To accommodate the recursion in the language, we can ask for C to
be cpo-enriched [5], or more minimally, to be rational [2]. This says that C
is enriched over pointed posets, and that the least upper bounds of chains
{fk o .L I k E w} of iterated endomorphisms f: A- A exist in a suitably enriched
and parametrized sense (see [2] for details).
As regards the basic data types, following [1] we can ask that the functor
C(l, -):Co- Set.
300 Chapter 20. Iinearity, Sharing and State
have a left adjoint left inverse (.), where Co is a suitable sub-category of C,

and Set. is the category of pointed sets. (If C is Cpo, then Co will be the
sub-category of strict maps, and X:. is the flat domain X1.. If C is a category
of games, then Co will be the sub-category of total morphisms on rr-atomic
objects, and X:. will be the flat game over the set X; see [1].)
Unpacking this definition, it says that for each object A of Co and pointed
set X* (where X is the set of elements of X* excluding the basepoint), there is
a bijection
Co(X":.,A) =Set*(X.,C(l,A))
natural in X* and A, and such that the unit
17x.:X*- C(l,X:.)
is a bijection. This means that each x E X corresponds to a unique morphism
x: 1 - X:. in C, and for each family
(fx: l - A I X E X)
there is a unique C0 -morphism
[fx IX E X]: X:. - A
suchthat
xo; [fx IX E X] = fxo
for all x0 E X. As a special case, each f:X* - Y* in Set* (i.e., each partial
function f: X - Y) is represented by
[gx I XE X]: X::-~
where
gx = { f(x), f(x) de!'ifled
.ly;;-, othel"Wlse.
Thus this adjunction gives us a "constant" or "numeral" for each of the
elements of a data type, and a case construct to branch on the values of a
data type, with (partial) functions between data types represented as special
cases.
This data is used in modeHing the basic types and constants of lA as fol-
lows:
• exp[X] is interpreted by X:., and corn = exp[l] by f:.
• The conditionals and basic operations on data types are interpreted us-
ing the case construct. For example, the constant
ifO: exp[N] ~ exp[N] ~ exp[N] ~ exp[N]
is represented by [gn I n E N], where

9o = [.\x,y: exp[N].x]
9n+l = [.\x,y: exp[N].y].

Samsan Abramsky and Guy McCusker 301
• Skip and sequencing are represented as the degenerate cases of con-

stants and case constructs for the underlying data type X = 1 = { •}.
That is,
[skip] = T ~ i: 1 - 1:
[ se~] = [g. I • E { •} ]: 1: ~ A ~ A
where g. = [.\x:A.x].
To understand this modelling of sequencing, think of 1: as a type with
a single defined value (the denotation T of skip); this value being re-
turned when a command is invoked corresponds to the successful ter-
mination of the command. Now just as a conditional firstly evaluates
the test, and then selects one of the branches for execution, so seq as
a "unary case statement" will firstly evaluate the command, and then,
provided the command terminates successfully, proceed with the con-
tinuation.
What about variables? Here we can make use of another important idea due
to Reynolds [27]. 1f we analyze the "methods" we use to manipulate variables,
in the spirit of object-oriented programming, we see that there are just two:
• the reading (or dereferencing) method:
derefx: var[X] ~ exp[X] .
• the writing (or assignment) method:
assignx:var[X) ~ exp[X) ~ com.
We can identify var[X] with the product of its methods:

var[X] = acc [X] x exp[X]
where acc[X] is the type of "acceptors" or write capabilities. It is then tempt-
ing to take a further step (which Reynolds has often, but not always, taken [27];
cf. also [32]), and identify acceptors with the type indicated by the assignment
operation:
acc[X] = exp[X] ~ com.
However, we do not wish to do this, for the following reason. lA is a call-
by-name language, but it is intended that only values of basic data types, not
"closures" or "thunks", be stored in program variables. Thus we prefer to
define
acc[X] = comx,
the product of X copies of com. We can then define a retraction
c: acc[X] <1 (exp[X] ~ com): r
where c: acc[X]- (exp[X] ~ com) is defined by exponential transposition
from
c:X:.- (comx ~ com)
c = [rrx I XE X],
302 Chapter 20. Linearity, Sharing and State
and
r = (rx I x EX): (exp[X] => com) - acc[X]
where rx: (exp[X] => com)- com is defined by:
exp[X] => com::;;;; (X:,=> com) x 1 ~<X:.=> com) x X:.~ com.
If these definitions are worked out in the case of Cpo, it will be seen that r is
"strictification", while c is just inclusion of strict functions, as expected.
Given these definitions, we can now define
[deref] = snd
[assign] = c o fst.
Since we have omitted products from our version of lA for notational simplic-
ity, it also makes sense to define a variable constructor
mkvarx: (exp[X] => com) => exp[X] => var[X]
by
[mkvarx]fe = (r o {, e).
3 The Functional/lmperative Boundary

At this point, the reader should be experiencing a sense of vertigo, or at least
puzzlement. Wehave provided a notion of model for lA which is only the
mildest extension of the usual notion of model for PCF, and yet which appears
to account for all the imperative features of the language, without introducing
states or any other device for explicitly modelling assignable variables! What
is going on?
The answer is indeed a very interesting consequence of Reynolds's analysis
of imperative languages, although it is one which, as far as we are aware, he
has not hirnself explicitly drawn. Firstly, note that a more precise statement
is that the notion of model we have developed to this point accounts for ev-
erything in lA ext;ept the new constants, i.e., block structure. We refer to the
sub-language obtained by omitting the new constants as lA- {new}. We can
now formulate the following thesis:
IlA- {new} isapure functionallanguage.j
At first sight, this seems nonsensical, since the usual "basic imperative lan-
guage" [33], which does not include block structure, can be represented in
lA- {new}, as shown in Section 1. However, recall that the process of trans-
lating an imperative language into lA forced us to be more explicit about free
and bound variables. The "basic imperative language" of the textbooks actu-
ally relies on an implicit convention by which the program variables, which are
all global, are bound (and possibly initialized) at the top level. We claim that
it is only when identifiers of type var[X] are bound to actual "storage cell
objects"-which is exactly what the new constants do-that real imperative
behaviour arises.
Of course, to substantiate this claim, we must show, not only that our sim-
ple specification of a "functional model" for lA- {new} suffices to interpret
the syntax, but that actual models so arising do faithfully reflect the concepts
in the language, and capture the operational behaviour of programs. We can in
fact do this in a very strong sense. As we shall see in Section 6, the categories
of games used to give the first syntax-independent constructions of fully ab-
stract models for PCF [2, 11], when used to give models for lA- {new} in the
way we have described, again yield fully abstract models. Moreover, the proof
of full abstraction is a very easy extensionofthat for PCF, and can be given at
the axiomatic level introduced in [1]. This latter point means that any model
of the axioms in [1] yields a fully abstract model of lA- {new}.
Firstly, however, we shall turn to the question of modeHing the new con-
stants.
4 The Semantics of new

Our previous discussion has located the functional/imperative boundary, the
point at which genuinely "stateful" behaviour arises, in the semantics of the
new constant. What are the key features of this construct?
Locality The "object" created by a local declaration
newx inC
must be "private" to C. This causes problems for traditional models
based on representing the state in a global, monolithic fashion by a
mapping from "locations" to values. The functor-category approaches
[21, 32] address this problern by replacing the global state by a functor
varying over "stages".
Irreversibility When a variable is updated, the previous value is lost. Again,
models based on representing states as functions find it hard to account
for this feature. For good discussions of this point see [18, 25].
Sharing Multiple occurrences of a variable in a functional program refer, con-
ceptually at least, to different "copies" of the same, unebanging value
("referential transparency"); this implies that the temporal order in
which these occurrences are dereferenced makes no difference to the
outcome. By contrast, multiple references to an assignable variable re-
fer to different time-slots in the life of a single underlying object with
state which changes over time; this is sharing rather than copying.
How can we capture these features? The point of view we wish to adopt is
one we have already hinted at, and indeed appears in a significant line of
previous work [15, 16, 25]. We want to understand new x in C as binding
the free identifier x of type var[X] to an "object" or "process" that gives the
behaviour of a storage cell. The behaviour of new x in C then arises from
the interaction between C and this cell, which is "intemalized", i.e., hidden
from the environment. Such an account immediately addresses two of the key
features of new noted above:
• Locality is addressed, since the interaction between C and the storage
cell process is hidden from the environment.
• Irreversibility is addressed, since the state of the storage cell will change
as C interacts with it.
How can we formalize this idea in our current framework? A first attempt is
to consider introducing a constant
cellx: 1 - var[X]
such that, if f: var[X] - A, new(f) is given by the composition
new(f) = 1 ~ var[X] ..1.. A.
The idea is that cellx gives the "behaviour" of our storage cell process. How-
ever, recalling that
var[X] = comx x exp[X]
this is clearly hopeless, since a constant of this type, which in particular will
supply a constant value every time we read from the variable, is clearly just
what we don't want!-We need to take account of the changing state of the
variable.
At this point we produce our deus ex machina: linear Logic! Up to this
point, we have been working exclusively with intuitionistic types; since every-
thing except new was essentially functional, this was all we needed, at least to
get a model. But now we need a loop-hole to get some access to the dynamics,
and linear Logic provides such a loop-hole. Suppose then that our cartesian
closed category C arises as C = K,(.L), the co-Kleisli category of a linear cate-
gory L with respect to the ! comonad [6, 28]. The intuitionistic function types
we have been using get their standard decompositions into the linear types:
A~B=!A-oB.
In particular, we see that the type of newA is:

newx,A: !( !var[X] _., exp[A]) _., exp[A].
Now suppose that we have a morphism
cellx:I- !var[X].
Then we can define newA as the composition
·!( !var[X] _., exp[A])
!der
!var[X] _., exp[A]
!~
(!var[X] _., exp[A]) ®I
lidecellx
( !var[X] _., exp[A])® !var[X]
!Ap
exp[A]
(Here der is the derelietion map (the eounit of !), and Ap is the linear appliea-
tion.)
Note that Linear types really are neeessary here. If we had a eonstant
cellx: var[X] in the language, and tried to define
new f = f cellx,
then this would be interpreted in K, (L) by
cellÖ f
I - !var[X] - - A
where cellÖ is the "promotion" of a morphism

cell 0 : I - var[X].
But the promotionwill behave "uniformly" in eaeh eopy of var[X], whereas
we clearly need behaviour that is history-sensilive, and depends on the previ-
ous history of aeeesses to other "eopies" (whieh are really the previous time
slots of the single shared underlying objeet with state). Thus the cell mor-
phism we require will notbe of the form cellÖ for any cello:I- var[X).
Provided that we ean define a suitable morphism
cellx:I- !var[X]
that does eapture the behaviour of a storage eell objeet, then we have eom-
pleted our semanlies of lA. In Seetion 7 we shall see that this ean indeed be
done for a suitable eategory of games, and by this means we will obtain the
first fully abstraet model of lA.
The point tobe emphasized here is how small an inerement from the mod-
elling of PCF is required to eapture lA, provided a suffieient handle on the
dynamies is present in our semanlies in order to define the cell morphism.
The key feature of game semanties is that the dynamics is already there.
How is sharing represented in this approaeh? Firstly, the multiple refer-
enees to a variable are interpreted using the eoeommutative eomonoid strue-
ture of !var[X], i.e., the eontraetion rule, so that the interpretation of a bloek
new x in C looks like:
!var[X]
cell
/®
I !var[X] : !Cl com
~®
!var[X]
The eontraetion merges the aeeesses to the variable x arising from the various
oecurrenees of it in C into a single "event stream". The task of the cell
morphism is to impose the appropriate eausality on this event stream, so that
in particular a read will return the last value written.
5 Games
We will describe three categories of games in this paper:
• {7: a linear category of games;
• C: a cartesian closed category derived from {7, essentially by a co-Kleisli

construction; and
• C/;!;: an "extensional" (but not well-pointed!) category, obtained from C
by quotienting by the intrinsic preorder.
{1 will be basic to all our work. We will present a model of lA in C and prove
the key results on Computational Adequacy and Definability for that model.
The full abstraction of CI;!;; will then be an easy consequence.
An important technical role will be played by a lluf (same objects, fewer
morphisms) subcategory {;mn ... {1 of innocent strategies. For contrast, we will
call the strategies in the larger category knowing.
The category {;mn was introduced in [13, 14] and used there to construct a
fully abstract model for FPC, a functionallanguage with sums, products, func-
tions and recursive types. It is a generalization of Hyland and Ong's previous
category of dialogue games and innocent strategies [11], with many improve-
ments in defi.nitions, presentation and identification of key lemmas based on
the ideas in [2].
Most of the verification that the structures described below have the re-
quired properties is identical tothat for the categories described in [13], so we
shall refer extensively to that work for proofs.
5.1 Arenas, views and legal positions

Definition An arena Ais specified by a structure (MA, AA, 1-A) where
• MA is a set of moves;
• AA:MA- {0, P} x {Q,A} is a labelling function that indicates whether a

move is by Opponent (0) or Player (P), and whether it is a question (Q) or
an answer (A). We write the set {0, P} x {Q,A} as {OQ, OA, PQ, PA}, and
use .\~P to mean .\A followed by left projection, so that .\~P (m) = 0 if
.\A (m) = OQ or .\A (m) = OA. Define .\~ in a similar way. Finally, XA is
.\A with the 0/P part reversed, so that
XA(m) = OQ = .\A(m) = PQ
and so on.lf .\~P(m) = 0, we call man 0-move; otherwise, m is a P-move;
• 1- A is a relation between MA + { *} (where * is just a dummy symbol)
and MA, called enabling, which satisfies
(el) *1-Am=>.\A(m)=OQA[nl-Am = n=*];
(e2) mI-An 1\ .\~(n) = A => .\~(m) = Q;
(e3) m 1-A n " m /. * => .\~P (m) /. .\~P (n).
The idea of the enabling relation is that when a game is played, a move can
only be made if a move has already been made to enable it. The * enabler
is special-it says which moves are enabled at the outset. A move m such
that * 1- A m is called initial. Conditions (e2) and (e3) say that answers are
enabled by questions, and that the protagonists always enable each other's
moves, never their own.
Given an arena, we are interested in sequences of moves of a certain kind.
Before defining these, let us fix our notation for operations on sequences. If s
and t are sequences, we write st for their concatenation. We also write sa for
the sequence s with element a appended. Sometimes we use the notation s · t
or s · a when it aids legibility. The empty sequence is written as E. The prefix
ordering on sequences is written as ~;.
Definition A justified sequence in an arena A is a sequence s of moves of A,
together with an associated sequence of pointers: for each non-initial move m
in s, there is a pointer to a move n earlier in s such that n 1- A m. We say that
the move n justifies m. Note that the first move in any justified sequence must
be initial, since it cannot possibly have a pointer to an earlier move attached
to it; so by (el), justified sequences always start with an opponent question.
Given a justified sequence s' define the player view rs, and Opponent
view LsJ of s by induction on lsl, as follows.
rE' E.
rsm' . . s,m, if m is a P-move.
rsm' m, if * 1-m.
rsmtn' rs'mn, if m justifies n and n is an 0-move.
LEJ E.
LsmJ Ls.Jm, if m is an 0-move.

