Game semantics for interface middleweight Java

http://wrap.warwick.ac.uk/

Original citation:

Murawski, Andrzej S. and Tzevelekos, Nikos (2014) Game semantics for interface

middleweight Java. ACM SIGPLAN Notices, Volume 49 (Number 1). pp. 517-529.

Permanent WRAP url:

http://wrap.warwick.ac.uk/60292

Copyright and reuse:

The Warwick Research Archive Portal (WRAP) makes this work of researchers of the

University of Warwick available open access under the following conditions. Copyright ©

and all moral rights to the version of the paper presented here belong to the individual

author(s) and/or other copyright owners. To the extent reasonable and practicable the

material made available in WRAP has been checked for eligibility before being made

available.

Copies of full items can be used for personal research or study, educational, or

not-for-profit purposes without prior permission or charge. Provided that the authors, title and

full bibliographic details are credited, a hyperlink and/or URL is given for the original

metadata page and the content is not changed in any way.

Publisher statement:

© Murawski, A. S. and Tzevelekos, N. This is the author’s version of the work. It is

posted here for your personal use. Not for redistribution. The definitive version was

published in ACM SIGPLAN Notices

http://dx.doi.org/10.1145/2535838.2535880

A note on versions:

The version presented here may differ from the published version or, version of record, if

you wish to cite this item you are advised to consult the publisher’s version. Please see

the ‘permanent WRAP url’ above for details on accessing the published version and note

that access may require a subscription.

Game Semantics for Interface Middleweight Java

⇤

Andrzej S. Murawski

DIMAP and Department of Computer Science University of Warwick

Nikos Tzevelekos

School of Electronic Engineering and Computer Science Queen Mary, University of London

Abstract

We consider an object calculus in which open terms interact with the environment through interfaces. The calculus is intended to capture the essence of contextual interactions of Middleweight Java code. Using game semantics, we provide fully abstract models for the induced notions of contextual approximation and equivalence. These are the first denotational models of this kind.

Categories and Subject Descriptors D.3.1 [Formal Definitions and Theory]: Semantics; F.3.2 [Semantics of Programming Lan-guages]: Denotational semantics

General Terms Languages, Theory

Keywords Full Abstraction, Game Semantics, Contextual Equiv-alence, Java

1. Introduction

Denotational semantics is charged with the construction of mathe-matical universes (denotations) that capture program behaviour. It concentrates on compositional, syntax-independent modelling with the aim of illuminating the structure of computation and facilitat-ing reasonfacilitat-ing about programs. Many developments in denotational semantics have been driven by the quest for full abstraction [21]: a model isfully abstractif the interpretations of two programs are the same precisely when the programs behave in the same way (i.e. are contextually equivalent). A faithful correspondence like this opens the path to a broad range of applications, such as compiler opti-misation and program transformation, in which the preservation of semantics is of paramount importance.

Recent years have seengame semanticsemerge as a robust de-notational paradigm [4, 6, 12]. It has been used to construct the first fully abstract models for a wide spectrum of programming lan-guages, previously out of reach of denotational semantics. Game semantics models computation as an exchange of moves between two players, representing respectively the program and its compu-tational environment. Accordingly, a program is interpreted as a

⇤_{Research supported by the Engineering and Physical Sciences Research}

Council (EP/J019577/1) and a Royal Academy of Engineering Research Fellowship (Tzevelekos).

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

POPL’14, January 22–24, 2014, San Diego, CA, USA.

Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-2544-8/14/01. . . $15.00.

http://dx.doi.org/10.1145/http://dx.doi.org/10.1145/2535838.2535880

strategy in a game corresponding to its type. Intuitively, the plays that game semantics generates constitute the observable patterns that a program produces when interacting with its environment, and this is what underlies the full abstraction results. Game semantics is compositional: the strategy corresponding to a compound program phrase is obtained by canonical combinations of those correspond-ing to its sub-phrases. An important advance in game semantics was the development of nominal games [3, 17, 26], which under-pinned full abstraction results for languages with dynamic gener-ative behaviours, such as the⌫-calculus [3], higher-order concur-rency [18] and ML references [24]. A distinctive feature of nominal game models is the presence of names (e.g. memory locations, ref-erences names) in game moves, often along with some abstraction of the store.

The aim of the present paper is to extend the range of the game approach towards real-life programming languages, by fo-cussing on Java-style objects. To that end, we define an impera-tive object calculus, called Interface Middleweight Java (IMJ), in-tended to capture contextual interactions of code written in Mid-dleweight Java (MJ) [9], as specified by interfaces with inheritance. We present both equational (contextual equivalence) and inequa-tional (contextual approximation) full abstraction results for the language. To the best of our knowledge, these are the first deno-tational models of this kind.

Related Work While the operational semantics of Java has been researched extensively [7], there have been relatively few results regarding its denotational semantics. More generally, most existing models of object-oriented languages, such as [8, 15], have been based on global state and consequently could not be fully abstract. On the other hand, contextual equivalence in Java-like lan-guages has been studied successfully using operational approaches such as trace semantics [2, 13, 14] and environmental bisimu-lation [16]. The trace-based approaches are closest to ours and the three papers listed also provide characterizations of contextual equivalence. The main difference is that traces are derived opera-tionally through a carefully designed labelled transition system and, thus, do not admit an immediate compositional description in the style of denotational semantics.

However, similarities between traces and plays in game seman-tics indicate a deeper correspondence between the two areas, which also manifested itself in other cases, e.g. [20] vs [19]. At the time of writing, there is no general methodology for moving smoothly between the two approaches, but we believe that there is scope for unifying the two fields in the not so distant future.

| `x:✓(x:✓)2 | `a:I(a:I)2 | `skip:void | `null:II2dom( ) | `i:int

| `M :int | `M0_:int | `M M0_:int

| , x:✓0_{`M :✓ | `M}0_:✓0 | `letx=M0_inM:✓

| `M :<sub>I | `</sub>M0_:I | `M =M0_:int

| `M:_I0

| `(<sub>I</sub>)M :<sub>I</sub> `II

0 _ `I0I

| `M:int | `M0, M00:✓

| `ifMthenM0_elseM00:✓

| , x:I`M:⇥

| `new(x:_I;_M) :_I (I)Meths=⇥

| `M :I | `M0:✓

| `M.f:=M0:void (I).f=✓

| `M :_I

| `M.f:✓ (I).f=✓

| `M :<sub>I</sub> Vn<sub>i=1</sub>( <sub>| `</sub>Mi:✓i)

| `M.m(M1,· · ·, Mn) :✓

(I).m=~✓!✓

Vn

i=1( | ]{~xi:~✓i}`Mi:✓i)

| `M:⇥

⇥={mi:~✓i!✓i|1in}

M={mi: ~xi.Mi|1in}

Figure 1. Typing rules forIMJterms and method-set implementations

definitions of simple notions, such as well-bracketing, less direct, since the dependencies between moves are not given explicitly any more and need to be inferred from plays. The latter renders strategy composition non-standard. Because it is impossible to determine statically to which arena a move belongs, the switching conditions (cf. [6]) governing interactions become crucial for determining the strategy responsible for each move. Finally, it is worth noting that traditional copycat links are by definition excluded from our set-ting: a call/return move for a given object cannot be copycatted by the other player, as the move has a fixed polarity, determined by the ownership of the object. In fact, identity strategies contain plays of length at most two!

Further Directions In future work, we would like to look for automata-theoretic representations of fragments of our model in order to use them as a foundation for a program verification tool for Java programs. Our aim is to take advantage of the latest devel-opments in automata theory over infinite alphabets [10], and fresh-register automata in particular [23, 27], to account for the nominal features of the model.

2. The language

IMJ

We introduce an imperative object calculus, called Interface Mid-dleweight Java (IMJ), in which objects are typed using interfaces. The calculus is a stripped down version of Middleweight Java (MJ), expressive enough to expose the interactions ofMJ-style objects with the environment.

