sign in sign up
<<
Home , Denotational semantics, Game semantics

Game for Type Soundness

Tim Disney Cormac Flanagan University of California Santa Cruz University of California Santa Cruz

Abstract—The key idea of is that a term call mechanism that mediates the interactions between the can interact with its enclosing context via various events, such expression e and its enclosing context C[·] by appropriately as calls and returns. A trace is a sequence of such routing function calls and returns from e to its context and vice- interaction events. The meaning of the term is then naturally represented by the set of all event traces that the term can versa. We use the term event to denote a function call or return generate. Game semantics allows us to define the meaning of message sent from e to its context, or vice-versa. Then the both expressions and types in the same domain which enables semantics of e can be formalized as a (potentially infinite) set an interesting alternative to subject reduction for proving type of traces, denoted e k, where each trace is a finite sequence soundness. of such events. TheJ subscriptK k in e k denotes a This paper uses game semantics to define the meaning of and J K verify type soundness for a sequence of programming , channel on which to send the result of e’s computation to starting with a functional sequential (the call-by-value the context C. Thus, this transformation from program syntax simply-typed ), and then extending that proof to semantic traces in some ways follows the CPS transform. with subtyping, side effects, control effects, and concurrency. For simplicity, we assume here that e is closed, although our These proofs are reasonably short and fairly semantic in struc- semantic framework supports open terms. ture, focusing on the relationship between the meanings of each term and its corresponding type. In particular, we show To incorporate types from the simply typed λ-calculus, we that the typing and subtyping relations are both conservative formalize the meaning of each type A as an analogous set of approximations of alternating trace containment. traces A k, again with respect to a continuation channel k. LikeJ otherK , game semantics is com- I.INTRODUCTION positional, and so, for example, the meaning e1 e2 k of a Over the past 20 years, the syntactic approach [1] has function application is defined in terms of the meaningsJ K of the become established as the dominant method for proving type direct subexpressions e1 and e2. Like , soundness. The flexibility of this approach stems from its game semantics is fairly syntactic in flavor, primarily dealing exclusive reliance on syntactic methods, in which programs, with sets of (syntactic) traces. Thus, in some sense, game types, and intermediate computation states are all represented semantics is a compositional syntactic semantics, where the syntactically, and the typing and subtyping relations are defined syntax captures behavior (i.e. traces of interactions) rather than over syntactic items. The result is an elegant proof technique, state (as in operational semantics). but one in which types remain just pieces of syntax, with no By defining the meaning of both expressions and types in associated semantic meaning or . the same domain of trace sets, this approach enables us to The last two decades have also given birth to a new style capture the typing judgment ` e : A as an appropriate relation of denotational semantics called game semantics, in which the on the corresponding trace sets e k and A k. In particular, interaction between two modules in a system can be considered a trace in e k may contain bothJsendK eventsJ K (which transfer a game with alternating moves by the two modules. control fromJ Ke to its context) and receive events (which transfer This paper attempts to connect these two fields of type control from the context to e). If e has type A, then A k must systems and games semantics. The motivation for this work is permit any send event in e k (since any function returnJ K value to open up an important application domain for game semantics, sent by e must be permittedJ K by its type A); conversely by a while at the same time providing a formal foundation for contravariant argument e k must contain any receive event in intuitions about the typing and subtyping relations that are left A k. Thus, if J K informal under the syntactic approach. In comparison to the J K ` e : A polished syntactic proof machinery developed over the past two decades, we do not propose that the game semantic approach then the appropriate relation between the corresponding trace is better (in the sense of being simpler or more efficient). sets is alternating trace containment [2], denoted Nevertheless, the game semantic approach does appear to provide different benefits (outlined below), which suggest this e k @ A k J K J K approach merits further study. where A contains (non-strictly) more sends and (non- Our approach uses traces to formalize our game semantics, k strictly)J fewerK receives than e . Thus, typing conservatively and the starting point for our semantic development is the call- k approximates alternating containmentJ K on traces. by-value untyped λ-calculus. In particular, given a program C[e] in this language, we can imagine a remote procedure Theorem 1. If ` e : A then e k @ A k J K J K We next consider the subtyping relation A <: B. Again, we and terms, and is independent of the other rules in the can show that the type B must contain more sends and fewer system. receives than A, so subtyping also conservatively approximates We conjecture that trace semantics might provide helpful alternating trace containment. insights in the development and verification of other program analyses and type systems. As one example, the unification of Theorem 2. If A <: B then A k @ B k J K J K typing and subtyping as alternating trace containment relation One interesting aspect of trace-based type soundness proofs provides some semantic motivation for recent work on pure is that they are mostly