LsmtnJ Ls.Jmn, if m justifies n and n is a P-move.
The view of a sequence is intended to represent the "currently relevant" sub-

sequence of moves. However, notice that the view of a justified sequence need
not itself be justified: the appearance of a move m in the view does not guar-
antee the appearance of its justifier. This will be rectified when we impose the
visibility condition, to follow.
A justified sequence s is well-formed if it satisfies
(wl) Players alternate: if s = s 1 mns2 then A0 P(m) f. A0 P(n).
(w2) The bracketing condition. We say that a question q ins is answered by a
later answer a in s if q justifies a. The bracketing condition is satisfied
by s if for each prefix tqua of s with q answered by a, the last unan-
swered question in tqu is q; in other words, when an answer is given, it
is always to the most recent question that has not been answered-the
pending question.
A useful intuition is to think of questions as left parentheses, (, and
answers as right parentheses, ). ln order to satisfy the bracketing con-
dition, the string of brackets must be a prefix of a well-formed string of
brackets, and furthermore each ) must be justified by the correspond-

ing (. Of course this is where the name "bracketing condition" comes
from.
A well-formed sequence s is legal, or is a legal position, if it also satisfies
the following visibility condition:
• if tm !;; ; s where m is a P-move, then the justifier of m occurs in r t,.
• if tm!;;;;; s where m is a non-initial 0-move, then the justifier of m occurs
in Lt J •
We write LA for the set of legal positions of A.

5.2 Games and strategies
Definition Let s be a legal position of an arena A and let m be a move in
s. We say that m is hereditarily justified by an occurrence of a move n ins
if the chain of justification pointers leading back from m ends at n, i.e., m is
justified by some move m1o which is in turn justified by m2 and so on until
some mk is justified by an initial move n. We write s t n for the subsequence
of s containing all moves hereditarily justified by n. This notation is slightly
ambiguous, because it confuses the move n with a particular occurrence of n;
however, no difficulty will arise in practice. We similarly define s t I for a set I
of (occurrences oO initial moves instobe the subsequence of s consisting of
all moves hereditarily justified by a move of I.
AgameAis specified by a structure (MA, .\A, I-A, PA) where
• (MA,.\A,I-A) isanarena.
• PA is a non-empty, prefix-closed subset of LA, called the valid positions,
and satisfying
if s E PA and I is a set of initial moves of s then s t I E PA.
5.2.1 Multiplicatives
Given games A and B, define new games A ®B and A - B as follows.
MA®B MA +MB.
,\A®B (,\A, ,\B ).
* 1-A®B n = * 1-A n V* 1-B n.
m I-A0B n = m 1-A n v m 1-B n.
PA®B {s E LA0B 1 s r A E PA A s r B E PB}.
MA-B MA+MB.
,\A-B rxA."B1·
*1-A-Bm =*I-Bm.
mi-A-Bn = mi-Anvmi-BnV(*I-BmA*I-An) form#*.
PA-B {s E LA-B I s r A E PA A s r BE PB}.
ln the above, s r A denotes the subsequence of s consisting of all moves from
MA, and s t Bis analogous. The conflict with the previously introduced nota-
tion s r I should not cause any confusion.
The tensor unit is defined by I= (0, 0, 0, {E}).
5.2.2 Strategies
Definition A strategy a for a game A is a non-empty set of even-length posi-
tions from PA, satisfying
(sl) sab E a ==> s E a.
(s2) sab, sac E a ==> b = c, and the justifier of b is the same as that of c. In
other words, the justified sequences sab and sac are identical.
The identity strategy for a game A is a strategy for A __" A defined by
idA = {s E Pl~~Az I Vt ~;;even S. (t t A1 = t t Az)}.
We use subscripts to distinguish the two occurrences of A, and write t ~;;even s
to mean that t is an even-length prefix of s.
All that idA does is to copy the move made by Opponent in one copy of
A to the other copy of A. The justifier for Player's move is the copy of the
justifier of Opponent's move. lt is easy to checkthat this does indeed define a
strategy.
5.2.3 Composition
The categories we will work in have games as objects and strategies as mor-
phisms. Therefore, given strategies a:A __"Band T:B __" C, we would like to
compose them to form a strategy a; T: A __" C. First, some auxiliary definitions
are necessary.
Definition Let u be a sequence of moves from games A, B and C together
with justification pointers from all moves except those initial in C. Define
u t B, C to be the subsequence of u consisting of all moves from B and C; if a
pointer from one of these points to a move of A, delete that pointer. Similarly
define u t A,B. We say that u is an interaction sequence of A, B and C if
u t A,B E PA-Band u t B, CE PB-C· The set of allsuch sequences is written
as int(A, B, C).
Suppose u E int(A, B, C). A pointer from a C-move must be to another
C-move, and apointer from an A-move a must be either to another A-move,
or to an initial B-move, b, which in turn must have a pointer to an initial
C-move, c. Define u t A, C tobe the subsequence of u consisting of all moves
from A and C, except that in the case outlined above, the pointer from a is
changed to point to c:
A B
b/
__,c C
becomes
A
/c c
a
/ a
Given strategies a: A __" B and T: B __" C, define a II T tobe
{u E int(A,B,C) Iu t A,B E a 1\ u t B,C E T}.
We are now ready to define the composite of two strategies.
Definition If a:A __"Band T:B __" C, define a; T:A __" C by
a ;T = { u t A, C I u E a II T}.
5.2.4 Innocent strategies

Definition A strategy u: A is innocent if and only if it satisfies
sab Eu 1\ t Eu 1\ ta E PA 1\ 'ta' = •sa' = tab Eu.
In other words, how u plays depends only on the current P-view.
5.2.5 The categories (j and Yinn

The objects of (j and its Huf subcategory Yinn are games. A morphism from
A to B in (j is a strategy u: A __., B. The Huf subcategory Yinn has as mor-
phisms only the innocent strategies. Composition and identities are as de-
scribed above.
Proposition 1 (j and Yinn are categories.
5.2.6 Monoidal structure

Wehave already given the object part of the tensor product. We now describe
the corresponding action on morphisms that makes tensor into a bifunctor
and (j into a symmetric monoidal category.
Given u:A- Band T: C-D, define u ® T: (A ® C) __., (B ® D) by
u ® T = {s E LA®C~B®D Ist A,B Eu" s t C,D E T}.
We can now define natural isomorphisms unit, assoc and comm with com-
ponents unitA: A ® I - A, assocA,B,c: A ® (B ® C) - (A ® B) ® C and
commA,B: A ® B - B ® A given by the obvious copycat strategies-in each case
the set of moves of the domain game is isomorphic to the set of moves of the
codomain game. It is then trivial to verify the foHowing.
Proposition 2 The structure described above makes (j into a symmetric mon-

oidal category. Yinn is a sub-symmetric monoidal category o{ (j.
5.2.7 Closed structure

To make (j into a symmetric monoidal closed category, we need to show that
each functor - ® B has a (specified) right adjoint. Observe first that the only
difference between games A ® B _., C and A _., (B _., C) is in the tagging of
moves in the disjoint unions. Therefore
(j(A ® B, C) {u I u is a strategy for A ® B _., C}
{u I u is a strategy for A __., (B _., C)}
(j(A, B _., C).
Denote this isomorphism by A 8 (-). This structure gives us:
Proposition 3 (j is an autonomous (i.e., symmetric monoidal closed) category.

Yinn is a sub-autonomous category of(j.
5.2.8 Products
Given games A and B, define a game A &B as follows.
MA&B MA +MB
AA&B [.\A, AB]
* 1-A&B n <=> *1-AnV*I-Bn
m 1-A&B n <=> m1-Anvm1-Bn
PA&B {s E LA&B Ist A E PA Ast B = E}
u {s E LA&B I s t BE PB A s t A = E}.
We can now define projections rr1:A&B- A and rr2:A&B- B by the obvious
copycat strategies. Given u: C-A and T: C- B, define (u, T): C- A&B by
(u, T) {s E Lc-A&B Ist C,A Eu Ast B = E}
u {s E Lc-A&B Ist C,B ETAs t A = E}.
Proposition 4 A & B is the product of A and B in both {i and {imn, with projec-
tions given by rr1 and rr2.
1t should be clear how this definition generalizes to give all products.
5.3 Exponential
Definition Given a game A, define the game !A as follows.
M!A MA
A!A AA
1-!A I- A
P!A {s E L!A I for each initial move m,s t m E PA}.
5.3.1 Promotion
Given a map u: !A - B, we wish to define its promotion ut: !A - !B to be a
strategy that plays "several copies of u". However, in general this cannot be
done because there is no way for ut to know how the many threads of dialogue
in !A - o !B should be grouped together to give dialogues in !A - o B. There is a
dass of games B for which this can be done, however: the well-opened games.
Definition Agame A is well-opened iff for all sm E PA with m initial, s = E.
In a well-opened game, initial moves can only happen at the first move, so
there is only ever a single thread of dialogue. Note that if B is well-opened
then so is A - o B for any game A, so while !A is not well-opened except in
pathological cases, the game !A - o Bis well-opened whenever Bis. We are
going to construct a cartesian closed category in which all games are well-
opened and exponentials (in the ordinary sense, not the linear logic one) are
given by !A - o B, so this Observation is important.
Given a map u: !A-B, define its promotion ut: !A- !B by
ut = {s E L!A-!B I for all initial m,s t m Eu}.
Proposition 5 If A and B are well-opened games, and u is a strategy for
!A - o B, then ut is a strategy for !A - o !B. If u is innocent then so is ut.
5.3.2 Dereliction
For well-opened games A, we can define derA: !A- A tobe the copycat strategy
{s E Pt'Z~A I Vt !;;even s.t r !A = t r A}.
Dereliction and promotion behave as expected where they are defined.
Proposition 6 Let A, B and C be well-opened games, and Iet u: !A - B and
T: !B - C be strategies. Then
• ut ; derB = u,
• der1 = id,A, and
• ut;Tt=(ut;T)t.
We now note an important Iemma.
Lemma 7 (Bang Lemma) If B is well-opened and u: !A - !B is innocent then
u = (u;derB)t.
5.3.3 Contraction
We define conA: !A - !A ® !A. For any s E P!Ao-!At @!Az, Iet I be the set of
occurrences of initial moves in A1 and J be the set of occurrences of initial
moves in A2. Let s1 = s r I and s2 = s r ]. Then define conA as
{s E P,'Z:~!At@!Az I Vt !;;even s. (tl r !Ao = tl r !AI) A (t2 r !Ao = t2 r !A2)}.
5.3.4 Exponential isomorphisms
These reduce to identities in the present setting:
!(A&B) !A ® !B.
I = !I.
5.4 The cartesian dosed categories C and C1nn

We can now define the cartesian closed category of games C, in which we will
modeiiA.
Objects : Well-opened games
Morphisms u: A - B : Strategies for !A - B
For any well-opened game A, the strategy derA: !A - Ais the identity map
on A, and given morphisms u:A- Band T:B- C, that is to say strategies
u: !A - B and T: !B - C, we define the composite morphism u ~ T: A - C to
be ut ;T.
The innocent strategies form a lluf subcategory C1nn of C.
Products in C and C1nn are constructed as in (:1: set A x B = A&B; moreover,
C(AxB,C) (j(!(A&B),C)
(j(!A ® !B, C)
_ (j(!A, !B- C)
C(A,!B- C).
So we can define A => B to be the game !A - B, giving cartesian closure.
Proposition 8 C is a cartesian closed category, and C1nn is a lluf sub-cartesian
closed category of C.
5.4.1 Order enrichment

The strategies for agame A are easily seen to form a directed-complete partial
order under the inclusion ordering, with least element .L= {E}. Moreover,
composition, tensor, currying etc. are all continuous with respect to this order.
Applying this to the hom-objects A _.., B, we obtain:
Proposition 9 (i is a CPO-enriched autonomous category. C is a CPO-enriched
cartesian closed category.
For any innocent strategy u: A, define the view-function of <T to be the
partial function f from P-views to P-moves defined by
f(v) = b = 3sa.sab E <T" •sa' = v.
Proposition 10 The knowing strategies for agame A form a dl-domain; the
compact strategies are those with a finite set of positions. The innocent strate-
gies for a game A also form a dl-domain, with the compact strategies being
those with finite view-function.
Note that an innocent strategy with finite view-function is not nece~sarily
finite qua set of positions-this was the point of introducing view-functions
in the first place. For example, by the Bang Lemma any innocent strategy
for !A other than 1. has an infinite set of positions. Thus we shall speak of
an innocent strategy u: A with finite view function being innocently compact,
i.e., compact in §~nn(I,A).
5.5 Standard data types