Definition1. LetInts,Flds andMethsbe sets ofinterface,field andmethodidentifiers. We range over them respectively byI,f,m

and variants. Thetypes✓ofIMJare given below, where~_{✓stands for} a sequence✓1, ...,✓nof types (for anyn). Aninterface definition

⇥is a finite set of typed fields and methods. Aninterface table is a finite assignment of interface definitions to interface identifiers.

Types₃ ✓ ::= void|int| I

IDfns ₃ ⇥ ::= _;|(f:✓),⇥_|(m:~✓_!✓),⇥ ITbls₃ ::= _;|(_I:⇥), _|(_IhIi:⇥),

We writeIhI0_{i:⇥forinterface extension: interfaceIextendsI}0

with fields and methods from⇥. We stipulate that the extension

relation must not lead to circular dependencies. Moreover, each identifierf,mcan appear at most once in each⇥, and eachIcan be defined at most once in (i.e. there is at most one element of of the formI:⇥orIhI0_{i:⇥). Thus, each⇥can be seen as a finite}

partial function⇥: (Flds_[Meths)*Types⇤_{. We write⇥.ffor} ⇥(f)and ⇥.mfor⇥(m). Similarly, defines a partial function

:Ints*IDfnsgiven by

(I) =

8 > < > :

⇥ (_I:⇥)₂ (_I0)_[⇥ (_IhI0_i:⇥)₂

undefined otherwise

An interface table iswell-formedif, for all interface typesI,_I0_: • ifI0_{appears in (I)thenI}0_{2dom( ),}

• if(IhI0_{i:⇥)2 thendom( (I}0_{))\dom(⇥) =;.}

Henceforth we assume that interface tables are well-formed. In-terface extensions yield a subtyping relation. Given a table , we define `✓1✓2by the following rules.

(IhI0_{i:⇥), `II}0

`✓✓

`✓1<sub></sub>✓2 <sub>`</sub>✓2_✓3 `✓1✓3

We might omit from subtyping judgements for economy.

Definition2. LetAbe a countably infinite set ofobject names, which we range over byaand variants.IMJtermsare listed below, where we letxrange over a set ofvariablesVars, andioverZ. Moreover, is selected from some set of binary numeric opera-tions.Mis amethod-set implementation. Again, we stipulate that eachmappear in eachMat most once.

M ::= x|a|skip|null|i|M M |letx=MinM |M =M |ifMthenMelseM |(I)M |new(x:I;M)

|M.f |M.f:=M |M.m(M!)

MImps_{3 M} ::= _;|(m: ~x.M),_M

The terms are typed in contexts comprising an interface table and a variable context = {x1 : ✓1,· · ·, xn : ✓n}[{a1 :

I1,· · ·, am:Im}such that any interface in occurs indom( ). The typing rules are given in Figure 1.

For the operational semantics, we define the sets ofterm values, heap configurationsandstatesby:

TVals₃ v ::= skip|i_|null|a HCnfs3 V ::= ;|(f:v), V

States3 S : A*Ints⇥(HCnfs⇥MImps)

IfS(a) = (_I,(V,_M))then we writeS(a) :_I, whileS(a).fand

(S, i i0) !(S, j),if j=i i0 (S,letx=vinM) !(S, M[v/x]) (S,(I)null) !(S,null)

(S,if0thenMelseM0) !(S, M0) (S,if1thenMelseM0) !(S, M) (S, a=a) !(S,1)

(S,(I)a) !(S, a), ifS(a) :I0 _{^ I}0_{I (S, a=a}0_{) !(S,0),if a6=a}0 _{(S, a.f) !(S, S(a).f)}

(S,new(x:I;M)) !(S]{(a,I,(VI,M[a/x]))}, a) (S, a.m(~v)) !(S, M[~v/~x]), if S(a).m= ~x.M

(S, a.f:=v) _!(S[a_7!(_I,(V[f7!v],_M)],skip),if S(a) = (_I,(V,_M))

(S, E[M]) _!(S0_{, E[M}0_{]),if (S, M) !(S}0_{, M}0₎

Figure 2. Operational semantics ofIMJ.

✓}, wherevvoid=skip,vint= 0andvI =null. The operational

se-mantics ofIMJis given by means of a small-step transition relation between terms-in-state. Terms are evaluated using theevaluation contextsgiven below.

E::= letx= inM _| M _|i _| =M _|a=

|if thenMelseM0 _|(_I) _| .f | .f:=M _|a.f:=

| .m(M!)_|a.m(v1,· · ·, vi, , Mi+2,· · ·, Mn)

The transition relation is presented in Figure 2. Given |; `

M :void, we writeM +if there existsSsuch that(;, M) !⇤

(S,skip).

Definition3. Given | ` Mi:✓(i = 1,2), we shall say that

| ` M1:✓contextually approximates | ` M2:✓ if, for all 0 _{◆ and all contextsCsuch that} 0_{|; `C[M}

i] :void, if

C[M1]+thenC[M2]+. We then write | `M1@<sub>⇠</sub>M2:✓. Two terms arecontextually equivalent(written | ` M1⇠=M2:✓) if they approximate each other.

For technical convenience, IMJ features the let construct, even though it is definable: given | , x:✓0 ` M:✓ and

| ` M0_:✓0_{, consider new(x:I;m: x.M).m(M}0_{), where} Iis a fresh interface with a single methodm:✓ _!✓0_{. As usual,}

we writeM;M0_forletx=MinM0_{, wherexis not free inM}0_.

AlthoughIMJdoes not have explicit local variables, they could easily be introduced by takinglet(x = new(y : _I✓; ))in· · ·,

whereI✓ has a single field of type ✓. In the same manner, one

can define variables and methods that areprivateto objects, and invisible to the environment through interfaces.

Example1 ([16]). Let ={Empty:;,Cell: (get:void!Empty,

set:Empty !void),VarE : (val:Empty),VarI : (val:int)} and consider the terms |; `Mi:Cell(i= 1,2) defined by

M1⌘ letv=new(x:VarE; )in new(x:Cell;M1)

M2⌘ letb=new(x:VarI; )in

letv1 =new(x:VarE; )in

letv2 =new(x:VarE; )in new(x:Cell;M2) with

M1= (get: ().v.val,

set: y.(v.val:=y))

M2= (get: ().if(b.val)then(b.val:= 0;v1.val)

else(b.val:= 1;v2.val),

set: y.(v1.val:=y;v2.val:=y)).

We have |; `M1⇠=M2:Cell. Intuitively, each of the two im-plementations ofCellcorresponds to recording a single value of typeEmpty(usingset) and providing access to it viaget. The dif-ference lies in the way the value is stored: a single private variable is used inM1, while two variables are used inM2. However, in the

latter case the variables always hold the same value, so it does not matter which of the variables is used to return the value.

The game semantics of the two terms will turn out to consist of plays of the shape⇤;_n⌃0_G⇤

0S1G⇤1 · · ·SkG⇤k, where

Gi =

(

calln.get(_⇤)⌃0 _{retn.get(nul)}⌃0 _{i= 0} calln.get(⇤)⌃i _retn.get(n

i)⌃i i >0

Si = calln.set(ni)⌃i retn.set(⇤)⌃i

and⌃i = _{n _7!(Cell,_;)_}[{nj 7!(Empty,;)|0< j i}. Intuitively, the plays describe all possible interactions of a Cell

object. The first two moves⇤;n⌃0 _{correspond to object creation.}

After that, theGisegments represent the environment reading the current content (initially having null value), while theSisegments correspond to updating the content with a reference name provided by the environment. The stores⌃iattached to moves consist of all names that have been introduced during the interaction so far.

It is worth noting that, because IMJ has explicit casting, a context can always guess the actual interface of an object and extract any information we may want to hide through casting.

Example2. Let =_{Empty:_;,PointhEmptyi: (x:int,y:int)_}

and consider the terms |; `Mi:Empty(i= 1,2) defined by:

M1⌘ new(x:Empty; ),

M2⌘ letp=new(x:Point; )in p.x:= 0;p.y:= 1; (Empty)p. In our model they will be interpreted by the strategies 1 =

{✏,_⇤;n{n7!(Empty,;)}_}and

2 = {✏,⇤;n{n7!(Point,{x7!0,y7!1})} respectively. Using e.g. the casting contextC _⌘(Point) ;skip, we can see that |; ` M26@<sub>⇠</sub>M1:Empty. On the other hand, Theorem 20 will imply |; `M1@_⇠M2:Empty.