compositional, in that each type rule subtype systems, which also merge the typing and subtyping can be verified as admissible independent of the other rules relations [3], [4]. in the system. For example, we verify the admissibility of the Much prior work has explored various aspects of game function application rule: semantics, including developing fully abstract game semantics for various programming languages [5], [6], [7], [8]. In ` e : A → B ` e : A 1 2 closely related prior work, Chroboczek used game semantics ` e1 e2 : B to elegantly prove type soundness for the call-by-name λ- (ignoring the type environment here for simplicity) by proving calculus [9], [10], [11]. In contrast to that work, this paper a corresponding lemma: targets the call-by-value λ-calculus, which then enables us to extend this approach to address imperative features such as if e1 k1 @ A → B k1 call/cc and mutable references. J K J K and e2 k2 @ A k2 J K J K then e1 e2 k @ B k II.THE TRACE CALCULUS J K J K We start by formalizing the semantic domain of trace sets: Since e1 e2 k is defined compositionally in terms of e1 k1 J K J K see Figure 1. A trace α is a finite sequence of events. Each and e2 k2 (with respect to the appropriate channels k1 and event is either a send event x!y, which sends the channel list k2),J thisK lemma is independent of the subterms e1 and e2 and depends only on the semantics of function application and of y to x, or a receive event x?y, which receives y from x. Note function types. Consequently, any extension to the type or term that send events x!y and receive events x?y both bind the language is safe with respect to the above rule provided it does argument list y; these channels are then in scope in the rest not modify the meaning of function application or function of the trace and can be α-renamed in the usual fashion. Thus, types. for example, we consider the traces k!y . y?r and k!x . x?r to Our experience to date suggests that this approach provides a be α-equivalent. helpful semantic foundation for exploring typed programming The FS and FR functions identify the free sending and languages. In particular, some language extensions can be receiving channels in a trace, respectively. As an example, if developed and proven type sound independently, where the α = x!y . y?z . z!h then we have FS(α) = {x} and FR(α) = formalism precludes unintentional cross-cutting interference ∅. We consider traces to be equivalent modulo α-renaming, between language features. and thus we have for example x!y . y?z = x!w . w?z. To illustrate this benefit, this paper uses trace semantics to To provide an initial intuition of how traces capture program verify type soundness of a sequence of programming languages. semantics, consider the meaning of the higher-order function Section II first formalizes a calculus for composing and λf. f (λx. x) k, where the channel k represents the initial J K reasoning about trace sets. Section III illustrates our approach continuation for this code fragment. Since this code fragment by verifying type soundness for the simply typed λ-calculus. can interact with its context in arbitrary ways, it has infinitely We then enrich this language with subtyping (Section IV), first- many possible traces, but one possible trace is: class (Section V), imperative features (Section α = k!r . r?fh . f!yh0 . h0?z . h!z0 VI), and concurrent threads (Section VII), with compositional proofs for all extensions. In this trace: In summary, this paper provides the following contributions. 1) The first event k!r sends a fresh channel r to the context 1) It provides a compositional semantic meaning for types k providing a shared channel for the context to call this and terms as trace sets. function. 2) The typing relation (` e : A) naturally corresponds to 2) Next the event r?fh receives from the context two alternating trace containment on trace sets ( e k @ A k). channels; f, which represents the function argument, 3) The subtyping relation (A <: B) also correspondsJ K J toK al- and h, which represents the continuation for this call. 0 0 ternating trace containment on trace sets ( A k @ B k). 3) The event f!yh sends to f a channel y denoting the 4) Our initial soundness proof for the simplyJ K typedJ K λ- identity function λx. x and a continuation h0. calculus scales well to support concurrency, imperative 4) The call to f immediately returns to its continuation h0 features, and control effects of the term level, as well via h0?z. as subtyping at the type level, since the admissibility of 5) Finally, the function λf. f (λx. x) returns to its continu- each typing rule depends only on the semantics of types ation h, passing a fresh channel z0. Later message events Figure 1: The Trace Calculus

Grammar: x, y, g, h, k ∈ Chan π ∈ Event ::= x!y | x?y FC(α) = FS(α) ∪ FR(α) α ∈ Trace ::= π1 . ··· . πn BC(x!y) = BC(x?y) = {y} P, Q, R ∈ TraceSet = 2Trace FS() = ∅ FR() = ∅ FS(x?y . α) = FS(α) \{y} FR(x?y . α) = {x} ∪ FR(α) \{y} FS(x!y . α) = {x} ∪ FS(α) \{y} FR(x!y . α) = FR(α) \{y}

Traceset Operations and Constants: P ⊗ Q = S π . ((P \ π ⊗ Q) ∪ (P ⊗ Q \ π)) 1 = {} Sπ ¬(x!y) = x?y ∪ π νx.((P \ π) ⊗ (Q \ ¬π)) ¬(x?y) = x!y where x = BC(π) Sn π . P = {, π . α | α ∈ P } i Pi = P1 ∪ P2 ∪ · · · ∪ Pn Qn P \ π = {α | π . α ∈ P } i Pi = P1 × P2 × · · · × Pn `n νx.P = {α ∈ P | ∀x ∈ x. x 6∈ FC(α)} i Pi = P1 ⊗ P2 ⊗ · · · ⊗ Pn n Qn P ∪ Q = {α | α ∈ P or α ∈ Q} P = 1 P S ∗P = S∞ Qi P j P × Q = π π . ((P \ π × Q) ∪ (P × Q \ π)) i=1 j=1