As described in [1], the category C has standard data types given by flat games.
For any set X, the game X: has one initial question q, and one answer for each
element x EX. The valid positions of the game are given by the set
{E,q} u {qx I x EX}.
For any x E X, the morphism x: 1 -X: is the strategy {E, qx} that responds
to the question q with answer x. Fora family of maps (fx: 1 - A I x E X),
the morphism [fx I x E X]: X: - A is the strategy that responds to the initial
move of A by playing q in X:, and after receiving the answer x, continues to
play in A according to fx·
Following the interpretation of lA- {new} outlined in Section 2, the type
exp[X] is interpreted as the game X:. In the case of com = exp[l ], weshall
call the initial question run and the unique answer done. The type var[X] is
interpreted as exp[X] x comX; weshall refer to the initial question of the first
component as read, and to the moves of the xth copy of com as write(x)
and ok. The strategy interpreting seqcom is therefore:
com ~ com ~ com
run
run
done
run
done
done
and the interpretation of assign is as follows.

var[X] ~ exp[X] ~ com
run
read
X
write(x)
ok
done
Note that these strategies are innocent; in fact the whole machinery of Stan-
dard data types works inside C~nn, so our interpretation of lA- {new} uses
only innocent strategies.
5.6 Intrinsic Preorder

Our full abstraction result will in facthold not in C, but in the quotient of C
with respect to a certain preorder, which we now define. Let ~ be the game
with a single question q and one answer a (so ~ is isomorphic to the game
interpreting com as described above). There are only two strategies for ~=
1.= {E} and T = {E,qa}. Maps a:A- ~in C can be thought of as tests
on strategies for A: a strategy u passes the test if u ~ e< = T. The intrinsic
preorder for strategies on A is defined as follows.
U ~ T iff Ve<:A- ~.U ~ C< = T = T ~ C< = T.
So u ~ T if T passes every test passed by u. It is Straightforward to show the

following.
Proposition 11 :s is a preorder on each hom-set of C, and the quotient C 1~ of
C by ~ is a poset-enriched cartesian closed category.
6 lA- {new}
The structure exhibited for G1nn in the previous section allows us to model
lA- {new} according to the definitions given in Section 2. Since innocent
strategies correspond precisely to functional programs, as shown in [11, 13,
14], this provides some immediate confirmation of our thesis that lA- {new}
is a pure functionallanguage.
The aim of this section is to prove the following result.
Theorem 12 (Innocent Definability) Let T be an IA type. Every compact inno-
cent strategy u on the game [ T] is definable in IA- {new}; i.e., for some closed
term1-M: T, [M] = u.
We will in fact prove a more general result at the axiomarte Ievel introduced
in [1]. (We shall assume the material in [1] as background.)
Theorem 13 (Definability for Normed Sequential Categories) Let C be a
normed sequential category with all small products (where it is understood that
rr-atomicity now re{ers to arbitrary products rather than just finite ones). Any
such category gives rise to a model of IA- {new} as specified in Section 2. Then
for any IA typeT and compact morphism f: 1 - [T] in C, f is definable in
IA- {new}.
Since Cmn is a normed sequential category, as shown in [1] and [13], Theo-
rem 13 implies Theorem 12.
Proof: The proof is a Straightforward extension of the proofs of the Decom-
position Theorem (Theorem 4.1) and the Definability Theorem for Normed
Categories (Theorem 8.2) in [1]. We shall just describe the additional steps in
the argument. For notational simplicity, we shall assume that the only basic
data types are N and the unit type.
Suppose then that T = T1 ~ T2 ~ . . . ~ Tk ~ B is an IA type, where
Ti = Ui.l ~ ... ~ Ui,q1 ~Bi, 1 ::5 i ::5 k, and that
f: 1- [T]
is a compact morphism in C.
Suppose first that [B] =X:. (so that B = exp[N] or B = com = exp[l ]).
Since [B] is discrete, we can apply a case analysis:
• f =.L. Then f = [,\x: f.n], where we write f = T1, ... , Tk.
• f is (the exponential transpose of)
!(T1 & · · · & Tk) --.. 1 ___i_.. .f:.
for a (necessarily unique) c E X. Then if B = exp[N], f = [A.x: f.c],
while if B = com, f = [,\x: f. skip].
• f =Ci({!, ... ,fqp (go, . .. ,g,_I)) where Bi= exp[N]. Then
f = [A.x: f. case,(xi(Mlx) · · · (Mq1x))(Pox) · · · (P1-1x)]
where [Mj] = fi for 1 ::5 j ::5 qit and [Pj] = 9i for 0 ::5 j < l.
• f = C<f1 .... ,{q1 • (g.)) where Bi= com. Then

f = [,\x: f. seqs(xi(Mlx) · · · (Mq1X))(Px)]
where [Mj] = {j for 1 ::5 j ::5 qi and [P] = g •.
• f = Ci({!, ... , {qp (go, ... , 91-d) where Bi = var[N]. ln this case, by the
rr-atomicity of B, f must factor through one of the projections
var[N] ~ exp[N]
or
var[N] ~ com.
ln the first case,
f = [,\x: f. case,(deref(xi(Mlx) · · · (Mq 1x))(Pox) · · · (P1-1x)) ],
while in the second case,

f = [A.x: f. seqa(assign(xi(Mlx) · · · (Mq1x))n)(Px)]
where Mj. Pi and P are defined inductively as in the previous two cases.
Finally, we consider the case where B = var[N]. By the universal property of

the product,
f = ((fn In E N),fe)
and by the previous cases, fn = [Pn] for all n E N, and fe = [M], while fn =l.
for almost all n by compactness of f. Then for some l,
f = [Ax:f.mkvar(Ax:exp[X].case,xP0 • • ·P1-dM].
I
Anormal form for compact terms of lA- {new} can be extracted from this
proof, extending the PCF "evaluation trees" [2].
7 Modelling new
Returning to the discussion in Section 4, to complete our semantics for lA, we
must specify a morphism
cellx:I- !var[X].
Plays in !var[X] have the form
read · vo · write(vt) · ok · read · v2 ...
where each re ad and each wri t e (-) is initial, and all other moves are justi-
fi.ed by the immediately preceding move. Note that the type !var[X] imposes
no causality constraints between the result returned by a read and the value
previously written. Thus in the above example we could have v2 :/= v1 • The
definition of cell as a deterministic strategy on this game is quite clear; it
should respond to a write(v) with ok, and to a read with the value last
written, if any. If there has been no write performed, the uninitialized cell
will have no response to a read, while an initialized cell cellx.vo with initial
value v0 will return v0 in this case.
This strategy clearly implements the required behaviour, and is a well-
defi.ned deterministic strategy. However, it is not innocent. Indeed, note
that since all Opponent moves are initial, the P-view when Opponent has just
moved consists only of the move Opponent has just played. Thus innocent
and history-free strategies coincide on this game. This lack of innocence is
exactly what allows cell to take account of the previous accesses to the vari-
able, and hence to correctly implement sharing rather than copying.
Thus we find that our model of lA- {new} lives entirely in the subcate-
gory Cmn (and implicitly in ~mn), while to model new we have to use the larger
category ~ of knowing strategies. An obvious question then arises: what sub-
category of ~ is generated by ~inn and cell? The answer is provided by the
following result.
Theorem 14 (Innocent Factorization) Let A be agame suchthat
sa E p~dd A •sa,b E PA ==> sab E PA,
and u: I - A be any (knowing) strategy. Then there exists a set X, x 0 E X, and
an innocent strategy T: !var[X] - A such that
0' = cellx,x0 ; T.
Moreover, if u is compact, T is innocently compact.
Note that this is a weak orthogonality property in the sense of factorization
systems [7].
Proof: The idea is that T simulates a using its view of the play in A together
with (a code for) the full previous history of the play, which it keeps in the
variable. Thus we use state to encode history, a standard idea in automata
theory; the interesting thing here is that we find a point of contact between
machine simulations and factorization systems.
The set X is taken to be (a set of codes for) the positions of A (so it must
be a set of cardinality greater than or equal to that of the set of positions of
A), and x0 tobe the code for the initial position E. Note that the P-view of a
position s in !var[X] _" A contains the string 's t A,. At each 0-move a in A,
following a previous play s, the strategy T behaves as follows:
If a does not have a response at any position of A with player view
'sa t A,, T has no response. Otherwise, it reads code(t) from the variable.
Let b = a(ta). If 'sa t A'b f/; PA, T has no response. Otherwise it writes
code(tab) back into the variable, and then plays bin A.
Note that the assuroption on A together with the fact that a is a valid
strategy ensures that T is well-defined. It is clear that T is innocent, and that
the composite cellx,xo; T = a, as required. Further, if a is compact, it only
has a responsebat a finite nurober of positions ta. ln this case, the strategy T
only has a response at a finite nurober of views, so T is innocently compact. I
We must now show that for any lA type T, the game [T] satisfies the
hypothesis of the above theorem.
Lemma 15 For any IA type T, the valid positions of the game [ T] are precisely
the legal positions with at most one initial move.
Proof: By induction on the structure of T. The base cases are trivial, while
for the inductive step we make use of several technicallemmas from [13].
Suppose T = A ~ B, so that [T] = ![A] __., [B]. It is clear that each valid
position contains at most one initial move and is legal. For the converse, we
proceed by induction on the length of a legal sequence containing at most one
initial move. Again the base case is trivial, so consider a legal position sa with
at most one initial move, and suppose that s E P[T]. To complete the proof we
must show that sa t ![A] E P!IAI and sa t [B] E P[BJ· By the outer inductive
hypothesis, it suffices to show that each of these sequences is legal. For the
altemation condition, in the case a is an 0-move, the visibility condition in [T]
implies that a is in the same component as the last P-move ins, so both so
the altemation condition is satisfied. If a is a P-move, the "state diagram" of
Lemma 3.2.1 of [13) shows that 0 played last in both components, so P cannot
possibly violate the altemation condition. The bracketing condition is clearly
satisfied in each component. For the visibility condition, one can adapt the
proof ofLemma 3.1.6 of [13] to show that 's, t [B] is a subsequence of 's t B',
and similarly for the 0-view, and for the other component. Therefore, since the
justifier of a is in the appropriate view of s, it is also in the appropriate view
of s restricted to the component of a, so the visibility condition is satisfied. I
Proposition 16 For every IA type T, the game [T] satis(ies the hypothesis of
the Innocent Factorization Theorem.
Proof: We must show that if sa E P[f1 and 'sa'b E P[TJ then sab E PITI.
Since r sa' b E Prn. we know that sab is a justified sequence and that players
altemate. The bracketing condition holds in sab because the pending question
at sa is the same as that at r sa,. The visibility condition for sab is clearly
satisfied. Therefore sab is a legal position, and contains at most one initial
move since sa does, and b is a Player-move and therefore not initial. So by the
previous lemma, sab E P[T). I
Theorem 17 (Definability) Every compact strategy er: I - [T] in C, where T
is an JA type, is definable in JA.
Proof: By Theorem 14 and Proposition 16, er factors as
er = cellx,v0 ; T
where T is a compact innocent strategy. By the Innocent Definability Theorem,

for some term 1- M : var[X] => T of lA- {new}, AT = [M]. Writing T =
f => B for some base type B, if B = exp[X] for some X then
er= [A.x: f.new(.\v:var[X]. seqa(assign V vo)(M V x))].
If B = var[X], one can use the universal property of products together with
the above and the constant rnkvar to find a term defining er. The details are
left as an exercise. I
Note that, if the basic data types of lA are countable, then the set of posi-
tions of [T] is countable for every lA type T, and we can take X = N in the
Definability Theorem.
8 Computational Adequacy
1n this section, we introduce the operational semantics of lA and demonstrate
that the the games model is both sound and computationally adequate, yield-
ing an inequational soundness theorem. We present the operational semantics
as a "big-step" evaluation relation, with an auxiliary relation of "structural con-
gruence" (cf. [17)) denoted by =. The structural congruence isthat generated
by ß-conversion and all instances of
M=YM.
We shall assume that the only program variables are of type N for simplicity.
Let us introduce some notation. A var[N]-context r is one of the form r =
xi: var[N], ... ,xn: var[N], with the xi distinct. Ar-store isapartial function
s: {XI, ... , Xn} - {n I n E N}. We write St(f) for the set of all such stores.
If s E St(f,x:var[N]), then s 1 x is the r-store obtained by restricting the
domain of s, while (s I x .... n) denotes the result of updating the contents of x
instobe n. Note that this operation may extend the domain of s, if s(x) was
previously undefined, or may override an existing value for x.
We now define relations of the form
r,s 1-M .(J.B c,s'
where
• r is a var[N]-context
• s,s' e St(f)
• B is a base type
• f 1- M : B is a term-in-context
• c is a canonical form such that r 1- c : B is derivable.
The canonical forms are:
• at type exp[N], the numerals n, and similarly at other expression types;
• at type com, the command skip;
• at type var[N], variables x and expressions mkvar f e.
The relations are defined inductively below. We omit the type tags, and leave
the reader to fill in the rules for the extra, unspecified, operations on base
types.
Structtrrrucongruence----------------------------------~
M =M' f, s 1- M' 1J. c, s'

r,s 1-M 1J. c,s'
r,sl-clJ.c,s
Conditional-------------------------------------------,
f,s 1-M 1J. tt,s' f,s' 1- N 1J. c,s" f,s 1-M 1J. ff,s' f,s' 1- P 1J. c,s"
r,s 1- cond MN P 1J. c,s" r,s 1- condM NP 1J. c,s"
Aritlnnetic------------------------------------------,
f,s 1-M 1J. n,s' f,s 1-M 1J. n+ l,s'
f,s 1-succ M 1J. n+ l,s' f,s 1- predM 1J. n,s'
~quendmg----------------------------------------~
f,s 1-M 1J. skip,s' f,s' 1- N 1J. c,s"

r,s 1- seqM N 1J. c,s"
320 Chapter 20. ünearity, Sharing and State
~ferenc~----------------------------------------,
r,s 1- V~ x,s' s'(x) = n f,s 1- V~ mkvar f e,s' f,s' 1- e ~ n,s"

r,s 1- deref V~ n,s' f,s 1- derefV ~ n,s"
As~gmnent------------------------------------------,
· f,si-E~n.s' [,S'i-V~x.s"
r,s' 1- assign V E ~ skip, (s" I x- n)
f,s 1- E ~ n,s' f,s' 1- V~ mkvar f e,s" f,s" 1- fn ~ skip,s"'
r,s' 1- assign V E ~ skip,s"'
Blocksttucnue---------------------------------------,
f,x:var[N],s 1-M~ c,s'
r,s 1- new ll.x.M ~ c,s' 1x
At first sight, the rule for new may seem restricted, since it applies only
to terms of the form new ll.x.M. However, there is no loss of expressive
power. In our denotational model, the q-law is valid, so for any term M of
type var[X] ~ exp[Y], the terms new M and new ll.x.Mx have the same de-
notation. In the light of the adequacy result to follow, this means that these
two terms are observationally equivalent, so our rule is sufficiently general.
A program is a closed term of type com. We write P~ as an abbreviation
for, () 1- P ~ skip, ()in this case, and Pft for ...,p~. Let Trm(f, T) be the set
of all M suchthat r 1-M: T is derivable. The program contexts Ctxt(f, T) are
those contexts C[-] suchthat C[M) isaprogram for all ME Trm(f, T). The
observational preorder S on Trm (f, T) is then defined by
MSN iff VC[-] E Ctxt(f, T). C[M] ~ => C[N] ~.
8.1 Making state explicit