On the whole,IMJis a compact calculus that strips down Mid-dleweight Java to the essentials needed for interface-based interac-tion. Accordingly, we suppressed the introduction of explicit class hierarchy, as it would remain invisible to the environment anyway and any class-based internal computations can be represented using standard object encodings [1].

At the moment the calculus allows for single inheritance for interfaces only, but extending it to multiple inheritance is not prob-lematic. The following semantic developments only rely on the as-sumption thatmust not give rise to circularities.

3. The game model

them. Hence, all of our definitions preserve name-invariance, i.e. our objects are (strong)nominal sets[11, 26]. Note that we do not need the full power of the theory but mainly the basic notion of name-permutation. For an elementxbelonging to a (nominal) set X we write⌫(x)for its name-support, which is the set of names

occurring inx. Moreover, for anyx, y 2 X, we writex ⇠ yif

there is a permutation⇡such thatx=⇡·y.

We proceed to define a category of games. The objects of our category will bearenas, which are nominal sets carrying specific type information.

Definition4. Anarenais a pairA= (MA,⇠A)where:

•MAis a nominal set ofmoves;

•⇠A:MA!(A*Ints)is a nominaltyping function; such that, for allm2MA,dom(⇠A(m)) =⌫(m).

We start by defining the following basic arenas,

1 = ({⇤},{(⇤,;)}, Z= (Z,{(i,;)}, I= (_A[{nul},_{(nul,_;)_}[{(a, a,_I)_}),

for all interfacesI. Given arenasAandB, we can form the arena

A_⇥Bby:

MA⇥B ={(m, n)2MA⇥MB|a2⌫(m)\⌫(n)

=) ⇠A(m, a)⇠B(n, a)_⇠B(n, a)⇠A(m, a)}

⇠A⇥B((m, n), a) =

(

⇠A(m, a) ifa /₂⌫(n)_{_}⇠A(m, a)_⇠B(n, a) ⇠B(n, a) otherwise

Another important arena is#(I1,· · ·,In), with:

M_#(~_I)={(a1,· · ·, an)2An|ai’s distinct}

⇠_#(~_I)((a1,· · ·, an), ai) =Ii

for alln_2N. In particular,A#0_{= 1.}

For each type✓, we setVal✓to be the set ofsemantic valuesof

type✓, given by:

Valvoid=M1, Valint=MZ, ValI =MI.

For each type sequence~_{✓ =✓1,· · ·,✓n, we setVal~}

✓ =Val✓1⇥ · · ·⇥Val✓n.

We let astore⌃be a type-preserving finite partial function from names to object types and field assignments, that is,⌃ : _A *

Ints_⇥(Flds*Val)such that|⌃_|is finite and

⌃(a) :_I^ (_I).f=✓ =₎ ⌃(a).f=v_^⌃_`v_✓,

where the new notation is explained below. First, assuming⌃(a) = (_I0_{, ), the judgement⌃(a) : I holds iffI = I}0 _{and ⌃(a).f}

stands for (f). Next we define typing rules for values in store contexts:

v2Valvoid ⌃_`v:void

v2Valint ⌃_`v:int

⌃(v) :I_v=nul ⌃_`v:_I

and write⌃_{`</sub>v<sub></sub>✓for⌃<sub>`}v:✓_{_}(⌃_`v:_I0_^I0_✓). We letSto be the set of all stores. We writedom(⌃(a))for the set of allfsuch that⌃(a).fis defined. We letSto0contain all stores⌃such that:

8a₂dom(⌃),f2dom(⌃(a)).⌃(a).f2{⇤,0,nul}

and we call such a⌃adefault store.

Given arenasAandB, plays inABwill consist of sequences of moves (with store) which will be either moves fromMA[MB, or moves representing method calls and returns. Formally, we define:

MAB=MA[MB[Calls[Retns

where we set Calls = _{calla.m(~v)_|a_2A^~v₂Val⇤_} and Retns = {reta.m(v)|a2A^v2Val}.

Definition5. Alegal sequenceinABis a sequence of moves from MAB that adheres to the following grammar (Well-Bracketing), wheremAandmBrange overMAandMBrespectively.

LAB ::= ✏|mAX |mAY mBX

X ::= Y _|Y (calla.m(~v))X

Y ::= ✏|Y Y |(calla.m(~v))Y(reta.m(v))

We writeLAB for the set of legal sequences inAB. In the last clause above, we say thatcalla.m(~v)justifiesreta.m(v).

To eachs 2LABwe assign apolarityfunctionpfrom move occurrences insto the setPol1={O, P}. Polarities represent the two players in our game reading of programs: O is theOpponent and P is theProponentin the game. The latter corresponds to the modelled program, while the former models the possible computa-tional environments surrounding the program. Polarities are com-plemented viaO=_{P_}andP =_{O_}. In addition, the polarity function must satisfy the condition:

• For all mX 2 MX (X = A, B) occurring in s we have

p(mA) =Oandp(mB) =P; (O-starting)

• Ifmnare consecutive moves insthenp(n)₂p(m). ( Alterna-tion)

It follows that there is a uniquepfor each legal sequences, namely

the one which assignsOprecisely to those moves appearing in odd

positions ins.

Amove-with-storein AB is a pairm⌃ _with⌃

2 Sto and

m ₂ MAB. For each sequences of moves-with-store we define the set ofavailable namesofsby:

Av(✏) =;, Av(sm⌃) =⌃⇤(Av(s)[⌫(m))

where, for eachX✓A, we let ⌃⇤(X) =S_i⌃i(X), with

⌃0(X) =X, ⌃i+1(X) =⌫(⌃(⌃i(X))).

That is, a name is available insjust if it appears inside a move in

s, or it can be reached from an available name through some store ins. We writes for the underlying sequence of moves ofs(i.e. ⇡1(s)), and letvdenote the prefix relation between sequences. If

s0_m⌃

vsanda ₂ ⌫(m⌃₎

\⌫(s0_{)then we sayais introduced}

bym⌃_ins.1_{In such a case, we define theownerof the nameain}

s, writteno(a), to bep(m)(wherepis the polarity associated with

s). For each polarityX _2{O, P_}we let

X(s) =_{a₂⌫(s)_|o(a) =X_}

be the set of names insowned byX.

Definition6. Aplayin ABis a sequence of moves-with-stores

such thatsis a legal sequence and, moreover, for alls0_m⌃

vs:

• It holds thatdom(⌃) =Av(s0m⌃_{). (Frugality)}

• Ifa₂dom(⌃)with⌃(a) :_Ithen:

ifm₂MX, forX2{A, B}, thenI⇠X(m, a); for allnT_ins0_{, ifa2dom(T)thenT(a) :I;}

if (_I).m=~✓_!✓then:

ifm=calla.m(~v)then⌃_`~v:✓~0_{for some✓}~0_~_✓,

ifm=reta.m(v)then⌃_`v:✓0_{for some✓}0_✓.

(Well-classing)

1_{By abuse of notation, we frequently write instead “ais introduced bym} ins”. Recall also that⌫(s)collects all names appearing ins; in particular, ⌫(m⌃1

•Ifm=calla.m(~v)theno(a)2p(m). (Well-calling)

We writePABfor the set of plays inAB.

Note above that, because of well-bracketing and alternation, if

m = reta.m(v) then well-calling implieso(a) = p(m). Thus,

the frugality condition stipulates that names cannot appear in a play in unreachable parts of a store (cf. [17]). Moreover, well-classing ensures that the typing information in stores is consistent and adheres to the constraints imposed by and the underlying arenas. Finally, well-calling implements the specification that each player need only call the other player’s methods. This is because calls to each player’s own methods cannot in general be observed and so should not be accounted for in plays.