Properties: Other properties: (TraceSet, ∪, ×, ∅, 1) is a commutative semiring 23. (P ∪ Q) \ π = P \ π ∪ Q \ π 1. P × Q = Q × P 24. (P × Q) \ π = (P \ π × Q) ∪ (P × Q \ π) 2. P × (Q × R) = (P × Q) × R 25. (∗P ) \ π = ∗P × (P \ π) 3. P × 1 = P 4. P × (Q ∪ R) = (P × Q) ∪ (P × R) 26. π . ∅ = ∅ 5. P × ∅ = ∅ 27. P \ π = ∅ for π 6∈ P (TraceSet, ∪, ⊗ , ∅, 1) is a commutative semiring 6. P ⊗ Q = Q ⊗ P 28. P ∪ ∅ = P 7. P ⊗ (Q ⊗ R) = (P ⊗ Q) ⊗ R 29. νx.∅ = ∅ 8. P ⊗ 1 = P 9. P ⊗ (Q ∪ R) = (P ⊗ Q) ∪ (P ⊗ R) 30. π . 1 = π 10. P ⊗ ∅ = ∅ 31. P ∪ 1 = P for P 6= ∅ ¬ distributes over ∪, ×, ⊗ and is an involution 32. νx.1 = 1 11. ¬(P ∪ Q) = ¬P ∪ ¬Q 33. ¬1 = 1 12. ¬(P × Q) = ¬P × ¬Q 13. ¬(P ⊗ Q) = ¬P ⊗ ¬Q 34. ∗P = ∗P × P 14. ¬¬P = P 35. ∗P = ∗P × ∗P ∗ distributes over × and is idempotent 15. ∗(P × Q) = ∗P × ∗Q 36. P @ Q ⇔ π.P @ π.Q 16. ∗ ∗ P = ∗P 37. (P @ Q) ∧ (P @ R) ⇒ P @ (Q ∪ R) is reflexive and trasitive; ∪, × and ∗ are monotonic; ¬ is anti-monotonic @ 38. π . (S × Q) @ S × π . Q 17. P @ P 39. S @ ∗S 18. (P @ Q) ∧ (Q @ R) ⇒ P @ R 0 0 40. P @ Q ⇒ P @ Q × S 19. P @ P ⇒ (P ∪ Q) @ (P ∪ Q) 0 0 if FC(P ) ∩ FC(S) = ∅ 20. P @ P ⇒ (P × Q) @ (P × Q) 21. P Q ⇒ ∗P ∗Q @ @ In 38, 39, 40 assume no trace in S starts 22. P Q ⇒ ¬Q ¬P @ @ with a receive event sent to z0 (if any) will be forwarded to z via the copycat event y!x, Q may receive the corresponding event y?x (or proxy (as described in Section II-D below). vice-versa), and computation proceeds with νx.((P \ y!x) ⊗ (Q \ y?x)). Note we assume that implicit α-renaming is used A. Operations on Tracesets to match up the bound channels in the send event y!x of P We use the term traceset to denote a prefix-closed set of with those in the receive event y?x of Q. For example, traces, and use the metavariables P, Q, R to range over tracesets. We often write tracesets as sets modulo prefix closure for νy.({y!z} ⊗ {y?x . x!}) = νy.({y!z} ⊗ {y?z . z!}) = {z!} brevity, and thus {x? . y!} abbreviates {, x?, x? . y!}. Here Qn `n x? is a receive event that receives zero arguments. We use the The n-ary operations i Pi and i Pi generalize interleav- notation π ∈ P to mean that P contains the single-event trace ing × and parallel composition ⊗ , respectively. The operations n π. For example, x! ∈ {, x!, x! . y?} but x! 6∈ {, y!, y! . x!}. P and ∗P denote the interleaving of n or arbitrarily many To define the meaning of expressions (and later types) copies of P respectively. compositionally, we present a collection of operations for By convention νx binds as far to the right as possible while defining and composing sets of traces in Figure 1. The constant ×, ∪, π . P , P \ π, ∗ and ¬ bind with decreasing proximity. 1 denotes the singleton set {} containing the empty trace. At So for example, an intuitive level, 1 denotes a computation that does nothing (a no-op), while the empty set ∅ denotes a computation that νx. ∗ π . P × Q ∪ R = νx.(((∗(π . P )) × Q) ∪ R) should never be executed. These operations on tracesets are closely related to the π- The operation ¬π swaps send and receives events, calculus [12], but with the restriction that send events only and negation extends in a pointwise manner to traces and transmit fresh channels (i.e. in the trace y!x . α the channel tracesets. x is bound in α), which yields a simpler semantic structure. The operation π . P prefixes each trace in P with the event Moreover, tracesets are (potentially infinite) sets of traces, π. For example, x! . {y? . z!} = {x! . y? . z!}. Conversely, the rather than finite pieces of syntax with an associated evaluation operation P \ π drops an initial event π from each trace in P , semantics. and drops traces in P that do not start with π; this operation yields the empty set if no trace in P starts with π. Thus, B. The Alternating Trace Containment Relation {z?, x? . y!}\ x? = {y!} As mentioned in the introduction, tracesets are naturally {z?, x? . y!}\ y! = ∅ ordered according to the alternating trace containment relation P Q P Q Note that, by sharing trace prefixes, a traceset P can be viewed @ , which holds provided every send in is also in , and Q P as a "trace tree", in which every edge is labelled with an event, conversely every receive in is also in . More specifically, if P α π π Q and the set of paths from the root to nodes in the tree captures includes a trace . where is a send, then if includes α Q α π the traces in P . From this perspective, P \ π corresponds to then must also include . (and vice versa). This relation P navigating down the π-labelled edge from the root of the trace allows a program component with traceset to be used safely Q tree for P . in a context that expects a traceset . The restriction operation νx.P denotes the traces in P where Furthermore, after sending or receiving matching events, P none of the channels in x appear free. Intuitively, this operation and Q must continue to satisfy this relation. introduces fresh channels and avoids channel collisions. For To facilitate inductive proofs, we first define the indexed example, alternating trace containment relation P @n Q, which holds if n = 0 (the base case), or if n > 0 and: νz.{z!, x!z . z?, y! . z?} = {x!z . z?, y!} 1) For all send events π ∈ P , then π ∈ Q and P \ π @n−1 where traces with free occurrences of z are removed. Q \ π The operation P ∪ Q performs set union on tracesets, and 2) For all receive events π ∈ Q , then π ∈ P and P \π @n−1 Sn Q \ π i=1 Pi abbreviates the n-ary union P1 ∪ · · · ∪ Pn. The operation P × Q denotes the non-deterministic inter- We then define P @ Q to hold if and only if P @n Q holds leaving of traces from P and Q. Thus, for all n. Thus, for example: {z!} × {x? . y!} = {z! . x? . y!, x? . z! . y!, x? . y! . z!} {x? . z?, y?} @ {x?, y?} @ {x?} @ 1 @ {x!} @ {x! . y!} For each event π, P × Q contains traces starting with π and C. The Algebra of Traces followed by traces in (P \ π) × Q or in P × (Q \ π); that is, it pulls the initial event π from either P or Q. Note that if These operations on tracesets enjoy a rich algebraic structure, π 6∈ P (i.e. the single-event trace π does not occur in P ) then as described in Figure 1. In particular, (TraceSet, ∪, ×, ∅, 1) P \ π and P \ π × Q are both ∅, and similarly if π 6∈ Q. and (TraceSet, ∪, ⊗ , ∅, 1) are both commutative semirings. The operation P ⊗ Q generalizes P × Q by also permitting Moreover, the operations ∪ and × are monotonic with regard communication between P and Q, where P may transmit an to @, and so for example if P @ Q then P × R @ Q × R. Unfortunately, monotonicity does not extend to parallel transmits (a copy θy1...n = θy1 ··· θyn of) existing channels y composition. As a counterexample, consider on channel x.