The correspondence between the behaviour of the model and the operational
semantics is intuitively compelling, but nonetheless the proofs of the sound-
ness and adequacy results that follow are slightly unusual. This is a conse-
quence of the implicit nature of our model of state: the state needs tobe made
explicit in order for the connection between terms and their interpretations to
be made precise.
Consider a var[N]-context r and a state s E St(f). This state can be
represented in our model by a strategy [s]:I -o !var[N] ® • • • ® !var[N]
consisting of a tuple of suitably initialized cell strategies. For example, if r
is x:var[N],y:var[N],z:var[N] and s is the state (x ...... 3,z ...... 7) then [s] is

the strategy
I 2... I® I® I cell 3 ®cell®cell 7 !var[N] ® !var[N] ® !var[N].
The interpretation in the games model of a term r 1- M in state s is given by

the linear composition [s]; [f 1-M]. To study these behaviours more closely,
it will be necessary for us to consider the interaction
[s] II [f 1-M] E int(I, !var[N] ® · · · ® !var[N]. A) ,
where A is the object interpreting the type of M. For any sequence qt1 t 2 in
[s] II [r 1-M], where q is an initial question and t 1 is an even-length sequence
of moves in the !var[N] ® · · · ® !var[N] component, we say that t1 leaves
state s' if the last write moves in each !var[N] aresuchthat each cell is set to
the value given by s'. For example, the sequence
I -o !var[N] ® !var[N] ® !var[N] A
q
read
3
write(5)
ok
write(5)
ok
a
in the state s described above leaves the state (x ...... 3, y ...... 5, z ...... 5).
8.2 Soundness
We are now in a position to state the soundness lemma.
Lemma 18 For any var[N] -context r, any term r 1- M : A and any s E St([),
iff, s 1- M JJ. c, s' then each sequence qt in [s] II [M] has the form qt1 t2, where
t 1 is a sequence of reads and writes in the [r] component leaving state s', and
[s'] II [c] contains the string qt2 • Further, each sequence in [s'] II [c] arises in
this way.
Proof: By induction on the derivation of r, s 1- M JJ. c, s'. The base cases,

for canonical forms, are trivial, and the case of the rule making use of the
=
structural congruence follows from the fact that if M N then [M] = [N].
For new, we have the rule
r,x:var[N],s 1-M JJ. skip,s'
[,s 1- (new .\x.M) JJ. skip,s' 1 X
Notice that [s] interpreted as a r,x : var[N] state is the extension of the
interpretation of [s] as a r state by a single uninitialized cell, that is
I 2-o I® I [s]®cell [r] ® !var[N].
By the inductive hypothesis, the sequence [s] II [M] has the form
[M]
I~ [f] ® !var[N] ----o com
run
t
done
where t leaves state s'. But by definition of [new], the strategy [new(,\x.M)]
behaves as cell; [M], so [s] II [new(,\x.M)] behaves as required.
The cases for all the other constants are similar. We consider that of seq
for illustration. The rule in question is below.
f,s 1-M .U skip,s' f,s' 1- N .U c,s"
r,s 1- seqMN .u c,s"
By the inductive hypothesis, [s] II [M] has the form run · t1 • done, where t 1
leaves state s', and the sequences of moves in [s'] II [N] have the form qt2t3,
where t 2 leaves state s". The sequences in [s"] II [c] are precisely those of the
form qt3 • Because of the copycat nature of [seq], it is then easy to show that
[s] II [seqMN] consists of strings of the form qt1tzt3, giving the result. I
The following simple corollary expresses the sense in which our model is
sound.
Proposition 19 If r, s 1-M .U c, s' then [s]; [M] = [s']; [c].
8.3 Computational Adequacy

We now strengthen our soundness result to show that the model is compu-
tationally adequate; that is, if, for some r 1- M of base type and some state
s E St(f) we have [s]; [M] -/=1.., then r,s 1-M .U. As usual our proof of this
result makes use of logical relations; we shall only describe the proof in out-
line, indicating the points at which it differs from standard such proofs for
functionallanguages.
Define for each type T of lA and each var[N]-context r a relation ~~
between strategies a: ![f] _., [T] and terms r 1-M: T as follows.
• a ~~om M iff for all s E St(f),

[s]; a -/=.1.. leaving state s' => r, s 1-M .U skip, s'.
• a ~~xp[Nl M iff for all s E St(f),

[s]; a = [n] leaving state s' => r,s 1-M .u n,s'.
• a ~~ar[N] M iff
a; 1T1 ~~xp[NJ deref M 1\ a; 7Tz; 1Tn ~~om assign Mn.
• a ~~=>B M iff for any T ~~ N, (a, T) ; ev ~~ MN and if A => B is

var[N] => exp[X], then cell; A-l (a) ~~xp[Xl new M.
In the above, andin what follows, given a strategy u: A ___., (!var[N] ___., B), we
use cell; A-l (u) as an abbreviation for the map
A 2-.o A ®I id®cell A ® !var[N] ~ B.
The extra clause in the case of var[N] ~ com reflects the fact that program
variables can be bound in two ways: either by application to a term of type
var[N], or by allocation of a new local variable.
Lemma 20 Let r, ~ 1- M : T, where r is apart of the context containing only
variables of type var[N] while ~ may contain variables of any type (including
var[N]). Suppose ~ = y 1 : T1 , .•• , Yn: Tn and let O"; be strategies and N 1 be terms
suchthat CT; ~~; N; (or i = 1, ... , n. Write if; ~ [M] for the composite
[f] (id,UJ, ... ,Un) [f, ~] ~ [T],
Then ift ~ [M] 4 M[Ni/)ii].

Proof: By induction on the length of the derivation of r, ~1-M. Weshall just
highlight some of the interesting cases.
• If M is a variable, there are two subcases: either the variable is from r or
it is from ~. In the latter case the result is trivial, while in the former it
is just a matter of showing that [f 1- x] ~~ar[Nl x, which is simple.
• If M is an abstraction, again there are two cases: either it has type
var[N] ~ exp[X], or some other type. In the latter case the result
follows straightforwardly from the inductive hypothesis. Otherwise, let
us just consider the case of the type var[N] ~ com. Suppose we have
r.~ 1- ll.x.M: var[N] ~ com, derived from r.~.x:var[N] 1-M: com.
There are two parts to check, one corresponding to application, the other
to allocation of a new program variable. The first part is proved in the
usual way, by considering x as being in the "~-part" of the context when
applying the inductive hypothesis. For the second part, x must be con-
strued as being in the "f-part". The inductive hypothesis gives us
if; ~ [M] ~~·~m M[Ni/)ii].
We must show that

cell ;A- 1 (if1 ~ [ll.x.M]) ~~om new ll.x.M[Ni/)ii],
i.e., that for any s E St(f), if [s]; (cell; A- 1 (if1 ~ [ll.x.M])) -/=1. leaving
state s' then r,s 1- new ll.x.M iJ. skip,s'. But the left-hand side of the
above is equal to
[s]; (if; ~ [M])
so the result follows from the inductive hypothesis.
• For the case when M is new, it is sufficient to show that
[new] ~(var[N]~com)~com new. Let e ~var[N]~com M. Then by defini-
tion of the logical relation, cell ;A-l (e) ~com new M. But by definition
of [new], ([new], e); ev = cell; A- 1 (e), so the result follows immedi-
~~ I
324 Chapter 20. Iinearity, Sharing and State
Proposition 21 (Computational Adequacy) Let P be a program; then PU iff

[P] /-L
Proof: The left-to-right implication is given by Proposition 19. For the right-
to-left direction, we use the previous Lemma, which teils us that [P] -<com P,
so that if [P] /-1.., then PU by definition of -<com· I
At last we can prove the inequational soundness result in the usual way.
Theorem 22 (Inequational Soundness) Let M,N E Trm(f, T); if [M] ~; [N]
thenMr;;;N.
Proof: Suppose that [M] ~; [N], and that for some C[-] E Ctxt(f, T) we have
C[M]U. By the previous Proposition, [C[Ml] /-1.., and by compositionality of
the semantics, [C[Ml] ~; [C[Nl]. Therefore [C[Nl] /-1.., and hence by the
previous Proposition again, C[N]U. Therefore MSN. I
Note that this result applies to the model in C. To extend it to the model in
CI:S, just observe that Proposition 21 immediately extends tothat model. The
above proof can therefore be used to show the following.
Theorem 23 (Inequational Soundness in CI :s) Let M,N E Trm(f, T); if
[M] :::, [N] then MSN.
9 Full Abstraction
With the Inequational Soundness and Definability results in place, it is a rou-
tine matter to show that C1:::, is a fully abstract model of lA.
Theorem 24 (Full Abstraction) Let M,N E Trm(f, T); then
[M]:::, [N] = MSN.
Proof: The left-to-right direction is the Inequational Soundness result above.
For the converse, suppose that [M] :f; [N]. Without loss of generality we may
assume M and N are closed terms; then by definition of the intrinsic preorder
there exists a strategy oc: ![T] - ~ suchthat [M] ~ oc = T and [N] ~ oc =1...
Clearly oc can be chosentobe compact. Since the game ~ is the same as [com],
the Definability Theorem implies that there is an lA term x: T 1- C[x] : com
suchthat [C[xl] = oc. Therefore [M] ~ oc = [C[M]], and similarly for N. By
Computational Adequacy, C[M] U and C[N] 1t. Therefore M ~ N, completing
the proof. I
10 The Extensional Model

Our fully abstract model C1:::, involves two ingredients: the intensional cate-
gory C and the intrinsic preorder :s. In the case of PCF, our understanding
of the intrinsic preorder on innocent strategies is limited; the recent result of
Loader [12), which implies that it is undecidable even on compact strategies,
shows that this is unavoidable. By contrast, we can give an explicit characteri-
zation of the intrinsic preorder on knowing strategies, from which the effective
presentability of the fully abstract model of lA follows easily.
Say that a play in a game is complete ü it is maximal and all questions have
been answered. Note that, for any lA typeT, the complete plays in [T] are
exactly those in which the initial question has been answered. We call agame
simple in this case. We write compA for the set of complete plays in A. If u
is a strategy on A, we write comp(u) = u n compA. We write Pref(S) for the
prefix-closure of a set of sequences S.
Theorem 25 (Cbaracterization Theorem) Let u and T be strategies on a sim-
ple game A in C. Then
u ::5 T = comp(u) ~ comp(T)
= Pref(comp(u)) ~ Pref(comp(T)).
Proof: Suppose that s = m1 •.. mn E comp(u) \ comp(T). We define a strategy
01: A - ~ that "follows the script of s" (playing as 0) as long as P does. If s is
completed, it replies in ~=
a
Note that 01 is a well-defined (but not in general innocent) strategy. Then by
assumption u; 01 = T while T; 01 =.L. Thus u ::5 T => comp(u) ~ comp(T).
For the converse, suppose that ut; 01 = T and Tt; 01 =.L. The interaction
-
between u and 01 has the form
-u
!A
()(
~
q
m1
mn
a
The sequence s = m1 ... mn can be decomposed into the "threads" s1 = s t it,
••• , Sk = s t ik, where i1, ... , ik are the occurrences of initial moves ins. Each
St must be a complete play in A by the bracketing condition. Clearly we must
have s1 ff. T for some j, 1 !> j !> n, since otherwise we would have Tt; 01 = T.
Finally, since Pref is monotone, comp(u) ~ comp(T) => Pref(comp(u)) ~
Pref(comp(T)). Since the elements of comp(u) aremaximal plays, they form
an anti-chain under the prefix ordertng; Pref is order-reflecting on anti-chains,
yielding the converse. I
Now given the dl-domain C(l ,A), where A is a simple game, define
p:C(l ,A)- C(l ,A) by
p(u) = Pref(comp(u)).
Proposition 26 The map p is a finitary projection [3] whose image is a

dl-domain.
Proof: Note that p(u) = I (u n compA). 1t is easily seen from this description
that p has the stated properties. I
Note that it follows from the Characterization Theorem that
C(A,B)I~ ;;:;; ({p(u) Iu E C(A,B)},~).
The compact elements of C(A, B) I~ correspond to the finite consistent sets of