Given arenas A, B, C, next we define interaction sequences, which show how plays fromABandBCcan interact to produce a play inAC. The sequences will rely on moves with stores, where the moves come from the set:

MABC=MA[MB[MC[Calls[Retns. The moves will be assigned polarities from the set:

Pol2={OL, PL, OLPR, PLOR, OR, PR}.

The indexLstands for “left”, whileRmeans “right”. The indices

indicate which part of the interaction (A, BorC) a move comes

from, and what polarity it has therein. We also consider an auxiliary notion ofpseudo-polarities:

OO=_{OL, OR}, P O={PL, PLOR}, OP ={PR, OLPR}. Each polarity has an opposite pseudo-polarity determined by:

OL=OLPR=P O, OR=PLOR=OP, PL=PR=OO. Finally, eachX 2{AB, BC, AC}has a designated set of polari-ties given by:

p(AB) ={OL, PL, OLPR, PLOR},

p(BC) =_{OR, PR, OLPR, PLOR},

p(AC) =_{OL, PL, OR, PR}.

Note the slight abuse of notation withp, as it is also used for move polarities.

Suppose X _{2 {}AB, BC, AC_}. Consider a sequence s of moves-with-store fromABC (i.e. a sequence with elementsm⌃

withm 2MABC) along with an assignmentpof polarities from

Pol2to moves ofs. Lets Xbe the subsequence ofscontaining those moves-with-storem⌃_{ofsfor whichp(m)}

2 p(X). Addi-tionally, we defines X to be (s X), where the function acts on moves-with-store by restricting the domains of stores to available names:

(✏) =✏, (sm⌃) = (s)m⌃Av(sm⌃).

Definition7. Aninteraction sequenceinABCis a sequencesof moves-with-store inABC such that the following conditions are satisfied.

•For eachs0m⌃

vs, dom(⌃) =Av(s0m⌃_{). (Frugality)}

•Ifs0m⌃vsanda2dom(⌃)with⌃(a) :Ithen: ifm₂MX, forX2{A, B, C}, thenI⇠X(m, a); for allnT_ins0_{, ifa2dom(T)thenT(a) :I;}

if (_I).m=✓~_!✓then:

ifm=calla.m(~v)then⌃_`~v:✓~0_{for some}~_✓0_~_✓,

ifm=reta.m(v)then⌃_`v:✓0_{for some✓}0_✓.

(Well-classing)

•There is a polarity functionpfrom move occurrences insto Pol2such that:

OO

OL OR

P O

PL

H

H

PLOR

,

,_OP

OLPR

l

l

PR

V

V

Figure 3. Interaction diagram forInt(ABC). The diagram spec-ifies the alternation of polarities in interaction sequences. Transi-tions are labelled by move polarities, whileOOis the initial state.

For allmX 2MX(X =A, B, C) occurring inswe have

p(mA) =OL,p(mB) =PLORandp(mC) =PR; Ifmnare consecutive moves insthenp(n)₂p(m). (Alternation)

• Ifs0_m⌃

v sthenm = calla.m(v) implieso(a) ₂ p(m). (Well-calling)

• For eachX2{AB, BC, AC}, s X2LX. (Projecting)

• Ifs0_m⌃

vsandm=reta.m(v)then there is a movenT _in

s0_{such that, for allXsuch thatp(m)2p(X),nis the justifier}

ofmins X. (Well-returning)

• Laird’s conditions[17]:

P(s AB)\P(s BC) =;;

(P(s AB)_[P(s BC))_\O(s AC) =_;;

For eachs0_{vsending inm}⌃_nT_{and eacha}

2dom(T), if

p(m)₂P Oanda /₂⌫(s0 AB), orp(m)₂OPanda /₂⌫(s0 _BC),

orp(m)2OOanda /2⌫(s0 AC),

then⌃(a) =T(a).

We writeInt(ABC)for the set of interaction sequences inABC.

Note that, by projecting and well-returning, each return move in s has a unique justifier. Next we show that the polarities of

moves inside an interaction sequence are uniquely determined by theinteraction diagramof Figure 3. The diagram can be seen as an automaton acceptings, for eachs ₂ Int(ABC). The edges represent moves by their polarities, while the labels of vertices specify the polarity of the next (outgoing) move. For example, from

OOwe can only have a movemwithp(m)_2{OL, OR}, for any

p.

Lemma 1. Eachs₂Int(ABC)has a unique polarity functionp. Proof.Supposes ₂ Int(ABC). We claim that the alternation, well-calling, projecting and well-returning conditions uniquely specifyp. Consider the interaction diagram of Figure 3, which we read as an automaton acceptings, call itA. The edges represent moves by their polarities, while the labels of vertices specify the polarity of the next (outgoing) move. By projecting we obtain that the first element ofsis somemAand, by alternation, its polarity is

OL. Thus,OOis the initial state.

We now use induction on|s|to show thatAhas a unique run on

s. The base case is trivial, so supposes=s0m. By induction

hy-pothesis,Ahas a unique run ons0, which reaches some stateX.

We do a case analysis onm. Ifm₂MA[MB[MCthen there is a unique edge acceptingmand, by alternation, this edge must depart fromX. If, on the other hand,m = calla.m(~v)then the fact thato(a)₂ p(m)gives two possible edges for acceptingm. But observe that no combination of such edges can depart fromX. Finally, letm=reta.m(v)be justified by somenins0_{. Then, by}

the edge acceptingmmust be the opposite of the one acceptingn

(e.g. ifmis accepted byOLthennis accepted byPL).

Next we show that interaction sequences project to plays. The projection of interaction sequences inABConAB,BCandAC

leads to the following definition of projections of polarities, ⇡AB(XL) =X ⇡AB(XLYR) =X ⇡AB(YR) =undef. ⇡BC(XL) =undef. ⇡BC(XLYR) =Y ⇡BC(YR) =Y ⇡AC(XL) =X ⇡AC(XLYR) =undef. ⇡AC(YR) =Y whereX, Y 2{O, P}. We can now show the following.

Lemma 2. Lets₂Int(ABC). Then, for eachX_2{AB, BC, AC_} and eachm⌃_{ins, ifp(m)}

2 p(X)then⇡X(p(m)) = pX(m),

wherepXis the polarity function ofs X.

Proof. We show this forX = AB, the other cases are proven similarly, by induction on |s_| 0; the base case is trivial. For the inductive case, if m is the first move in s with polarity in

p(AB)then, by projecting,m₂ MAand thereforep(m) = OL and pAB(m) = O, as required. Otherwise, let n be the last move inswith polarity inp(AB)beforem. By IH,pAB(n) = ⇡AB(p(n)). Now, by projecting,pAB(m) =pAB(n)and observe that, for allX ₂ p(n),⇡AB(X) = ⇡AB(p(n)), so in particular ⇡AB(p(m)) =⇡AB(p(n)) =pAB(n) =pAB(m).

The following lemma formulates a taxonomy on names appear-ing in interaction sequences.

Lemma 3. Lets2Int(ABC). Then,

1.⌫(s) =O(s AC)_]P(s AB)_]P(s BC); 2. ifs=tm⌃and:

• p(m)₂OOands AC=t0_m⌃0_,

• orp(m)₂P Oands AB=t0_m⌃0_,

• orp(m)2OPands BC=t0m⌃0, then⌫(t)_\⌫(m⌃0₎

✓⌫(t0)and, in particular, ifmintroduces nameaint0m⌃0thenmintroducesains.

Proof. For 1, by definition of interactions we have that these sets are disjoint. It therefore suffices to show the left-to-right inclusion. Suppose that a ₂ ⌫(s) is introduced in some m⌃ _{in s, with}

p(m) ₂ P O, and lets AB = _{· · ·}m⌃0

· · ·. Ifa ₂ ⌫(m⌃0₎

thena 2 P(s AB), as required. Otherwise, by Laird’s last set of conditions,ais copied from the store of the move preceding m⌃_{ins, a contradiction to its being introduced atm}⌃_{. Similarly}

ifp(m) ₂ OP. Finally, ifp(m) ₂ OO then we work similarly, consideringO(s AC).