P = 1 def [ Q = {x!} x!!y = x!θy . ∗ ( θy?z . y!!z) R = {x? . y?} y∈y Then, The key property of a copycat is that is exhibits the same behavior on both its sides, since it simply copies events (with P ⊗ R = R @6 Q ⊗ R = {x! . x? . y?, x? . x! . y?, x? . y? . x!, y?} appropriate renaming) from one side to the other. Hence, if P is an appropriate specification for the behavior of one side, as the right side includes the receive event y? that is not on then ¬θP is a corresponding specification for the other side’s the left. Thus, the extra send x! in Q exposes an additional behavior, where θ performs appropriate channel renamings and receive y? in Q ⊗ R that is not in P ⊗ R. the negation operation (¬) changes receives on one side to Instead, we develop a Compositional Reasoning Lemma for sends on the other side, and vice-versa. a parallel composition νx.(P ⊗ Q) that requires specifying One caveat is that since the copycat may buffer events, we the protocol R and the channel x by which P communicates require that the specification P is invariant under buffering, to Q. If P satisfies the specification P 0 × R and Q satisfies the which essentially means it does not matter in what order we specification Q0 × ¬R, then the parallel composition νx.(P ⊗ remove events of the same direction (i.e. sends vs receives). Q) satisfies the interleaved specification P 0 × Q0. We assume More precisely, a traceset P is well-formed if for all events π that P and Q communicate only via the restricted channels x, 1 and π of the same direction, it is the case that P \ π \ π = where R mentions only x but P 0 and Q0 do not mention x. 2 1 2 P \ π2 \ π1 and P \ π1 is also well-formed. Lemma 1 (Compositional Reasoning). Suppose: The abbreviation x!!y satisfies the copycat lemma: for any well-formed specification P over y and any mapping 0 P @ P × R θ from y to fresh channels, the abbreviation x!!y satisfies the 0 Q @ Q × ¬R specification x!θy . (P × ¬θP ). FC(Q0) ∩ x = ∅ FC(P 0) ∩ x = ∅ Lemma 2 (Copycats Preserve Specifications). If P is well- FC(R) ⊆ x formed and FR(P ) = ∅ and FS(P ) ⊆ y then: FS(P ) ∩ FR(Q) ⊆ x x!!y x!θy (P × ¬θP ) FR(P ) ∩ FS(Q) ⊆ x @ . Proof. See the extended tech report [13]. Then: III.TYPE SOUNDNESSFORTHE SIMPLY TYPED LAMBDA 0 0 νx.(P ⊗ Q) @ P × Q CALCULUS Proof. See the extended tech report [13]. Based on the trace calculus properties and lemmas of the previous section, we are now in a position to study trace- As we will see, this lemma plays a critical role in our proofs. based soundness proofs for a range of programming languages, D. Copycat Sends starting with the simply typed λ-calculus. One central choice in our design is that a send event always A. STLC Syntax and Semantics transmits fresh channels. For example, in the trace k?y . x!y, the y in x!y is distinct from the y in k?y. This choice simplifies We summarize the STLC syntax as follows: some parts of our development, but does require that we set e ∈ Expr ::= x | λx. e | e e | unit up a mechanism to copy behavior from an existing channel A, B ∈ Type ::= Top | Unit | A → B to a fresh channel. In particular the copycat send abbreviation E ∈ Env ::= ∅ | E, x : A x!!y sends out a copy of y by: 1) First, sending a fresh channel y0 (the copy of y) along We define the meaning e k of each expression e with respect J K x. to a channel k as the following tracesets: 0 2) Receiving on y some (0, 1, or more) channels z. · : Expr × Chan → Traceset 0 · 3) A fresh copy z of the channels z is then passed along J K def to the original y, where |z0| = |z|. x k = k!!x J K def 4) Any further communication is appropriately copied in λx. e k = k!a . ∗ (a?xh . e h) a, h 6∈ FV(e) the same manner. J K def J K e1 e2 k = νk1.( e1 k1 k1, k2, x1, x2 6∈ FV(e1, e2) J K J K To precisely define how the copycat send works we introduce ⊗ ∗k1?x1 . νk2.( e2 k2 a bijection θ : Chan → Chan that maps a channel to its copy. ⊗ ∗J k2K?x2 . x1!!x2k)) def We can then define the copycat send abbreviation x!!y that unit k = k!a . ∗ (a?x . wrong!) J K The traceset x k simply sends a copy of x to k using a Figure 2: Typing Rules for STLC copycat send. WeJ unifyK variables in programs with channels in traces, and so the terms variable and channel are synonyms. The traceset λx. e k sends to k a fresh channel a, and then J K x : A ∈ E repeatedly receives on a an argument x and calling continuation [T-VAR] h, and then evaluates e sending the result to h. E ` x : A The traceset e1 e2 k evaluates e1 and receives the result along channel kJ1 in xK1, evaluates e2 and receives the result E, x : A ` e : B [T-ABS] in x2, and then sends to x1 the argument-continuation pair E ` λx. e : A → B x2k. (The replicated receives ∗k1?x1 ... and ∗k2?x2 ... permit subexpressions to return multiple times, to facilitate first-class [T-UNIT] continuations in Section V.) E ` unit : Unit We use the expression unit to represent a program “going wrong” if unit is ever applied to a term. The traceset unit k E ` e1 : A → BE ` e2 : A J K [T-APP] sends a channel a to its continuation, but if it ever receives an E ` e e : B event on a it performs a send on the channel wrong, signalling 1 2 that an error occurred. Thus, for example the following program trivially goes wrong.

(unit unit) k = {wrong!