complete plays, where s consistent with t means that s n t has even length. 1t is
then clear that, if we start from basic data types that are given as enumerated
sets [4], then for each lA type T, C(l, [T])I~ is an effectively presentable
domain.
Theorem 27 (Effective Presentability) The fully abstract model of JA is effec-
tively presentable.
Example Consider the type corn ~ corn. The interpretation of this type in C
is isomorphic to the lazy natural numbers. That is, for each k E N, there is a
strategy denoted by
.\c: corn.c; · · ·; c,
k times
but also a strategy denoted by
.\c: corn. c; · · · ; c; 1.,
k times
and there is a strategy denoted by
Y(.\F: com ~ corn. .\c: corn. c; (Fe)).
In C1~ all these partial strategies, which have no complete plays, collapse
to 1., and the interpretation of corn ~ corn is isomorphic to the flat natural
numbers.
11 Related Work
There have been two main strands of work addressing the issue of local-
ity of store in programming languages from a semantic point of view. The
first, based on the use of functor categories, was pioneered by Reynolds and
Oles [21], and has since been considerably refined, notably by O'Hearn and
Tennent [20]. The idea is essentially to take a traditional "global state" model
and parameterize it with respect to store shapes, to account for the allocation
and later deallocation of local variables. Stark has also used functor categories
to model ML-style references [30], and similar ideas have led to denotational
models of the TT-calculus [10, 31]. The second, perhaps computationally more
compelling, method has been termed "object-based semantics" by Reddy [25].
In this view, commands, procedures and variables are seen as objects or pro-
cesses that interact with one another during the course of a computation. Mil-
ner adopted this approach in an operational setting, translating a language
with local-variable declarations into the process calculus CCS [16], while Reddy
realized the same ideas denotationally, using coherence spaces [25]. Our work
can be seen as the next stage in this line of enquiry.
A somewhat different investigation into the behaviour of ALGOL-like lan-

guages has recently been undertaken by Pitts [23], who uses the operational
semanlies directly to prove certain program equivalences and establish rea-
soning principles, such as a context lemma. It is to be hoped that our games
model can be used for similar purposes, perhaps to strengthen his context
lemma, as has been done for functionallanguages [13], or to develop a novel
logic for reasoning about ALGOL programs.
As regards full abstraction, the strongest results previously achieved have
been by O'Hearn and Reddy [18], for a model combining object-based and
functor-category ideas, and by Sieher [29], for a model using logical relations.
In both cases, the results are that the model captures definability of first-order
functions, and hence full abstraction for closed second-order terms. O'Hearn
and Reddy's results are for essentially the same version of lA as ours. Sieber's
results are for a language without side-effecting expressions, but with "snap-
back" and parallel conditional.
12 Further Directions
As we mentioned in the Introduction, Reynolds's original version of lA does
not allow side-effects in expressions. To capture this restricted language, we
must reflect the distinction between acttve and passive types in the model [26,
19]. A passive type P does not allow side-effects to the environment in the
course of computing a value of type P. This distinction is also crucial to the
Syntactic Control of Interference [26], which is a type discipline for controlling
interference and aliasing in imperative programs.
It is possible to refine the model we have presented here to incorporate
the active/passive distinction, and hence to get a fully abstract model for
Reynolds's originallanguage with passive expressions. This will be described
in a sequel to the present paper. From the point of view of game seman-
tics, what is interesting about this refined model is that, instead of a simple
innocent/knowing dichotomy, we get a whole spectrum of possibilities, with
innocent strategies (when all moves are passive) and knowing strategies (when
all moves are active) as the extreme cases.
This model should also prove a good setting for studying the Syntactic
Control of Interference from a semantic point of view.
Another point for further investigation is suggested by the following dia-
gram:
•l A •B
""'/
I A •B •I AB
lAB
Here I denotes innocence and B the bracketing condition. The category {]1nn
embodies both constraints on strategies, and very successfully captures pure
functional programming [11, 13, 14]. As we have seen in the present paper,
the category of knowing (but well-bracketed) strategies captures lA. If we con-
versely retain innocence but weaken the bracketlog condition then we get a
328 Chapter 20. Ilnearity, Sharing and State
model of PCF extended with non-local control operators [8, 22]. Thus we be-
gin to develop a semantic taxonomy of constraints on strategies mirroring the
presence or absence of various kinds of computational features.
References
[1) S. Abramsky. Axioms for full abstraction and full completeness. Submitted for
publication, 1996.
[2) S. Abramsky, R. Jagadeesan, and P. Malacaria. Full abstraction for PCF. Submitted
for publication, 1996.
[3) S. Abramsky and A. Jung. Domain theory. In S. Abramsky, D. Gabbay, and T. S. E.
Maibaum, editors, Handbook of Logic in Computer Science, Volume 3, pages 1-
168. Oxford University Press, 1994.
[4) A. Asperti and G. Longo. Categories, Types and Structures : An introducnon to
category theory for the working computer sdentist. The MIT Press, 1991.
[5) G. Berry, P.-L. Curien, and J.-J. Levy. Full abstraction for sequentiallanguages:
the state of the art. In M. Nivat and J. C. Reynolds, editors, Algebraic Semantics,
pages 89-132. Cambridge University Press, 1986.
[6) G. Bierman. What is a categorical model of intuitionistic linear logic? In Proceed-
ings ofthe Second International Con(erence on Typed i\-calculi and Applications,
pages 78-93. Leerure Notes in Computer Sdence, volume 902, Springer-Verlag,
1995.
[7) F. Borceux. Handbook of Categorical Algebra, volume 1. Cambridge University
Press, 1994.
[8) R. Cartwright, P.-L. Curien, and M. Felleisen. Fully abstract semantics for observ-
ably sequentiallanguages. Information and Computation, 111(1):297-401, 1994.
[9) R. Crole. Categories (or Types. Cambridge University Press, 1994.
[10) M. P. Fiore, E. Moggi, and D. Sangiorgi. A fully abstract model for the rr-calculus.
In 11th AnnuallEEE Symposium on Logic in Computer Science, pages 43-54. IEEE
Computer Society Press, 1996.
[11) M. Hyland and C.H. L. Ong. On full abstraction for PCF. Submitted for publication,
1996.
[12) R. Loader. Finitary PCF is undecidable. Unpublished manuscript, available from
http: I/info. ox. ac. uk/..:.loader/,1996.
[13) G. McCusker. Games and Full Abstraction (or a Functional Metalanguage with
Recursive Types. PhD thesis, Imperial College, University of London, to appear.
[14) G. McCusker. Games and full abstraction for FPC. In 11th AnnuallEEE Symposium
on Logic in Computer Science, pages 174-183. IEEE Computer Society Press, 1996.
[15) R. Milner. Processes: a mathematical model of computing agents. In Logic Collo-
quium '73, pages 157-173. North Holland, 1975.
[16) R. Milner. A Calculus o(Communicating Systems. Springer-Verlag, 1980.
[17) R. Milner. Functions as processes. Mathematical Structures in Computer Sdence,
2(2):119-142, 1992.
[18) P. W. O'Hearn and U. Reddy. Objects, interference and the Yoneda embedding.
In M. Main and S. Brookes, editors, Mathematical Foundations of Programming
Semantics: Proceedings of 11th International Con(erence, Electronic Notes in The-
oretical Computer Science, volume 1. Elsevier Science, 1995.
[19) P. W. O'Hearn, M. Takayama, A. ]. Power, and R. D. Tennent. Syntactic control
of interference revisited. In M. Main and S. Brookes, editors, Mathematical Foun-
dations of Programming Semantics: Proceedings o( 11th International Confer-
ence, Electronic Notes in Theoretical Computer Science, volume 1. Elsevier Science,
1995. See Chapter 18.
[20) P. W. O'Hearn and R. D. Tennent. Parametricity and local variables. Journal of the
ACM, 42(3):658-709, May 1995. See Chapter 16.
[21) F. ]. Oles. Type categories, functor categories and block structure. In M. Nivat and
]. C. Reynolds, editors, Algebraic Semantics. Cambridge University Press, 1985.
See Chapter 11.
[22) C.-H. L. Ong and C. A. Stewart. A Curry-Howard foundation for functional com-
putation with control (summary). Preprint, ]uly 1996.
[23) A. M. Pitts. Reasoning about local variables with operationally-based logical rela-
tions. In 11th AnnuallEEE Symposium on Logic in Computer Science, pages 152-
163. IEEE Computer Society Press, 1996. See Chapter 17.
[24) G. Plotkin. LCF considered as a programming language. Theoretical Computer
Science, 5:223-255, 1977.
[25) U. Reddy. Global state considered unncessary: Introduction to object-based se-
mantics. LISP and Functional Programming, 9(1):7-76, 1996. See Chapter 19.
[26) ]. C. Reynolds. Syntactic control of interference. In Conf. Record 5th ACM Sym-
posium on Principles of Programming Languages, pages 39-46, 1978. See Chap-
ter 10.
[27] ]. C. Reynolds. The essence of ALGOL. In ]. W. de Bakker and ]. C. van Vliet,
editors, Algorithmic Languages, pages 345-372. North Holland, 1981. See Chap-
ter 3.
[28) R. A. G. Seely. Linear logic, *-autonomous categories and cofree coalgebras. In
Category theory, Computer Science and Logic. American Mathematical Society
Contemporary Mathematics, volume 92, 1989.
[29) K. Sieber. Full Abstraction for the Second-Order Subset of an ALGOL-like Language.
Technischer Bericht A/04/95, FB14, Universität des Saarlandes, 1995. See Chap-
ter 15.
[30) I. Stark. Namesand Higher-Order Functions. PhD thesis, University of Cambridge,
December 1994.
[31) I. Stark. A fully abstract domain model for the rr-calculus. In 11th AnnuallEEE
Symposium on Logic in Computer Science. IEEE Computer Society Press, 1996.
[32) R. D. Tennent. Denotational semantics. InS. Abramsky, D. M. Gabbay, and T. S. E.
Maibaum, editors, Handbook of Logic in Computer Science, volume 3, pages 169-
322. Oxford University Press, 1994.
[33) G. Winskel. The Formal Semantics of Programming Languages. The MIT Press,
1993.
Chapter 21
The Essence of PARALLEL ALGOL
Stephen Brookes
We consider a parallel ALGOL-like language, combining the .\-calculus

with shared-variable parallelism. We provide a denotalional semanlies
for this language, simultaneously adapting the possible-worlds model of
Reynolds and Oles [Rey81, Ole82] to the parallel setting and generaliz-
ing the "transilion traces" model of [Bro93] to the procedural setting.
This semantics supports reasoning about safety and liveness properlies
of parallel programs, and validates a number of naturallaws of program
equivalence based on non-interference properlies of local variables.
We also provide a relationally parametric semantics, generalizing
[Bro93] to permit reasoning about relation-preserving properlies of pro-
grams, and adapting work of O'Hearn and Tennent [OT95] to the parallel
setting. This semantics supports standard methods of reasoning about
representational independence.
The clean design of the programming language and its semanlies sup-
ports the orthogonality of procedures and shared-variable parallelism.
Contents
1 Introduction 331
2 Syntax 333
3 Possible Worlds 334
4 Semantics of Types 335
5 Semantics of Phrases 338
6 Relational Parametricity 343
7 Conclusions 347
References 348
1 Introduction
The programming langnage ALGOL 60 has had a major impact on the theory
and praclice of langnage design and implementation. lDEALIZED ALGOL, as
characterized by John Reynolds [Rey81), augments a simple sequential imper-
ative langnage with a procedure mechanism based on the simply-typed call-
by-name .\-calculus; procedure definitions, recursion, and the conditional con-
struct are uniformly applicable to all phrase types. Reynolds identified these
features as embodying the "essence" of ALGOL.
lDEALIZED ALGOL is a sequential programming langnage. Nowadays there
is interest in langnages for shared-variable parallel programming, to permit
the design of efficient programs that exploit parallelism inherent in a problern
by running parallel commands that cooperate by reading and writing to shared
First appeared in Proceedings Eleventh Annual IEEE Symposium on Logic in Computer Sdence,
Brunswick, New Jersey, July 1996, pp. 164-174. © 1996 IEEE, reprinted with permission.

332 Chapter 21. The Essence of PARAllEL ALGOL
memory. The use of procedures in such a language would permit encapsula-

tion of common parallel-programming idioms. For instance, a procedure im-
plementing mutual exclusion with a semaphore could be written (in sugared
form) as:
procedure mutex(nt. c1, n2, c2);
booleans;
begin
s:=true;
wbile true do
(n1; await s then s:=false;
c1; s:=true)
wbile true do
(n2; await s then s:=false;
c2; s:=true)
end
Here c1 and c2 are parameters representing "critical" regions of code, and n 1
and n 2 represent non-critical code. Local variable declarations provide a way
to delimit the scope of interference: the correctness of this procedure relies
on the inaccessibility of s to the procedure's arguments.
It is well known that parallel programs can be hard to reason about, be-
cause of the potential for undesirable interference between commands run-
ning in parallel. One might expect this problern to be exacerbated by the in-
clusion of procedures. Indeed, semantic accounts of shared-variable languages
in the Iiterature typically do not encompass procedures; the (usually implicit)
attitude seems to be that concurrency is already difficult enough to handle by
itself. Similarly, existing models for sequential ALGOL [Rey81, Ole82, OT95]
do not handle parallelism, presumably because of the difficulty even in the
sequential setting of modelling "local" state accurately [HMT83]. Neverthe-
less it seems intuitive that procedures and parallelism are "orthogonal" con-
cepts, so that one ought to be able to design a programming language in-
corporating both seamlessly. This is the rationale behind our design of an
idealized PARALLEL ALGOL, blending a shared-variable parallellanguage with
the .:\-calculus while remaining faithful to Reynolds's ideals.
Even for sequential ALGOL the combination of procedures and local vari-
ables causes well-known semantic problems for traditional location-based
store models. Such models fall to validate certain intuitive laws of pro-
gram equivalence whose validity depends on "locality" properties of local vari-
ables [HMT83]. A more satisfactory semantics was proposed by Reynolds and
Oles [Rey81, Ole82], based on a category of "possible worlds": a world W
represents a set of "allowed states"; morphisms between worlds represent
"expansions" corresponding to the declaration of new variables; types denote
functors from the category of worlds to a category of domains and contin-
uous functions; and well-typed phrases denote natural transformations be-
tween such functors. A command meaning at world W is a partial function
from W to W. Naturality guarantees that a phrase behaves "uniformly" with
respect to expansions between worlds, thereby enforcing locality constraints.
The parallel setting requires a more sophisticated semantic structure be-
cause of the potential for interference between parallel commands. We adapt
Stephen Brookes 333
the "transition traces" semantics of [Bro93], modelling a command at world W