For 2, we show the first case, and the other cases are similar. It suffices to show that(⌫(m⌃0₎

\⌫(t0_{))\⌫(t) = ;. So suppose} a ₂ ⌫(m⌃0₎

\⌫(t0), therefore a ₂ O(s AC). But then we cannot havea ₂ ⌫(t) as the latter, by item 1, would imply

a₂P(s AB)_[P(s BC).

Proposition 4. For alls₂Int(ABC), the projectionss AB, s BCands ACare plays inAB,BCandACrespectively.

Proof. By frugality ofsand application of , all projections satisfy frugality. Moreover, well-classing is preserved by projections. For well-calling, letm = calla.m(~v)be a move insand letnT be

the move introducing a in s. Supposep(m) ₂ p(AB) and let us assumepAB(m) = O. We need to show thatoAB(m) = P. BypAB(m) = Owe obtain thatp(m) 2 {OL, OLPR}and, by well-calling ofs, we have thato(a) ₂ P O. Thus,p(n) ₂ P O

and, by Lemma 3, n introduces a in s AB and therefore

oAB(n) = P, as required. If, on the other hand,pAB(m) = P then we obtainp(n) 2 OO[OP and therefore, by Lemma 3, a 2 P(s BC)[O(s AC). Thus, by the same lemma,

a /2P(s AB)and henceoAB(a) =O. The cases for the other projections are shown similarly.

In our setting programs will be represented bystrategies be-tween arenas. We shall introduce them next after a few auxiliary definitions. Intuitively, strategies capture the observable computa-tional patterns produced by a program.

Let us define the following notion of subtyping between stores. For⌃,⌃0₂Sto,⌃_⌃0holds if, for all namesa,

⌃0(a) :_I0 =₎ ⌃(a)_I0_^8f2dom(⌃0(a)).⌃(a).f=⌃0(a).f

In particular, ifa is in the domain of⌃0_{,⌃ may contain more}

information aboutabecause of assigning toaa larger interface. Accordingly, for playss, s0_{2PAB, we say thatsis anO-extension}

ofs0_ifsands0 _{agree on their underlying sequences, while their}

stores may differ due to subtyping related to O-names. Where such subtyping leads toshaving stores with more fields than those ins0, P is assumed to copy the values of those fields. Formally,s_O s0 is defined by the rules:

✏_O ✏

s_Os0 ⌃⌃0 ⌃ P(sm⌃)✓⌃0

sm⌃_Os0_m⌃0 p(m)=O

snT Os0 ⌃⌃0 ⌃extends⌃0byT

snT_m⌃_{O s}0_m⌃0 p(m)=P

where⌃extends⌃0_byTif:

• for alla2dom(⌃)\dom(⌃0),⌃(a) =T(a);

• for allaandf2dom(⌃(a))\dom(⌃0(a)),⌃(a).f=T(a).f. The utility of O-extension is to express semantically the fact that the environment of a program may use up-casting to inject in its objects additional fields (and methods) not accessible to the program.

Definition8. Astrategy inABis a non-empty set of even-length

plays fromPABsatisfying the conditions:

• Ifsm⌃_nT

2 thens₂ . (Even-prefix closure)

• Ifsm⌃_{, sn}T

2 thensm⌃

⇠snT_{. (Determinacy)}

• Ifs₂ ands_⇠tthent₂ . (Equivariance)2

• Ifs₂ andt_Osthent2 . (O-extension)

We write :A!Bwhen is a strategy inAB. If :A!B

and⌧ :B!C, we define theircomposition ;⌧by:

;⌧=_{s AC _| s_{2 k}⌧_}

where k⌧ =_{s₂Int(ABC)_|s AB_{2 ^}s BC₂⌧_}.

In definitions of strategies we may often leave the presence of the empty sequence implicit, as the latter is a member of every strategy. For example, for each arenaA, we define the strategy:

idA:A!A={m⌃Am⌃A 2PAA}

The next series of lemmata allow us to show that strategy com-position is well defined.

Lemma 5. Ifsm⌃_{, sn}T

2 k⌧withp(m) ₂/ OOthensm⌃

⇠

snT_{. Hence, ifs}

1m⌃, s2nT 2 k⌧withp(m)2/OOands1⇠s2

thens1m⌃⇠s2nT.

s1m⌃⇠s2nT.

Now, for the former part, suppose WLOG that p(m) 2 P O.

Then, by the interaction diagram, we also havep(n) 2 P O. As sm⌃_{, sn}T _AB

2 , by determinacy of we gets0_m⌃0

⇠s0_nT0_, withs0m⌃0 _=sm⌃ _ABands0_nT0 _=snT _{AB. We} there-fore have(s0, m⌃0) ⇠ (s0, nT) and, trivially,(s, s0) ⇠ (s, s0).

Moreover, by Lemma 3,⌫(m⌃0₎

\⌫(s) _✓ ⌫(s0_)and⌫(nT0₎ \ ⌫(s) _✓ ⌫(s0_{)hence, by Strong Support Lemma [26],sm}⌃0

⇠

snT0_{. By Laird’s last set of conditions, the remaining values of} ⌃, Tare determined by the last store ins, hencesm⌃

⇠snT_.

Lemma 6. Ifs1, s22 k⌧end in moves with polarities inp(AC)

ands1 AC=s2 ACthens1⇠s2.

Proof. By induction on|s1 AC|>0. The base case is encom-passed insi=s0im⌃iwithp(m)2OO,i= 1,2, where note that by IHmwill have the same polarity ins1, s2. Then, by IH we get

s0

1 =⇡·s02, for some⇡. Lets00im⌃

0

=si AC, fori= 1,2, so in particulars00

1 =⇡·s002 and therefore(s01, s001)⇠(s02, s002). More-over, by hypothesis, we trivially have(m⌃0_{, s}00

1)⇠(m⌃

0 , s002)and hence, by Lemma 3 and Strong Support Lemma [26], we obtain

s0

1m⌃

0

⇠s0

2m⌃

0

which impliess1 ⇠ s2 by Laird’s conditions. Suppose nowsi=s0is00im⌃i,i= 1,2, withp(m)2P(AC)\OO and the last move ins0ibeing the last move ins0is00i having polarity inp(AC). By IH,s01 ⇠ s02. Then, by consecutive applications of Lemma 5, we obtains1⇠s2.

Proposition 7. If :A_!Band⌧:B_!Cthen ;⌧ :A_!C. Proof. We show that ;⌧ is a strategy. Even-prefix closure and equivariance are clear. Moreover, since eachs _{2 k}⌧ has even-length projections inABandBC, we can show that its projection inACis even-length too. For O-extension, ifs₂ ;⌧andt_Os withs=u ACandu_{2 k}⌧, we can constructv₂Int(ABC)

such thatt = v AC and v _O u, whereO is defined for interaction sequences in an analogous way as for plays (with conditionp(m) = Oreplaced byp(m) 2 OO, and p(m) =

P by p(m) 2 P O [OP). Moreover, v AB O u

AB and v BC O u BC, sot 2 ;⌧. Finally, for

determinacy, letsm⌃_{, sn}T

2 ;⌧be due tos1s01m⌃

0 , s2s02nT

0

2 k⌧ respectively, wheres1, s2 both end in the last move of s. Then, by Lemma 6, we haves1 ⇠ s2 and thus, by consecutive applications of Lemma 5, we obtain s1s01m⌃

0

⇠ s2s02nT

0 , so

sm⌃

⇠snT_.

The above result shows that strategies are closed under com-position. We can prove that composition is associative and, conse-quently, obtain a category of games.

Proposition 8. For all⇢:A!B, :B!Cand⌧ :C!D,

(⇢; );⌧=⇢; ( ;⌧).

Definition9. Given a class table , we define the categoryG

having arenas as objects and strategies as morphisms. Identity morphisms are given byidA, for each arenaA.

Note that neutrality of identity strategies easily follows from the definitions and, hence,G is well defined. In the sequel, when can be inferred from the context, we shall writeG simply asG. As a final note, for class tables ✓ 0, we can define a functor

/ 0:G !G 0

which acts as the identity map on arenas, and sends each :A!