} J K We now address the meaning of types and type environments, Note that our traceset meanings for Top and Unit coincide, starting with the meaning A k of a type A with respect to ( Top k = Unit k = ∗k!a), since no operations can be a continuation k, which simplyJ K sends a fresh channel a to k, performedJ K onJ a valueK of either static type. Despite this traceset and then stands ready to receive operations on a according to equivalence, these two types are still distinct and we will treat the type A. them differently when we extend the language with subtyping in section IV. For example, Unit <: Top but not vice-versa. · · : Type × Chan → Traceset J K def Thus, these two types play different useful roles in the type A k = ∗k!a . ¬ a : A system. J K J K Next, we define the meaning of a single-entry environment Finally, the meaning of a type environment with multiple x : A by case analysis on A: bindings is the interleaving of the meanings of each individual J K binding: · : Env → Traceset J K def def x : A → B = ∗x!yk . (¬ y : A × ¬ B k) x1 : A1, ··· , xn : An = x1 : A1 × · · · × xn : An J K def J K J K J K J K J K x : Top = 1 B. STLC Typing and Type Soundness J K def u : Unit = 1 J K If an expression e has type A, then the traceset e k should If the environment contains a function binding x, then code in generate at most those output events permitted byJ KA k, and that environment can repeatedly send argument-continuation should receive at least those input events in A k. Thus,J K ` e : pairs yk to x, after which the code should be ready to receive A must imply a corresponding alternating traceJ K containment (via ¬) B-values on k, and also receive (again via ¬) requests relation e k @ A k on tracesets. on y according to its type A. Note that, since × denotes If e containsJ K J freeK variables with types defined by an arbitrary interleaving, requests on y may be received both environment E, then e can also interact with its environment before and after returns on k. according to the traceset specification E . In this case we J K Our type language includes Top, since there are no opera- have that E ` e : A must imply e k @ A k × E tions on values of this type, an environment binding of type We prove this traceset correspondenceJ K propertyJ K byJ inductionK Top has the no-op trace 1. on the typing derivation E ` e : A. For each typing rule, In addition, to prevent well-typed programs from going we show that if this traceset correspondence holds for the wrong, the type Unit has no operations and thus is the no-op antecedents in the rule then it also holds for the conclusion of trace 1. the rule; in this case we say the rule is admissible. Note that we use the channel wrong only in the meaning of Theorem 3 (Type Soundness). If E ` e : A where each rule terms, not in types. Thus, if e k @ A k, then since wrong in this derivation is admissible, then e k A k × E . does not appear in A k, theJ termK e JisK guaranteed not to go @ J K J K J K J K wrong (i.e. send to the channel wrong) provided it is used in Proof. By induction on the derivation E ` e : A. accordance with its type specification A. Our type soundness theorem in the next section will prove that well-typed terms Figure 2 summarizes the standard STLC typing rules, and behave according to their types and thus do not go wrong. the following lemma verifies that all these rules are admissible. Lemma 3. The STLC typing rules are admissible. By induction L2 @ A k2 × E and by Lemma 2 with P = x2 : A × B Jk weK have:J K Proof. J K J K R2 • Case [T-VAR] where x : A ∈ E and E ` x : A. We show @ ∗k2?x2 . (P × ¬θP ) x k @ A k × E . ∗k ?x . (P × x !θx θk . (¬θP )) J K J K J K @ 2 2 1 2 (Prop 38) x k @ ∗k2?x2 . (P × ∗x1!θx2θk . (¬θP )) = Jk!!Kx (Prop 39) @ k!θx . ( x : A × ¬ θx : A ) (Lem 2) = ∗k2?x2 . ( x2 : A × B k × x1 : A → B ) J K J K J K J K J K @ x : A × k!θx . ¬ θx : A (Prop 38) @ (∗k2?x2 . x2 : A ) × ∗ B k × ∗ x1 : A → B J K J K J K J K J K @ x : A × ∗k!θx . ¬ θx : A (Prop 39) (Prop 38) = Jx : AK × A k J K (def) = (∗k2?x2 . x2 : A ) × B k × x1 : A → B J K J K J K J K J K @ x : A × A k × E \ (x : A) (Prop 40) (Prop 16) = JA k ×K EJ K J K (since x : A ∈ E) = ¬(∗k2!x2 . ¬ x2 : A ) × B k × x1 : A → B J K J K (Prop 14) J K J K J K

= ¬ A k2 × x1 : A → B × B k • Case [T-UNIT] J K J K J K By Lemma 1 νk2.(L2 ⊗ R2) @ x1 : A → B × B k × J K J K unit k = k!a . ∗ (a?x . wrong!) E . So: J K ∗k!a . 1 (Prop 39) J K @ R1 = Unit k (def) ∗k ?x . ( x : A → B × B × E ) J K @ 1 1 1 k @ Unit k × E (Prop 40) (∗k ?x . Jx : A → BK) ×J ∗ KB ×J ∗K E (Prop 38) J K J K @ 1 1 1 k = (∗k1?x1 . Jx1 : A → BK) × BJ kK × EJ K (Prop 16) • Case [T-ABS] where E ` λx. e : A → B via antecedent = ¬(∗k1!x1 J. ¬ x1 : A →KB )J× KB k J× KE (Prop 14) J K J K J K E, x : A ` e : B. We show λx. e k @ A → B k × E . = ¬ A → B k1 × B k × E J K J K J K J K J K J K By induction L1 @ A → B k1 × E so by Lemma 1 λx. e k we have e1 e2 k JB k × KE . J K 0 @ = Jk!a . ∗K(a?xk . e k0 ) J K J K J K 0 J K @ k!a . ∗ (a?xk . ( B k0 × E, x : A )) (*) 0 = k!a . ∗ (a?xk . (JBKk0 × Jx : A ×K E )) This trace-based proof has a fairly “semantic” proof structure 0 J K J K J K @ k!a . ∗ (a?xk . ( B k0 × x : A ) × E ) that mostly focuses on the syntactic representation of behavior, (Prop 38) J K J K J K in contrast to traditional subject reduction proofs, which focus 0 @ k!a . (∗a?xk . ( B k0 × x : A ) × ∗ E ) on the syntactic representation of program state. This trace- (Prop 15) J K J K J K based proof does depend on the various lemmas and properties 0 = k!a . (∗a?xk . ( B k0 × x : A ) × E ) of the trace calculus, but those results are not language-specific (Prop 16) J K J K J K and so can be reused in a variety of soundness proofs. 0 @ k!a . ∗ (a?xk . ( B k0 × x : A )) × E Having developed a type soundness proof for STLC, we (Prop 38) J K J K J K next explore how well this proof supports extensions to the 0 @ ∗k!a . ∗ (a?xk . ( B k0 × x : A )) × E language or type system. (Prop 39) J K J K J K IV. TYPE SOUNDNESSFOR SUBTYPING = A → B k × E (def) J K J K As our first extension, we enrich the type system with subtyping by adding the subsumption rule: The (*) step is justified because by induction e k0 @ B k0 × E, x : A and both prefix and replicationJ K are E ` e : B B <: A [T-SUB] JmonotonicK J (PropertiesK 36 and 21). E ` e : A • Case [T-APP] where E ` e e : B via antecedents E ` 1 2 along with the standard subtyping rules defined in Figure 3. e : A → B and E ` e : A. We begin by letting: 1 2 As mentioned in the introduction, subtyping conservatively approximates the alternating trace containment relation. e1 e2 k = νk1.L1 ⊗ R1 J K Lemma 4 (Subtyping Implies Alternating Trace Containment). L = e 1 1 k1 If A <: B then A B . J K k @ k R1 = ∗k1?x1 . νk2.(L2 ⊗ R2) J K J K Proof. By induction on the subtyping derivation. L2 = e2 k2 J K • [S-REFL] and [S-TRANS] follow from Properties 17 and R2 = ∗k2?x2 . x1!!x2k 18. Figure 3: Subtyping rules type A to its continuation. Thus, the type rule for call/cc is as follows, where the unconstrained type B indicates that the continuation function k never returns.