as a set of finiteandinfinite traces, a subset of (W x W)"". The trace seman-
tics given in [Bro93] covers a simple shared-variable parallellanguage, without
procedures, with while-loops as the only means of recursion, assuming a sin-
gle global set of states. This semantics was carefully designed to incorporate
the assumption of (airness [Par79].
It is far from obvious that this kind of trace semantics can be general-
ized in a manner consistent with Reynolds's idealization, to include a generat
procedure mechanism, and a conditional construct and recursion at all types.
Similarly, it is not evident that the possible-worlds approach can be made to
work for a parallellanguage. We show here that these approaches can in-
deed be combined. The treatment of recursion is rather delicate, and requires
the use of Tarski's theorem on greatest fixed points of monotone functions
on complete lattices. The resulting semantics brings out the stack discipline
clearly yet models parallelism at an appropriate level of abstraction to permit
compositional reasoning about safety and liveness properties of programs.
The categorical recasting of [Bro93] permits an improved treatment of local
variables. The semantics for the .\-calculus fragment of the language is com-
pletely standard, based as usual on the cartesian closed structure of the un-
derlying category. Thus our semantics supports the claim that procedures and
parallelism are "orthogonal".
Certain laws of program equivalence, involving the use of local variables
and procedures to represent abstract data objects, are not validated by the
Reynolds-Oles semantics [OT95]. These equivalences embody the principle of
"representational independence" familiar from programming methodology: a
program using an object should behave the same way regardless of the ob-
ject's implementation, provided its abstract properties are the same. These
problems led O'Hearn and Tennent to propose a "relationally parametric" se-
mantics for (sequential) IDEALIZED ALGOL [OT95] (building on foundations laid
in [Rey83]). In this semantics, a type denotes a parametric functor from worlds
to domains, and phrases denote parametric natural transformations between
such functors. The parametricity constraints enforce the kind of relation-
preserving properties needed to establish equivalences involving representa-
tion independence.
These problematic equivalences also fall in the above semantics for
PARALLEL ALGOL. We show how to construct a relationally parametric se-
mantics for PARALLEL ALGOL, generalizing the O'Hearn-Tennent model to the
parallel setting. We thus obtain a semantics that validates reasoning meth-
ods based on representation independence, as adapted to deal with shared-
variable programs.
2 Syntax
2.1 Types and type environments
The type structure of our language is conventional [Rey81]: data types repre-
senting the set of integers and the set of booleans; phrase types built from
expressions, variables, and commands, using product and arrow. We use T as
334 Chapter 21. The Essence of PARALLEL ALGOL
a meta-variable ranging over the set of data types, and (} to range over the set
of phrase types, as specified by the following abstract grammar:
(} ::= exp[T] I var[T] I comm I (0- 0') I (} x (}'
T ::= int I bool
Let L range over the set of identifiers. A type environment rr is a partial func-
tion from identifiers to types. We write dom(rr) for the domam of rr, i.e.,
the set of identifiers for which rr specifies a type. Let (rr I t: 0) be the type
environment that agrees with rr except that it maps L to (}.
2.2 Phrases and type judgements

A type judgement of form rr 1- P : (} is interpreted as saying that phrase P
has type (} in type environment rr. A judgement is valid iff it can be proven
from the axioms and rules in Figure 1. We omit the rules dealing with phrases
of type var[T] and exp[T], except toremarkthat the language contains the
usual arithmetic and boolean operations.
A phrase of form await B then P is a "conditional atomic action"; we im-
pose the conventional syntactic constraint that the body P be "atomic" (i.e., a
finite sequence of assignments or skip). This does not affect the expressive
power of the programming language.
In addition, for convenience, we add the following rule:
rr 1- P: var[T]
TT 1- P: exp[T]
This allows us to elide the otherwise necessary projection for extracting the
"R-value" of a variable.
In displaying examples of programs it is sometimes convenient to use a
sugared form of syntax. For instance, we may write begin integer z; P end for
new[int] z in P.
3 Possible Worlds
The category W of possible worlds [Ole82] has as objects a (small) collection of
sets called "worlds" or "store shapes", representing sets of allowed states. We
assume that Ob(W) is closed under (binary) cartesian product, and contains
Vmt = { ... ,-1,0,1, ... } and Vbool = {tt,ff}.
The morphisms from W to W' are pairs h = (f, Q) where f is a function
from W' to W and Q is an equivalence relation on W', such that the restriction
of f to each equivalence dass of Q is a bijection with W:
• Vx', y'. (x' Qy' & fx' = fy' ~ x' = y');
• 'Vx E W. Vy' E W'. 3x'. (x'Qy' & fx' = x).
Intuitively, when (f,Q):W - W', we think of W' as a set of "large" states
extending the "small" states of W with extra storage structure; f extracts the
small state embedded inside a large state, and Q identifies two large states
when they have the same extra structure.
Stephen Brookes 335
rr r- skip : comm
rr r- X: var[T] rr r- E: exp[T]
rr r- X:=E: comm
rr r- PI : comm rr r- Pz : comm
rr r- PI;Pz: comm
rr r- PI : comm rr r- Pz : comm
rr r- PI II Pz : comm
rr f- P : exp[bool) rr f- PI : 0 rr f- Pz : 0
rr f- Ü P then PI eise Pz : 0
rr r- B : exp[bool] rr r- P : comm
(P atomic)
rr r- await B then P : comm
rr, t:var[T] r- P: comm
rr r- new[T] L in P: comm
Tr f- L: 0 (when Tr(L) = 0)
rr f- p : Oo X OI
rr r- fst P : Oo
rr r- Po : Oo rr r- PI : OI
rr f- (Po, PI): Oo X OI
rr f- p : Oo X OI
rr f- snd p : OI
rr,t:Or-P:O
rr r- rec t.P: 0
Tr, L: 0 f- P : 0'
rr r- .\L: O.P : (0- 6')
rr f- p : 0 - 0' rr f- Q : 0
rr r- P(Q) : 0'
Figure 1: Type judgements
The identity morphism on W is the pair (idw, W x W), where idw is the
identity function on the set W. Foreach pair of objects W and V there is an
"expansion" morphism- x V: W - W x V, given by
- x V= (fst:W x V- W,Q),
where Q = {((w0 , v), (WI, v)) I w0 , WI E W & v E V}. The composite of mor-
phisms h = (f, Q): W- W' and h' = (g,R): W'- W", denoted h; h': W- W",
is the pair given by:
(f o g, {(zo,zd ER I (gzo,gzi) E Q} ).
4 Semantics of Types
Each type (}will be interpreted as a functor [(}] from W to the category P of
predomains and continuous functions, such that:
• for each world W, [9]W is a domain;

• for each h: W - W', [ 9]h is a strict continuous function.
As shown by Oles [Ole82], the category whose objects consist of such functors,
with natural transformations as morphisms, is cartesian closed. We will use
the categorical product and exponentiation in this ccc to interpret product
types 9o x 81 and arrow types 9o - 81. respectively.
4.1 Commands
We interpret the type comm using "transition traces" [Bro93], but instead of
assuming a single global state set we parameterize our definitions in terms of
worlds. Foreach world W, [comm]W will consist of sets of traces over W.
A finite trace (w0, w0)(w1, wi) · · · (wn, w~) of a command represents a termi-
nating computation from state w0 to w~, during which the state was changed
externally n times (by interference from another command running in paral-
lel), the ich interruptionchanging the state from w;_ 1 to Wt. An infinite trace
((wn. w~))~=o of a command represents an infinite execution, again assuming
repeated interference.
When A is a set, we write A * for the set of finite sequences over A, A +
for the set of non-empty finite sequences over A, A 00 for the set of (countably)
infinite sequences over A, and A oo = A + u A 00 • Clearly, each of these operations
extends to a functor (on Set), the morphism part being the appropriate "map"
operation, which applies a function to each element of a sequence.
Using the above notation, a command denotes a subset of (WxW) More- 00 •
over, the trace set of a command is closed under two natural operations: stut-
tering and mumbling. The two closure conditions correspond to the use of
-*, the reflexive and transitive closure of the one-step transition relation, in
a conventional operational semantics for the programming language. As a re-
sult, each element (w, w') of a trace represents a finite sequence of atomic
actions performed by the relevant command. The use of closed sets of traces
guarantees full abstraction for the simple shared-variable language [Bro93].
We formalize this notion of closure as follows. We define relations
stutA,mumA s;;; (A x A)+ x (A x A)+ as follows:
stutA = {(ocß, oc(a, a)ß) I a E A & ocß E (A x A)+}
mumA = {(oc(a,a')(a',a")ß, oc(a,a")ß) I ocß E (AxA)* &a,a',a" E A}.

Let stutÄ and mumÄ denote the extensions of these relations (by iterated con-
catenation) to (A x A) 00 x (A x A) 00 • Intuitively, (oc, ß) E stutÄ when ß is
obtained by inserting stuttering steps between (some of) the steps of oc; sim-
ilarly (oc, ß> E mumÄ when ß arises by contracting adjacent steps of form
(a,a') and (a',a") along oc. If oc is infinite these Operations permit insertions
or contractions at infinitely many (non-overlapping) positions.
We say that a set T of traces over W is closed if
oc E T & (oc, ß) E Stutw ~ ßE T;
oc E T & (oc,ß) E mumw ~ ßE T.
Stephen Brookes 337
We write rt for the closure of T, that is, the smallest closed set of traces
containing T as a subset. Thus, commands denote closed sets of traces.
Let pt ( (W x W) 00 ) denote the set of closed sets of traces over W, ordered
by set inclusion. This forms a domain, in fact a complete lattice, with least
element 0, greatest element the set of all traces, and lubs given by unions.
For a morphism h = (f, Q): W - W', [comm]h should convert a set c of
traces over W to the set of traces over W' that "project back" via f to a trace
in c and respect the equivalence relation Q in each step. We therefore define
[comm]W = pt ((W x W) 00 ) ,
[comm](f,Q)c = {a' I map(f x f)a' E c &map(Q)a'},
where map(Q)a' indicates that each step in a' respects Q. 1t is Straightfor-
ward to check that this is indeed a functor.
4.2 Expressions
Our treatment of expressions is similar, using a slightly simpler form of trace
to reflect the assumption that expression evaluation does not cause side-
effects, but with enough structure to permit a fine-grained semantics in which
expression evaluation need not be atomic. We also allow for the possibility
that expression evaluation may be non-deterministic.
A finite trace of the form (woWt · · · Wn, v) represents an evaluation of an
expression during which the state is changed as indicated, terminating with
the result v. 1t suffices to allow such cases only when n is finite, since we
assume fair interaction between an expression and its environment: it is im-
possible for the environment to interrupt infinitely often in a finite amount
of time. On the other hand, if an expression evaluation falls to terminate the
state may be changed arbitrarily many times and no result value is obtained;
we represent such a case as an infinite trace in ww. Note in particular that
the trace w 00 represents divergence when evaluated in state w without inter-
ference.
Thus we will model the meaning of an expression of type T, in world W,
as a subset e of w+ x VT u W 00 ; this subsetwill be closed under the obvious
analogues of stuttering and mumbling. Let pt (W+ x VT u W00 ) denote the col-
lection of closed sets of expression traces, ordered by inclusion. Accordingly,
we define
[exp[T]]W = pt (W+ X VT u W00 ),
[exp[T]](f,Q)e= {(p',v) I (mapfp',v) Ee}
u {p' E W' 00 I mapfp' E e}.
4.3 Arrow types