BofG to:

( / 0)( ) =_{s₂PAB0 |9t2 . sOt}

wherePAB0 refers to plays inG 0. In the other direction, we can define a strategy transformation:

( 0/ )( ) = \PAB

which satisfies 0_{/ ( /} 0_{( )) = .}

4. Soundness

Here we introduce constructions that will allow us to build a model ofIMJ. We begin by defining a special class of strategies. A strategy

:A!Bis calledevaluatedif there is a functionf :MA!

MBsuch that:

={m⌃Am⌃B 2PAB|mB =f (mA)}.

Note that equivariance of implies that, for allmA 2 MA and permutations⇡, it holds that⇡·f (mA) =f (⇡·mA). Thus, in particular,⌫(f (mA))✓⌫(mA).

Recall that, for arenasA and B, we can construct a product arenaA_⇥B. We can also define projection strategies:

⇡1:A⇥B!A={(mA, mB)⌃m⌃A 2P(A⇥B)A} and, analogously,⇡2 :A⇥B !B. Note that the projections are

evaluated. Moreover, for each objectA,

!A={m⌃A⇤⌃ |m⌃A 2PA1} is the unique evaluated strategy of typeA_!1.

Given strategies :A_!Band⌧:A_!C, with⌧evaluated, we define:

h ,⌧_i:A_!B_⇥C=_{m⌃As[(mB, f⌧(mA))/mB]|m⌃As2 } where we writes[m0/mB]for the sequence obtained froms by replacing any occurrences ofmBin it bym0(note that there can be at most one occurrence ofmBins).

The above structure yields products for evaluated strategies.

Lemma 9. Evaluated strategies form a wide subcategory of G which has finite products, given by the above constructions. Moreover, for all :A !Band⌧ :A !Cwith⌧ evaluated, h ,⌧i;⇡1= andh ,⌧i=h ,idAi;h⇡1,⇡2;⌧i.

Using the above result, we can extend pairings to general :

A!Band⌧:A!Cby:

h ,⌧_i = A h ,idAi

!B_⇥A h⇡2;⌧,⇡1i

!C_⇥B ⇠=_!B_⇥C

where ⇠= is the isomorphism h⇡2,⇡1i. The above represents a notion ofleft-pairingof and⌧, where the effects of precede those of⌧. We can also define aleft-tensorbetween strategies:

⇥⌧ = A_⇥B h⇡1; ,⇡2i

!A0_⇥B h⇡1,⇡2;⌧i

!A0_⇥B0

for any :A_!A0and⌧ :B_!B0.

Lemma 10. Let⌧0 _{: A}0 _{! A, : A ! B1,⌧ : A ! B2,}

1:B1⇥B2!C1and 2:B2!C2, with⌧and⌧0evaluated.

Then⌧0;_h ,⌧_i;_h 1,⇡2; 2i=h⌧0;h ,⌧i; 1,⌧0;⌧; 2i.

Proof.The result follows from the simpler statements:

⌧;_h ,idi=_h⌧; ,⌧_i, _h ,idi;_h 0,⇡2_i=_hh ;idi; 0,idi,

for all appropriately typed , 0_{,⌧, with⌧evaluated, and Lemma 9.}

An immediate consequence of the above is:

A h ;⌧_!i B1⇥B2 1⇥!2 C1⇥C2 = A h

; 1,⌧; 2i

We also introduce the following weak notion of coproduct. Given strategies ,⌧ :A!B, we define:

[ ,⌧] :_Z⇥A_!B=_{(1, mA)⌃s|m⌃As2 }

[{(0, mA)⌃s|m⌃As2⌧} Settingˆ_{i : 1 ! Z = {⇤i}, for eachi 2 Z, we can show the}

following.

Lemma 11. For all strategies 0_:A0_{!Aand ,⌧ :A!B,} •h!; ˆ0,idi; [ ,⌧] =⌧andh!; ˆ1,idi; [ ,⌧] = ;

•if 0_{is evaluated then(idZ⇥} 0_{); [ ,⌧] = [} 0_{; ,} 0_;⌧].

Method definitions inIMJinduce a form of exponentiation:

Vn

i=1( | ]{~xi:~✓i}`Mi:✓i)

| `M:⇥

⇥={mi:✓~i!✓i|1in}

^M={mi: ~xi.Mi|1in}

the modelling of which requires some extra semantic machinery. Traditionally, in call-by-value game models, exponentiation leads to ‘effectless’ strategies, corresponding to higher-order value terms. In our case, higher-order values are methods, manifesting them-selves via the objects they may inhabit. Hence, exponentiation nec-essarily passes through generation of fresh object names containing these values. These considerations give rise to two classes of strate-gies introduced below.

We say that an even-length plays₂PABistotalif it is either empty ors=m⌃

Am⌃B]Ts0and:

•T ₂Sto0and⌫(mB)\⌫(⌃)✓⌫(mA),

•ifs0=s00m⌃0nT0anda2dom(⌃)\⌫( (m⌃0

A m

⌃0]T

B s0)), for ⌃0₂Sto0, thena /2⌫(n)andT0(a) =⌃0(a).

We writePt

ABfor the set of total plays inAB. Thus, in total plays, the initial movemAis immediately followed by a movemB, and the initial store⌃isinvisibleto P in the sense that P cannot use its names nor their values. A strategy :A_!Bis called single-threadedif it consists of total plays and satisfies the conditions:3

•for allm⌃

A 2PABthere ism⌃AmTB2 ;

•ifm⌃

Am⌃B]Ts2 then (m⌃A0m

⌃0]T

B s)2 , for⌃02Sto0;

•ifm⌃

Am⌃B]Tscalla.m(~v)⌃

0

s0₂ anda₂⌫(T)thens=✏.

Thus, single-threaded strategies reply to every initial move m⌃

A with a movemTBwhich depends only onmA(i.e. P does notread before playing). Moreover,mT

Bdoes not change the values of⌃(P does notwrite) and may introduce some fresh objects, albeit with default values. Finally, plays of single-threaded strategies consist of just onethread, where a thread is a total play in which there can be at most one call to names introduced by its second move.

Conversely, given a total play starting withm⌃

Am⌃B]T, we can extract its threads by tracing back for each move insthe method call of the objecta₂⌫(T)it is related to. Formally, for each total plays = m⌃

Am⌃B]Ts0 with|s0| > 0, thethreader move ofs, writtenthrr(s), is given by induction:

•thrr(s0m⌃0_{) =thrr(s}0_{), ifp(m) =P;}

•thrr(s0_calla.m(~v)⌃0_{) =}

calla.m(~v)⌃0, ifa₂⌫(T);

•thrr(s0nT0s00calla.m(~v)⌃0) =thrr(s0nT0), ifa2P(s)\⌫(T)

andnintroducesa.

•thrr(s0nTs000m⌃0) =thrr(s0nT0), ifp(m) =Oandnjustifiesm.

3_{Note that the use of the term “thread” here is internal to game semantics} parlance and in particular should not be confused with Java threads.

Ifs = s0nT0s00with|s0| 2, we setthrr(nT0) = thrr(s0nT0).

Then, thecurrent threadofsis the subsequence ofscontaining only moves with the same threader move ass, that is, ifthrr(s) =

m⌃0_ands=m⌃

Am⌃B]Ts0then

ds_e=m⌃AmB⌃]T(s0 m⌃

0

)

where the restriction retains only those movesnT0 ofs0such that

thrr(nT0) =m⌃0. We extend this to the case of|s|2by setting dse=s. Finally, we call a total plays2PABthread-independent if for alls0m⌃0veven_swith

|s0|>2:

• if (_ds0m⌃0

e) =s00m⌃00_then⌫(⌃00_)\⌫(s0_)✓⌫(s00_); • ifs0ends in somenT0_anda

2dom(⌃0)_\⌫( (_ds0m⌃0

e))then ⌃0(a) =T0(a).