[S-REFL] A <: A [T-CALL/CC] E ` call/cc : ((A → B) → A) → A A <: B B <: C [S-TRANS] A <: C The semantics for call/cc receives any call/cc invocation a?fh and immediately calls f via f!gh0 passing a function g and a continuation h0. Values x sent to g or h0 are then copycat [S-TOP] A <: Top sent to the original continuation h:

def 0 0 call/cc k = k!a . ∗ (a?fh . f!gh . ( ∗ (g?xk . h!!x) B1 <: A1 A2 <: B2 [S-ARROW] J K 0 A1 → A2 <: B1 → B2 × ∗ (h ?x . h!!x)))

Theorem 5. The rule [T-CALL/CC] is admissible. Proof. By Lemma 2 with P = x : A : J K • Case A <: Top via [S-TOP]. Directly from the definition h!!x of Top. @ h!θx . ( x : A × ¬ θx : A ) J K J K • Case A1 → A2 <: B1 → B2 via [S-ARROW]. @ x : A × h!θx . ¬ θx : A (Prop 38) J K J K From the induction hypothesis we have B1 k @ A1 k @ x : A × ∗h!θx . ¬ θx : A (Prop 39) J K J K J K J K and A2 k @ B2 k. = x : A × A h (*) J K J K J K J K @ x : A × A h × B k0 (Prop 40, **) A1 → A2 k J K J K J K = ∗Jk!x . ¬ x K: A1 → A2 From (**) and Prop 36: = ∗k!x . ∗Jx?ah . ( a : AK × A ) 1 2 h 0 ∗k!x . ∗ x?ah . (Ja : A K × JB K ) ∗g?xk . h!!x @ 1 2 h 0 (IH, 36, 20, 21) J K J K @ ∗g?xk . ( x : A × A h × B k0 ) 0 J K J K J K = ∗k!x . ∗ ¬x!ah . (¬ a : A × ¬ B ) @ ∗g?xk . ( x : A × B k0 ) × ∗ A h (Prop 38) 1 2 h J K J K J K (Prop 14) J K J K = ¬ g : A → B × ∗ A h = ¬Jg : A → BK × AJ hK (Prop 16) @ ∗k!x . ∗ ¬x!ah . (¬ a : B1 × ¬ B2 h) J K J K J K J K (IH, Prop 22) From (*) and Prop 36: = ∗k!x . ¬ x : B1 → B2 0 = B1 → BJ 2 k K ∗h ?x . h!!x J K 0 @ ∗h ?x . ( x : A × A h) 0 J K J K @ ∗h ?x . x : A × ∗ A h (Prop 38) Since subtyping implies alternating trace containment, it is = ¬ A h0 J× ∗ AK h J K straightforward to show that the [T-SUB] rule is admissible and = ¬JAKh0 × AJ hK (Prop 16) thus that STLC with subtyping is still sound. J K J K So we have: Theorem 4. The rule [T-SUB] is admissible. f!gh0 . (∗(g?xk0 . h!!x) × ∗(h0?x . h!!x)) Proof. Suppose E ` e : A via [T-SUB] from E ` e : B and 0 @ f!gh . (¬ g : A → B × A h × A h × ¬ A h0 ) 0 B <:A. By Lemma 4 B k @ A k and by assumption e k @ = f!gh . (¬Jg : A → BK × ¬J AK h0 ×J KA h)) J K (Prop 35) B × E . Thus byJ PropertyK J 20K we get e A J×K E . 0 J K J K J K k k @ k @ f!gh . (¬ g : A → B × ¬ A h0 ) × A h (Prop 38) J K J K J K J K J K 0 J K J K J K @ ∗f!gh . (¬ g : A → B × ¬ A h0 ) × A h (Prop 39) = f :(A → JB) → A ×K A hJ K J K V. TYPE SOUNDNESSFORCALL/CC J K J K We add control-effects to the language in the form of first- Thus: class continuations. call/cc k J K e ::= ... | call/cc @ k!a . ∗ a?fh . ( f :(A → B) → A × A h) J K J K @ ∗k!a . ∗ a?fh . ( f :(A → B) → A × A h) (Prop 39) The operation (call/cc f) calls the function f passing the = ((A → B) → AJ) → A k K J K current continuation k as an argument. The function f may J K @ ((A → B) → A) → A k × E (Prop 40) either return a value of some type A or may call k passing an J K J K argument of type A; in either case call/cc returns a value of VI.TYPE SOUNDNESSFOR REFERENCE CELLS initial value of x. It returns a channel p (of type Ref C) to We next introduce side-effects, in the form of mutable, h, and initializes a traceset Rx, with channels get and set, to dynamically allocated reference cells. record the current value of the reference cell. When p receives a function f1 of type (Unit → C) → (C → Unit) → C, it e ::= ... | ref simply sends get and set to f1. We take an “interface-oriented” view to reference cells, as The following lemma shows that the traceset Rx is approxi- proposed by Reynolds [14], whereby a reference cell of type mated by the types of the exported get and set functions, and Ref C is encoded as a pair of a getter function (of type Unit → of the imported variable x. C) and a setter function (of type C → Unit) for reading and Lemma 5 (Reference Cell Specification). updating the reference cell, respectively. For simplicity, we use a Church-like encoding of pairs so the full type of a reference Rx @ ¬ get : Unit → C, set : C → Unit × x : C cell is: J K J K Proof. Let RHS = ¬ get : Unit → C, set : C → Unit × x : Ref C = Pair (Unit → C)(C → Unit) C . We prove by inductionJ on n that K J = ((Unit → C) → (C → Unit) → C) → C K Rx @n RHS The new primitive operation ref is a function that takes a value of type C and returns a new reference cell of type Ref C: Note that there are no sends in Rx. We have two receive events in RHS to consider:

[T-REF] • get?uk ∈ RHS. We have: E ` ref : C → Ref C Rx \ get?uk = (k!!x × Rx) To help use these interface-oriented reference cells, we intro- 0 0 @ k!x . ( x : C × ¬ x : C ) × Rx (Lem 2) duce the abbreviations: 0 J 0 K J K @ ∗k!x . ¬ x : C × Rx def J K let x = e1 in e2 = (λx. e2) e1 def RHS \ get?uk e1; e2 = (λx. e2) e1 x 6∈ FV(e2) = RHS × u : Unit × C !e def= e (λgs. g unit) k = RHS × ∗Jk!x0 ¬ Kx0 : JC K def . e1 := e2 = e1 (λgs. let t = e2 in s t; t) J K Since, by induction Rx @n−1 RHS we have Rx \ Thus, for example, the following code fragment yields the get?uk RHS \ get?uk. expected behavior: @n−1 • set?yk ∈ RHS. We have: let r = ref x in r := y; Rx \ set?yk = k!u × Ry !r; @ ∗k!u × Ry As a starting point for defining the semantics of ref, we first define a reference cell traceset Rx that can receive and process RHS \ set?yk = RHS × y : C × Unit k J K J K events on the channels get and set. = RHS × y : C × ∗k!u . ¬ u : Unit J K J K Rx = get?uk . (k!!x × Rx) = RHS × y : C × ∗k!u J K ∪ set?yk . (k!u × Ry) Since, by induction Ry @n−1 ¬ get : Unit → C, set : J The event get?uk causes Rx to copycat send x to the C → Unit × y : C we have Rx \ π @n−1 RHS \ π K J K continuation k, and then continue behaving as Rx. The event set?yk causes Rx to send a dummy unit value to k, and continue as Ry so that subsequent get events receive y rather With this lemma we show that the type rule for reference than x. cells is admissible. The traceset of ref then essentially wraps R in the x Theorem 6. The [T-REF] rule is admissible. appropriate interface. Proof. Let P = get : Unit → C × (C → Unit) → C . ref k2 k Then: J K J K def J K = k!a . ∗ (a?xh . h!p . νset, get. f1!!get, k2 (Rx| ∗ p?f1k1 . νk2 . (f1!!get, k2 f1!θget, θk2 . (P × ¬θP ) | ∗ k2?g . g!!set, k1))) @ @ ∗f1!θget, θk2 . (P × ¬θP ) This traceset sends a to the ref continuation and then repeatedly @ f1 : ((Unit → C) → (C → Unit) → C) receives requests a?xh to create a new reference cell with an J K × get : Unit → C × (C → Unit) → C k2 J K J K Let Q = set : C → Unit × C k1 . Then: operations on reference cells execute atomically. The following J K J K proof shows that this language extension with concurrency g!!set, k 1 preserves type soundness. @ g!θset, θk1 . (Q × ¬θQ) @ ∗g!θset, θk1 . (Q × ¬θQ) Theorem 7. The rule [T-FORK] is admissible. @ g :(C → Unit) → C × set : C → Unit × C k1 J K J K J K Proof.