We interpret arrow types using functor exponentiation, as in [OT95]. The do-
main [0- O']W consists of the families p(-) of functions, indexed by mor-
phisms from W, suchthat whenever h: W- W', p(h): [O]W' - [O']W'; and
whenever h': W' - W", p(h); [O']h' = [O]h'; p(h; h'). This unüormity con-
dition amounts to commutativity of the following diagram, for h: W - W' and
h':W'- W":
l l
[O]W' ----'p'-(_h)_ _ [O']W'
[Olh' [O'lh'
[O]W" [O']W"
p(h; h')
The domain [ 0 - 0'] W is ordered by
p(-) ~;;; q(-) ~ 'VW'. 'Vh:W- W'.p(h) ~;;; q(h),
the obvious parametrized version of the pointwise ordering.
The morphism part of [ 0 - 0'] is defined by:
[0- O'](h:W- W')p = ..\h':W'- W".p(h;h').
4.4 Variables
For variables we give an "object-oriented" semantics, in the style of Reynolds
and Oles. A variable of type T is a pair consisting of an "acceptor" (which
accepts a value of type T and returns a command) and an expression value.
This is modelled by:
[var[T]]W = (VT- [conun]W) X [exp[i]]W
[var[T]]h = ..\(a, e). (..\v. [comm]h(a v), [exp[T]]h e).
5 Semanlies of Phrases
A type environment rr determines a functor [ rr] as an indexed product. A
member u of [ rr] W is an environment mapping identifiers to values of the
appropriate type: ü rr(L) = 0 then u L E [O]W.
When rr f- P : 0 is a valid judgement, P denotes a natural transformation
[P] from [rr] to [0]. That is, for all environments u E [rr]W, whenever
h: W- W', [O]h([P]Wu) = [P]W'([rr]h u). This is expressed by commuta-
tivity of the following diagram for all h: W - W':
[ rr ]W ---=[=-P-=]_W_..... [ O]W
[rrlhl l[Olh
[rr]W' [P]W' [O]W'
We provide a denotational description of the semantics, beginning with the

definitions for the simple shared-variable language constructs, adapting the
definitions of [Bro93] to the functor category setting. Let ßw: W - W x W
denote the diagonal map: Aw(w) = (w, w).
Stephen Brookes 339
5.1 Expressions
We omit the semantic clauses for expressions, except for one representative
case to illustrate the use of expression traces. The following clause specifies
that addition is sequential and evaluates its arguments from left to right:
[E1 + E2]Wu =
HP1P2. v1 + v2) I (Plo v1) E [E1]Wu & (p2, v2) E [E2]Wu} t
u {PlP2 I (pl. VI) E [El]Wu & P2 E [E2]Wu n W00 } t
u {p E ww I p E [E1]Wu}t
5.2 skip
skip has only finite traces consisting of stuttering steps:
[skip]Wu = {(w, w) I w E w}t.
5.3 Assignment
We specify a non-atomic interpretation for assignment, in which the source
expression is evaluated first:
[X:=E]Wu =
{(map ~wp)ß I (p, v) E [E]Wu & ß E fst([X]Wu)v} t
u {map~wP I p E [E]WunW 00 }t.
5.4 Sequential composition
Sequential composition corresponds to concatenation of traces:
[P1 ;P2]Wu = {a1a2l tX1 E [P1]Wu&a2 E [P2]Wu}t.
5.5 Parallel composition
Parallel composition of commands corresponds to fair interleaving of traces.
For each set A we define the following sets:
bothA = {(a,ß, aß), (a,ß,ßa) I a, ß E A+}
oneA = {(a,€, a), (€, a, a) I a E A""}
fairmergeA = both~ · oneA u both'%,
where € represents the empty sequence and we use the obvious extension of
the concatenation operation on traces to sets of triples of traces:
to · t1 = {(aoai,ßoßiol'ol'd I (ao,ßo,)'o) E to & (aloßl,)'l) E td.
Similarly we use the obvious extensions of the Kleene iteration operators on
traces. Thus, for instance, both~ is the set of all triples obtained by concate-
nating together a finite sequence of triples from bothA. 1
1Equivalently, (airmergeA can be characterized as the greatest fixed point of the monotone
function F(t) = bothA ·tu oneA on the complete lattice :J'<A"' x A"' x A"'). The least fixed point
of this functional is the subset of triples (oc, ß, y) from (airmergeA in which either or both of oc
and ß are finite.
Intuitively, fairmergewxw is the set of triples (oc, ß, y) of traces over W

such that y is a fair merge of oc and ß. Note that fairmerge satisfies the
following "natural" property: for all functions f: A - B,
(oc,ß,y) E (airmergeA ~ (mapfoc,mapfß,mapfy) E fairmergeB.
We then define
[PI II Pz]Wu = {oc I 3(oc~o OCz, oc) E fairmergewxw·
OCI E [PI]Wu & OCz E [Pz]Wu} t .
Naturality of [PI II Pz] is easy to establish, assuming that [PI] and [Pz] are
natural.
5.6 Local variables

A trace of new[ T] L in P at world W should correspond to an execution of P in
the expanded world W x VT, with Lbound to a fresh variable of typeT; during
this execution, P may change this variable's value but no other command has
access to it. Only the changes to the W -component of the world should be
reflected in the overall trace. We say that a trace (wn. w~)~=O is interference-
free iff for each n, w~ = Wn+ I· Thus the traces of new[ T] L in P in world W and
environment u should have the form map(fst x fst) oc, where oc is a trace of P in
world W x VT (and suitably adjusted environment) suchthat map(snd x snd) oc
is interference-free:
[new[T] L in P]Wu
= {map(fst x fst)oc I map(snd x snd)oc interference-free &
oc E [P](W x VT)([rr](- x VT)u I t: (a,e))},
where the "fresh" variable (a, e) E [var[T]] (W x VT) is defined by:
a = A.v':VT.{((w,v),(w,v')) Iw E W&v E VT}t
e = {(p(w, v)p', v) I pp' E (W x VT )* & w E W & v E VT} t.

Naturality can be checked easily.
5.7 Conditional
For conditional phrases we define by induction on e,
fort E [exp[bool]]W
and PI.Pz E [O]W, an element if t then PI eise pz of [O]W.
• For e = comm, if t then PI eise P2 is
{(map ~wp)oci I (p, tt) E t & OCI E pdt u
{(map ~wp)ocz I (p,ff) E t & ocz E pz}t u
{map ~w p I p E t n ww}.
• For 9 = ( Oo - OI ), (if t then PI eise pz) (-) is the indexed family given
by
(if t then PI eise pz )(h) =
A.p.if [exp[bool]]h t then pi(h)p eise pz(h)p.
• For 9 = var[T], we define
Stephen Brookes 341
if t then (at. et) eise (a2, e2)

(.\v: VT.if t then a1 v eise a2v, if t then e1 eise e2).
We then defi.ne
[if B then P1 eise P2]Wu =
if [B]Wu then [P1]Wu eise [P2]Wu.
Naturality is easy to check, by induction on the type.
5.8 Conditional atornic action

We give a "busy wait" interpretation to an await command: if the test expres-
sion B evaluates to tt it executes the body P without allowing interference; if
the test evaluates to ff it waits and tries again; if evaluation of the test diverges
so does the await command.
[await B then P]Wu =
{(w,w') E [P]Wu I (w,tt) E [B]Wu}t
u {(w,w) I (w,ff) E [B]Wu} 00
u {map !:J.wp I p E [B]Wu () W00 } t.
Recall that P is assumed to be a finite sequence of assignments or skip, so
that [P]Wu is a set of finite traces.
5.9 .\-calculus
The semantic clauses for identifiers, abstraction, and application are standard:
[L]Wu = UL
[.\t:O.P]Wuh = .\a E [O]W'.[P]W'([rr]hu I t:a)

[P(Q)]Wu = [P]Wu(idw)([Q]Wu),
where, in the clause for abstraction, h ranges over morphisms from W to W'.
5.10 Recursion
It is possible to give a least-fixed-point interpretation for recursion, but this
would only account for finite traces and would therefore preclude reason-
ing about safety and liveness properlies of programs. lnstead we make use
of greatest fixed points to obtain a model containing both finite and infinite
traces. We know from Tarski's theorem [Tar55] that every monotone function
on a complete lattice has a greatest fixed point. This might suggest that we
begin by establishing that each domain [O]W is a complete lattice. Unfortu-
nately this is not generally true. Although [comm]W is a complete lattice for
each world W, the functions [comm]h do not generally preserve tops. For
instance, when h = (f,Q):W- W',
[comm]h(tOP[comm]W) [comm]h(:P((W X W) 00 ) )
{a' E [comm]W' I map(Q)a'}

* tOP[comm]W' ·
As a consequence, [ comm - comm] W is not a complete lattice, because

it does not possess a top. The obvious order-theoretic candidate for top of
[comm- comm]W, i.e., the family top(-) suchthat for all h: W - W',
top(h) = .\d': [comm]W'. tOP[comm]W'•
lacks the naturality property required for membership in [ comm - comm] W.
Furthermore, the obvious natural candidate for tophood, i.e., the family top(-)
given by
top(h) = .\d' E [comm]W'. [comm]h(tOP[comm]W ),
is not the order-theoretic top, since it does not dominate the identity family
id(h) = .\d': [comm]W'.d'.
The resolution of this dilemma is suggested by the operational behavior
of the command rec t. t; this command simply diverges, without ever chang-
ing the state, no matter how its environment tries to interfere. Its trace set
should therefore consist of the infinite stuttering sequences. This trace set is
not the greatest fixed point of the identity function on [comm]W, as might
be suggested by the syntactic form of the command. Instead it can be char-
acterized as (the closure oO the greatest fixed point of the monotone fune-
rtonal .\c. {(w, w)oc I w E W & oc E c}, operating on the complete lattice
P((W x W)"'} of arbitrary trace sets; intuitively, the extra initial stutter mirn-
ies an operational step in which the recursion is unwound. It is easy to prove
that the greatest fixed point of this functional does indeed consist of the infi-
nite stuttering sequences. Clearly this trace set is also closed under stuttering
and mumbling, so belongs to the sublattice pt ((W x W)"'). Moreover, when
h:W- W' wehave
[comm]h([rec t. t]Wu) [comm]h( {(w, w) I w E W} 00 )
{(w', w') I w' E W'} 00
[rec t.t]W'([rr]hu),
so that [rec t. t] is indeed a natural transformation.
A similar argument can be given for a general recursive phrase rec t. P at
general type 0. The key to a general defi.nition of [rec L.P]W is to embed
each [O]W in a suitable lattice [O]W, and generalize the insertion of an initial
stutter, and the notion of closure, to all phrase types. We introduce functors
[0] from worlds to the category of complete lattices; intuitively, [O]W is like
[ 0] W without the closure requirements at ground types and naturality re-
quirements at arrow types. We define natural transformations stuto from [0]
to [0], and closo from [0] to [0]. Stuttering at a procedure type produces
a procedure that inserts an initial stutter in its result whenever called; clo-
sure at a procedure type produces a procedure that returns a closed result.
The semantic definitions given earlier (minus the use of closure) yield natural
transformations [P] from [rr] to [0], suchthat [P]Wu = closoW([P]Wu) for
all u E [rr]W. When TT, t: 0 f- P: 0, and U E [rr]W, the function
F = .\x E [O]W.stutoW([P]W(u I t:x))
is a monotone map on the complete lattice [O]W. Its greatest fixed point,
which we denote by vx.F(x), is in [O]W, and the closure of this fixed point is
Stephen Brookes 343
in [O]W. We therefore take

[rec t.P]Wu = closeW(vx.stuteW([P]W(u I t:x)).
This definition is natural: [O]h([rec t.P]Wu) = [rec t.P]W' ([rr]h u); stut-
tering plays a crucial role in the proof of this result.
Note that this semantic definition does indeed provide the command rec L. L
with the desired denotation. Moreover, the analogous recursion at procedure
type comm - comm denotes the family
.\h:W- W' . .\a E [comm]W'. {(w', w') I w' E W'}w,
corresponding to a procedure that causes divergence whenever called.
It is also easy to verify that the meaning given to
rec c.ü B then C; c else skip
coincides with the expected semantics of the loop while B do C, provided
c rt= FV(C). In particular,
[while true do skip]Wu = {(w, w) Iw E W}w.
5.11 Laws of equivalence

The semantics supports compositional reasoning about safety and liveness
properties, and validates a number of natural laws of program equivalence,
including (when L does not occur free in P'):
new[T] L in P' = P'
new[T] L in (P II P') = (new[T] L in P) II P'
new[T] L in (P; P') = (new[T] L in P); P'.
The semantics also validates familiar laws of functional programming, such
as:
(.\t: O.P)(Q) = P[Q/ L]
rec L.P = P[rec L.P/L],
where P [ Q 1L] is the phrase obtained by replacing every free occurrence of L in
P by Q, with renaming when necessary to avoid capture.
6 Relational Parametricity
Although the above semantics validates many laws of program equivalence re-
lated to locality in parallel programming, there remain equivalences for which
we can give convincing informal justification, yet which are not valid in this
model. Consider for example the following phrase:
new[int] L in (t:=O; P(t:=t + 1)),
where P is a free identifier of type comm - comm. No matter how P is instan-
tiated this should have the same effect as P(skip). As observed by O'Hearn
and Tennent, this equivalence holds for the sequential language yet is not
validated by the sequential possible-worlds semantics. O'Hearn and Tennent
formulated a more refined semantics embodying "relational parametricity", in

which values of procedure type are constrained by certain parametricity prop-
erties that guarantee good behavior. The above counterexample is equally rel-
evant in the parallel setting, motivating us to develop a relationally parametric
semantics for the parallellanguage. We first summarize some background
material from [OT95].
We introduce a category whose objects are relations R between worlds; we
write R: W - W' or R ~ W x W'. For each world W we let ßw: W - W denote
the identity relation on W, i.e., ßw = {(w, w) I w E W}. A morphism from
R: Wo - W1 toS: Xo - X1 isapair (ho: Wo - Xo, h1: W1 - X1) of morphisms in
W, suchthat
• for all (xo,XI) ES, (foxo,fixd ER;
• for all (Xo,Xl) ES, X~ E Xo and X~ E X1. if (X~,Xo) E Qo & (X~, XI) E Ql
then (x~,x~) ES.
We represent such a morphism in the following diagrammatic form:
ho
Wo ---=-+-Xo
Rl Js
The identity morphism from R to R corresponds to the diagram

idw0
w1 idw1
w1
Composition in this category of relations is defined in the obvious way, build-
ing on composition in the category of worlds.
For each type (} we define a parametric functor [ 0] from worlds to predo-
mains, i.e., a functor [0] from W toP equipped with an action on relations,
such that:
• whenever R: Wo- W1. [O]R: [O]Wo - [O]W1;
• for all W, [O]ßw = ß[e]w;
• whenever
Stephen Brookes 345
holds then so does

[O]Wo [O]ho [O]Xo
[81Rj j[eJs
[O]W1 -[-O]-h-
1 -+ [O]X1
by which we mean that
(do, di) E [O]R => ([O]hodo, [O]h1dd E [O]S.
The first two conditions above say that [ 0] constitutes a "relator" [MS93,
AJ91]. The last condition is a parametricity constraint.
Each well-typed phrase denotes a parametric natural transformation [P]
between the parametric functors [rr] and [0], i.e., a natural transforma-
tion obeying the following parametricity constraints: whenever R: Wo - W1o
(uo, ui) E [rr]R => ([P]Wouo, [P]W1ud E [O]R, as expressed by the fol-
lowing diagram:
[rr]Wo [P]Wo [O]Wo
[rrJRI j[O]R
[rr]W1 -[P_]_W-1-+ [O]W1
Parametrie natural transformations compose in the usual pointwise man-
ner. The category having all parametric functors from W to P as ob-
jects, and all parametric natural transformations as morphisms, is cartesian
closed [OT95] 2 •
To adapt these ideas to the parallel setting, we must give trace-theoretic
interpretations to types comm, var[T], and exp[T]. (Here we will cover
only comm.) We define [comm]W and [comm]h as before. To de-
fine [comm]R: [comm]Wo- [comm]W1 when R: Wo - W1o we first Iet
map(R)!;;;; Wö x Wi be the obvious extension of R to sequences of the same
length; we then define (co, c1) E [comm]R iff, for all (po, Pl) E map(R),
(V' oco E co. map fst oco = Po =>
3ocl E c1.map fst oc1 = P1 & (map snd oc 0 , map snd oci) E map(R))
& (V' oc1 E c1. map fst oc1 = P1 =>
3oco E co.map fst oco =Po & (map snd oco, map snd oci) E map(R))
This is intended to capture the following intuition: [comm]R relates two com-
mand meanings iff, whenever started in states related by R and interrupted in
related ways, the commands respond in related ways.
2 Technically, we actually work with the full subcategory consisting of the functors F such that:
for all W, FW is a domain; and for all h: W - W', Fh is strict. This subcategory is also cartesian
closed.
1t is Straightforward to verify that [ comm] is indeed a parametric functor.