We writePABti for the set of thread-independent plays inAB. We can now define strategies which occur as interleavings of single-threaded ones. Let :A_!Bbe a single-threaded strategy. We define: †_={s2Pti

AB|8s0vevens. (ds0e)2 }.

Lemma 12. †_{is a strategy, for each single-threaded .}

Proof.Equivariance, Even-prefix closure and O-extension fol-low from the corresponding conditions on . For determinacy, ifsm⌃_{, sn}T

2 † _{with|s| > 0then, using determinacy of}

and the fact that P-moves do not change the current thread, nor do they modify or use names from other threads, we can show that

sm⌃_⇠snT_.

We say that a strategy isthread-independentif = ⌧†for some single-threaded strategy⌧. Thus, thread-independent strate-gies do not depend on initial stores and behave in each of their threads in an independent manner. Note in particular that evaluated strategies are thread-independent (and single-threaded).

Lemma 13. Let :A!Band⌧ :A!Cbe strategies with⌧

thread-independent. Then,h ,⌧_i;⇡1= and:

h ,⌧_i = A h⌧,_!i C_⇥B ⇠=_!B_⇥C .

Proof.The former claim is straightforward. For the latter, we ob-serve that the initial effects of and⌧ commute: on initial move

m⌃

A, ⌧ does not read the store updates that includes in its re-sponsem⌃B0, while cannot access the names created by⌧ in its second movem⌃0]T

C .

It is worth noting that the above lemma does not suffice for ob-taining categorical products. Allowing thread-independent strate-gies to create fresh names in their second move breaks universality of pairings. Considering, for example, the strategy:

: 1_!I⇥I=_{⇤(a, a)⌃₂P1(I⇥I)|⌃2Sto0}

we can see that 6=_h ;⇡1, ;⇡2_i, as the right-hand-side contains plays of the form⇤(a, b)T_witha

6

=b.

We can now define an appropriate notion of exponential for our games. Let us assume a translation assigning an arenaJ~✓Kto each type sequence~_{✓. Moreover, letIbe an interface such that}

(I) Meths={m1:~✓1!✓1,· · ·,mn:~✓n!✓n}

where~_{✓i = ✓i1,· · ·,✓im}

i, for eachi. For any arenaA, given

single-threaded strategies 1,· · ·, n:A!Isuch that, for each

i, ifm⌃

Aa⌃]Ts2 ithen

we can group them into one single-threaded strategy:

hh 1, . . . , nii:A!I=

[n i=1 i. Note that theaabove is fresh for eachm⌃

A (i.e.a /2⌫(m⌃A)). Let now 1,· · ·, nbe strategies with i :A⇥J✓iK~ !J✓iK. For eachi, we define the single-threaded strategy⇤( i) :A!I:

⇤( i) ={m⌃Aa⌃]Tcalla.mi(~v)⌃

0

s₂PAtI| ((mA,~v)⌃

0 s)₂ i}

[{m⌃Aa⌃]Tcalla.mi(~v)⌃

0

sreta.mi(v)T

0

s0₂PAtI|

((mA,~v)⌃

0

s vT0s0)₂ i}[{m⌃Aa⌃]T2PAtI}

wherea /₂ ⌫(⌃,~v, v, s, s0_,⌃0_{, T}0_{)andT(a) : I. By definition,} ⇤( i)is single-threaded. Therefore, setting

⇤( 1, . . . , n) =hh⇤( 1), . . . ,⇤( n)ii†:A!I, we obtain a thread-independent strategy implementing a simultane-ous currying of 1,· · ·, n. In particular, given translationsJMiK for each method in a method-set implementationM, we can con-struct:

JMK:J K!I=⇤(JM1K,_{· · ·},JMnK).

Finally, we defineevaluation strategiesevmi:I⇥J~✓iK!J✓iKby

(taking even-length prefixes of):

evmi={(a,~v)

⌃

calla.mi(~v)⌃reta.mi(v)TvT2PAi|⌃(a)I}

whereAi= (I⇥J✓i~K)J✓iK. We can now show the following natural mapping from groups of strategies inA⇥J✓iK~ !J✓iKto thread-independent ones inA!I.

Lemma 14. Let 1,· · ·, nbe as above, and let⌧ :A0 !Abe

evaluated. Then,

•⇤( 1, . . . , n)⇥id;evmi= i,

•⌧;⇤( 1, . . . , n) =⇤((⌧⇥id); 1, . . . ,(⌧⇥id); n).

Apart from dealing with exponentials, in order to complete our translation we need also to address the appearance ofx:Iin the rule4

, x:I, `M:⇥

, `new(x:I;M) :I (I)Meths=⇥.

Recall that

JMK:J K⇥I!I (1)

is obtained using exponentiation. Thus, the second move ofJMK will appear in the right-hand-sideIabove and will be a fresh name

bwhich will serve as a handle to the methods ofM: in order to invokem : ~x.M on input~v, the Opponent would have to call

b.m(~v). The remaining challenge is to merge the two occurrences ofIin (1). We achieve this as follows. Let us assume a well-formed extension 0_{of :}

0_{= (I}0_{: (f}0_:I)),

that is,I0contains a single fieldf0of typeI. We next define the strategy_I: 1_!I0_⇥IofG 0:

I={⇤(a0, a)⌃0calla.m(~v)⌃callb.m(~v)⌃retb.m(v)Treta.m(v)T}†

wherem 2 dom( (I)),b = ⌃(a0).f0, and⌃0 2 Sto0 is such that⌃0(a) :Iand⌃0(a0) :I0_{. We letJnew(x:I;M)Kbe the}

strategy:5

J K hid,!;Ii;⇠=

!I0⇥J K⇥I id⇥hJMK,⇡2i

!I0⇥I⇥I (asnf0⇥id);⇡2

!I

4_{Note thatxmay appear free inM; it stands for the keywordthisof Java.} 5_{Here we omit wrappingJMKinside /} 0_{, as well as wrapping the whole}

Jnew(x:I;M)Kin 0_{/ , for conciseness.}

andasnfis the assignment strategy:

asnf:I⇥J✓K!1 ={(a, v)⌃⇤⌃[a.f7!v]2P(I⇥J✓K)1}, for each fieldf. Thus, object creation involves creating a pair of names(a0, a)witha :_Ianda0 :_I0, whereais the name of the object we want to return. The namea0serves as a store where the

handle of the method implementations, that is, the name created by the second move of JMK, will be passed. The strategy I,

upon receiving a requestcalla.m(~v)⌃, simply forwards it to the respective method of a0_.f0 _{and, once it receives a return value,}

copies it back as the return value of the original call. Let#(~_I) : !_{I !} #(!_I) = _{~a⌃_~a⌃

|ais distinct}, for each sequence of interfaces!I. The latter has a right inverse#(~_I) r_: #(!I)!!I with the same plays. We can now define the semantic translation of terms.

Definition10. The semantic translation is given as follows.

• Contexts =_{x1:✓1,· · ·, xn:✓n}[{a1 :I1,· · ·, am:Im} are translated into arenas by

J K=J✓1K⇥· · ·⇥J✓nK⇥#(I1,· · ·,Im), whereJvoidK= 1,JintK=_ZandJIK=_I.

• Terms are translated as in Figure 4 (top part).

In order to prove that the semantics is sound, we will also need to interpret terms inside state contexts. Let ` M : ✓, with = 1[ 2, where 1contains only variables anddom( 2) =

dom(S). A term-in-state-context(S, M)is translated into the

strat-egy:

J 1`(S, M)K=J 1K J SK

!J 1K⇥!I id⇥#(~I!) J K JM!K J✓K.

The semantic translation of states (Figure 4, lower part), comprises two stages:

J 1`SK=J 1K J SK1

!J 1K⇥!I J SK2

!J 1K⇥!I. The first stage,JSK1, creates the objects indom(S)and implements their methods. The second stage of the translation,JSK2, initialises the fields of the newly created objects.