∗k2?g . g!!set, k1 fork k J K @ ∗k2?g . ( set : C → Unit × C k1 = k!a . ∗ a?xh . h!u . x!uh . h?y . 1 J K J K × g :(C → Unit) → C ) @ k!a . ∗ a?xh . h!u . x!uh . (¬ u : Unit × ¬ Unit h) J K J K J K @ ¬ (C → Unit) → C k2 × set : C → Unit × C k1 @ k!a . ∗ a?xh . h!u . x : Unit → Unit J K J K J K J K @ k!a . ∗ a?xh . h!u . ( x : Unit → Unit × ¬ u : Unit ) From this we have: J K J K @ k!a . ∗ a?xh . ( x : Unit → Unit × h!u . ¬ u : Unit ) ∗p?f k . νk .(f !!get, k ) ⊗ (∗k ?g . g!!set, k ) J K J K 1 1 2 1 2 2 1 @ k!a . ∗ a?xh . ( x : Unit → Unit × ∗h!u . ¬ u : Unit ) @ ∗p?f1k1 . ( get : Unit → C × set : C → Unit × C k1 = k!a . ∗ a?xh . (Jx : Unit → UnitK × Unit J) K J K J K J K h × f1 : ((Unit → C) → (C → Unit) → C) ) (Unit → Unit)J → Unit × EK J K J K @ k @ ¬ p : Ref C × get : Unit → C, set : C → Unit J K J K J K J K By Lemma 5, Rx @ get : Unit → C, set : C → Unit × x : C . Thus: J K J VIII.RELATED AND FUTURE WORK K Wright and Felleisen [1] introduced subject reduction as a ref k J K technique for proving soundness of type systems by showing @ k!a . ∗ (a?xh . h!p . ( x : C × ¬ p : Ref C )) (Lem 1) J K J K that evaluation preserves typing: if a program state S is well- @ k!a . ∗ (a?xh.( x : C × h!p . ¬ p : Ref C )) typed ` S and S evaluates to S0 (written S → S0) then k!a . ∗ (a?xh . (J x : CK × Ref JC h)) K @ 0 0 = k!a . a : C → RefJ C K J K S is also well-typed ` S . This proof technique has proven J K highly flexible, in large part due to the global nature of the @ ∗k!a . a : C → Ref C evaluation relation →, which can observe or mutate any part = C →JRef C k K J K of the program state. For example, side-effects and control- @ C → Ref C k × E J K J K effects manipulate the global store and evaluation context, respectively [15], [16], [17]. VII.TYPE SOUNDNESSFOR FORK Before subject reduction, many type soundness proofs were based on denotational semantics [18], [19], [20], [21], Our final language extension adds multiple concurrent [22], typically with different domain equations or different threads, via an operation (fork f) that evaluates the thunk proof techniques. Even when two soundness proofs addressed f in a new thread of control. As we will see, even though con- extensions of a common language, it was not clear whether currency (like side-effects) is a significant language extension, or how different proofs could be merged to yield a proof it requires only local extensions to the language semantics. The for the combined system. By using the semantic framework syntactic extension and corresponding type rule for fork are of rewriting-based operational semantics, subject reduction straightforward: provided a common proof structure that could accommodate a e ::= ... | fork wide range of languages and type systems. This paper takes this work one step further—by formalizing types (A), terms (e), [T-FORK] E ` fork : (Unit → Unit) → Unit and typing judgments (` e : A) all in the common framework of tracesets, the admissibility of each typing rule can now be verified independently. Thus, we adapt the ideas of subject Rather surprisingly, extending the language semantics with reduction to focus on syntactic representations of behavior concurrency is also straightforward: (formalized as tracesets) rather than on syntactic representations def of program states. fork k = k!a . ∗ a?fh . h!u . f!uh . h?y . 1 J K Much prior work has studied the denotational semantics of Here, the channel a (representing the fork value) is immedi- higher-order languages, often with the goal of developing fully ately returned to fork’s continuation. When a later receives a abstract denotational semantics [5], [6], in which observable fork request a?fh, it immediately returns a unit channel u to equivalence implies denotational equivalence. Game semantics the continuation h, but also calls the given thunk f. Thus, the has emerged as an appealing foundation for developing fully two consecutive send events performed by fork are sufficient abstract denotational models. For example, fully abstract to initiate concurrent evaluation. Finally, if f later returns via game semantics have been developed for PCF [7], [8] or for h?y its result is discarded and its thread is terminated. languages with features such as call-by-value [23], general We can use reference cells to implement inter-thread synchro- references [24], and exceptions [25], [26] to name just a nization primitives such as semaphores, since read and write few. Game semantics has also been used as a foundation for language design [27], [28]. Compositional game semantics [12] R. Milner, Communicating and Mobile Systems: The π-Calculus. Cam- also facilitate compositional verification [29]. bridge University Press, 1999. [13] T. Disney and C. Flanagan, “Game Semantics for Type Systems,” As mentioned earlier, our trace calculus notably resembles University of California Santa Cruz, Tech. Rep., May 2015. the π-calculus [30], [31], [32], but with some differences. The [14] J. C. Reynolds, The essence of ALGOL. Cambridge, MA, USA: trace calculus consists of a collection of operators and relations Birkhauser Boston Inc., 1997, pp. 67–88. [15] M. Felleisen and D. P. Friedman, “Control operators, the SECD-machine, over tracesets, with associated axioms, rather than syntactic and the lambda-calculus,” in 3rd Working Conference on the Formal constructors. Moreover, traces support negation since send and Description of Programming Concepts, 1986, pp. 193–219. receive events both bind their argument channels, which allow [16] ——, “A syntactic theory of sequential state,” Indiana University, Bloomington, Indiana, Dept. Technical Report 230, us to express contravariance in types as negation on tracesets. 