The semantics given in the previous section can be adapted to the paramet-
ric setting; in the full paper we verify that each phrase denotes a parametric
natural transformation. For instance, one can easily show that if (p0 , q0 ) E
[ comm]R and (Pit ql) E [ comm]R then (Po II Plt qo II qi) E [ comm]R. Re-
cursion requires a careful argument based on co-inductive properties of great-
est fixed points. To show the parametricity of recursion, let rr, t:O f- P : (} and
assume that P denotes a parametric natural transformation. We need to show
that for all R: Wo - W1o whenever (uo, uJ) E [rr]R,
([rec t.P]Wouo, [rec t.P]W1ud E [9]R.
This may be achieved by means of a temporary detour using the parametric
analogues of the functors [9] used earlier. Let Fo and F1 be given by:
Fo(Po) = stuteWo([P]Wo(uo I t:po)),
Fdpd = stuteW1([P]Wdu1 I t:pJ)).
By the assumption on P, whenever (p 0 , pd E [O]R it follows that
(Fo(Po),Fdpd) E [O]R. Consequently the functional
F: [O]Wo x [O]W1 - [(}]Wo x [O]W1
given by F(po.Pd = (Fo(Po),FdPI)) is a monotone function on a com-
plete lattice, and maps [O]R into itself. We then show that the clo-
sure of its greatest fixed point is in [O]R, and coincides with the pair
([rec t.P]Wouo, [rec t.P]W1ud.
6.1 Examples of reasoning
In addition to the laws listed earlier, the relationally parametric semantics also
validates the following equivalences (where P is an identifier of suitable type):
new[int] L in (t:=l;P(t)) = P(l)
new[int] L in (t:=O; P(t:=t + 1)) = P(skip),
thus dealing satisfactorily with the problematic equivalence discussed earlier.
The subtle differences between sequential and parallel settings are illustrated
by the following examples.
Let P be an identifier of type comm - comm. The phrases
new[int] x in (x:=O; P(x:=x + 1; x:=x + 1))
and
new[int] x in (x:=O; P(x:=x + 2))
are equivalent in sequential ALGOL and in PARALLEL ALGOL, even though the
commands x:=x + 1 ; x:=x + 1 and x:=x + 2 are not semantically equivalent in
the parallel model; no matter how P uses its argument, the only differences
involve the local variable, whose value is ignored. To establish the equivalence,
one can use therelationR:W- WxVmt givenby (w, (w',z)) ER = w = w'.
In contrast the phrases
new[int] x in
(x:=O; P(x:=x + 1; x:=x + 1);
if even(x) then diverge eise skip)
Stephen Brookes 347
and
new[int] x in
(x:=O; P(x:=x + 2);
if even(x) then diverge eise skip),
where diverge is a divergent command, are equivalent in sequential ALGOL but
not in PARALLEL ALGOL. For example, if P is ,\c. c II c, then the first phrase has
an execution in which each argument thread reads x as 0, then each sets x to 1,
and then the two final increments occur sequentially, leaving x with the value
3, causing termination; the other phrase, however, must diverge. The relation
(w, (w', z)) E R = w = w' & even(z) works for the sequential model but
not for the parallel.
Indeed, in sequential ALGOL, the phrase
new[int] x in
(x:=O; P(x:=x + 2);
if even(x) then diverge eise skip)
discussed above is equivalent to diverge. For PARALLEL ALGOL, this equiva-
lence falls because our semantics "observes" intermediate states during exe-
cution. Instead the phrase is equivalent to P(skip);diverge.
In the O'Hearn-Tennent model
if x = 0 then f(x) eise 1
and
if x = 0 then f(O) eise 1
fall to be semantically equivalent, because the model includes procedure
meanings that violate the irreversibility of state change [OT95], yet the phrases
behave identically in all sequential contexts. In contrast the equivalence
should (and does) fall in our parallel model, because expression evaluation
may not be atomic. For example, if f is ,\y. y and the phrase is evaluated in
parallel with a command that may change the value of x from 0 to 2, the first
case might yield the result 2.
7 Conclusions
Our semantics inherit both the advantages and limitations of the correspond-
ing sequential models and of the trace model for the simple shared-variable
language. At ground type comm we retain the analogue of the full abstraction
properties of [Bro93]: two commands have the same meaning if and only if
they may be interchanged in all contexts without affecting the behavior of the
overall program. The extra discriminatory power provided by the ,\-calculus
facilities does not affect this. However, like their sequential forebears, our
models still include procedure values that violate the irreversibility of state
change [OR95], preventing full abstraction at higher types. Recent work of
Reddy [Red93], O'Heam and Reynolds [OR95] incorporating ideas from linear
logic appears to handle irreversibility for sequential ALGOL; we conjecture that
similar ideas may also work for the parallellanguage, with suitable generaliza-
tion.
Acknowledgements
Much of this work was developed during a three-month visit Uuly-September 1995)
to the Isaac Newton Institute for the Mathematical Sciences, Cambridge, England, as
part of a research programme on Semantics of Computation. Thanks to Peter O'Hearn,
John Reynolds, Edmund Robinson, Pino Rosolini, Philip Scott, Bob Tennent, and Glynn
Winskel for helpful discussions and comments.
This work was sponsored in part by the Office of Naval Research, under Grant No.
N00014-95-1-0567, andin part by the National Science Foundation, under Grant No.
CCR-9412980.
References
[AJ91] S. Abramsky and T. P. Jensen. A relational approach to strictness analysis for
higher-order polymorphic functions. In Conf. Record 18th ACM Symposium
on Principles of Programming Languages, pages 49-54. ACM Press, 1991.
[Bro93] S. Brookes. Full abstraction for a shared-variable parallellanguage. In Proc.
ffh AnnualiEEE Symposium on Logic in Computer Science, pages 98-109.
IEEE Computer Society Press, June 1993.
[HMT83] j. Y. Halpern, A. R. Meyer, and B. A. Trakhtenbrot. The semantics of local
storage, or What makes the free Iist free? In ACM Symposium on Principles
of Programming Languages, pages 245-257, 1983.
[MS93] j. C. Mitchell and A. Scedrov. Notes on sconing and relators. In E. Boerger,
editor, Computer Science Logic '92, Selected Papers, volume 702 of Lecture
Notes in Computer Science, pages 352-378. Springer-Verlag, 1993.
[Ole82] F. J. Oles. A Category-Theoretic Approach to the Semantics of Programming
Languages. PhD thesis, Syracuse University, 1982. See Chapter 11.
[OR95] P. W. O'Hearn and j.C. Reynolds. From ALGOL to Polymorphie Linear Lambda-
calculus. Talk given at Isaac Newton Institute for Mathematical Sciences,
Cambridge, August, 1995.
[OT95] P. W. O'Hearn and R. D. Tennent. Parametricity and local variables. ]. ACM,
42(3):658-709, May 1995. See Chapter 16.
[Par79] D. Park. On the semantics of fair parallelism. In D. Bjomer, editor, Ab-
stract Software Speci{ications, volume 86 of Lecture Notes in Computer Sci-
ence, pages 504-526. Springer-Verlag, 1979.
[Red93] U. S. Reddy. Global state considered unnecessary: object-based semantics
of interference-free imperative programming. In ACM SIGPLAN Workshop
on State in Programming Languages. Technical Report YALEU/DCS/RR-968,
Department of Computer Science, Yale University, 1993. See Chapter 19.
[Rey81] J. C. Reynolds. The essence of ALGOL In Algorithmic Languages, pages 345-
372. North-Holland, Amsterdam, 1981. See Chapter 3.
[Rey83] J. C. Reynolds. Types, abstraction, and parametric polymorphism. In Infor-
mation Processing 83, pages 513-523. North-Holland, Amsterdam, 1983.
[Tar55] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Paci{ic
Journal o( Mathematics, 5, 1955.
Contents of Volume 1
Contributors vü
Introduction 1
Part I IHSTORICAL BACKGROUND 17

1 Revised Report on the Algorithmic Language ALGOL 60 19
Peter Naur (editor), ]. W. Backus, F. L. Bauer,]. Green, C. Katz,
]. McCarthy, A. ]. Perlis, H. Rutishauser, K. Samelson, B. Vauquois,
]. H. Wegstein, A. van Wüngaarden and M. Woodger
2 The Varieties of Programming Language 51

Christopher Strachey
Part ll BASIC PRINCIPLES 65

3 The Essence of ALGOL 67
]ohn C. Reynolds
4 ALGOL and Functional Programming 89

Peter W. O'Hearn
5 Orthogonality of Assignments and Procedures in ALGOL 101

Matthias Felleisen and Stephen Weeks
6 IDEAUZED ALGOL and its Specifi.cation l..ogic 125

]ohn C. Reynolds
7 Towards Fully Abstract Semantics for I..ocal Variables 157
Albert R. Meyer and Kurt Sieber
Part m LANGUAGE DESIGN 171

8 Design of the Programming Language FORSYTHE 173
]ohn C. Reynolds
9 Assignments for Applicative Languages 235

Vipin Swarup, Uday S. Reddy, and Evan Ireland
10 Syntactic Control of Interference 273

]ohn C. Reynolds
Contents of Volume 2 287

Alg

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Alg

Uploaded by

Copyright:

Available Formats

Progress in Theoretical Computer Science

Springer Science+Business Media, LLC

Library of Congress Cataloging-in-Publication Data

ALGOL-like languages I Peter W. O'Hearn, Robert D. Tennent, editors.

Printedon acid-free paper

Permission to photocopy for internal or personal use of specific clients is granted by

Typeset by the Authors in 1EX.

Part IV FUNCTOR-cATEGORY SEMANTICS 1

12 Using Functor Categories to Generate Intermediate Code 13

Part V SPECIFICATION LOGIC 39

14 Semantical Analysis of Specification Logic, 2 65

Part VI PROCEDURES AND LOCAL VARIABLES 95

16 Parametridty and Local Variables 109

17 Operationally-Based Reasoning About Local Variables 165

Part VII INTERFERENCE, IRREVERSffiiLITY, AND CONCURRENCY 187

20 Linearity, Sharing and State 297

21 The Essence of PARALLEL ALGOL 331

Contents of Volume 1 349

2 The Utility of Functor Categories

P. W. O’Hearn et al. (eds.), Algol -like Languages

of the meaning of .f can be applied to this expansion to obtain an element of

3 A Category of Store Shapes

where x,x' E X and y E Y. We may read (D) loosely as replacing x with

is given by (oc--+- ß) f = ß o f o oc, where f E Y--.. W. (So --.. is just the

For (~2), we compute

Finally, for (B), we have

Consider in Set the diagram

Hence ;y makes the diagram commute. Suppose also that

So ;y = ;y', and we are done. I

To construct a compiler for a modern higher-level programming languagel one

2 Types and Syntax

An ALGOL-like language is a typed lambda calculus with an unusual repertoire

A type assignment is a mapping from some finite set of identifiers into

calculus operations of application and abstractionl and the inference rules

When rr 1- p: 0, the semantics of the phrase p, with respect to rr and 0, is

where the semicolon denotes the composition of morphisms in X (in diagram-

rr 1- p : 0 rather than on the syntactic structure of p. This has the advan-

of S, may be needed to specify variables in the actual parameter of the call.

(Sr,Sd) !> (S(,Sd) iff Sr< S( or (Sr= S( andSd !> Sd).

5 The Intermediate I..anguage

The intermediate language into which we translate programs can be described

fully executed when the current stack descriptor is S:

6 From Semantics to Compilation

The translation of assignment commands is described by an equation that

On the other band, the translation of a unary expressionsuch as -e is ob-

The equation for [ -e] can be written succinctly as

Since the environment fj maps L into (a, e) E [intvar]S", it must belong

10 Boolean Expressionsand Conditionals

In this approach the translation of constants is trivial:

(simple type} ::= compll intcompll (simple type} - (simple type)

1. the subroutine to be called,

2. the global frame Iist to be used during execution of the subroutine,

3. a Iist of the arguments, which are themselves subroutines.

call i f (ai. ... , an),

}·· '-. }··

13 Compiling Subroutines and their Calls

when applied to appropriate arguments yields a call) by

where :N denotes the set of positive integers. Specifically mk-argcallcpS j 1

and when cp = 'Pl - ( · · · - (cpn - compl) · · ·) for some n ~ 1:

mk-callcpSiS 1(al E [cp1]S 1) · · ·Sn(an E [cpn]Sn) =

mk-argcallcpS j S 1(al E [ 'Pl ]S 1) · · · sn (an E [ 'Pn]Sn) =

and when cp = cp 1 - ( · · · - (cpn- intcompl) · · ·) for some n ~ 1:

mk-call<PS i 5 1(a1 E ['PI ]5 1) · · · S" (an E [ 'Pn ]S" )S' (r E (Rs')) =

mk-argcall<PSjS 1(a 1 E [cpi]S 1) · · · S"(an E [cpn]S")S'(r E (Rs')) =