In the rest of this section we show soundness of the seman-tics. Let us call NEW, FIELDUP, FIELDACand METHODCL re-spectively the transition rules in Figure 2 which involve state. Given a ruler, we write(S, M) r! (S0, M0) if the transition (S, M) _!(S0_{, M}0_{)involves applyingrand context rules.}

Proposition 15 (Correctness). Let (S, M) be a term-in-state-context and suppose(S, M) r_!(S0_{, M}0_).

1. If the transitionris not stateful thenJMK=JM0K.

2. Ifris one ofFIELDACorFIELDUPthenJSK2; (id⇥#(~I));JMK= JS0K2; (id⇥#(~I));JM0K.

3. Ifris one ofMETHODCLorNEWthenJ(S, M)K=J(S0_{, M}0_)K. Thus, in every case,J(S, M)K=J(S0, M0)K.

Proof.Claim 1 is proved by using the naturality results of this section. For thelet construct, we show by induction onM that

JM[v/x]K=hid,JvKi;JMK. For 2 we use the following properties of field assignment and access:

hasnf,⇡1i;⇡2;drff=hasnf,⇡2i;⇡2:I⇥J✓K!J✓K

•J `xi:✓iK=J K

⇡i

!J✓iK; • J `ai:IiK=J K

⇡n+1

!#(!_I) #(~I)

r

!!I ⇡i

!Ii;

•J `skip:voidK=J K!! 1; • J `null:_IK=J K !; ˆnul!I, where_nulˆ : 1_!I=_{⇤nul};

•J `i:intK=J K !;ˆ!i Z; • J `letx=M0_{inM:✓K=J K} hid,JM0K_!i _{J K⇥J✓}0_K JM_!K _J✓K;

•J `(_I)M :_IK=J K JM!K I0 stpI0I

!I, wherestp_I0_I:I0!I={nul nul}[{a⌃a⌃2PI0_I|⌃(a)I};

•J `M M0_{:intK=J K} hJMK,JM0K_!i _{Z⇥Z !Z, where :Z⇥Z!Z={(i, j) (i j)};}

•J `M=M0_{:intK=J K} hJMK,JM0K_!i _I⇥I eq

!Z, whereeq=_{(a, a)⌃₁⌃

2P(I⇥I)Z}[{(a, b)⌃0⌃2P(I⇥I)Z|a6=b};

•J `ifMthenM0_elseM00_{:✓K=J K} hJMK,id_!i _{Z⇥J K} [JM0K,JM00K_!] _J✓K;

•J `new(x:_I;_M) :_IK=J K hid,!;Ii;⇠=

!I0_{⇥J K⇥I} id⇥hJMK,⇡2i

!I0_⇥I⇥I asnf0⇥id

!1_⇥I ⇡2

!I, whereJMK=J K⇥I ⇤(JM1K,...,JMnK)

!IifM=_{m1: ~x1.M1,· · ·,mn: ~xn.Mn};

•J `M.f:=M0:voidK=J K hJMK,JM0K!i I⇥J✓K asnf

!1;

•J `M.f:✓K=J K JM!K I drff

!J✓K, wheredrff:I!J✓K={a⌃v⌃2PIJ✓K|⌃(a).f=v};

•J `M.m(M!) :✓_K=_{J K} hJMK,JM!K_!i _I⇥J~✓_K evm

!J✓_K, whereJM!_K=_hhhJM1K,JM2Ki,· · ·i,JMnKi.

•J 1`SK=J 1K h

id,!_Ii

!J 1K⇥(_I0_⇥!_I) ⇠=

!!I0_{⇥(J 1K⇥}!_I) id⇥h⇡2;JM!K,idi

!!I0_⇥!_{I⇥(J 1K⇥}!_I) ⇠=⇥id

!(_I0_⇥!_{I)⇥(J 1K⇥}!_I)

(asn!_f0⇥id);⇡2

!J 1K⇥!I h

id,h!id,J!VKii

!(J 1K⇥!I)_⇥!!_{I ⇥}J!!✓K id⇥⇠=

!(J 1K⇥!I)⇥

! !

(_I⇥J✓K) (id⇥ !asnf);⇡1

!J 1K⇥!I,

wheredom(S) =_{a1,· · ·, an},!I=hI1,· · ·,Ini,S(ai) :Ii,

!

I0 _=I0

1⇥· · ·⇥In0,!I =I1⇥· · ·⇥In,M!= (M1,· · ·,Mn),

Mi=S(ai) MImps,JM!K=hJM1K,· · ·,JMnKi,asnf0=asnf0

1⇥· · ·⇥asnfn0,

!_{V = (V}

1,· · ·, Vn),Vi=S(ai) HCnfs,J!VK= hJV1K,· · ·,JVnKi,Vi= (fi1:v1i,· · ·,fini:v

ni

i ),JViK=hJvi1K,· · ·,JvniiKi,asn!f=asnfi⇥· · ·⇥asnfn,asnfi =asnf1

i⇥· · ·⇥asnfini.

Figure 4. The semantic translation ofIMJ.

two assignments in a row have the same effect as just the last one). The final claim follows by showing that the diagrams below commute (we writeAforJ K⇥!I),

!

I0_⇥A⇥J~_✓K id⇥JM!K⇥id_//

id⇥hJM!K,JMiKi⇥id

✏

✏

!

I0_⇥!_I⇥J~_✓Kh⇠=,⇡2;⇡ii⇥id

/

/(_I0_⇥!_I)⇥Ii⇥J~_✓K

(asn!_f0⇥evm);⇡2

✏

✏

!

I0⇥!I⇥Ii⇥J~✓K

⇠

=⇥id

/

/(_I0_⇥!_I)_⇥Ii⇥J~✓K

(asn!_f0⇥evm);⇡2

/

/J✓K

J 1K

✏

✏

!

I0_⇥A⇥Aid⇥h⇡2;⇡i, 0i

/

/

id⇥ 0

✏

✏

!

I0_{⇥A⇥Ii⇥J}~_✓Kid⇥JM!K⇥id_//!_I0_⇥!_I⇥Ii⇥J~_✓K

⇠

=⇥id

✏

✏

!

I0_⇥A⇥J✓~_K

id⇥JM!K⇥id

✏

✏

!

(I0_{⇥I)⇥Ii⇥J}~_✓K

(asn!_f0⇥evm);⇡2

✏

✏

!

I0⇥!I⇥J~_✓Kh⇠=,⇡2;⇡ii⇥id

/

/(_I0_⇥!_I)_⇥Ii⇥J~✓K

(asn!_f0⇥evm);⇡2

/

/J✓K where 0_:A!J✓~_{Ka combination of values and assignments, and}

=J 1K hid,!Ii

!J 1K⇥!I0⇥!I (⇥id⇥);⇠=!!I0⇥A_⇥A

with =_hid,idi. The former diagram says that, assigning method implementationsM!to object stores~a0 _{and callingMion some}

methodmis the same as assigningM!to~a0_{and evaluating instead}

a new copy ofMi onm. The reason the diagram commutes is that the copy ofMi differs from the original just in the handle name (the one returned in the codomain ofJMiK), but the latter is hidden via composition withevm. The latter diagram stipulates that if we create~awith methodsM!, then callingai onmis the same as callingMionm. The latter holds because of the way that Iimanipulates calls inside the interaction, by delegating calls to

methods ofaitoMi.

Proposition 16(Computational Soundness). For all `M:void, ifM ₊thenJMK=_{{⇤ ⇤}}(i.e.JMK=JskipK).

Proof.This directly follows from Correctness.

Proposition 17(Computational Adequacy). For all ` M:void, ifJMK={⇤ ⇤}thenM+.

Proof.Suppose, for the sake of contradiction, thatJMK =_{{⇤ ⇤}}

and M 6+. We notice that, by definition of the translation for blocking constructs (castings and conditionals may block) and due to Correctness, ifM 6+ were due to some reduction step being blocked then the semantics would also block. Thus,M 6+ must be due to divergence. Now, the reduction relation restricted to all rules but METHODCLis strongly normalising, as each transition

decreases the size of the term. Hence, ifM diverges then it must involve infinitely many METHODCLreductions and our argument

below shows that the latter would implyJMK=_{✏_}.