1987. Nonetheless, this connection deserves further exploration, and [17] M. Felleisen and R. Hieb, “The revised report on the syntactic theories perhaps existing results from the π-calculus could facilitate or of sequential control and state,” Theoretical computer science, vol. 103, no. 2, pp. 235–271, 1992. simplify our type soundness proofs. [18] Milner, R, “A theory of type polymorphism in programming,” J. Comput. A number of type systems have been developed for the Syst. Sci., vol. 17, pp. 348–375, 1978. π-calculus [33], [34], [35], [36]. For our purposes, tracesets [19] L. Damas and R. Milner, “Principal type-schemes for functional programs,” in Proceedings of the 9th ACM SIGPLAN-SIGACT symposium themselves are sufficient both for describing implementations on Principles of programming languages. ACM, 1982, pp. 207–212. (e.g. e k) and also specifications (e.g. A k), and thus we [20] M. Abadi, L. Cardelli, B. Pierce, and G. Plotkin, “Dynamic typing in a have notJ K needed an extra type specificationJ languageK for traces. statically-typed language,” in Symposium on Principles of Programming Languages, 1989, pp. 213–227. In this work we give a semantics for untyped terms (λx. e) [21] L. M. M. Damas, “Type assignment in programming languages,” Ph.D. but a clear topic for future work is to give a traceset semantics dissertation, University of Edinburgh, 1985. for typed terms (λx:A. e) and dependent types (Πx:A. B), and [22] B. Duba, R. Harper, and D. MacQueen, “Typing first-class continuations in ml,” in Proceedings of the 18th ACM SIGPLAN-SIGACT symposium to extend this proof technique to additional language constructs on Principles of programming languages. ACM, 1991, pp. 163–173. (e.g. constants, primitive operations, and data constructors) and [23] S. Abramsky and G. McCusker, “Call-by-value games,” in CSL, 1997, to richer type systems (e.g. with polymorphism, bounded quan- pp. 1–17. [24] S. Abramsky, K. Honda, and G. McCusker, “A fully abstract game tification, dependent types, etc.). Several interesting questions semantics for general references,” in LICS, 1998, pp. 334–344. immediately arise, for example, what is the trace semantic [25] R. Cartwright, P.-L. Curien, and M. Felleisen, “Fully abstract semantics for observably sequential languages,” Inf. Comput., vol. 111, no. 2, pp. meaning ∀X.A k of a polymorphic type? J K 297–401, 1994. Another important direction is the relationship between [26] J. Laird, “A fully abstract game semantics of local exceptions,” in higher-order dynamic contracts [37], [38] (which filter be- in Computer Science, Washington, DC, USA, 2001. [Online]. Available: haviors) and static types (which specify behavior), and perhaps http://portal.acm.org/citation.cfm?id=871816.871866 [27] J. Longley and N. Wolverson, “Eriskay: a based expressing both in the common framework of tracesets could on game semantics,” in Games for Logic and Programming Languages help elucidate this relationship. III Workshop. Citeseer, 2008. Acknowledgments We thank Philippa Gardner, Scott Smith, [28] N. Wolverson, “Game semantics for an object-oriented language,” 2009. [29] S. Abramsky, D. R. Ghica, A. S. Murawski, and C.-H. L. Ong, “Applying DeLesley Hutchins, Philip Wadler, Jeremy Siek, and Martin game semantics to compositional software modeling and verification,” Abadi for helpful conversations on this work in TACAS, 2004, pp. 421–435. [30] R. Milner, “The polyadic π-calculus: A tutorial,” Logic and Algebra of REFERENCES Specification, vol. 94, 1991. [31] B. Pierce, “Foundational calculi for programming languages,” Handbook [1] A. Wright and M. Felleisen, “A syntactic approach to type soundness,” of Computer Science and Engineering, pp. 2190–2207, 1995. Info. Comput., vol. 115, no. 1, pp. 38–94, 1994. [32] R. Milner, J. Parrow, and D. Walker, “A calculus of mobile processes, I,” [2] R. Alur, T. Henzinger, O. Kupferman, and M. Vardi, “Alternating Information and computation, vol. 100, no. 1, pp. 1–40, 1992. refinement relations,” CONCUR’98 Concurrency Theory, pp. 163–178, [33] B. Pierce and D. Sangiorgi, “Typing and subtyping for mobile processes,” 1998. [Online]. Available: http://dx.doi.org/10.1007/BFb0055622 in Logic in Computer Science, 1993. LICS’93., Proceedings of Eighth [3] D. Hutchins, “Pure subtype systems: A for extensible Annual IEEE Symposium on. IEEE, 1993, pp. 376–385. software,” 2009. [34] Y. Deng and D. Sangiorgi, “Towards an algebraic theory of typed mobile [4] ——, “Pure subtype systems,” in Symposium on Principles of Program- processes,” Automata, Languages and Programming, pp. 445–456, 2004. ming Languages, vol. 45, no. 1. ACM, 2010, pp. 287–298. [35] N. Kobayashi, B. Pierce, and D. Turner, “Linearity and the π-calculus,” [5] R. Cartwright and M. Felleisen, “Observable sequentiality and full ACM Transactions on Programming Languages and Systems (TOPLAS), abstraction,” in Proceedings of the 19th ACM SIGPLAN-SIGACT vol. 21, no. 5, pp. 914–947, 1999. symposium on Principles of programming languages. ACM, 1992, [36] J. Laird, “A game semantics of the asynchronous π-calculus,” CONCUR pp. 328–342. 2005–Concurrency Theory, pp. 51–65, 2005. [6] D. Hopkins and C. Ong, “Homer: A higher-order observational equiva- [37] R. B. Findler and M. Felleisen, “Contracts for higher-order functions,” in lence model checker,” in Computer Aided Verification. Springer, 2009, Proceedings of the International Conference on , pp. 654–660. 2002, pp. 48–59. [7] S. Abramsky, R. Jagadeesan, and P. Malacaria, “Full abstraction for PCF,” [38] R. Back and J. Von Wright, “Contracts, games, and refinement,” Information and Computation, vol. 163, pp. 409–470, 1996. Information and Computation, vol. 156, no. 1, pp. 25–45, 2000. [8] J. M. E. Hyland and C.-H. L. Ong, “On full abstraction for PCF: I, II, and III,” Inf. Comput., vol. 163, no. 2, pp. 285–408, 2000. [9] J. Chroboczek, “Game semantics and subtyping,” in Logic in Computer Science, 2000. Proceedings. 15th Annual IEEE Symposium on. IEEE, 2000, pp. 192–203. [10] ——, “Subtyping recursive games,” in Typed Lambda Calculi and Applications. Springer, 2001, pp. 61–75. [11] ——, “Game semantics and subtyping,” Ph.D. dissertation, 2003.