
Logical Methods in Computer Science. Submitted Sep. 27, 2021; published Apr. 24, 2025.

A robust graph-based approach to observational equivalence

Dan R. Ghica [a] (ORCID 0000-0002-4003-8893), Koko Muroya [b] (ORCID 0000-0003-0454-6900) and Todd Waugh Ambridge [a]

[a] University of Birmingham, UK; d.r.ghica@cs.bham.ac.uk, t.waughambridge@bham.ac.uk
[b] National Institute of Informatics, Japan; kmuroya@nii.ac.jp
Abstract.

We propose a new step-wise approach to proving observational equivalence, and in particular reasoning about fragility of observational equivalence. Our approach is based on what we call local reasoning. The local reasoning exploits the graphical concept of neighbourhood, and it extracts a new, formal, concept of robustness as a key sufficient condition of observational equivalence. Moreover, our proof methodology is capable of proving a generalised notion of observational equivalence. The generalised notion can be quantified over syntactically restricted contexts instead of all contexts, and also quantitatively constrained in terms of the number of reduction steps. The operational machinery we use is given by a hypergraph-rewriting abstract machine inspired by Girard’s Geometry of Interaction. The behaviour of language features, including function abstraction and application, is provided by hypergraph-rewriting rules. We demonstrate our proof methodology using the call-by-value lambda-calculus equipped with (higher-order) state.

1. Introduction

1.1. Context and motivation

Observational equivalence [MJ69] is an old and central question in the study of programming languages. Two executable programs are observationally equivalent when they have the same behaviour. Observational equivalence between two program fragments (aka. terms) is the smallest congruence with respect to arbitrary program contexts. By formally establishing observational equivalence, one can justify compiler optimisation, and verify and validate programs.

There are two mathematical challenges in proving observational equivalence. Firstly, universal quantification over contexts is unwieldy. This has led to various indirect approaches to observational semantics. As an extremal case, denotational semantics provides a model-theoretic route to observational equivalence. There are also hybrid approaches that employ both denotational and operational techniques, such as Kripke logical relations [Sta85] and trace semantics [JR05]. Moreover, an operational and coinductive approach exists, under the name of applicative bisimilarity [Abr90].

The second challenge is fragility of observational equivalence. The richer a programming language is, the more discriminating power program contexts have and hence the fewer observational equivalences hold in the language. For example, the beta-law $(\lambda x.t)\ v \simeq t[v/x]$ is regarded as the fundamental observational equivalence in functional programming. However, it can be violated in the presence of a memory inspection feature like the one provided by the OCaml garbage-collection (Gc) module. A function that returns the size of a given program enables contexts to distinguish $(\lambda x.0)\ 100$ from $0$, for example (see a concrete example written in OCaml on the online platform Try It Online: https://bit.ly/3TqnGOW).

The fragility of observational equivalence extends to its proof methodologies. There have been studies of the impact that language features have on semantics and hence on proof methodologies for observational equivalence. The development of game semantics made it possible to give combinatorial, syntax-independent and orthogonal characterisations for classes of features such as state and control, e.g. the so-called “Abramsky cube” [Abr97, Ghi23], or to replace the syntactic notion of context by an abstracted adversary [GT12]. A classification [DNB12] and characterisation [DNRB10] of language features and their impact on reasoning has also been undertaken using logical relations. Applicative bisimilarity has been enriched to handle effects such as algebraic effects, local state, names and continuations [SKS07, KLS11, DGL17, SV18].

1.2. Overview and contribution

What is missing and desirable seems a general semantical framework with which one can directly analyse fragility, or robustness, of observational equivalences. To this end, we introduce a graphical abstract machine that implements focussed hypernet rewriting. We then propose a radically new approach to proving observational equivalence that is based on step-wise and local reasoning and centred around a concept of robustness. All these concepts will be rigorously defined in the paper.

The main contribution of the paper is rather conceptual, showing how the graphical concept of neighbourhood can be exploited to reason about observational equivalence, in a new and advantageous way. The technical development of the paper might seem quite elaborate, but this is because we construct a whole new methodology from scratch: namely, focussed hypernet rewriting and reasoning principles for it. These reasoning principles enable us to analyse fragility, or robustness, of observational equivalences in a formal way.

We introduce and use hypernets to represent (functional) programs with effects. Hypernets are an anonymised version of abstract syntax trees, where variables are simply represented as connections. Formally, hypernets are given by hierarchical hypergraphs. Hierarchy allows a hypergraph to be an edge label recursively. An extensive introduction to hypernets and rewriting of them can be found in the literature [GZ23].

Given a hypernet that represents a term, its evaluation is modelled by step-by-step traversal and update of the hypernet. Traversal steps implement depth-first search on the hypernet for a redex, and each update step triggers application of a rewrite rule to the hypernet. Traversal and update are interwoven strategically using a focus that is simply a dedicated edge passed around the hypernet. Importantly, updates are always triggered by a certain focus, and designed to only happen around the focus. We call this model of evaluation focussed hypernet rewriting.

There are mainly two differences compared with conventional reduction semantics. The first difference is the use of hypernets instead of terms. This makes renaming of variables irrelevant. The second difference is the use of the focus instead of evaluation contexts. In conventional reduction semantics, redexes are identified using evaluation contexts. Whenever the focus triggers an update of a hypernet, its position in the hypernet coincides with where the hole is in an evaluation context.

A new step-wise approach.

This work takes a new coinductive, step-wise, approach to proving observational equivalence. We introduce a novel variant of the weak simulation dubbed counting simulation. We demonstrate that, to prove observational equivalence, it suffices to construct a counting simulation that is closed under contexts by definition. This approach is opposite to the known coinductive approach which uses applicative bisimilarity; one first constructs an applicative bisimulation and then proves that it is a congruence, typically using Howe’s method [How96].

Local reasoning.

In combination with our new step-wise approach, focussed hypernet rewriting facilitates what we call local reasoning. Our key observation is that, to obtain the counting simulation that is closed under contexts by definition, it suffices to simply trace sub-graphs and analyse their interaction with the focus. Namely, the interaction can be analysed by inspecting the updates that happen around the focus and how these updates can interfere with the sub-graphs of interest. The reasoning principle here is the graphical concept of neighbourhood, or graph locality.

The local reasoning is a graph counterpart of analysing interaction between (sub-)terms and contexts using the conventional reduction semantics. In fact, it is not just a counterpart but an enhancement in two directions. Firstly, sub-graphs are more expressive than sub-terms; sub-graphs can represent parts of a program that are not necessarily well-formed. Secondly, the focus can indicate which part of a context is relevant in the interaction between the context and a term, which is not easy to make explicit in the conventional semantics that uses evaluation contexts.

Robustness.

Finally, local reasoning extracts a formal concept of robustness in proving observational equivalence. Robustness is identified as the key sufficient condition that ensures two sub-graphs that we wish to equate interact with updates of a hypernet, which is triggered by the focus, in the same way; for example, if one sub-graph is duplicated (or discarded), the other is also duplicated (or discarded).

The concept of robustness helps us gain insights into fragility of observational equivalence. If robustness of two sub-graphs $G,H$ fails, we obtain a counterexample, which is given by a rewrite rule that interferes with the two sub-graphs in different ways. Let $G',H'$ be the two different results of interference (i.e. $G'$ is the result of updating $G$, and $H'$ is the result of updating $H$). There are two possibilities.

(1) The sub-graphs $G,H$ are actually observationally equivalent. In this case, the counterexample suggests that the two different results $G',H'$ should first be equated. The observational equivalence $G\simeq H$ we wish to establish is likely to depend on the ancillary observational equivalence $G'\simeq H'$.

(2) The observational equivalence $G\simeq H$ fails too. In this case, the counterexample provides the particular computation that violates the equivalence, in terms of a rewrite rule. We can conclude that the language feature that induces the computation violates the observational equivalence.

Generalised contextual equivalence.

Using focussed hypernet rewriting, we propose a generalised notion of contextual equivalence. The notion has two parameters: a class of contexts and a preorder on natural numbers. The first parameter enables us to quantify over syntactically restricted contexts, instead of all contexts as in the standard notion. This can be used to identify a shape of contexts that respects or violates certain observational equivalences, given that not necessarily all arbitrarily generated contexts arise in program execution. The second parameter, a preorder on natural numbers, deals with numbers of steps it takes for program execution to terminate. Taking the universal relation recovers the standard notion of contextual equivalence. Another instance is contextual equivalence with respect to the greater-than-or-equal relation on natural numbers, which resembles the notion of improvement [San95, ADV20, ADV21] that is used to establish equivalence and also to compare efficiency of abstract machines. This instance of contextual equivalence is useful to establish that two programs have the same observable execution result, and also that one program terminates with fewer steps than the other.

1.3. Organisation of the paper

Section 2 provides a gentle introduction to our graph-based approach to modelling program evaluation, and reasoning about observational equivalence with the key concepts of locality and robustness. Section 3 formalises the graphs we use, namely hypernets. The rest of the paper is in two halves.

In the first half, we develop our reasoning framework, targeting the linear lambda-calculus. Although linear lambda-terms have restricted expressive power, they are simple enough to demonstrate the development throughout. Section 4 presents the hypernet representation of linear lambda-terms. Section 5 then presents our operational semantics, i.e. focussed hypernet rewriting. Section 6 formalises it as an abstract machine called universal abstract machine (UAM).

Section 7 sets the target of our proof methodology, introducing the generalised notion of contextual equivalence. Section 8 presents our main technical contributions: it formalises the concept of robustness, and presents our main technical result which is the sufficiency-of-robustness theorem (6).

In the second half, we extend our approach to the general (non-linear) lambda-calculus equipped with store. Section 9 describes how the hypernet representation can be adapted. Section 10 shows how the UAM can be extended accordingly, and presents the copying UAM. Section 11 formalises observational equivalence between lambda-terms by means of contextual equivalence between hypernets. Section 12 then demonstrates our approach by proving some example equivalences for the call-by-value lambda-calculus extended with state. The choice of the language here is pedagogical; our methodology can accommodate other effects as long as they are deterministic.

Finally, Section 13 discusses related and future work, concluding the paper. Some details of proofs are presented in Appendix.

2. A gentle introduction

2.1. Hypernets

Compilers and interpreters deal with programs mainly in the form of an abstract syntax tree (AST) rather than text. It is broadly accepted that such a data structure is easier to manipulate algorithmically. Somewhat curiously perhaps, reduction semantics (or small-step operational semantics), which is essentially a list of rules for program manipulation, is expressed using text rather than the tree form. In contrast, our graph-based semantics is expressed as algorithmic manipulations of the data structure that represents syntax.

[Figure 1 (three panels): (a) ASTs, (b) Hypernets, (c) Decorated hypernets.]
Figure 1. The beta-law $\lambda y.(\lambda x.(\lambda y.y\;x)\;(\lambda z.z))\;(\lambda x.x\;y) \simeq \lambda y.(\lambda w.w\;(\lambda x.x\;y))\;(\lambda z.z)$

Let us demonstrate our graphical representation, using the beta-law

$$\lambda y.(\lambda x.(\lambda y.y\;x)\;(\lambda z.z))\;(\lambda x.x\;y) \simeq \lambda y.(\lambda w.w\;(\lambda x.x\;y))\;(\lambda z.z) \tag{1}$$

in the linear lambda-calculus. In Figure 1 we use colours to clarify some variable scopes. This law substitutes $\lambda x.x\;y$ for the variable $x$ of $\lambda x.(\lambda y.y\;x)\;(\lambda z.z)$, and in doing so, the bound variable $y$ of $\lambda y.y\;x$ has to be renamed to $w$ so it does not capture the variable $y$ in $\lambda x.x\;y$.

Our first observation is that ASTs are not satisfactory for representing syntax when it comes to defining operational semantics. They contain more syntactic details than necessary, namely by representing variables using names. This makes an operation on terms like substitution a global affair. To avoid variable capture, substitution needs to clarify the scope of each variable and appropriately rename some variables.

Figure 1a shows the beta-law (1) using ASTs. The scope of each variable is not obvious in the ASTs, which is why we keep using colours to distinguish variable scopes. The law deletes the four red nodes of the left AST, and connects two red arrows to represent substitution for $x$. Additionally, all occurrences of the variable $y$ have to be renamed to $w$.

We propose hypernets as an alternative graph representation. Hypernets, inspired by proof nets [Gir87], replace variable names with virtual connections, and hence keep variables anonymous. Binding structures and scopes are made explicit by (dashed) boxes around sub-graphs.

Figure 1b shows the same beta-law (1) using hypernets instead of ASTs. Each bound variable is simply represented by an arrow that points at the left edge of the associated dashed box. For example, the upper one of the two red arrows in the left hypernet represents the bound variable $x$. It points at the left edge of the red dashed box that represents the scope of the variable. The dashed box is connected to the corresponding binder ($\lambda$).

The beta-law requires relatively local changes to hypernets. In Figure 1b, the two red nodes are deleted, the associated red dashed box is also deleted, and the two red arrows are connected to represent substitution for $x$. There is no need for renaming $y$, as it is simply represented by an anonymous arrow.

Remark 1 (Arrows representing bound variables).

In hypernets, the arrow representing a bound variable points at the left edge of the associated dashed box. In other graphical notations (e.g. proof nets [Gir87]), the bound variable would be connected to the corresponding binder ($\lambda$), as shown by red arrows in Figure 1c. We treat these red arrows as mere decorations, and exclude them from the formalisation of hypernets. We find that boxes suffice to delimit the scope of variables and sub-terms. Exclusion of decorations also simplifies the formalisation by reducing the number of loops in each hypernet. ∎

2.2. Focussed hypernet rewriting

The main difference between a law (an equation) and a reduction is that the former can be applied in any context, at any time, whereas the latter must be applied strategically, in a particular (evaluation) context and in a particular order. Different reduction strategies, for instance, make different programming languages out of the same calculus.

The question to be addressed here is how to define strategies for determining redexes in hypernets. Our operational semantics, i.e. focussed hypernet rewriting, combines graph traversal with update, and exploits the traversal to search for a redex.

Figure 2. Reduction as graph traversal and update

Let us illustrate focussed hypernet rewriting, using the call-by-value reduction of the linear lambda-term $(\lambda x.x)\;((\lambda y.y)\;(\lambda z.z))$ as shown in Figure 2. The thicker green arrows are not part of the hypernets but they show the traversal. The reduction proceeds as follows.

(1) The depth-first traversal witnesses that the abstraction $\lambda x.x$ is a value, and that the sub-term $(\lambda y.y)\;(\lambda z.z)$ contains two abstractions and is ready for the beta-reduction. In the reduction, an application node ($@$) and its matching abstraction node ($\lambda$) are deleted, and the associated dashed box is removed. The argument $\lambda z.z$ is then connected to the bound variable $y$, yielding the second hypernet.

(2) The traversal continues on the resultant hypernet (representing $(\lambda x.x)\;(\lambda z.z)$), confirming that the result $\lambda z.z$ of the beta-reduction is a value. Note that the abstraction $\lambda x.x$ has already been inspected in the previous step, so the traversal does not repeat the inspection. It only witnesses the abstraction $\lambda z.z$ at this stage. The beta-reduction is then triggered, yielding the third and final hypernet representing $\lambda z.z$.

(3) The traversal confirms that the result $\lambda z.z$ of the beta-reduction is a value, and it finishes.

Figure 3. Graph traversal and update with a focus

We implement focussed hypernet rewriting, in particular the graph traversal (the thick green arrows in Figure 2), using a dedicated node dubbed focus. A focus can be in three modes: searching ($?$), backtracking ($\checkmark$), and triggering ($\lightning$). The first two modes implement the depth-first traversal, and the last mode triggers update of the underlying hypernet. Figure 3 shows how focussed hypernet rewriting actually proceeds, given the linear term $(\lambda x.x)\;((\lambda y.y)\;(\lambda z.z))$ (an interpreter and visualiser can be accessed online at https://tnttodda.github.io/Spartan-Visualiser/). The black nodes are the focus. The first eight steps $\rightsquigarrow$ altogether implement the thick green arrow in the first part of Figure 2. At the end of these steps, the focus changes to $\lightning$, signalling that the hypernet is ready for the beta-reduction. What follows is an update of the hypernet, which resets the focus to the searching mode ($?$), so the traversal continues and triggers further update.

Evaluation of a program $P$ starts when the $?$-focus enters the hypernet representing $P$ from the bottom. Evaluation successfully finishes when the $\checkmark$-focus exits a hypernet from the bottom.

We will formalise focussed hypernet rewriting as an abstract machine (see [Pit00] for a comprehensive introduction). The machine has two kinds of transitions: one for the traversal, and the other for the update. It is important that the focus governs transitions; a traversal transition or an update transition is selected according to the mode of the focus. It is the focus that implements the traversal, triggers the update, and hence realises the call-by-value reduction strategy.
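To make the three focus modes concrete, the following is an added example (not the paper's machine, nor code from the Spartan visualiser) that simulates the $?$/$\checkmark$/$\lightning$ modes on a plain term instead of a hypernet; the tuple encoding of terms and the stack of frames that stands in for the path the focus backtracks along are assumptions of this illustration.

```python
# Term-level simulation of the focus modes (constructed illustration, not the
# paper's hypernet machine).  Terms are nested tuples; a stack of frames plays
# the role of the path the focus backtracks along.
from typing import List, Optional, Tuple

Term = tuple  # ("var", x) | ("lam", x, body) | ("app", fun, arg)
SEARCH, BACKTRACK, TRIGGER = "?", "✓", "⚡"   # the three focus modes
State = Tuple[str, Term, list]               # (mode, term under focus, stack)


def var(x: str) -> Term:
    return ("var", x)


def lam(x: str, body: Term) -> Term:
    return ("lam", x, body)


def app(f: Term, a: Term) -> Term:
    return ("app", f, a)


def show(t: Term) -> str:
    """Render a term with minimal brackets."""
    if t[0] == "var":
        return t[1]
    if t[0] == "lam":
        return f"λ{t[1]}.{show(t[2])}"
    f, a = show(t[1]), show(t[2])
    if t[1][0] == "lam":
        f = f"({f})"
    if t[2][0] != "var":
        a = f"({a})"
    return f"{f} {a}"


def subst(t: Term, x: str, v: Term) -> Term:
    """t[v/x] for a closed value v (so no capture is possible); stops at a rebinding of x."""
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        return t if t[1] == x else lam(t[1], subst(t[2], x, v))
    return app(subst(t[1], x, v), subst(t[2], x, v))


def step(mode: str, term: Term, stack: list) -> Optional[State]:
    """One transition of the focus; None once the ✓-focus reaches the root."""
    if mode == SEARCH:                       # depth-first descent
        if term[0] == "lam":                 # an abstraction is a value: turn around
            return BACKTRACK, term, stack
        if term[0] == "app":                 # call-by-value: function position first
            return SEARCH, term[1], stack + [("fun", term[2])]
        raise ValueError(f"free variable {term[1]} reached")
    if mode == BACKTRACK:                    # carry a value back up the path
        if not stack:
            return None
        frame, other = stack[-1]
        rest = stack[:-1]
        if frame == "fun":                   # function done: now search the argument
            return SEARCH, other, rest + [("arg", term)]
        return TRIGGER, app(other, term), rest   # both sides are values: fire
    fun, arg = term[1], term[2]              # TRIGGER: the beta step, then search again
    return SEARCH, subst(fun[2], fun[1], arg), stack


def run(term: Term, limit: int = 10_000) -> Tuple[Term, List[State]]:
    """Evaluate a closed term; returns the result and every state visited."""
    state: State = (SEARCH, term, [])
    trace = [state]
    while (nxt := step(*state)) is not None:
        state = nxt
        trace.append(state)
        if len(trace) > limit:
            raise RuntimeError("step limit exceeded")
    return state[1], trace


# Constructed input: the linear term of Figure 2, (λx.x) ((λy.y) (λz.z)).
EXAMPLE = app(lam("x", var("x")), app(lam("y", var("y")), lam("z", var("z"))))

if __name__ == "__main__":
    result, trace = run(EXAMPLE)
    for i, (mode, t, _) in enumerate(trace):
        print(f"{i:2d} {mode} {show(t)}")
    print("result:", show(result))
```

Running the block prints the 14 states of the simulation; the focus first switches to $\lightning$ after eight transitions, which can be compared with the step count given for Figure 3.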

2.3. Step-wise local reasoning, and robustness

Finally we overview the reasoning principle that focussed hypernet rewriting enables, which leads to our main theorem, sufficiency-of-robustness theorem (6).

Using focussed hypernet semantics, this work takes a new coinductive, step-wise, approach to proving observational equivalence. We will introduce a new variant of weak simulation dubbed counting simulation. A counting simulation is a relation on focussed hypernets, that is, hypernets with a focus. We write $\dot{N}$ to indicate that a hypernet $N$ contains a focus.

Our proof of an observational refinement $N\preceq H$, which is the asymmetric version of observational equivalence $N\simeq H$, proceeds as follows.

(1) We start with the relation $\vartriangleleft := \{(N,H)\}$ on hypernets. We call it a pre-template.

(2) We take the contextual closure $\overline{\vartriangleleft}$ of the pre-template $\vartriangleleft$. It is defined by $\dot{C}[N,\ldots,N] \mathrel{\overline{\vartriangleleft}} \dot{C}[H,\ldots,H]$ for an arbitrary focussed (multi-hole) context $\dot{C}$.

(3) We show that $\overline{\vartriangleleft}$ is a counting simulation.

Once we establish the counting simulation $\overline{\vartriangleleft}$, soundness of counting simulation asserts that the pre-template $N\vartriangleleft H$ implies observational refinement $N\preceq H$.

The key part of the observational refinement proof is therefore showing that $\overline{\vartriangleleft}$ is a counting simulation. Put simply, this amounts to showing the following: for any $\dot{C}[N,\ldots,N] \mathrel{\overline{\vartriangleleft}} \dot{C}[H,\ldots,H]$ and a transition $\dot{C}[N,\ldots,N]\to\dot{P}$, there exists a focussed context $\dot{C'}$ that satisfies the following.

$$
\begin{array}{ccccc}
\dot{C}[N,\ldots,N] & \to & \dot{P} & \to^{*} & {\color{magenta}\dot{C'}[N,\ldots,N]} \\
\overline{\vartriangleleft} & & & & \overline{\vartriangleleft} \\
\dot{C}[H,\ldots,H] & \multicolumn{3}{c}{\to^{*}} & {\color{magenta}\dot{C'}[H,\ldots,H]}
\end{array}
\tag{2}
$$

Above, black parts are universally quantified, and magenta parts are existentially quantified. The arrow $\to^{*}$ represents an arbitrary number of transitions $\to$. This situation (2) asserts that, after a few transitions from $\dot{P}$ and $\dot{C}[H,\ldots,H]$, we can obtain two focussed hypernets that can be decomposed using the new context $\dot{C'}$ and the sub-graphs $N,H$.

[Figure 4 (five panels), where $F\in\{N,H\}$: (a) a context $C$ containing a sub-graph $F$; (b) a context $C$ containing $F$; (c) $C$ containing $N$ $\rightsquigarrow$ $C$ containing $H$; (d) a context $C$ containing $F$; (e) $C$ containing $F$ $\rightsquigarrow$ $C'$ containing $F$.]
Figure 4. Example scenarios of case analysis for (2), where $F\in\{N,H\}$

Our important observation is that (2) can be established by elementary case analysis of the interaction between the sub-graphs $N,H$ and what happens around the focus in $\dot{C}[N,\ldots,N]\to\dot{P}$. This is because updates of a hypernet always happen around the $\lightning$-focus, and the $?$-focus and the $\checkmark$-focus (representing the graph traversal) move according to their neighbourhood. The analysis is hence centred around the graphical concept of neighbourhood, or graph locality. There are three possible cases of the interaction.

Case (i) Move inside the context:

The $?$-focus or the $\checkmark$-focus, which implement the depth-first traversal, simply moves inside the context $C$ (see Figure 4a). Because any move of the focus is only according to its neighbourhood, the move solely depends on the context $C$. In other words, the sub-graphs $N,H$ have no interaction with the focus. In this case, we can conclude that we are always in (2).

Case (ii) Visit to the sub-graphs:

The $?$-focus visits the sub-graphs $N,H$ (see Figure 4b). This is the case where the $?$-focus actually interacts with $N,H$; what happens after the focus enters depends on $N,H$. We identify a sufficient condition of the pre-template $\vartriangleleft$, dubbed safety, for (2) to hold.

Typical examples of safe pre-templates are those induced by rewrite rules of hypernets. Figure 4c illustrates what happens to such a pre-template. The visit of the $?$-focus to $N$ triggers the rewrite rule, and actually turns $N$ into $H$.

Note that the case where the $\checkmark$-focus visits $N,H$ boils down to the visit of the $?$-focus instead, because the $\checkmark$-focus implements backtracking of graph traversal.

Case (iii) Update of the hypernets:

The $\lightning$-focus triggers a rewrite rule and updates the hypernet (see Figure 4d). This is the case where the $\lightning$-focus interacts with $N,H$; the update may involve $N,H$ in a non-trivial manner. We identify a sufficient condition of the pre-template $\vartriangleleft$, relative to the triggered rewrite rule, dubbed robustness, for (2) to hold.

An example scenario of robustness is where the update only affects parts of the context $C$; see Figure 4e. In this scenario, the $\lightning$-focus does not really interact with $N,H$. The sub-graphs $N,H$ are preserved, and we can take the new context $C'$ with the same number of holes as $C$ that makes (2) hold.

Another example scenario of robustness is where the update duplicates (or eliminates) $N,H$ without breaking them. We can take a context $C'$ that has more (or fewer) holes to make (2) hold. ∎

The above case analysis reveals sufficient conditions, namely safety and robustness, for (2) to hold and hence for the contextual closure $\overline{\vartriangleleft}$ to be a counting simulation. Combining this with soundness of counting simulation, we obtain our main theorem, the sufficiency-of-robustness theorem (6). It can be informally stated as follows.

Theorem (Sufficiency-of-robustness theorem (6), informally).

A robust and safe pre-template $N\vartriangleleft H$ induces observational refinement $N\preceq H$.

3. Preliminaries: Hypernets

We start formalising the ideas described in the previous section, by first defining hypernets. We opt for formalising hypernets as hypergraphs, following the literature [BGK+22a, BGK+22b, BGK+22c, AGSZ22] on categorically formalising string diagram rewriting using hypergraphs.

Let $\mathbb{N}$ be the set of natural numbers. Given a set $X$ we write $X^{*}$ for the set of elements of the free monoid over $X$. Given a function $f\colon X\to Y$ we write $f^{*}\colon X^{*}\to Y^{*}$ for the pointwise application (map) of $f$ to the elements of $X^{*}$.

3.1. Monoidal hypergraphs and hypernets

Hypernets have a couple of distinctive features in comparison with ordinary graphs. The first feature of hypernets is that they have “dangling edges” (see Figure 1b); a hypernet has one incoming arrow with no source, and it may have outgoing arrows with no targets. To model this, we use hypergraphs: we formalise what we have been calling edges (i.e. arrows) as vertices, and what we have been calling nodes (i.e. circled objects) as hyperedges (i.e. edges with arbitrary numbers of sources and targets). More specifically, we use what we call interfaced labelled monoidal hypergraphs, which satisfy the following.

  1. (0)

    Each arrow (modelled as a vertex) and each circled object (modelled as a hyperedge) are labelled.

  2. (1)

    Each circled object (modelled as a hyperedge) is adjacent to distinct arrows (modelled as vertices).

  3. (2)

    Each arrow (modelled as a vertex) is adjacent to at most two circled objects (modelled as hyperedges).

  4. (3)

    The label of a circled object (modelled as a hyperedge) is always consistent with the number and labelling of its endpoints.

  5. (4)

    Dangling arrows are ordered, and each arrow has at least a source or a target.

Definition (Monoidal hypergraphs). A monoidal hypergraph is a pair $(V, E)$ of finite sets, vertices and (hyper)edges, along with a pair of functions $S: E \rightarrow V^{*}$ and $T: E \rightarrow V^{*}$ defining the source list and the target list, respectively, of an edge.

Definition (Interfaced labelled monoidal hypergraphs). An interfaced labelled monoidal hypergraph consists of a monoidal hypergraph, a set of vertex labels $L_V$, a set of edge labels $L_E$, and labelling functions $f_V: V \rightarrow L_V$, $f_E: E \rightarrow L_E$ such that:

(1) For any edge $e \in E$, its source list $S(e)$ consists of distinct vertices, and its target list $T(e)$ also consists of distinct vertices.

(2) For any vertex $v \in V$ there exists at most one edge $e \in E$ such that $v \in S(e)$, and at most one edge $e' \in E$ such that $v \in T(e')$.

(3) For any edges $e_1, e_2 \in E$, if $f_E(e_1) = f_E(e_2)$ then $f_V^{*}(S(e_1)) = f_V^{*}(S(e_2))$ and $f_V^{*}(T(e_1)) = f_V^{*}(T(e_2))$.

(4) If a vertex belongs to the target (resp. source) list of no edge, we call it an input (resp. output). Inputs and outputs are respectively ordered, and no vertex is both an input and an output.

Notation 3.0 (Types of circled objects (i.e. hyperedges)).

Condition (3) of the definition of interfaced labelled monoidal hypergraphs makes it possible to use labels of arrows (i.e. vertices) as types for labels of circled objects (i.e. hyperedges). With each $m \in L_E$ we associate a type and write $m: x \Rightarrow x'$, where $x, x' \in L_V^{*}$ satisfy $x = f_V^{*}(S(e))$ and $x' = f_V^{*}(T(e))$ for any $e \in E$ such that $f_E(e) = m$.

Notation 3.0 (Types of interfaced labelled monoidal hypergraphs).

The concept of type extends to a whole interfaced labelled monoidal hypergraph $G$. Let $I, O$ be the lists of inputs and outputs, respectively, of $G$. We associate $G$ a type and write $G: f_V^{*}(I) \Rightarrow f_V^{*}(O)$. In the syntax for lists of inputs and outputs we use $\otimes$ to denote concatenation, define $\epsilon$ to be the empty list, and set $A^{\otimes 0} := \epsilon$ and $A^{\otimes (n+1)} := A \otimes A^{\otimes n}$ for any label $A$ and $n \in \mathbb{N}$.

In the sequel, when we say hypergraphs we always mean interfaced labelled monoidal hypergraphs.

We sometimes permute inputs and outputs of a hypergraph. Such a permutation yields another hypergraph.

Definition (Interface permutation). Let $G$ be a hypergraph with input list $i_1, \ldots, i_n$ and output list $o_1, \ldots, o_m$. Given two bijections $\rho$ and $\rho'$ on the sets $\{1, \ldots, n\}$ and $\{1, \ldots, m\}$, respectively, we write $\Pi^{\rho'}_{\rho}(G)$ for the hypergraph defined by the same data as $G$ except for the input list $i_{\rho(1)}, \ldots, i_{\rho(n)}$ and the output list $o_{\rho'(1)}, \ldots, o_{\rho'(m)}$.

The second distinctive feature of hypernets is that they have dashed boxes that indicate the scope of variable bindings (see Figure 1b). We formalise these dashed boxes by introducing hierarchy to hypergraphs. The hierarchy is implemented by allowing a hypergraph to be the label of a hyperedge. As a result, informally, hypernets are nested hypergraphs, up to some finite depth, using the same sets of labels. We here present a relatively intuitive definition of hypernets; Appendix A discusses an alternative definition of hypernets.³

³ Another, slightly different, definition of hypernets is given in [AGSZ23, Section 4]. The difference is motivated by the desired support of categorical graph rewriting, which requires certain properties to hold. These properties are sensitive to the definition.

Definition (Hypernets). Given a set of vertex labels $L$ and a set of edge labels $M$, we write $\mathcal{H}(L, M)$ for the set of hypergraphs with these labels; we also call these level-0 hypernets, $\mathcal{H}_0(L, M)$. Level-$(k+1)$ hypernets are the set of hypergraphs

$$\mathcal{H}_{k+1}(L, M) = \mathcal{H}\Bigl(L,\; M \cup \bigcup_{i \leq k} \mathcal{H}_i(L, M)\Bigr).$$

Hypernets are the set $\mathcal{H}_{\omega}(L, M) = \bigcup_{i \in \mathbb{N}} \mathcal{H}_i(L, M)$.

Terminology 3.0 (Boxes and depth).

An edge labelled with a hypergraph is called a box edge, and the hypergraph labelling a box edge is called its content. Edges of a hypernet $G$ are said to be shallow. Edges of the nesting hypernets of $G$, i.e. edges of hypernets that recursively appear as edge labels, are said to be deep edges of $G$. Shallow edges and deep edges of a hypernet are together referred to as edges at any depth.

3.2. Graphical conventions

Figure 5. The hypergraph $G_{\mathrm{ex}}$, drawn in six styles, panels (a) to (f) (images not reproduced here).

A hypergraph $G_{\mathrm{ex}}$ with vertices $V = \{v_0, v_1, v_2, v_3, v_4, v_5\}$ and edges $E = \{e_0, e_1\}$ such that

$$S(e_0) = \{v_0, v_1\}, \qquad T(e_0) = S(e_1) = \{v_2, v_3, v_4\}, \qquad T(e_1) = \{v_5\},$$
$$f_V = \{v_0 \mapsto m,\; v_1 \mapsto m',\; v_2 \mapsto l,\; v_3 \mapsto l',\; v_4 \mapsto l'',\; v_5 \mapsto k\}, \qquad f_E = \{e_0 \mapsto X,\; e_1 \mapsto Y\}$$

is normally represented as in Figure 5a. However, we find this style of representing hypergraphs awkward for understanding their structure. We will often represent hypergraphs graphically as graphs, as in Figure 5b, by (i) marking vertices with their labels and hyperedges with their labels circled, and (ii) connecting the source vertices and the target vertices of a hyperedge to it using arrows.

Recall that vertex (i.e. arrow) labels are often determined by typing, e.g. $X: m \otimes m' \Rightarrow l \otimes l' \otimes l''$. We accordingly omit vertex labels to avoid clutter, as in Figure 5c, letting arrows connect circles directly.

Sometimes we draw a hypergraph by connecting its sub-graphs using extra arrows. Sub-graphs are depicted as boxes. For the hypergraph $G_{\mathrm{ex}}$, we can consider the sub-graph $G_X = (\{v_0, v_1, v_2, v_3, v_4\}, \{e_0\})$ and the sub-graph $G_Y = (\{v_2, v_3, v_4, v_5\}, \{e_1\})$. We may draw $G_{\mathrm{ex}}$ in three ways, as in Figures 5d to 5f:

• In Figure 5d, we use extra arrows connecting the vertex labels $l, l', l''$ directly, with the intention that the two occurrences of $l$ (or of $l'$, $l''$) are graphical representations of the same vertex $v_2$ (or $v_3$, $v_4$).

• In Figure 5e, we omit vertex labels entirely, assuming that they are obvious from context.

• In Figure 5f, we further replace the three extra arrows with a single arrow, given that the entire output type of $G_X: m \otimes m' \Rightarrow l \otimes l' \otimes l''$ matches the input type of $G_Y: l \otimes l' \otimes l'' \Rightarrow k$. The single arrow comes with a dash across it, indicating that it represents a bunch of parallel arrows.

The final convention concerns box edges: a box edge (i.e. an edge labelled by a hypernet) is depicted as a dashed box decorated with its content (i.e. the labelling hypernet).
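To make the definition concrete, here is an added example (not code from the paper): the hypergraph $G_{\mathrm{ex}}$ of Figure 5 as plain Python data, a checker for conditions (1) to (4) of the definition of interfaced labelled monoidal hypergraphs, the type notation of Notation 3.0, and the interface permutation $\Pi^{\rho'}_{\rho}$. The names `Hypergraph`, `check`, `edge_type`, `graph_type` and `permute` are this example's own, and the ill-formed `G_BAD` is constructed here to show what the checker rejects.

```python
# Added example (not the paper's code): interfaced labelled monoidal hypergraphs
# as plain Python data, a checker for conditions (1)-(4), the type notation of
# Notation 3.0, interface permutation, and the paper's example G_ex.
from collections import Counter
from dataclasses import dataclass, replace


@dataclass
class Hypergraph:
    V: frozenset          # vertices
    E: frozenset          # hyperedges
    S: dict               # S: E -> V*  (source list of an edge)
    T: dict               # T: E -> V*  (target list of an edge)
    fV: dict              # vertex labelling f_V
    fE: dict              # edge labelling f_E
    I: tuple              # ordered inputs  (vertices in no target list)
    O: tuple              # ordered outputs (vertices in no source list)


def check(g):
    """Return the list of violated conditions; empty iff g is well formed."""
    bad = []
    src_of = Counter(v for e in g.E for v in g.S[e])
    tgt_of = Counter(v for e in g.E for v in g.T[e])
    for e in sorted(g.E):
        # (1) source and target lists consist of distinct vertices
        if len(set(g.S[e])) < len(g.S[e]) or len(set(g.T[e])) < len(g.T[e]):
            bad.append((1, e))
    # (2) a vertex is a source of at most one edge and a target of at most one
    bad += [(2, v) for v in sorted(g.V) if src_of[v] > 1 or tgt_of[v] > 1]
    # (3) equally labelled edges have equally labelled source/target lists
    seen = {}
    for e in sorted(g.E):
        sig = (tuple(g.fV[v] for v in g.S[e]), tuple(g.fV[v] for v in g.T[e]))
        if seen.setdefault(g.fE[e], sig) != sig:
            bad.append((3, e))
    # (4) the declared interface lists exactly the inputs and outputs, and no
    #     vertex is both (an isolated vertex would be)
    if (set(g.I) != {v for v in g.V if tgt_of[v] == 0}
            or set(g.O) != {v for v in g.V if src_of[v] == 0}
            or set(g.I) & set(g.O)):
        bad.append((4, "interface"))
    return bad


def fmt(labels):
    return "⊗".join(labels) if labels else "ε"


def edge_type(g, m):
    """Type x ⇒ x' of an edge label m, read off any edge carrying it."""
    e = next(e for e in g.E if g.fE[e] == m)
    return f"{fmt([g.fV[v] for v in g.S[e]])} ⇒ {fmt([g.fV[v] for v in g.T[e]])}"


def graph_type(g):
    """Type f_V*(I) ⇒ f_V*(O) of the whole hypergraph."""
    return f"{fmt([g.fV[v] for v in g.I])} ⇒ {fmt([g.fV[v] for v in g.O])}"


def permute(g, rho, rho_prime):
    """Π^{rho'}_{rho}(G): same data, interface reordered by two bijections
    given as 0-based index lists."""
    return replace(g, I=tuple(g.I[rho[i]] for i in range(len(g.I))),
                   O=tuple(g.O[rho_prime[i]] for i in range(len(g.O))))


# The paper's G_ex: vertices v0..v5, edge e0 labelled X and edge e1 labelled Y.
G_EX = Hypergraph(
    V=frozenset({"v0", "v1", "v2", "v3", "v4", "v5"}),
    E=frozenset({"e0", "e1"}),
    S={"e0": ["v0", "v1"], "e1": ["v2", "v3", "v4"]},
    T={"e0": ["v2", "v3", "v4"], "e1": ["v5"]},
    fV={"v0": "m", "v1": "m'", "v2": "l", "v3": "l'", "v4": "l''", "v5": "k"},
    fE={"e0": "X", "e1": "Y"},
    I=("v0", "v1"), O=("v5",))

# Constructed counter-example: an extra edge e2, also labelled X but typed
# l ⇒ k, sharing v2 as a source with e1 and v5 as a target with e1.
G_BAD = replace(G_EX, E=G_EX.E | {"e2"},
                S={**G_EX.S, "e2": ["v2"]}, T={**G_EX.T, "e2": ["v5"]},
                fE={**G_EX.fE, "e2": "X"})

if __name__ == "__main__":
    print(check(G_EX), graph_type(G_EX), "X:", edge_type(G_EX, "X"))
    print(check(G_BAD))
```

`check(G_EX)` is empty and `graph_type(G_EX)` is `m⊗m' ⇒ k`, matching Figure 5; `check(G_BAD)` reports condition (2) at `v2` and `v5` and condition (3) at `e2`, i.e. exactly the constraints that let the type of an edge label be read off any edge carrying it.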

4. Representation of the call-by-value untyped linear lambda-calculus

In this section we introduce the specific label sets that we use to represent lambda-terms as hypernets. We begin with the untyped linear lambda-calculus extended with arithmetic. This is a fairly limited language in terms of expressive power. Although simple, it is interesting enough to demonstrate our reasoning framework. We present a translation $(-)^{\dagger}$ of linear lambda-terms in this section, and adapt it to general lambda-terms in Section 9.

Lambda-terms are defined by the BNF $t ::= x \mid \lambda x.t \mid t\;t \mid n \mid t \mathop{\mathit{op}} u$, where $n \in \mathbb{N}$ and $\mathit{op} \in \{+, -\}$. We assume alpha-equivalence on terms, and assume that bound variables are distinct within a term. A term $t$ is linear when each variable appears exactly once in $t$.

Figure 6. Inductive translation $(-)^{\dagger}$ of linear lambda-terms: the diagrams for $x^{\dagger}$, $(\lambda x.t)^{\dagger}$, $(t\;u)^{\dagger}$, $n^{\dagger}$ and $(t \mathop{\mathit{op}} u)^{\dagger}$ (images not reproduced here).

First, recall that each edge label $m \in M$ of a hypernet $G \in \mathcal{H}_{\omega}(L, M)$ comes with a type $m: X \Rightarrow X'$ where $X, X' \in L^{*}$. Even though lambda-terms are untyped here, we use edges to represent term constructors, and use edge types (i.e. vertex labels) to distinguish thunks from terms. Namely, the term type is denoted by $\star$, and the thunk type with $n$ bound variables is denoted by $T^n(\star)$.

Figure 6 shows the inductive translation of linear lambda-terms to hypernets in $\mathcal{H}_{\omega}(L_{\mathrm{lin}}, M_{\mathrm{lin}})$, where

$$L_{\mathrm{lin}} = \{\star\} \cup \{T^n(\star) \mid n \in \mathbb{N}\}, \tag{3}$$
$$M_{\mathrm{lin}} = \{\mathsf{V}: \star \Rightarrow \star,\; \lambda: \star \Rightarrow T^1(\star),\; \overset{\rightarrow}{@}: \star \Rightarrow \star^{\otimes 2},\; +: \star \Rightarrow \star^{\otimes 2},\; -: \star \Rightarrow \star^{\otimes 2}\} \cup \{n: \star \Rightarrow \epsilon \mid n \in \mathbb{N}\}. \tag{4}$$

In general, a term $t$ with $n$ free variables is translated into $t^{\dagger}: \star \Rightarrow \star^{\otimes n}$. Each term constructor is turned into an edge as follows.

• Any variable becomes an anonymous edge $\mathsf{V}: \star \Rightarrow \star$. We represented a variable as a single arrow in Section 2 (see e.g. Figure 1b and Figure 3), but under that representation a variable would become an empty graph (i.e. a hypernet with no edge). We instead use the anonymous edge $\mathsf{V}: \star \Rightarrow \star$ to prevent an empty graph from labelling a box edge, and hence from being a box content. This is for technical reasons, as it simplifies our development.

• Abstraction becomes $\lambda: \star \Rightarrow T^1(\star)$; it constructs a term, taking one thunk that has one bound variable. A thunk that has one bound variable and $n$ free variables is represented by a box edge of type $T^1(\star) \Rightarrow \star^{\otimes n}$ whose content is $t^{\dagger}: \star \Rightarrow \star \otimes \star^{\otimes n}$. Note that the box has one output fewer than its content. We emphasise this graphically by bending the arrow that is connected to the leftmost $\star$ of the type $\star \otimes \star^{\otimes n}$.

• Application becomes $\overset{\rightarrow}{@}: \star \Rightarrow \star^{\otimes 2}$; it constructs a term, taking two terms as arguments. This translation is for the call-by-value evaluation strategy; neither argument is a thunk, and hence both will be evaluated before the application is computed.

• Each natural number $n \in \mathbb{N}$ becomes $n: \star \Rightarrow \epsilon$; it is a term taking no arguments.

• Arithmetic operations become $+: \star \Rightarrow \star^{\otimes 2}$ and $-: \star \Rightarrow \star^{\otimes 2}$; they construct a term, taking two terms as arguments. The translation for these operations has the same shape as that for application.

Figure 7. The hypernet $\bigl(\lambda y.(\lambda x.(\lambda y.y\;x)\;(\lambda z.z))\;(\lambda x.x\;y)\bigr)^{\dagger}: \star \Rightarrow \epsilon$ (image not reproduced here; in the original, the two distinct binders written $y$, and their occurrences, are told apart by colour).

Figure 7 shows an example of the translation. Note that this differs from the left-hand side of Figure 1b: each variable is now represented by an anonymous $\mathsf{V}$-edge.

5. Focussed hypernet rewriting—the Universal Abstract Machine

In this section we present focussed hypernet rewriting. It will be formalised as an abstract machine dubbed universal abstract machine (UAM). This abstract machine is “universal” in a sense of the word similar to the way it is used in “universal algebra” rather than in “universal Turing machine”. It is a general abstract framework in which a very wide range of concrete abstract machines can be instantiated by providing operations and their behaviour.

5.1. Operations and focus

The first parameter of the UAM is a set of operations $\mathbb{O} = \mathbb{O}_{\checkmark} \uplus \mathbb{O}_{\lightning}$. Operations are classified into two kinds: passive operations $\mathbb{O}_{\checkmark}$, which construct evaluation results (i.e. values), and active operations $\mathbb{O}_{\lightning}$, which realise computation. We let $\phi, \phi_{\checkmark}, \phi_{\lightning}$ range over $\mathbb{O}, \mathbb{O}_{\checkmark}, \mathbb{O}_{\lightning}$ respectively. The edge labels in $M_{\mathrm{lin}}$ (4), except for $\mathsf{V}$, are examples of operations:

passive operations | active operations
$\lambda: \star \Rightarrow T^1(\star)$ | $\overset{\rightarrow}{@}: \star \Rightarrow \star^{\otimes 2}$
$n: \star \Rightarrow \epsilon$ for each $n \in \mathbb{N}$ | $\mathit{op}: \star \Rightarrow \star^{\otimes 2}$ where $\mathit{op} \in \{+, -\}$

In general, each operation $\phi \in \mathbb{O}$ has a type $\star \Rightarrow \star^{\otimes m} \otimes \bigotimes_{i=1}^{k} T^{n_i}(\star)$ where $m, k, n_1, \ldots, n_k \in \mathbb{N}$. This means that each operation takes $m$ arguments and $k$ thunks, and the $i$-th thunk has $n_i$ bound variables.

Given the operation set $\mathbb{O}$, the UAM acts on hypernets in $\mathcal{H}_{\omega}(L_{\mathrm{lin}}, M_{\mathrm{lin}}(\mathbb{O}))$ where

$$M_{\mathrm{lin}}(\mathbb{O}) = \mathbb{O} \cup \{\mathsf{V}: \star \Rightarrow \star\} \cup \{?: \star \Rightarrow \star,\; \checkmark: \star \Rightarrow \star,\; \lightning: \star \Rightarrow \star\}. \tag{5}$$

We let $\ell$ range over $L_{\mathrm{lin}}$. For box edges, we impose the following type discipline: each box edge must have a type $T^n(\star) \Rightarrow \star^{\otimes m}$, with its content having type $\star \Rightarrow \star^{\otimes (n+m)}$.

The last three elements of (5) are focuses. In the UAM, focuses are edges with the dedicated labels $?, \checkmark, \lightning$ of type $\star \Rightarrow \star$. Each label represents one of the three modes of the focus:

label | mode
$?$ | searching
$\checkmark$ | backtracking
$\lightning$ | triggering an update

As illustrated in Section 2.2, focussed hypernet rewriting implements program evaluation by combining (i) depth-first graph traversal and (ii) update (rewrite) of a hypernet. Focuses are the key element of this combination: they determine which action (traversal or rewrite) is taken next, and they indicate where the redex of the rewrite is.

We refer to a hypernet that contains exactly one focus as a focussed hypernet. Given a focussed hypernet, we refer to the hypernet without the focus as the underlying hypernet.

5.2. Transitions—overview

transitions | focus | provenance
search transitions | $?$, $\checkmark$ | intrinsic
rewrite transitions: substitution transitions | $\lightning$ | intrinsic
rewrite transitions: behaviour $B_{\mathbb{O}}$ (compute transitions) | $\lightning$ | extrinsic
Table 1. Transitions of the UAM

Table 1 summarises the classifications of transitions of the UAM.

The first classification is according to the focus: search transitions, for the $?$-focus and the $\checkmark$-focus, implement the depth-first search for redexes; rewrite transitions, for the $\lightning$-focus, implement the rewriting of the underlying hypernet. Rewrite transitions are further classified into two: substitution transitions for edges labelled by $\mathsf{V}$, and the behaviour $B_{\mathbb{O}}$ for (active) operations.

The next classification is according to provenance: intrinsic transitions are inherent to the UAM, and extrinsic transitions are not. Search transitions and substitution transitions are intrinsic; the behaviour $B_{\mathbb{O}}$ alone provides the extrinsic transitions. In fact, the behaviour $B_{\mathbb{O}}$ is the second parameter of the UAM.

Figure 8. An example of the UAM execution on $((\lambda x.x)\;1)^{\dagger}$ (image not reproduced here).

Figure 8 shows an example of UAM execution. It evaluates the linear term $(\lambda x.x)\;1$, starting from the underlying hypernet $((\lambda x.x)\;1)^{\dagger}$. It demonstrates all three kinds of transitions: search transitions, substitution transitions, and the behaviour of application ($\overset{\rightarrow}{@}$).

5.3. Intrinsic transitions

Figure 9. Interaction rules (a) to (e) and the substitution rule (f), where $t \in \{\checkmark, \lightning\}$ and $G_S$ is a hypernet (images not reproduced here).

Search transitions are possible for the $?$-focus and the $\checkmark$-focus, and they implement the depth-first search for redexes. They are specified by the interaction rules depicted in Figures 9a to 9e. The $?$-focus interacts with what is connected above it, and the $\checkmark$-focus interacts with what is connected below it. From the perspective of program evaluation, the interaction rules specify left-to-right call-by-value evaluation of arguments.

Figure 9a: When the $?$-focus encounters a variable ($\mathsf{V}$), it changes to the $\lightning$-focus. What is connected above the variable will be substituted for the variable, in a subsequent substitution transition.

Figure 9b: When the $?$-focus encounters an operation $\phi$ with at least one argument, it proceeds to the first argument.

Figure 9c: After inspecting the $(m+1)$-th argument, the $\checkmark$-focus changes to the $?$-focus and proceeds to the next argument.

Figure 9d: After inspecting all the arguments, the $\checkmark$-focus finishes the redex search and changes to a focus depending on the operation $\phi_t$: to the $\checkmark$-focus for a passive operation $\phi_{\checkmark}$, and to the $\lightning$-focus for an active operation $\phi_{\lightning}$.

Figure 9e: When the $?$-focus encounters an operation that takes no arguments but only thunks, it immediately finishes the redex search and changes to a focus depending on the operation $\phi_t$, as in Figure 9d.

The first kind of rewrite transitions, substitution transitions, implements substitution by simply removing a variable edge ($\mathsf{V}$). These transitions are specified by the substitution rule depicted in Figure 9f. What is connected above the variable edge ($\mathsf{V}$) is the computation bound to the variable. By removing the variable edge, the bound computation gets directly connected to the $?$-focus, ready for redex search.

5.4. Extrinsic transitions: behaviour of operations

The second kind of rewrite transitions are for operations $\mathbb{O}$, in particular active operations $\mathbb{O}_{\lightning}$. These transitions are extrinsic; they are given by the second parameter $B_{\mathbb{O}}$ of the UAM, called the behaviour of $\mathbb{O}$.

Figure 10. The example behaviour $B_{\{+, -, \overset{\rightarrow}{@}, \mathtt{stat}\}}$: (a) arithmetic, (b) micro-beta, (c) $\mathtt{stat}$; where $r = t \mathop{\mathit{op}} u$, $\mathit{op} \in \{+, -\}$ and $G, G_S$ are hypernets (images not reproduced here).

Figure 10 shows an example behaviour, namely that for the following active operations:

$$+: \star \Rightarrow \star^{\otimes 2},\quad -: \star \Rightarrow \star^{\otimes 2},\quad \overset{\rightarrow}{@}: \star \Rightarrow \star^{\otimes 2},\quad \mathtt{stat}: \star \Rightarrow \epsilon.$$

For some of these operations, their behaviour is specified locally by rewrite rules. The rewrite transitions for the four active operations are enabled when the $\lightning$-focus encounters one of the operations. The $\lightning$-focus then changes to the $?$-focus and resumes the redex search.

Figure 10a: This rewrite rule specifies the behaviour of arithmetic ($+$, $-$). The rule eliminates all three edges (the two numerals $m$, $n$ and $\mathit{op}$) and replaces them with a new numeral edge ($r$) carrying the result of the operation.

Figure 10b: This rewrite rule specifies the behaviour of application ($\overset{\rightarrow}{@}$), namely (micro-)beta-reduction. It is micro in the sense that it delays substitution. It only eliminates the constructors ($\lambda$, $\overset{\rightarrow}{@}$), opens the box whose content is $G$, and connects $G_S$, which represents the function argument, to the body $G$ of the function.

Figure 10c: This is a rewrite transition, not a rewrite rule. It is for the operation $\mathtt{stat}$, which inspects memory usage. Namely, $\mathtt{stat}$ counts the number $\mathrm{size}(G)$ of edges in the hypernet $G$. The transition replaces the operation edge ($\mathtt{stat}$) with the result ($\mathrm{size}(G)$) of counting. Unlike the two rules above, its result depends on the whole hypernet and not only on a neighbourhood of the $\lightning$-focus, which is why it cannot be given as a local rewrite rule.
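The following Python, an added example rather than code from the paper, implements the translation $(-)^{\dagger}$ of Section 4 and the UAM of this section on the resulting hypernets, with the intrinsic transitions of Figure 9 and the behaviour of Figure 10. It assumes one reading of $\mathrm{size}(G)$, namely the number of edges at any depth of the underlying hypernet at the moment $\mathtt{stat}$ fires, counting the $\mathtt{stat}$ edge itself; the tuple syntax for terms, the labels `app`, `num`, `box` and the mode name `!` for the $\lightning$-focus are this example's own choices. It reproduces the run of Figure 8 and shows, with $\mathtt{stat}$, that $(\lambda x.x)\;1$ and $1$ produce different results inside the context $\mathtt{stat} + [\,]$, which is the kind of observation that makes observational equivalence fragile.

```python
# Added example (not the paper's code): (-)^dagger for linear lambda-terms and
# the UAM with search (Fig. 9a-e), substitution (9f), arithmetic (10a),
# micro-beta (10b) and stat (10c). Terms are nested tuples: ("var", x),
# ("num", n), ("lam", x, t), ("app", t, u), ("+", t, u), ("-", t, u), ("stat",).
# Vertex ids are globally fresh, so a box content needs no renaming when opened.
import itertools

PASSIVE = {"lam", "num"}                                        # O_check
ARITY = {"lam": 0, "num": 0, "stat": 0, "app": 2, "+": 2, "-": 2}  # star-arguments
_ids = itertools.count()


def fresh():
    return next(_ids)


class Edge:
    def __init__(self, label, src, tgt, content=None, value=None):
        self.label, self.src, self.tgt = label, src, tgt
        self.content = content        # a box edge is labelled by a Net
        self.value = value            # a numeral edge carries its number


class Net:                            # root input, star outputs, shallow edges
    def __init__(self, root, outputs, edges):
        self.root, self.outputs, self.edges = root, outputs, edges


def translate(term):
    """Return (net, free): net has type star => star^(#free); free maps a free
    variable name to its output vertex."""
    k, r = term[0], fresh()
    if k == "var":
        w = fresh()
        return Net(r, [w], [Edge("V", [r], [w])]), {term[1]: w}
    if k in ("num", "stat"):
        return Net(r, [], [Edge(k, [r], [], value=term[1] if k == "num" else None)]), {}
    if k == "lam":
        body, free = translate(term[2])
        x = free.pop(term[1])         # linearity: the bound variable occurs once
        box_out = {y: fresh() for y in free}
        content = Net(body.root, [x] + list(free.values()), body.edges)
        t = fresh()                   # the T^1(star) vertex between lambda and box
        box = Edge("box", [t], list(box_out.values()), content=content)
        return Net(r, list(box_out.values()), [Edge("lam", [r], [t]), box]), box_out
    a, fa = translate(term[1])        # app, +, -: star => star (x) star
    b, fb = translate(term[2])
    return Net(r, a.outputs + b.outputs,
               [Edge(k, [r], [a.root, b.root])] + a.edges + b.edges), {**fa, **fb}


class UAM:
    """State: shallow edges plus one focus, kept as (mode, vertex at its target)."""
    def __init__(self, net):
        self.edges, self.root = list(net.edges), net.root
        self.mode, self.at, self.steps = "?", net.root, 0

    def above(self, v):               # the unique edge with source v (condition (2))
        return next((e for e in self.edges if v in e.src), None)

    def below(self, v):               # the unique edge with target v
        return next((e for e in self.edges if v in e.tgt), None)

    def merge(self, keep, drop):      # identify two vertices
        for e in self.edges:
            e.src = [keep if x == drop else x for x in e.src]
            e.tgt = [keep if x == drop else x for x in e.tgt]

    def size(self, edges=None):       # edges at any depth (assumed meaning of size(G))
        edges = self.edges if edges is None else edges
        return sum(1 + (self.size(e.content.edges) if e.content else 0) for e in edges)

    def step(self):
        v, e = self.at, self.above(self.at)
        if self.mode == "?":
            if e.label == "V": self.mode = "!"                                # 9a
            elif ARITY[e.label] > 0: self.at = e.tgt[0]                       # 9b
            else: self.mode = "✓" if e.label in PASSIVE else "!"              # 9e
        elif self.mode == "✓":
            p = self.below(v)
            if p is None:
                return False                                                  # final: ✓;|G|
            i = p.tgt.index(v)
            if i + 1 < ARITY[p.label]: self.mode, self.at = "?", p.tgt[i + 1]  # 9c
            else: self.mode, self.at = ("✓" if p.label in PASSIVE else "!"), p.src[0]  # 9d
        else:                                                                 # "!" rewrites
            if e.label == "V":                                                # 9f substitution
                self.edges.remove(e); self.merge(v, e.tgt[0])
            elif e.label in ("+", "-"):                                       # 10a arithmetic
                m, n = self.above(e.tgt[0]), self.above(e.tgt[1])
                r = m.value + n.value if e.label == "+" else m.value - n.value
                for x in (e, m, n): self.edges.remove(x)
                self.edges.append(Edge("num", [v], [], value=r))
            elif e.label == "app":                                            # 10b micro-beta
                lam = self.above(e.tgt[0]); box = self.above(lam.tgt[0]); g = box.content
                for x in (e, lam, box): self.edges.remove(x)
                self.edges += g.edges                                         # open the box
                self.merge(v, g.root)                                         # body root = redex root
                self.merge(e.tgt[1], g.outputs[0])                            # bound var := G_S
                for o_box, o_g in zip(box.tgt, g.outputs[1:]): self.merge(o_box, o_g)
            elif e.label == "stat":                                           # 10c: global, no local rule
                n = self.size()
                self.edges.remove(e); self.edges.append(Edge("num", [v], [], value=n))
            self.mode = "?"
        self.steps += 1
        return True


def evaluate(term, limit=10000):
    """Run the UAM from ?;t^dagger; return (numeral at the root or 'lam', #transitions)."""
    m = UAM(translate(term)[0])
    while m.step():
        assert m.steps < limit, "non-terminating"
    top = m.above(m.root)
    return (top.value if top.label == "num" else top.label), m.steps


ID1 = ("app", ("lam", "x", ("var", "x")), ("num", 1))      # (λx.x) 1, Figure 8
if __name__ == "__main__":
    print(evaluate(ID1))                                    # (1, 9)
    print(evaluate(("+", ("stat",), ("num", 1))))           # stat + 1
    print(evaluate(("+", ("stat",), ID1)))                  # stat + (λx.x) 1
```

Run as a script it prints the three evaluations: `(λx.x) 1` reaches the final state after nine transitions with the numeral `1` at the root, exactly the sequence search, search, backtrack, search, backtrack, micro-beta, search, substitution, search of Figure 8; `stat + 1` evaluates to `4` because `stat` sees three edges, while `stat + (λx.x) 1` evaluates to `8` because `stat` fires before the redex on its right is reduced and counts seven edges, the `V` edge inside the box included.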

6. A formal definition of the UAM

The UAM, and hence the definitions below, are all globally parameterised by the operation set 𝕆\mathbb{O} and its behaviour B𝕆B_{\mathbb{O}}.

6.1. Auxiliary definitions

We use the terms incoming and outgoing to characterise the incidence relation between neighbouring edges. Conventionally incidence is defined relative to vertices, but we find it helpful to extend the notion to edges.

Definition (Incoming and outgoing edges). An incoming edge of an edge $e$ is an edge that has a target which is a source of $e$. An outgoing edge of $e$ is an edge that has a source which is a target of $e$.

The notions of path and reachability are standard. Our technical development relies heavily on these graph-theoretic notions. Note that these are the notions that are difficult to translate back into the language of terms.

Definition (Paths and reachability).

(1) A path in a hypergraph is a non-empty sequence of edges, where an edge $e$ may be followed by an edge $e'$ only if $e$ is an incoming edge of $e'$.

(2) A vertex $v'$ is reachable from a vertex $v$ if $v = v'$ holds, or there exists a path from $v$ to $v'$.

Note that, in general, the first edge (resp. the last edge) of a path may have no source (resp. target). A path is said to be from a vertex $v$ if $v$ is a source of the first edge of the path. Similarly, a path is said to be to a vertex $v'$ if $v'$ is a target of the last edge of the path. A hypergraph $G$ is itself said to be a path if all edges of $G$ comprise a path from an input (if any) to an output (if any), and every vertex is an endpoint of an edge.

During focussed hypernet rewriting, operations are the only edges that the $?$-focus can “leave behind”. The $?$-focus is always at the end of an operation path.

Definition (Operation paths). A path whose edges are all labelled with operations is called an operation path.

We shall introduce a few classes of hypernets below. The first is box hypernets, which are simply single box edges.

Definition (Box hypernets). If a hypernet is a path consisting of only one box edge, it is called a box hypernet.

The second is stable hypernets, in which a focus can never trigger a rewrite (i.e. a focus never changes to the $\lightning$-focus). Stable hypernets can be seen as a graph-based notion of values/normal forms. For example, the hypernet that consists of an abstraction edge ($\lambda$) only is a stable hypernet.

Definition (Stable hypernets). A stable hypernet is a hypernet $(G: \star \Rightarrow \bigotimes_{i=1}^{m} \ell_i) \in \mathcal{H}(L_{\mathrm{lin}}, \mathbb{O}_{\checkmark})$ such that $\bigotimes_{i=1}^{m} \ell_i \in (\{T^n(\star) \mid n \in \mathbb{N}\})^m$ and each vertex is reachable from the unique input.

The last is one-way hypernets, which will play an important role in local reasoning. These specify sub-graphs which a focus enters only from the bottom (i.e. the $?$-focus through an input), never from the top (i.e. the $\checkmark$-focus through an output). Should the $\checkmark$-focus enter from the top, it must have traversed the sub-graph upwards and left an operation path behind. One-way hypernets are defined by ruling out such operation paths.

Definition (One-way hypernets). A hypernet $H$ is one-way if, for any pair $(v_i, v_o)$ of an input and an output of $H$ such that $v_i$ and $v_o$ both have type $\star$, no path from $v_i$ to $v_o$ is an operation path.

For example, the underlying hypernet $H$ of the left-hand side of the micro-beta rewrite rule (Figure 10b) is a one-way hypernet if $G_S$ is stable. Should the $\checkmark$-focus enter $H$ from the top, it must be backtracking the depth-first search, and hence the $?$-focus must have visited $H$ from the bottom. In the presence of the micro-beta rewrite rule, such a visit must result in a rewrite transition, and therefore the backtracking of the $\checkmark$-focus is impossible.

6.2. Focussed hypernets

Focussed hypernets are those that contain a focus. We impose some extra conditions, as below, to ensure that the focus is outside any box and not isolated.

Definition (Focussed hypernets).

(1) A focus in a hypergraph is said to be exposed if its source is an input and its target is an output, and self-acyclic if its source and its target are different vertices.

(2) Focussed hypernets (typically ranged over by $\dot{G}, \dot{H}, \dot{N}$) are those that contain exactly one focus, where the focus is shallow, self-acyclic and not exposed.

Focus-free hypernets are given by $\mathcal{H}_{\omega}(L_{\mathrm{lin}}, M_{\mathrm{lin}}(\mathbb{O}) \setminus \{?, \checkmark, \lightning\})$, i.e. hypernets without a focus.

Notation 6.0 (Removing, replacing and attaching a focus).

(1) A focussed hypernet $\dot{G}$ can be turned into an underlying focus-free hypernet $|\dot{G}|$ of the same type by removing its unique focus and identifying the source and the target of the focus.

(2) When a focussed hypernet $\dot{G}$ has a $\mathsf{t}$-focus, changing the focus label $\mathsf{t}$ to another label $\mathsf{t}'$ yields a focussed hypernet denoted by $\langle \dot{G} \rangle_{\mathsf{t}'/\mathsf{t}}$.

(3) Given a focus-free hypernet $G$, a focussed hypernet $\mathsf{t};_i G$ of the same type is obtained by connecting a $\mathsf{t}$-focus to the $i$-th input of $G$, provided that input has type $\star$. Similarly, a focussed hypernet $G;_i \mathsf{t}$ of the same type is obtained by connecting a $\mathsf{t}$-focus to the $i$-th output of $G$, provided that output has type $\star$. When there is no ambiguity, we omit the index $i$ in the notation $;_i$.

The source (resp. target) of a focus is called the “focus source” (resp. “focus target”) for short.

6.3. Contexts

We next formalise a notion of context, which is hypernets with holes. We use a set 𝕄\mathbb{M} of hole labels, and contexts are allowed to contain an arbitrary number of holes. Hole labels are typed, and typically ranged over by χ:\chi:\vec{\ell}\Rightarrow\vec{\ell^{\prime}}. {defi}[(Simple) contexts]

  1. (1)

    Holed hypernets (typically ranged over by 𝒞\mathcal{C}) are given by ω(Llin,Mlin(𝕆)𝕄)\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O})\cup\mathbb{M}), where the edge label set Mlin(𝕆)M_{\mathrm{lin}}(\mathbb{O}) is extended by the set 𝕄\mathbb{M}.

  2. (2)

    A holed hypernet 𝒞\mathcal{C} is said to be context if each hole label appears at most once (at any depth) in 𝒞\mathcal{C}.

  3. (3)

    A simple context is a context that contains a single hole, which is shallow.

By what we call plugging, we can replace a hole of a context with a hypernet, and obtain a new context. We here provide a description of plugging and fix a notation. A formal definition of plugging can be found in Appendix B.

Notation 6.0 (Plugging of contexts).
  1. (1)

    When χ\vec{\chi} gives a list of all and only hole labels that appear in a context 𝒞\mathcal{C}, the context can also be written as 𝒞[χ]\mathcal{C}[\vec{\chi}]. A hypernet in ω(Llin,Mlin(𝕆))\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O})) can be seen as a context without a hole and written as 𝒞[]\mathcal{C}[\,].

  2. (2)

    Let 𝒞[χ1,χ,χ2]\mathcal{C}[\vec{\chi^{1}},\chi,\vec{\chi^{2}}] and 𝒞[χ3]\mathcal{C}^{\prime}[\vec{\chi^{3}}] be contexts, such that the hole χ\chi and the latter context 𝒞\mathcal{C}^{\prime} have the same type and χ1χ2χ3=\vec{\chi^{1}}\cap\vec{\chi^{2}}\cap\vec{\chi^{3}}=\emptyset. A new context 𝒞[χ1,𝒞,χ2]ω(Llin,Mlinχ1χ3χ2))\mathcal{C}[\vec{\chi^{1}},\mathcal{C}^{\prime},\vec{\chi^{2}}]\in\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}\cup\vec{\chi^{1}}\cup\vec{\chi^{3}}\cup\vec{\chi^{2}})) can be obtained by plugging 𝒞\mathcal{C}^{\prime} into 𝒞\mathcal{C}: namely, by replacing the (possibly deep) hole edge of 𝒞\mathcal{C} that has label χ\chi with the context 𝒞\mathcal{C}^{\prime}, and by identifying each input (resp. output) of 𝒞\mathcal{C}^{\prime} with its corresponding source (resp. target) of the hole edge.

Each edge of the new context 𝒞[χ1,𝒞,χ3]\mathcal{C}[\vec{\chi^{1}},\mathcal{C}^{\prime},\vec{\chi^{3}}] is inherited from either 𝒞\mathcal{C} or 𝒞\mathcal{C}^{\prime}, keeping the type; this implies that the new context is indeed a context with hole labels χ1,χ3,χ2\vec{\chi^{1}},\vec{\chi^{3}},\vec{\chi^{2}}. Inputs and outputs of the new context coincide with those of the original context 𝒞\mathcal{C}, and hence these two contexts have the same type.

The plugging is associative in two senses: plugging two contexts into two holes of a context yields the same result regardless of the order, i.e. 𝒞[χ1,𝒞,χ2,𝒞′′,χ3]\mathcal{C}[\vec{\chi^{1}},\mathcal{C}^{\prime},\vec{\chi^{2}},\mathcal{C}^{\prime\prime},\vec{\chi^{3}}] is well-defined; and nested plugging yields the same result regardless of the order, i.e. 𝒞[χ1,𝒞[χ3,𝒞′′,χ4],χ2]=(𝒞[χ1,𝒞,χ2])[χ1,χ3,𝒞′′,χ4,χ2]\mathcal{C}[\vec{\chi^{1}},\mathcal{C}^{\prime}[\vec{\chi^{3}},\mathcal{C}^{\prime\prime},\vec{\chi^{4}}],\vec{\chi^{2}}]=(\mathcal{C}[\vec{\chi^{1}},\mathcal{C}^{\prime},\vec{\chi^{2}}])[\vec{\chi^{1}},\vec{\chi^{3}},\mathcal{C}^{\prime\prime},\vec{\chi^{4}},\vec{\chi^{2}}].

The notions of focussed and focus-free hypernets can be naturally extended to contexts. We use the terms entering and exiting to refer to a focus that is adjacent to a hole. A focus may be both entering and exiting.

Definition (Entering/exiting focuses). In a focussed context $\dot{\mathcal{C}}[\vec{\chi}]$, the focus is said to be entering if it is an incoming edge of a hole, and exiting if it is an outgoing edge of a hole.

6.4. States and transitions

We now define the UAM as a state transition system. States are hypernets that represent closed terms and hence have type $\star\Rightarrow\epsilon$.

Definition (States).

  1. A state is given by a focussed hypernet $\dot{G}\in\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O}))$ of type $\star\Rightarrow\epsilon$.

  2. A state $\dot{G}$ is called initial if $\dot{G}=?;|\dot{G}|$, and final if $\dot{G}=\checkmark;|\dot{G}|$.

The following will be apparent once transitions are defined: initial states are indeed initial in the sense that no search transition results in an initial state; and final states are indeed final in the sense that no transition is possible from a final state.

Intrinsic transitions, which consist of search transitions and substitution transitions, are specified by the interaction rules and the substitution rule in Figure 9. Each intrinsic transition applies a rule outside a box and at one place.

Definition (Intrinsic transitions).

  1. For each interaction rule $\dot{G}\overset{\bullet}{\mapsto}\dot{G'}$, if there exists a focus-free simple context $\mathcal{C}[\chi]:\star\Rightarrow\epsilon$ such that $\mathcal{C}[\dot{G}]$ and $\mathcal{C}[\dot{G'}]$ are states, then $\mathcal{C}[\dot{G}]\to\mathcal{C}[\dot{G'}]$ is a search transition.

  2. For each substitution rule $\dot{G}\overset{\mathsf{V}}{\mapsto}\dot{G'}$, if there exists a focus-free simple context $\mathcal{C}[\chi]:\star\Rightarrow\epsilon$ such that $\mathcal{C}[\dot{G}]$ and $\mathcal{C}[\dot{G'}]$ are states, then $\mathcal{C}[\dot{G}]\to\mathcal{C}[\dot{G'}]$ is a substitution transition.

When a sequence $\dot{G}\to^{*}\dot{G'}$ of transitions consists of search transitions only, it is annotated by the symbol $\bullet$ as $\dot{G}\overset{\bullet}{\to}{}^{*}\dot{G'}$.

Extrinsic transitions $B_{\mathbb{O}}$ must have a specific form; namely, they must be compute transitions.

Definition (Compute transitions). A transition $\dot{G}\to\dot{G'}$ is a compute transition if: (i) the first state $\dot{G}$ has the $\lightning$-focus, and that focus is an incoming edge of an active operation edge; and (ii) the second state $\dot{G'}$ has the $?$-focus. We can observe that substitution transitions and compute transitions are possible only if a state has the $\lightning$-focus, and they always change the focus to the $?$-focus. We refer to substitution transitions and compute transitions together as rewrite transitions (cf. Table 1).

Compute transitions may be specified locally, by rewrite rules, in the same manner as the intrinsic transitions. Figures 10a and 10b show examples of rewrite rules. We leave it entirely open what the actual rewrite associated with an operation is, by making the behaviour $B_{\mathbb{O}}$ a parameter of the UAM alongside the operation set $\mathbb{O}$. This is part of the semantic flexibility of our framework. We do not specify a meta-language for encoding effects as particular transitions: any algorithmic state transformation (e.g. the compute transition for $\mathtt{stat}$ in Figure 10c) is acceptable.

We can now define the UAM as follows.

Definition (The UAM). Given two parameters $\mathbb{O}$ and $B_{\mathbb{O}}$, the universal abstract machine (UAM) $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is given by data $(S_{\mathbb{O}},T\uplus B_{\mathbb{O}})$ such that:

  • $S_{\mathbb{O}}\subseteq\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O}))$ is a set of states,

  • $T\subseteq S_{\mathbb{O}}\times S_{\mathbb{O}}$ is a set of intrinsic transitions, and

  • $B_{\mathbb{O}}\subseteq S_{\mathbb{O}}\times S_{\mathbb{O}}$ is a set of compute transitions.

We refer to elements of $B_{\mathbb{O}}$ as extrinsic transitions as well as compute transitions; we use these two terms interchangeably.

An execution of the UAM starts with a focus-free hypernet that represents a closed term, e.g. a result of the translation $(-)^{\dagger}$ (cf. Figure 6). It is successful if it terminates in a final state, and unsuccessful if it gets stuck in a non-final state.

Definition (Execution and stuck states).

  1. An execution on a focus-free hypernet $G:\star\Rightarrow\epsilon$ is a sequence of transitions starting from the initial state $?;G$.

  2. A state is said to be stuck if it is not final and cannot be followed by any transition.

Recall that we have a notion of stable hypernet (Section 6.1) that is a graphical counterpart of values. An execution on any stable hypernet terminates successfully at a final state, using search transitions only (cf. 33(1), which is proved for the “non-linear” UAM).

7. Contextual equivalence on hypernets

In this section, we set the target of our proof methodology. First, we define contextual equivalence in a general manner. Next, we clarify what kind of operations $\mathbb{O}$ our proof methodology applies to.

7.1. Generalised contextual equivalence

We propose notions of contextual refinement and equivalence that check for successful termination of execution. (We opt for the very basic notion of contextual refinement that concerns termination only. Richer observations, e.g. evaluation results, output, probability or nondeterminism, would require different definitions of contextual refinement, and these are out of the scope of this paper.) Our notion of contextual refinement (and hence contextual equivalence) generalises the standard notions in two ways.

  • The notion of contextual refinement can be flexible in terms of the class of contexts in which it holds. Namely, contextual refinement is parameterised by a set $\mathbb{C}\subseteq\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O})\cup\mathbb{M})$ of focus-free contexts. The standard contextual refinement can be recovered by setting $\mathbb{C}$ to be the set of all focus-free contexts.

  • The notion of contextual refinement can count and compare the number of transitions. Namely, contextual refinement is parameterised by a preorder $Q$ on natural numbers. The standard contextual refinement can be obtained by setting $Q$ to be the total relation $\mathbb{N}\times\mathbb{N}$. Other typical examples of the preorder $Q$ are the greater-than-or-equal relation $\geq_{\mathbb{N}}$ and the equality $=_{\mathbb{N}}$. With these preorders, one can prove that two terms are contextually equivalent and, moreover, that one takes at most as many transitions to terminate as the other (with $\geq_{\mathbb{N}}$), or that the two terms take exactly the same number of transitions to terminate (with $=_{\mathbb{N}}$).

We require the parameter $\mathbb{C}$ to be closed under plugging, i.e. for any contexts $\mathcal{C}[\vec{\chi^{1}},\chi,\vec{\chi^{2}}],\mathcal{C}'\in\mathbb{C}$ such that $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$ is defined, $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]\in\mathbb{C}$.

Definition (State refinement and equivalence). Let $Q$ be a preorder on $\mathbb{N}$, and $\dot{G_{1}}$ and $\dot{G_{2}}$ be two states.

  • $\dot{G_{1}}$ is said to refine $\dot{G_{2}}$ up to $Q$, written as $B_{\mathbb{O}}\models(\dot{G_{1}}\mathrel{\dot{\preceq}}_{Q}\dot{G_{2}})$, if for any number $k_{1}\in\mathbb{N}$ and any final state $\dot{N_{1}}$ such that $\dot{G_{1}}\to^{k_{1}}\dot{N_{1}}$, there exist a number $k_{2}\in\mathbb{N}$ and a final state $\dot{N_{2}}$ such that $k_{1}\mathrel{Q}k_{2}$ and $\dot{G_{2}}\to^{k_{2}}\dot{N_{2}}$.

  • $\dot{G_{1}}$ and $\dot{G_{2}}$ are said to be equivalent up to $Q$, written as $B_{\mathbb{O}}\models(\dot{G_{1}}\mathrel{\dot{\simeq}}_{Q}\dot{G_{2}})$, if $B_{\mathbb{O}}\models(\dot{G_{1}}\mathrel{\dot{\preceq}}_{Q}\dot{G_{2}})$ and $B_{\mathbb{O}}\models(\dot{G_{2}}\mathrel{\dot{\preceq}}_{Q}\dot{G_{1}})$.

Definition (Contextual refinement and equivalence). Let $\mathbb{C}$ be a set of contexts that is closed under plugging, $Q$ be a preorder on $\mathbb{N}$, and $H_{1}$ and $H_{2}$ be focus-free hypernets of the same type.

  • $H_{1}$ is said to contextually refine $H_{2}$ in $\mathbb{C}$ up to $Q$, written as $B_{\mathbb{O}}\models(H_{1}\preceq^{\mathbb{C}}_{Q}H_{2})$, if every focus-free context $\mathcal{C}[\chi]\in\mathbb{C}$ such that $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are states yields the refinement $B_{\mathbb{O}}\models(?;\mathcal{C}[H_{1}]\mathrel{\dot{\preceq}}_{Q}\,?;\mathcal{C}[H_{2}])$.

  • $H_{1}$ and $H_{2}$ are said to be contextually equivalent in $\mathbb{C}$ up to $Q$, written as $B_{\mathbb{O}}\models(H_{1}\simeq^{\mathbb{C}}_{Q}H_{2})$, if $B_{\mathbb{O}}\models(H_{1}\preceq^{\mathbb{C}}_{Q}H_{2})$ and $B_{\mathbb{O}}\models(H_{2}\preceq^{\mathbb{C}}_{Q}H_{1})$.

In the sequel, we simply write $\dot{G_{1}}\mathrel{\dot{\preceq}}_{Q}\dot{G_{2}}$ etc., making the parameter $B_{\mathbb{O}}$ implicit.

Because $Q$ is a preorder, $\mathrel{\dot{\preceq}}_{Q}$ and $\preceq^{\mathbb{C}}_{Q}$ are indeed preorders, and accordingly the equivalences $\mathrel{\dot{\simeq}}_{Q}$ and $\simeq^{\mathbb{C}}_{Q}$ are indeed equivalence relations (35).

When the relation $Q$ is the universal relation $\mathbb{N}\times\mathbb{N}$, the notions concern successful termination only, and the number of transitions is irrelevant. If all compute transitions are deterministic, the contextual equivalences $\simeq^{\mathbb{C}}_{\geq_{\mathbb{N}}}$ and $\simeq^{\mathbb{C}}_{=_{\mathbb{N}}}$ coincide for any $\mathbb{C}$ (as a consequence of 36): in a deterministic UAM each state has at most one terminating execution, so the two refinements $k_{1}\geq k_{2}$ and $k_{2}\geq k_{1}$ together force $k_{1}=k_{2}$.

Because $\mathbb{C}$ is closed under plugging, the contextual notions $\preceq^{\mathbb{C}}_{Q}$ and $\simeq^{\mathbb{C}}_{Q}$ indeed become congruences. Namely, for any $H_{1}\mathrel{\square}^{\mathbb{C}}H_{2}$ and $\mathcal{C}\in\mathbb{C}$ such that $\mathcal{C}[H_{1}]$ and $\mathcal{C}[H_{2}]$ are defined, $\mathcal{C}[H_{1}]\mathrel{\square}^{\mathbb{C}}\mathcal{C}[H_{2}]$, where $\square\in\{\preceq_{Q},\simeq_{Q}\}$. The reason is that any further context $\mathcal{D}\in\mathbb{C}$ satisfies $\mathcal{D}[\mathcal{C}[H_{p}]]=(\mathcal{D}[\mathcal{C}])[H_{p}]$ by associativity of plugging, and $\mathcal{D}[\mathcal{C}]$ is again in $\mathbb{C}$ by closure under plugging.

As the parameter $\mathbb{C}$, we will use the set $\mathbb{C}_{\mathbb{O}}$ of all focus-free contexts for the time being. We will use another set in Section 11. The standard notions of contextual refinement and equivalence can be recovered as $\preceq^{\mathbb{C}_{\mathbb{O}}}_{\mathbb{N}\times\mathbb{N}}$ and $\simeq^{\mathbb{C}_{\mathbb{O}}}_{\mathbb{N}\times\mathbb{N}}$.
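The following Python code is an added example, not from the paper, that implements state refinement and equivalence up to $Q$ on a small deterministic transition system given as a table (states are strings; a state absent from the table is stuck unless it is final). Hypernets and the UAM are not modelled; the names `run`, `refines`, `equivalent`, `summary`, the preorders `TOTAL`, `GEQ` and `EQ`, and the constructed table `STEP` are assumptions of this example. Because the system is deterministic, each state has at most one terminating run, which is what makes the $\geq_{\mathbb{N}}$ and $=_{\mathbb{N}}$ equivalences coincide; the example also exhibits the caveat that a state with no terminating run (diverging or stuck) refines every state vacuously, since the definition only constrains terminating runs.

```python
"""State refinement and equivalence up to a preorder Q (Section 7.1) on a
small deterministic transition system.  Added example; the machine is a
table of single successors, not a hypernet-rewriting UAM."""
from __future__ import annotations
from typing import Callable, Optional

Preorder = Callable[[int, int], bool]

TOTAL: Preorder = lambda k1, k2: True      # N x N: only termination matters
GEQ: Preorder = lambda k1, k2: k1 >= k2    # the refined state is no slower
EQ: Preorder = lambda k1, k2: k1 == k2     # identical transition counts

# Constructed transition table: state -> unique successor.
STEP = {
    "a0": "a1", "a1": "a2", "a2": "done",   # terminates after 3 transitions
    "b0": "b1", "b1": "done",               # terminates after 2 transitions
    "c0": "c1", "c1": "done",               # terminates after 2 transitions
    "loop0": "loop1", "loop1": "loop0",     # diverges
    "stuck0": "stuck1",                      # stuck1 is neither final nor in STEP
}
FINAL = {"done"}


def run(start: str, step=STEP, final=FINAL) -> Optional[tuple[int, str]]:
    """Follow the unique path from `start`.  Returns (k, N) when a final state
    N is reached after k transitions, None if the run gets stuck or revisits
    a state (which, in a deterministic system, means divergence)."""
    seen, cur, k = set(), start, 0
    while cur not in final:
        if cur in seen or cur not in step:
            return None
        seen.add(cur)
        cur, k = step[cur], k + 1
    return k, cur


def refines(g1: str, g2: str, q: Preorder, step=STEP, final=FINAL) -> bool:
    """g1 refines g2 up to q: every terminating run of g1 (here: the unique
    one, if any) is matched by a terminating run of g2 with k1 q k2."""
    r1 = run(g1, step, final)
    if r1 is None:
        return True  # g1 never terminates: the condition holds vacuously
    r2 = run(g2, step, final)
    return r2 is not None and q(r1[0], r2[0])


def equivalent(g1: str, g2: str, q: Preorder, step=STEP, final=FINAL) -> bool:
    """Equivalence up to q is refinement in both directions."""
    return refines(g1, g2, q, step, final) and refines(g2, g1, q, step, final)


def summary() -> dict:
    """Compare the constructed states under the three preorders."""
    return {
        "a0~b0": tuple(equivalent("a0", "b0", q) for q in (TOTAL, GEQ, EQ)),
        "b0~c0": tuple(equivalent("b0", "c0", q) for q in (TOTAL, GEQ, EQ)),
        "a0<=b0 (GEQ)": refines("a0", "b0", GEQ),    # 3 >= 2 holds
        "b0<=a0 (GEQ)": refines("b0", "a0", GEQ),    # 2 >= 3 fails
        "loop0<=a0": refines("loop0", "a0", EQ),     # vacuous: loop0 diverges
        "a0<=loop0": refines("a0", "loop0", TOTAL),  # a0 terminates, loop0 does not
    }
```

The `a0`/`b0` pair is equivalent under the total relation but not under $\geq_{\mathbb{N}}$ or $=_{\mathbb{N}}$, while `b0`/`c0` is equivalent under all three; for a deterministic system the last two columns always agree, as the text states. The vacuous cases are worth keeping in mind when reading refinement results: a program that never terminates refines everything, so refinement alone never certifies that a program makes progress.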

7.2. Determinism and refocusing

We will focus on operations $\mathbb{O}$ whose behaviour $B_{\mathbb{O}}$ makes the UAM both deterministic and refocusing in the following sense.

Definition (Determinism and refocusing).

  1. A UAM $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is deterministic if the following holds: if two transitions $\dot{G}\to\dot{G'}$ and $\dot{G}\to\dot{G''}$ are possible, then $\dot{G'}=\dot{G''}$ up to graph isomorphism.

  2. A state $\dot{G}$ is rooted if $?;|\dot{G}|\overset{\bullet}{\to}{}^{*}\dot{G}$.

  3. A UAM $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is refocusing if every transition preserves the rooted property.

In a refocusing UAM, the rooted property becomes an invariant, because any initial state is trivially rooted. The invariant ensures the following: starting the search process (i.e. a search transition) from a state $\dot{N'}$ with the $?$-focus can be seen as resuming the search process $?;|\dot{N'}|\overset{\bullet}{\to}{}^{*}\dot{N'}$, from an initial state, on the underlying hypernet $|\dot{N'}|$. Resuming redex search after a rewrite, rather than starting from scratch, is an important aspect of abstract machines. In the case of the lambda-calculus, enabling this resumption is identified as one of the key steps (called “refocusing”) to synthesise abstract machines from reduction semantics by Danvy et al. [DMMZ12]. In our setting, it is preservation of the rooted property that justifies the resumption.

For many rewrite transitions that are specified by a local rewrite rule, it suffices to check the shape of the rewrite rule in order to conclude that the corresponding rewrite transition preserves the rooted property. Intuitively, a rewrite rule $\dot{H}\mapsto\dot{H'}$ (or the substitution rule) should satisfy the following.

  1. No $\checkmark$-focus can encounter $|\dot{H}|$ prior to application of the rewrite rule $\dot{H}\mapsto\dot{H'}$.

  2. The rewrite rule changes only edges above the $\lightning$-focus, and turns the focus into the $?$-focus without moving it around.

  3. If the $?$-focus encounters $|\dot{H}|$, subsequent search transitions yield the $\lightning$-focus.

The above idea is formalised as the notion of stationary rewrite transition. If a rewrite transition is stationary in the following sense, it preserves the rooted property.

Definition (Stationary rewrite transitions). A rewrite transition $\dot{G}\to\dot{G'}$ is stationary if there exist a focus-free simple context $\mathcal{C}$, focus-free hypernets $H$ and $H'$, and a number $i\in\mathbb{N}$, such that the following hold.

  1. $H$ is one-way,

  2. $\dot{G}=\mathcal{C}[\lightning;_{i}H]$ and $\dot{G'}=\mathcal{C}[?;_{i}H']$, and

  3. for any $j\in\mathbb{N}\backslash\{i\}$ such that $\mathcal{C}[?;_{j}H]$ is a state, there exists a state $\dot{N}$ with the $\lightning$-focus such that $\mathcal{C}[?;_{j}H]\overset{\bullet}{\to}\dot{N}$.

Lemma 2 (27).

If a rewrite transition $\dot{G}\to\dot{G'}$ is stationary, it preserves the rooted property, i.e. $\dot{G}$ being rooted implies that $\dot{G'}$ is also rooted.

Finally, determinism and refocusing of a UAM boil down to those of the extrinsic transitions $B_{\mathbb{O}}$, under a mild condition.

Lemma 3 (Determinism and refocusing).
  • A universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is deterministic if the extrinsic transitions $B_{\mathbb{O}}$ are deterministic.

  • Suppose that $G_{S}$ in the substitution rule (Figure 9f) is a stable hypernet. A universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is refocusing if the extrinsic transitions $B_{\mathbb{O}}$ preserve the rooted property.

Proof 7.1.

Intrinsic transitions and extrinsic transitions are mutually exclusive, and intrinsic transitions are all deterministic, for the following reasons.

  • Search transitions are deterministic, because at most one interaction rule can be applied at any state.

  • Although two different substitution rules may be applicable at a state, substitution transitions are still deterministic. Namely, if two different substitution rules $\dot{G}\overset{\mathsf{V}}{\mapsto}\dot{G'}$ and $\dot{H}\overset{\mathsf{V}}{\mapsto}\dot{H'}$ can be applied to the same state, i.e. there exist focus-free simple contexts $\mathcal{C}_{G}$ and $\mathcal{C}_{H}$ such that $\mathcal{C}_{G}[\dot{G}]=\mathcal{C}_{H}[\dot{H}]$, then these two rules yield the same transition, since $\mathcal{C}_{G}[\dot{G'}]=\mathcal{C}_{H}[\dot{H'}]$.

Therefore, if extrinsic transitions are deterministic, all transitions become deterministic.

Search transitions trivially preserve the rooted property. Substitution transitions also preserve the rooted property, because they are stationary under the assumption that $G_{S}$ in Figure 9f is stable. Therefore, all transitions but the extrinsic ones already preserve the rooted property.

8. A sufficiency-of-robustness theorem

In this section, we will state a sufficiency-of-robustness theorem (6), by identifying sufficient conditions (namely safety and robustness) for contextual refinement $N\preceq^{\mathbb{C}}_{Q}H$. Throughout this section, we will use the micro-beta law, which looks like Figure 11, as a leading example. It is derived from the micro-beta rewrite rule (Figure 10b) by removing focuses, and it is the core of a graphical counterpart of the beta-law $(\lambda x.t)\ v\preceq t[v/x]$. We will introduce the relevant notions and concepts (such as safety and robustness) by illustrating what it takes for the micro-beta law to hold.

8.1. Pre-templates and specimens

Figure 11. The micro-beta pre-template, where $G$ is a hypernet and $G_{S}$ is a stable hypernet

We begin with the observation that we are often interested in a family of contextual refinements. Syntactically, indeed, the beta-law $(\lambda x.t)\ v\preceq t[v/x]$ represents a family of (concrete) contextual refinements such as $(\lambda x.x)\ (\lambda y.y)\preceq\lambda y.y$. Graphically, it is the same: the micro-beta law represents a family of (concrete) laws. In the micro-beta law (Figure 11), $G$ can be arbitrary and $G_{S}$ can be any stable hypernet. The sufficiency-of-robustness theorem will therefore take a family $\vartriangleleft$ of pairs of focus-free hypernets (i.e. a relation $\vartriangleleft$ on focus-free hypernets), and identify sufficient conditions for the family to imply a family of (concrete) contextual refinements.

Moreover, the relation $\vartriangleleft$ must be well-typed, i.e. each pair $(N,H)\in\mathord{\vartriangleleft}$ must share the same type. This in particular means that, if $N$ represents a term (or a thunk), $H$ must represent a term (or, resp., a thunk) with the same number of free variables. We therefore formalise $\vartriangleleft$ as a type-indexed family of relations on focus-free hypernets, and call it a pre-template. A pre-template is our candidate for (a family of) contextual refinements.

Definition (Pre-templates). A pre-template is given by the union $\mathord{\vartriangleleft}:=\bigcup_{I\in\mathcal{I}}\vartriangleleft_{I}$ of a type-indexed family $\{\vartriangleleft_{I}\}_{I\in\mathcal{I}}$, where $\mathcal{I}$ is a set of types. Each $\vartriangleleft_{I}$ is a binary relation on focus-free hypernets such that, for any $G_{1}\vartriangleleft_{I}G_{2}$ where $I\in\mathcal{I}$, $G_{1}$ and $G_{2}$ are focus-free hypernets with types $G_{1}:I$ and $G_{2}:I$.

Example (Micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$). As a leading example, we consider the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$, depicted in Figure 11 and derived from the micro-beta rewrite rule (Figure 10b). Compared to the micro-beta rewrite rule, the pre-template additionally requires $G_{S}$ to be stable; this amounts to requiring $v$ to be a value in the beta-law $(\lambda x.t)\ v\preceq t[v/x]$. For each $N\vartriangleleft^{\overset{\rightarrow}{@}}H$, the hypernets $N$ and $H$ have the same type $\star\Rightarrow\star^{\otimes n}\otimes\vec{\ell}$, where $n\in\mathbb{N}$ and the sequence $\vec{\ell}$ of types can be arbitrary as long as $G_{S}$ is stable. ∎

To directly prove that a pre-template $N\vartriangleleft H$ implies contextual refinement $N\preceq^{\mathbb{C}}_{Q}H$, one would need to compare the states $\dot{C}[N],\dot{C}[H]$ for any focussed context $\dot{C}$. We use data dubbed specimen to provide such a pair. Sometimes we prefer a relaxed comparison, between two states $\dot{P_{1}},\dot{P_{2}}$ such that $\dot{P_{1}}\mathrel{R}\dot{C}[N]$ and $\dot{C}[H]\mathrel{R'}\dot{P_{2}}$ for some binary relations $R,R'$ on states. Such a comparison can be specified by what we call a quasi-specimen up to $(R,R')$. The notion of (quasi-)specimen is relative to the set $\mathbb{C}$ of focus-free contexts, which is one of the parameters of contextual refinement.

Definition ((Quasi-)specimens). Let $\vartriangleleft$ be a pre-template, and $R$ and $R'$ be binary relations on states.

  1. A triple $(\dot{\mathcal{C}}[\vec{\chi}];\vec{H^{1}};\vec{H^{2}})$ is a $\mathbb{C}$-specimen of $\vartriangleleft$ if the following hold:
     (A) $|\dot{\mathcal{C}}[\vec{\chi}]|\in\mathbb{C}$, and the three sequences $\vec{\chi},\vec{H^{1}},\vec{H^{2}}$ have the same length $n$.
     (B) $H^{1}_{i}\vartriangleleft H^{2}_{i}$ for each $i\in\{1,\ldots,n\}$.
     (C) $\dot{\mathcal{C}}[\vec{H^{p}}]$ is a state for each $p\in\{1,2\}$.

  2. A pair $(\dot{N_{1}},\dot{N_{2}})$ of states is a quasi-$\mathbb{C}$-specimen of $\vartriangleleft$ up to $(R,R')$ if there exists a $\mathbb{C}$-specimen $(\dot{\mathcal{C}};\vec{H^{1}};\vec{H^{2}})$ of $\vartriangleleft$ such that the following hold:
     (A) The focuses of $\dot{\mathcal{C}}$, $\dot{N_{1}}$ and $\dot{N_{2}}$ all have the same label.
     (B) If $\dot{N_{1}}$ and $\dot{N_{2}}$ are rooted, then $\dot{\mathcal{C}}[\vec{H^{1}}]$ and $\dot{\mathcal{C}}[\vec{H^{2}}]$ are also rooted, $\dot{N_{1}}\mathrel{R}\dot{\mathcal{C}}[\vec{H^{1}}]$, and $\dot{\mathcal{C}}[\vec{H^{2}}]\mathrel{R'}\dot{N_{2}}$.

  3. A $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\vec{\chi}];\vec{H^{1}};\vec{H^{2}})$ is said to be single if the sequence $\vec{\chi}$ has only one element, i.e. the context $\dot{\mathcal{C}}$ has exactly one hole edge (at any depth).

We can thus refer to the focus label of a $\mathbb{C}$-specimen and of a quasi-$\mathbb{C}$-specimen. Any $\mathbb{C}$-specimen $(\dot{\mathcal{C}};\vec{H^{1}};\vec{H^{2}})$ gives a quasi-$\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\vec{H^{1}}],\dot{\mathcal{C}}[\vec{H^{2}}])$ up to $(=,=)$.

As described in Section 2.3, the key part of proving contextual refinement $N\preceq^{\mathbb{C}}_{Q}H$ for each $N\vartriangleleft H$ is to show (2). With the notion of specimen in hand, (2) can be rephrased as follows:

  • for any $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\vec{\chi}];\vec{N};\vec{H})$ of $\vartriangleleft$ and any transition $\dot{\mathcal{C}}[\vec{N}]\to\dot{P}$,

  • there exist a $\mathbb{C}$-specimen $(\dot{\mathcal{C}'}[\vec{\chi'}];\vec{N'};\vec{H'})$ and $k,l\in\mathbb{N}$ such that $(1+k)\mathrel{Q}l$ and the following holds, i.e. $\dot{\mathcal{C}}[\vec{N}]\to\dot{P}\to^{k}\dot{\mathcal{C}'}[\vec{N'}]$ and $\dot{\mathcal{C}}[\vec{H}]\to^{l}\dot{\mathcal{C}'}[\vec{H'}]$:

$$
\begin{array}{ccc}
\dot{\mathcal{C}}[\vec{N}] & \overline{\vartriangleleft} & \dot{\mathcal{C}}[\vec{H}] \\
\downarrow & & \downarrow\,{\scriptstyle l} \\
\dot{P}\ \to^{k}\ \dot{\mathcal{C}'}[\vec{N'}] & \overline{\vartriangleleft} & \dot{\mathcal{C}'}[\vec{H'}]
\end{array}
\qquad (6)
$$

To establish (6), it suffices to perform case analysis on the transition $\dot{\mathcal{C}}[\vec{N}]\to\dot{P}$. As explained in Section 2.3, there are three possible cases. The first case is trivial: the $?$-focus or $\checkmark$-focus moves just inside the context $|\dot{\mathcal{C}}|$. In this case, we can take the updated context $\dot{\mathcal{C}'}$ such that $|\dot{\mathcal{C}}|=|\dot{\mathcal{C}'}|$. For the other two cases, we identify sufficient conditions for (6), namely safety and robustness.

8.2. Safety

The second case of the case analysis for (6) is when the $?$-focus or the $\checkmark$-focus encounters one of $\vec{N}$ (and $\vec{H}$); see Figure 4b. Let us look at how the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ (cf. Figure 10b; mind that the focuses are dropped in the pre-template) satisfies (6) in this case. Let $N_{i}\vartriangleleft^{\overset{\rightarrow}{@}}H_{i}$ be the pair the focus is encountering. There are three sub-cases.

Case (ii-1) Searching:

The $?$-focus enters $N_{i},H_{i}$, i.e. we have $?;N_{i}$ and $?;H_{i}$ inside the states $\dot{\mathcal{C}}[\vec{N}],\dot{\mathcal{C}}[\vec{H}]$. On $?;N_{i}$, a few search transitions will be followed by a compute transition that applies the micro-beta rewrite rule, because what is connected to the right target of the application edge ($@$) (i.e. $G_{S}$ in Figure 11) is required to be stable. The result is exactly $?;H_{i}$.

This means that we can take a $\mathbb{C}$-specimen $(\dot{\mathcal{C}'}[\vec{\chi'}];\vec{N'};\vec{H'})$ where $\dot{\mathcal{C}'}$ is obtained by replacing the $i$-th hole of $\dot{\mathcal{C}}$ with $H_{i}$, and $\vec{N'},\vec{H'}$ are obtained by removing $N_{i},H_{i}$ from $\vec{N},\vec{H}$. One observation is that the focus in $\dot{\mathcal{C}'}$ is not entering (i.e. it does not point at a hole), because it is the $?$-focus pointing at $H_{i}$, which is now part of the context.

Case (ii-2) Backtracking on the box:

The $\checkmark$-focus is on top of the box (i.e. $G$ in Figure 11). This case is in fact impossible in a refocusing UAM. For the states $\dot{\mathcal{C}}[\vec{N}],\dot{\mathcal{C}}[\vec{H}]$ to be rooted, the $\checkmark$-focus must be at the end of an operation path. However, the $\checkmark$-focus in the state $\dot{\mathcal{C}}[\vec{N}]$ is adjacent to a box edge, and cannot be at the end of an operation path.

Case (ii-3) Backtracking on the stable argument:

The $\checkmark$-focus is on top of what is connected to the right target of the application edge ($@$) (i.e. $G_{S}$ in Figure 11). This case is also impossible, because of types. The stable hypernet $G_{S}$ has type $\star\Rightarrow\bigotimes_{i=1}^{m}T^{n_{i}}(\star)$ (cf. Section 6.1), whereas the $\checkmark$-focus has type $\star\Rightarrow\star$. The $\checkmark$-focus cannot be on top of $G_{S}$.

From Case (ii-1), we extract a sufficient condition for (6), dubbed input-safety, as follows. The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ falls into (II) below.

Definition (Input-safety). A pre-template $\vartriangleleft$ is $(\mathbb{C},Q,Q')$-input-safe if, for any $\mathbb{C}$-specimen $(\dot{\mathcal{C}};\vec{H^{1}};\vec{H^{2}})$ of $\vartriangleleft$ such that $\dot{\mathcal{C}}$ has the entering $?$-focus, one of the following holds.

  (I) There exist two stuck states $\dot{N_{1}}$ and $\dot{N_{2}}$ such that $\dot{\mathcal{C}}[\vec{H^{p}}]\to^{*}\dot{N_{p}}$ for each $p\in\{1,2\}$.

  (II) There exist a $\mathbb{C}$-specimen $(\dot{\mathcal{C}'};\vec{H'^{1}};\vec{H'^{2}})$ of $\vartriangleleft$ and two numbers $k_{1},k_{2}\in\mathbb{N}$ such that the focus of $\dot{\mathcal{C}'}$ is the $\checkmark$-focus or the non-entering $?$-focus, $(1+k_{1})\mathrel{Q}k_{2}$, $\dot{\mathcal{C}}[\vec{H^{1}}]\to^{1+k_{1}}\dot{\mathcal{C}'}[\vec{H'^{1}}]$, and $\dot{\mathcal{C}}[\vec{H^{2}}]\to^{k_{2}}\dot{\mathcal{C}'}[\vec{H'^{2}}]$.

  (III) There exist a quasi-$\mathbb{C}$-specimen $(\dot{N_{1}},\dot{N_{2}})$ of $\vartriangleleft$ up to $(\dot{\simeq}_{Q'},\dot{\simeq}_{Q'})$ whose focus is not the $\lightning$-focus, and two numbers $k_{1},k_{2}\in\mathbb{N}$, such that $(1+k_{1})\mathrel{Q}(1+k_{2})$, $\dot{\mathcal{C}}[\vec{H^{1}}]\to^{1+k_{1}}\dot{N_{1}}$, and $\dot{\mathcal{C}}[\vec{H^{2}}]\to^{1+k_{2}}\dot{N_{2}}$.

Cases (ii-2) and (ii-3) tell us that types and the rooted property prevent the $\checkmark$-focus from visiting $N_{i},H_{i}$ such that $N_{i}\vartriangleleft^{\overset{\rightarrow}{@}}H_{i}$. This situation can be captured by one-way hypernets (Section 6.1), resulting in another sufficient condition dubbed output-closure.

Definition (Output-closure). A pre-template $\vartriangleleft$ is output-closed if, for any hypernets $H_{1}\vartriangleleft H_{2}$, either $H_{1}$ or $H_{2}$ is one-way.

Input-safety and output-closure are precisely our safety conditions. When a pre-template is safe, we simply call it a template.

Definition (Templates). A pre-template $\vartriangleleft$ is a $(\mathbb{C},Q,Q')$-template if it is $(\mathbb{C},Q,Q')$-input-safe and also output-closed.

The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is indeed safe, and hence a template. The third parameter of input-safety is irrelevant here, and we can simply set it to the equality $=$. Recall that $\mathbb{C}_{\mathbb{O}}$ is the set of all focus-free contexts using operations $\mathbb{O}$.

Lemma 4 (Safety of $\vartriangleleft^{\overset{\rightarrow}{@}}$).

Let $\mathbb{O}^{\mathrm{lin}}_{\checkmark}$ be the set $\mathbb{N}\cup\{\lambda\}$, $\mathbb{O}^{\mathrm{lin}}_{\lightning}$ be the set $\{+,-,\overset{\rightarrow}{@},\mathtt{stat}\}$, and $\mathbb{O}^{\mathrm{lin}}=\mathbb{O}^{\mathrm{lin}}_{\checkmark}\uplus\mathbb{O}^{\mathrm{lin}}_{\lightning}$. The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is a $(\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}},\geq,=)$-template. ∎

8.3. Robustness

The last case of the case analysis for (6) is when the $\lightning$-focus triggers a rewrite transition in $\dot{\mathcal{C}}$ (and hence in $\dot{\mathcal{C}'}$). Does the micro-beta template satisfy (6) in this case? It depends on the rewrite transition $\dot{\mathcal{C}}[\vec{N}]\to\dot{P}$. Let us consider the operation set $\mathbb{O}^{\mathrm{lin}}=\mathbb{O}^{\mathrm{lin}}_{\checkmark}\uplus\mathbb{O}^{\mathrm{lin}}_{\lightning}$ of Lemma 4, where $\mathbb{O}^{\mathrm{lin}}_{\checkmark}=\mathbb{N}\cup\{\lambda\}$ and $\mathbb{O}^{\mathrm{lin}}_{\lightning}=\{+,-,\overset{\rightarrow}{@},\mathtt{stat}\}$. We can perform case analysis in terms of which rewrite is triggered by the $\lightning$-focus.

Case (iii-1) Substitution:

The \lightning-focus triggers application of the substitution rule (Figure 9f). The rule simply removes a variable edge (𝖵\mathsf{V}), and the same rule can be applied to both states 𝒞˙[N],𝒞˙[H]{\dot{\mathcal{C}}}[\vec{N}],{\dot{\mathcal{C}}}[\vec{H}]. Sub-graphs related by @\vartriangleleft^{\mathop{\overset{\rightarrow}{@}}} may be involved, as part of GSG_{S} in Figure 9f, but they are kept unchanged. Therefore we can take a 𝕆lin\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}-specimen (𝒞˙[χ];N;H)({\dot{\mathcal{C}^{\prime}}}[\vec{\chi^{\prime}}];\vec{N^{\prime}};\vec{H^{\prime}}) where 𝒞˙{\dot{\mathcal{C}^{\prime}}} has the same number of holes as 𝒞˙{\dot{\mathcal{C}}}.

Case (iii-2) Arithmetic:

The $\lightning$-focus triggers application of the arithmetic rewrite rule (Figure 10a). The rewrite rule only involves three edges, and it can never involve sub-graphs related by $\vartriangleleft^{\overset{\rightarrow}{@}}$. We can again take a $\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}$-specimen $(\dot{\mathcal{C}'}[\vec{\chi'}];\vec{N'};\vec{H'})$ where $\dot{\mathcal{C}'}$ has the same number of holes as $\dot{\mathcal{C}}$.

Case (iii-3) Micro-beta:

The $\lightning$-focus triggers application of the micro-beta rewrite rule (Figure 10b). Sub-graphs related by $\vartriangleleft^{\overset{\rightarrow}{@}}$ may be involved in the rewrite rule, as part of the box content $G$ in Figure 10b, but they are kept unchanged. We can again take a $\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}$-specimen $(\dot{\mathcal{C}'}[\vec{\chi'}];\vec{N'};\vec{H'})$ where $\dot{\mathcal{C}'}$ has the same number of holes as $\dot{\mathcal{C}}$.

Case (iii-4) $\mathtt{stat}$:

The $\lightning$-focus triggers application of the $\mathtt{stat}$ rewrite rule (Figure 10c). The rewrite rule inevitably involves sub-graphs related by $\vartriangleleft^{\overset{\rightarrow}{@}}$, and as a result can yield different results, i.e. $\mathrm{size}(|\dot{\mathcal{C}}[\vec{N}]|)$ vs. $\mathrm{size}(|\dot{\mathcal{C}}[\vec{H}]|)$. The same rewrite rule can be applied to the states $\dot{\mathcal{C}}[\vec{N}]$ and $\dot{\mathcal{C}}[\vec{H}]$, yielding $\dot{P}$ and $\dot{P'}$ respectively, and these states $\dot{P},\dot{P'}$ can contain different natural-number edges (i.e. $n$ vs. $m$ such that $n\geq m$). We cannot take a specimen of $\vartriangleleft^{\overset{\rightarrow}{@}}$ to make (6) happen. ∎

We can therefore observe the following: the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ satisfies (6) relative to the active operations $\{+,-,\overset{\rightarrow}{@}\}=\mathbb{O}^{\mathrm{lin}}_{\lightning}\backslash\{\mathtt{stat}\}$ (formalised in Lemma 5 below), and does not satisfy (6) relative to the active operation $\mathtt{stat}$. We say the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is robust only relative to $\mathbb{O}^{\mathrm{lin}}_{\lightning}\backslash\{\mathtt{stat}\}$. Robustness, as a sufficient condition for (6), can be formalised as follows.

Definition (Robustness). A pre-template $\vartriangleleft$ is $(\mathbb{C},Q,Q',Q'')$-robust relative to a rewrite transition $\dot{N}\to\dot{N'}$ if, for any $\mathbb{C}$-specimen $(\dot{\mathcal{C}};\vec{H^1};\vec{H^2})$ of $\vartriangleleft$ such that $\dot{\mathcal{C}}[\vec{H^1}]=\dot{N}$ and the focus of $\dot{\mathcal{C}}$ is the $\lightning$-focus and not entering, one of the following holds.
(I) $\dot{\mathcal{C}}[\vec{H^1}]$ or $\dot{\mathcal{C}}[\vec{H^2}]$ is not rooted.
(II) There exists a stuck state $\dot{N''}$ such that $\dot{N'}\to^{*}\dot{N''}$.
(III) There exist a quasi-$\mathbb{C}$-specimen $(\dot{N''_1},\dot{N''_2})$ of $\vartriangleleft$ up to $(\dot{\preceq}_{Q'},\dot{\preceq}_{Q''})$, whose focus is not the $\lightning$-focus, and two numbers $k_1,k_2\in\mathbb{N}$, such that $(1+k_1)\mathrel{Q}k_2$, $\dot{N'}\to^{k_1}\dot{N''_1}$, and $\dot{\mathcal{C}}[\vec{H^2}]\to^{k_2}\dot{N''_2}$.

We can now formally say that the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is robust relative to the substitution transitions and the extrinsic transitions for $\mathbb{O}^{\mathrm{lin}}\backslash\{\mathtt{stat}\}$. The third and fourth parameters of robustness are irrelevant here (they will be used in Section 12; see Table 3), and we can simply set them to the equality $=$.

Lemma 5 (Robustness of $\vartriangleleft^{\overset{\rightarrow}{@}}$).

The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is $(\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}\backslash\{\mathtt{stat}\}},=,=,=)$-robust relative to the substitution transitions and the extrinsic transitions for $\mathbb{O}^{\mathrm{lin}}_{\lightning}\backslash\{\mathtt{stat}\}$. ∎

8.4. A sufficiency-of-robustness theorem

We have collected the definitions of safety and robustness, and can finally state the sufficiency-of-robustness theorem. The theorem incorporates the so-called up-to technique: it enables us to prove a contextual refinement $\preceq^{\mathbb{C}}_{Q}$ that depends on (or, is up to) state refinements $\dot{\preceq}_{Q'}$ and $\dot{\preceq}_{Q''}$. Safety (Section 8.2) and robustness (Section 8.3) accordingly incorporate the up-to technique by means of quasi-specimens up to. We cannot use arbitrary preorders $Q',Q''$ in combination with the preorder $Q$, though; they must be reasonable in the following sense.

Definition (Reasonable triples). A triple $(Q,Q',Q'')$ of preorders on $\mathbb{N}$ is reasonable if the following hold:
(A) $Q$ is closed under addition, i.e. any $k_1\mathrel{Q}k_2$ and $k'_1\mathrel{Q}k'_2$ satisfy $(k_1+k'_1)\mathrel{Q}(k_2+k'_2)$.
(B) $Q'\subseteq\mathord{\geq_{\mathbb{N}}}$, and $Q'\subseteq Q''$.
(C) $Q'\circ Q\circ Q''\subseteq Q$, where $\circ$ denotes composition of binary relations.

Examples of reasonable triples $(Q,Q',Q'')$ include: $(\mathbb{N}\times\mathbb{N},\geq_{\mathbb{N}},\mathbb{N}\times\mathbb{N})$, $(\mathbb{N}\times\mathbb{N},\geq_{\mathbb{N}},\geq_{\mathbb{N}})$, $(\mathbb{N}\times\mathbb{N},=_{\mathbb{N}},=_{\mathbb{N}})$, $(\geq_{\mathbb{N}},\geq_{\mathbb{N}},\geq_{\mathbb{N}})$, $(\geq_{\mathbb{N}},=_{\mathbb{N}},\geq_{\mathbb{N}})$, $(\leq_{\mathbb{N}},=_{\mathbb{N}},\leq_{\mathbb{N}})$, $(\geq_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$, $(\leq_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$, $(=_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$.
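As an added illustration (not part of the paper), the three conditions of the definition can be checked mechanically on a bounded initial segment of $\mathbb{N}$; the script below does so for the triples listed above and for a few triples that fail, and assumes the composition in (C) is read left to right.

```python
"""Bounded check of the reasonable-triple conditions (A), (B), (C) for
preorders on the naturals.  Added example, not the paper's own code: a
relation is a Python predicate on pairs and is only inspected on
{0, ..., bound}, so a "reasonable" verdict is a finite approximation while a
reported violation is a genuine counterexample.  Assumption: Q' o Q o Q'' is
read as "first Q', then Q, then Q''" (a Q' b, b Q c, c Q'' d); the triples
listed in the paper satisfy (C) under either reading."""
from itertools import product

def geq(a, b):   return a >= b        # >=_N
def leq(a, b):   return a <= b        # <=_N
def eq(a, b):    return a == b        # =_N
def total(a, b): return True          # N x N

def is_preorder(R, bound):
    """Reflexive and transitive on {0..bound}."""
    ns = range(bound + 1)
    if not all(R(a, a) for a in ns):
        return False
    return all(R(a, c) for a, b, c in product(ns, repeat=3) if R(a, b) and R(b, c))

def reasonable_triple(Q, Q1, Q2, bound=12):
    """Return (True, None) if (Q, Q', Q'') passes (A)-(C) on {0..bound},
    otherwise (False, message) naming the first violated condition."""
    ns = range(bound + 1)
    for name, R in (("Q", Q), ("Q'", Q1), ("Q''", Q2)):
        if not is_preorder(R, bound):
            return False, f"{name} is not a preorder"
    # (A) Q is closed under addition; sums are checked while they stay in range.
    for k1, k2, l1, l2 in product(ns, repeat=4):
        if (k1 + l1 <= bound and k2 + l2 <= bound and Q(k1, k2) and Q(l1, l2)
                and not Q(k1 + l1, k2 + l2)):
            return False, (f"(A) fails: {k1} Q {k2} and {l1} Q {l2}, "
                           f"but not {k1 + l1} Q {k2 + l2}")
    # (B) Q' is contained in >=_N and in Q''.
    for a, b in product(ns, repeat=2):
        if Q1(a, b) and not a >= b:
            return False, f"(B) fails: {a} Q' {b} but {a} < {b}"
        if Q1(a, b) and not Q2(a, b):
            return False, f"(B) fails: {a} Q' {b} but not {a} Q'' {b}"
    # (C) Q' o Q o Q'' is contained in Q.
    for a, b, c, d in product(ns, repeat=4):
        if Q1(a, b) and Q(b, c) and Q2(c, d) and not Q(a, d):
            return False, f"(C) fails: {a} Q' {b} Q {c} Q'' {d} but not {a} Q {d}"
    return True, None

def small_or_equal(a, b):
    """A preorder that is NOT closed under addition (constructed counterexample):
    a relates to everything when a <= 1, and only to itself otherwise."""
    return a <= 1 or a == b
```

Running `reasonable_triple(geq, leq, geq)` reports the (B) violation `0 Q' 1 but 0 < 1`, while `reasonable_triple(small_or_equal, eq, eq)` reports an (A) violation even though `small_or_equal` is a preorder.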

The sufficiency-of-robustness theorem has two clauses, (1) and (2). To prove that a pre-template $\vartriangleleft$ implies contextual equivalence (not just refinement), one can use (1) twice, with respect to $\vartriangleleft$ and $\vartriangleleft^{-1}$, or alternatively use (1) and (2) with respect to $\vartriangleleft$. The alternative approach is often more economical: it involves proving input-safety of $\vartriangleleft$ for both parameters $Q$ and $Q^{-1}$, which typically boils down to a single proof for the smaller one of $Q,Q^{-1}$, thanks to monotonicity of input-safety with respect to $Q$.

Theorem 6 (Sufficiency-of-robustness theorem).

If a universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is deterministic and refocusing, it satisfies the following property. For any set $\mathbb{C}\subseteq\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}\cup\mathbb{M})$ of contexts that is closed under plugging, any reasonable triple $(Q,Q',Q'')$, and any pre-template $\vartriangleleft$ on focus-free hypernets $\mathcal{H}_{\omega}(L_{\mathrm{lin}},M_{\mathrm{lin}}(\mathbb{O})\backslash\{?,\checkmark,\lightning\})$:

(1) If $\vartriangleleft$ is a $(\mathbb{C},Q,Q')$-template and $(\mathbb{C},Q,Q',Q'')$-robust relative to all rewrite transitions, then $\vartriangleleft$ implies contextual refinement in $\mathbb{C}$ up to $Q$, i.e. any $G_1\vartriangleleft G_2$ implies $G_1\preceq^{\mathbb{C}}_{Q}G_2$.

(2) If $\vartriangleleft$ is a $(\mathbb{C},Q^{-1},Q')$-template and the converse $\vartriangleleft^{-1}$ is $(\mathbb{C},Q,Q',Q'')$-robust relative to all rewrite transitions, then $\vartriangleleft^{-1}$ implies contextual refinement in $\mathbb{C}$ up to $Q$, i.e. any $G_1\vartriangleleft G_2$ implies $G_2\preceq^{\mathbb{C}}_{Q}G_1$.

Proof 8.1.

This is a consequence of 40, 37 and 38 in Appendix F.

The proof is centred around a notion of counting simulation (Appendix F). We first prove that, for each robust template $\vartriangleleft$, its contextual closure $\overline{\vartriangleleft}$ is a counting simulation (40). We then prove soundness of counting simulation with respect to state refinement (37). We can further prove that, if $\overline{\vartriangleleft}$ implies state refinement, then $\vartriangleleft$ implies contextual refinement (38).

We can use Theorem 6 (1) to conclude that the micro-beta pre-template implies contextual refinement $\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}\backslash\{\mathtt{stat}\}}}_{\geq_{\mathbb{N}}}$. Note that the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is $(\mathbb{C}_{\mathbb{O}},=,=,=)$-robust, and therefore $(\mathbb{C}_{\mathbb{O}},\geq,=,=)$-robust as well, because $\mathord{=}\subseteq\mathord{\geq}$.

Proposition 7.

For the operation set $\mathbb{O}^{\mathrm{lin}}\backslash\{\mathtt{stat}\}$, the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ implies contextual refinement $\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}\backslash\{\mathtt{stat}\}}}_{\geq_{\mathbb{N}}}$. ∎

The above proposition establishes contextual refinement in the absence of the operation $\mathtt{stat}$. This is due to the observation that the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is not robust relative to the rewrite rule of $\mathtt{stat}$ (Figure 10c). Can we say more than just failure of robustness in the presence of $\mathtt{stat}$?

Figure 12. An auxiliary pre-template, where $n,m\in\mathbb{N}$

The answer is yes. For the specific operation set $\mathbb{O}^{\mathrm{lin}}$, we can actually show that the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ implies contextual refinement $\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{\geq_{\mathbb{N}}}$.

Lemma 8 (Robustness of $\vartriangleleft^{\overset{\rightarrow}{@}}$).

The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is $(\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}},=,=,=)$-robust relative to the rewrite transitions for $\mathtt{stat}$.

Proof 8.2.

To prove robustness, we use the auxiliary pre-template $\vartriangleleft^{\mathbb{N}}$, shown in Figure 12, that identifies all natural-number edges. The pre-template is a $(\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}},=,=)$-template, and it is $(\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}},=,=,=)$-robust relative to the substitution transitions and the extrinsic transitions for $\mathbb{O}^{\mathrm{lin}}_{\lightning}$, including $\mathtt{stat}$. Therefore, by Theorem 6 (1), it implies contextual refinement $\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{=_{\mathbb{N}}}$. The pre-template is symmetric, and consequently it implies contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{=_{\mathbb{N}}}$.

In Case (iii-4) in Section 8.3, we could not take a specimen of $\vartriangleleft^{\overset{\rightarrow}{@}}$ that induces the states $\dot{P},\dot{P'}$. The difference between these states is given by $\vartriangleleft^{\overset{\rightarrow}{@}}$ as well as by different natural-number edges; in other words, the difference is given by $\vartriangleleft^{\overset{\rightarrow}{@}}$ and $\vartriangleleft^{\mathbb{N}}$.

In fact, we can take a quasi-specimen of $\vartriangleleft^{\overset{\rightarrow}{@}}$ up to $(\dot{\simeq}^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{=_{\mathbb{N}}},\dot{\simeq}^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{=_{\mathbb{N}}})$, namely the pair $(\dot{P},\dot{P'})$. There exists a state $\dot{P''}$ such that: (a) $\dot{P}\mathrel{\dot{\simeq}}^{\mathbb{C}_{\mathbb{O}^{\mathrm{lin}}}}_{=_{\mathbb{N}}}\dot{P''}$ thanks to the symmetric robust template $\vartriangleleft^{\mathbb{N}}$, and (b) the pair $(\dot{P''},\dot{P'})$ is induced by a specimen of $\vartriangleleft^{\overset{\rightarrow}{@}}$.

As a result, with the help of the symmetric robust template $\vartriangleleft^{\mathbb{N}}$, the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is robust also relative to $\mathtt{stat}$.

In the presence of conditional branching and divergence, however, the micro-beta template $\vartriangleleft^{\overset{\rightarrow}{@}}$ would not be robust relative to $\mathtt{stat}$. The above lemma crucially relies on robustness of the auxiliary template $\vartriangleleft^{\mathbb{N}}$, which would be violated by conditional branching; in other words, the template $\vartriangleleft^{\mathbb{N}}$ would not be robust relative to conditional branching. Conditional branching and divergence, combined with $\mathtt{stat}$, would enable us to construct a specific context that distinguishes the left- and right-hand sides of $\vartriangleleft^{\overset{\rightarrow}{@}}$.

9. Representation of variable sharing and store

Constants: $c ::= n$ (natural numbers) $\mid \mathtt{tt} \mid \mathtt{ff}$ (booleans) $\mid ()$ (unit value)
Unary operations: $\$_1 ::= -_1$ (negation of natural numbers) $\mid \mathtt{ref}$ (reference creation) $\mid\ !$ (dereferencing)
Binary operations: $\$_2 ::= + \mid -$ (summation/subtraction of natural numbers) $\mid\ :=$ (assignment) $\mid\ =$ (equality testing of atoms)
Terms: $t,u ::= x \mid \lambda x.\,t \mid t\ u$ (the lambda-calculus terms) $\mid a$ (atoms) $\mid c \mid \$_1 t \mid t \mathbin{\$_2} u$ (constants, unary/binary operations)
Formation rules:
\[
\Gamma_1,x,\Gamma_2\mid\Delta\vdash x \qquad \Gamma\mid\Delta_1,a,\Delta_2\vdash a \qquad \Gamma\mid\Delta\vdash c
\]
\[
\frac{x,\Gamma\mid\Delta\vdash t}{\Gamma\mid\Delta\vdash\lambda x.\,t} \qquad
\frac{\Gamma\mid\Delta\vdash t \quad \Gamma\mid\Delta\vdash u}{\Gamma\mid\Delta\vdash t\ u} \qquad
\frac{\Gamma\mid\Delta\vdash t}{\Gamma\mid\Delta\vdash \$_1 t} \qquad
\frac{\Gamma\mid\Delta\vdash t \quad \Gamma\mid\Delta\vdash u}{\Gamma\mid\Delta\vdash t\mathbin{\$_2}u}
\]
Syntactic sugar: $\mathtt{let}\ x=u\ \mathtt{in}\ t \stackrel{\mathit{def}}{=} (\lambda x.\,t)\ u$; $\quad u;t \stackrel{\mathit{def}}{=} (\lambda z.\,t)\ u$ (where $z$ is a fresh variable)
Figure 13. An extended call-by-value lambda-calculus with variable sharing and store

This section adapts the translation $(-)^{\dagger}$ of the linear lambda-calculus, presented in Section 4, to accommodate variable sharing and (general, untyped) store. Figure 13 shows an extension of the untyped call-by-value lambda-calculus that accommodates arithmetic as well as:

  • atoms (or, locations of store) $a$,

  • reference-related operations: reference creation $\mathtt{ref}$, dereferencing $!$, assignment $:=$, equality testing of atoms $=$,

  • and their return values: booleans $\mathtt{tt},\mathtt{ff}$ and the unit value $()$.

In Figure 13, $\Gamma$ is a finite sequence of (free) variables and $\Delta$ is a finite sequence of (free) atoms.

9.1. Variable sharing

In an arbitrary term, a variable may occur many times, or it may not occur at all. To let sub-terms share and discard a variable, we introduce contraction edges $\otimes^{\star}_{\mathsf{C}}\colon\star^{\otimes 2}\Rightarrow\star$ and weakening edges $\otimes^{\star}_{\mathsf{W}}\colon\epsilon\Rightarrow\star$. We can construct a binary tree with an arbitrary number of leaves using these contraction and weakening edges. We call such a tree a contraction tree.

There are many ways to construct a contraction tree with $m$ leaves, but we fix a canonical tree $D_{1,m}^{\star}\colon\star^{\otimes m}\Rightarrow\star$ as below. (Each $D_{1,m}^{\star}$ is canonical in the sense that any contraction tree that contains at least one weakening and has $m$ leaves can be simplified to $D_{1,m}^{\star}$ using the laws in Figure 21, namely $\vartriangleleft^{\overset{\rightarrow}{@}\mathrm{Assoc}}$, $\vartriangleleft^{\overset{\rightarrow}{@}\mathrm{Comm}}$ and $\vartriangleleft^{\overset{\rightarrow}{@}\mathrm{Idem}}$.)

$D_{1,0}^{\star}$, $D_{1,1}^{\star}$ and $D_{1,m+2}^{\star}$ are given pictorially (images dist-1-0, dist-1-1 and dist-1-m1; not reproduced here).

Every canonical tree $D_{1,m}^{\star}$ contains exactly one weakening edge and $m$ contraction edges.

Figure 14. The hypernet $\bigl(f\vdash(\lambda x.\,f\;x\;x)\;(\lambda x.\,f\;x\;x)\bigr)^{\ddagger}\colon\star\Rightarrow\star$ and its simplification: (a) original; (b) simplified.

The translation $(-)^{\dagger}$ of linear lambda-terms needs to be adapted to yield a translation $(-)^{\ddagger}$ of general lambda-terms. The adaptation amounts to inserting canonical trees appropriately. Additionally, we replace the edges $\mathsf{V}\colon\star\Rightarrow\star$ with canonical trees $D_{1,1}^{\star}$, to obtain a uniform translation.

We will present the exact translation $(-)^{\ddagger}$ in Section 9.3 (see Figure 16), and here we just show an example in Figure 14. Figure 14a shows the hypernet $\bigl(f\vdash(\lambda x.\,f\;x\;x)\;(\lambda x.\,f\;x\;x)\bigr)^{\ddagger}\colon\star\Rightarrow\star$. Canonical trees $D_{1,0}^{\star},D_{1,1}^{\star},D_{1,2}^{\star}$ are inserted for each term constructor, but among those, the canonical trees $D_{1,1}^{\star}$ (coloured in the figure) replace the edges $\mathsf{V}\colon\star\Rightarrow\star$ that would represent variable occurrences in the linear translation $(-)^{\dagger}$. Figure 14b shows a possible simplification of the hypernet; such a simplification is validated only by proving certain observational equivalences on contraction trees (namely, those in Figure 21).

9.2. Store and atom sharing

Figure 15. The hypernet $(a\vdash a:=(!a+1))^{\ddagger}\colon\star\Rightarrow\diamond$ with store $\{a\mapsto 0\}$, simplified: (a) the term alone; (b) with store.

We next look at terms that contain references to store. An example term is $a:=(!a+1)$, which increments the value stored at the atom (location) $a$. We represent such a term, together with store (e.g. $\{a\mapsto 0\}$), altogether as a single hypernet; see Figure 15. The hypernets in the figure are simplified in the same manner as Figure 14b.

To represent store and atom sharing, we begin with an observation about the difference between variable sharing and atom sharing. Atoms, like variables, may occur arbitrarily many times in a single term. However, whereas terms bound to a variable can be duplicated, the store associated with an atom should not be duplicated. For example, the atom $a$ appears twice in the term $a:=(!a+1)$, but this does not mean the store $\{a\mapsto 0\}$ is accordingly duplicated. Both occurrences of the atom $a$ point at the single store $\{a\mapsto 0\}$.

This observation leads us to introduce one new vertex label, and some edge labels, for our hypernets. Firstly, we introduce a new vertex label $\diamond$ that represents store, in addition to the labels we have used (i.e. $\star$ for terms and $T^{n}(\star)$ for thunks with $n$ bound variables). While terms and thunks can both be duplicated, store cannot be duplicated; this is the reason why we need a new vertex label.

Secondly, we introduce another version of contraction and weakening, namely $\otimes^{\diamond}_{\mathsf{C}}\colon\diamond^{\otimes 2}\Rightarrow\diamond$ and $\otimes^{\diamond}_{\mathsf{W}}\colon\epsilon\Rightarrow\diamond$, for the type $\diamond$. We call these contraction and weakening as well. Contractions and weakenings for $\star$ and $\diamond$ appear the same, but they will have different behaviours (see Section 10.1).

Finally, we introduce edge labels for type conversion between $\star$ and $\diamond$: namely, anonymous atom edges called instances, $\mathsf{I}\colon\star\Rightarrow\diamond$, and anonymous store edges $\circ\colon\diamond\Rightarrow\star$. Their roles in the hypernet representation are best understood by looking at the example in Figure 15. Each occurrence of an atom is represented by an anonymous instance edge ‘$\mathsf{I}$’, and instances of the same atom are connected to a contraction tree of type $\diamond$. The contraction tree is then connected to the part of the hypernet in Figure 15b that represents the store $\{a\mapsto 0\}$, which consists of the store edge ‘$\circ$’ and the stored value $0$. In Figure 15b, the part of the hypernet that is typed by $\diamond$ connects instances of an atom to its stored value.

To represent sharing of (instances of) atoms, we will use canonical contraction trees $D_{1,m}^{\diamond}$ that are constructed in the same manner as the canonical trees $D_{1,m}^{\star}$. Every canonical tree $D_{1,m}^{\diamond}$ again contains exactly one weakening edge and $m$ contraction edges.

9.3. Inductive translation $(-)^{\ddagger}$

The translation is given pictorially (images not reproduced here) for the cases $(\Gamma_1,x,\Gamma_2\mid\Delta\vdash x)^{\ddagger}$, $(\Gamma\mid\Delta\vdash c)^{\ddagger}$, $(\Gamma\mid\Delta_1,a,\Delta_2\vdash a)^{\ddagger}$, $(\Gamma\mid\Delta\vdash\lambda x.\,t)^{\ddagger}$, $(\Gamma\mid\Delta\vdash t\ u)^{\ddagger}$, $(\Gamma\mid\Delta\vdash\$_1 t)^{\ddagger}$ and $(\Gamma\mid\Delta\vdash t\mathbin{\$_2}u)^{\ddagger}$, where $k,k_1,k_2,h,h_1,h_2$ are the lengths of $\Gamma,\Gamma_1,\Gamma_2,\Delta,\Delta_1,\Delta_2$ respectively.

Figure 16. Inductive translation $(-)^{\ddagger}$ of well-formed lambda-terms

We now present the translation $(-)^{\ddagger}$ of the extended lambda-terms into hypernets $\mathcal{H}_{\omega}(L_{\mathrm{gen}},M_{\mathrm{gen}})$ where

\[
\begin{aligned}
L_{\mathrm{gen}} &= \{\star,\diamond\}\cup\{T^{n}(\star)\mid n\in\mathbb{N}\}, & (7)\\
M_{\mathrm{gen}} &= \{\lambda\colon\star\Rightarrow T^{1}(\star),\;\overset{\rightarrow}{@}\colon\star\Rightarrow\star^{\otimes 2},\;+\colon\star\Rightarrow\star^{\otimes 2},\;-_2\colon\star\Rightarrow\star^{\otimes 2},\;-_1\colon\star\Rightarrow\star\}\\
&\quad\cup\{\mathtt{ref}\colon\star\Rightarrow\star,\;!\colon\star\Rightarrow\star,\;=\colon\star\Rightarrow\star^{\otimes 2},\;:=\colon\star\Rightarrow\star^{\otimes 2}\}\\
&\quad\cup\{\mathtt{tt}\colon\star\Rightarrow\epsilon,\;\mathtt{ff}\colon\star\Rightarrow\epsilon,\;()\colon\star\Rightarrow\epsilon\}\\
&\quad\cup\{n\colon\star\Rightarrow\epsilon\mid n\in\mathbb{N}\}\\
&\quad\cup\{\otimes^{\star}_{\mathsf{C}}\colon\star^{\otimes 2}\Rightarrow\star,\;\otimes^{\star}_{\mathsf{W}}\colon\epsilon\Rightarrow\star,\;\otimes^{\diamond}_{\mathsf{C}}\colon\diamond^{\otimes 2}\Rightarrow\diamond,\;\otimes^{\diamond}_{\mathsf{W}}\colon\epsilon\Rightarrow\diamond\}. & (8)
\end{aligned}
\]

In general, a judgement $\Gamma\mid\Delta\vdash t$ is translated into $t^{\ddagger}\colon\star\Rightarrow\star^{\otimes k}\otimes\diamond^{\otimes h}$ where the lengths of $\Gamma,\Delta$ are $k,h$ respectively.

The translation $(-)^{\ddagger}$ uses a generalisation of canonical trees $D^{\ell}_{1,m}\colon\ell^{\otimes m}\Rightarrow\ell$ (where $\ell\in\{\star,\diamond\}$), namely a forest $D^{\ell}_{k,m}$ of canonical trees dubbed a distributor. A distributor $D^{\ell}_{k,m}\colon\ell^{\otimes km}\Rightarrow\ell^{\otimes k}$ is a forest of $k$ canonical trees $D^{\ell}_{1,m}$ with some permutation of inputs. It is inserted in the translation for sharing $k$ variables/atoms (depending on $\ell\in\{\star,\diamond\}$) among $m$ sub-terms. For instance, $D^{\diamond}_{3,2}$ and $D^{\star}_{4,0}$ are shown pictorially (images dist-3-2 and dist-4-0; not reproduced here).

The precise definition of distributors will be given in Section 10.2.
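The formation rules of Figure 13, together with the occurrence counts that fix the size of the canonical trees $D_{1,m}^{\star}$ and $D_{1,m}^{\diamond}$ of Sections 9.1 and 9.2, can be made executable; the following is an added example rather than code from the paper, using nested tuples for terms and the terms of Figures 14 and 15 as constructed inputs.

```python
"""Well-formedness (the formation rules of Figure 13) and occurrence counts
for the extended call-by-value lambda-calculus of Section 9.  Added example,
not the paper's own code: terms are nested tuples, and the occurrence count m
of a variable or atom is the number of leaves of the canonical contraction
tree D_{1,m} (one weakening, m contractions) that represents its sharing in
the simplified hypernets of Figures 14b and 15."""
from collections import Counter
from itertools import count

CONSTANTS = {"tt", "ff", "()"}          # plus the natural numbers n
UNARY = {"-1", "ref", "!"}              # $_1 ::= -_1 | ref | !
BINARY = {"+", "-", ":=", "="}          # $_2 ::= + | - | := | =

# Term constructors:  ("var", x)  ("atom", a)  ("const", c)  ("lam", x, t)
#                     ("app", t, u)  ("un", $_1, t)  ("bin", $_2, t, u)

_fresh = count()

def let_(x, u, t):
    """let x = u in t  =def  (λx.t) u   (syntactic sugar of Figure 13)."""
    return ("app", ("lam", x, t), u)

def seq(u, t):
    """u; t  =def  (λz.t) u  for a fresh variable z."""
    return ("app", ("lam", f"_z{next(_fresh)}", t), u)

def well_formed(gamma, delta, t):
    """Decide Γ | Δ ⊢ t by recursion over the formation rules of Figure 13;
    gamma and delta are the sequences of free variables and free atoms."""
    tag = t[0]
    if tag == "var":                       # Γ1, x, Γ2 | Δ ⊢ x
        return t[1] in gamma
    if tag == "atom":                      # Γ | Δ1, a, Δ2 ⊢ a
        return t[1] in delta
    if tag == "const":                     # Γ | Δ ⊢ c
        c = t[1]
        return c in CONSTANTS or (isinstance(c, int) and c >= 0)
    if tag == "lam":                       # x, Γ | Δ ⊢ t  gives  Γ | Δ ⊢ λx.t
        return well_formed((t[1],) + tuple(gamma), delta, t[2])
    if tag == "app":                       # both sub-terms under the same Γ | Δ
        return well_formed(gamma, delta, t[1]) and well_formed(gamma, delta, t[2])
    if tag == "un":
        return t[1] in UNARY and well_formed(gamma, delta, t[2])
    if tag == "bin":
        return (t[1] in BINARY and well_formed(gamma, delta, t[2])
                and well_formed(gamma, delta, t[3]))
    return False

def occurrences(t, bound=()):
    """Free occurrences of variables and of atoms in t, as two Counters.
    Atoms are never bound, so every occurrence of an atom is counted."""
    variables, atoms = Counter(), Counter()
    tag = t[0]
    if tag == "var":
        if t[1] not in bound:
            variables[t[1]] += 1
    elif tag == "atom":
        atoms[t[1]] += 1
    elif tag == "lam":
        variables, atoms = occurrences(t[2], bound + (t[1],))
    else:
        for sub in t[1:]:
            if isinstance(sub, tuple):
                v, a = occurrences(sub, bound)
                variables += v
                atoms += a
    return variables, atoms

def binder_counts(t):
    """For every λx.t' in t (in pre-order), the number m of occurrences of x
    in t', i.e. the leaf count of the tree D^⋆_{1,m} that shares x."""
    out = []
    if t[0] == "lam":
        out.append((t[1], occurrences(t[2])[0][t[1]]))
    for sub in t[1:]:
        if isinstance(sub, tuple):
            out += binder_counts(sub)
    return out

# Constructed sample terms: the term of Figure 14 and the term of Figure 15.
FXX = ("lam", "x", ("app", ("app", ("var", "f"), ("var", "x")), ("var", "x")))
T14 = ("app", FXX, FXX)                                  # (λx.f x x) (λx.f x x)
T15 = ("bin", ":=", ("atom", "a"),
       ("bin", "+", ("un", "!", ("atom", "a")), ("const", 1)))   # a := (!a + 1)
```

For `T14` under $f \mid \cdot$ the free variable $f$ occurs twice and each binder's $x$ occurs twice, matching the $D_{1,2}^{\star}$ trees of Figure 14b; for `T15` under $\cdot \mid a$ the atom $a$ occurs twice, the leaf count of its $\diamond$-typed contraction tree in Figure 15.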

10. The copying UAM

10.1. New behaviour

We equip the UAM with copying, which is the behaviour of contraction edges $\otimes^{\star}_{\mathsf{C}}\colon\star^{\otimes 2}\Rightarrow\star$. The copying UAM $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ acts on hypernets $\mathcal{H}_{\omega}(L_{\mathrm{gen}},M_{\mathrm{gen}}(\mathbb{O}))$ where

\[
\begin{aligned}
M_{\mathrm{gen}}(\mathbb{O}) &= \mathbb{O}\cup\{?\colon\star\Rightarrow\star,\;\checkmark\colon\star\Rightarrow\star,\;\lightning\colon\star\Rightarrow\star\} & (9)\\
&\quad\cup\{\otimes^{\star}_{\mathsf{C}}\colon\star^{\otimes 2}\Rightarrow\star,\;\otimes^{\star}_{\mathsf{W}}\colon\epsilon\Rightarrow\star,\;\otimes^{\diamond}_{\mathsf{C}}\colon\diamond^{\otimes 2}\Rightarrow\diamond,\;\otimes^{\diamond}_{\mathsf{W}}\colon\epsilon\Rightarrow\diamond\}.
\end{aligned}
\]

For box edges, we impose the following type discipline: each box edge must have a type $T^{n}(\star)\Rightarrow\star^{\otimes m}\otimes\diamond^{\otimes h}$ with its content having a type $\star\Rightarrow\star^{\otimes(n+m)}\otimes\diamond^{\otimes h}$.

Table 2. Transitions of the copying UAM

  transitions                                       focus             provenance
  search transitions                                $?$, $\checkmark$  intrinsic
  rewrite transitions   copy transitions            $\lightning$       intrinsic
                        behaviour $B_{\mathbb{O}}$  $\lightning$       extrinsic
                        (compute transitions)

Figure 17. The copy rule, where $H$ is a copyable hypernet

Figure 18. Extra interaction rules (a), (b) and (c)

Table 2 summarises the transitions of the copying UAM. The copying UAM has copy transitions instead of substitution transitions (cf. Table 1). Copy transitions are specified by the copy rule shown in Figure 17. The copy rule duplicates a copyable hypernet, and inserts distributors and a weakening edge. A copyable hypernet consists of instance edges, operation edges, and box edges. The precise definition of copyable hypernets will be given in Section 10.2. Note that the copy rule only applies to contractions of type $\star$; contractions of type $\diamond$, which are for atoms, do not have a corresponding copy rule. This reflects the fact that atoms are never duplicated unless they are inside a thunk.

Accordingly, the copying UAM has extra search transitions concerning contractions (‘$\otimes$’) and instances (‘$\mathsf{I}$’). These are specified by the interaction rules shown in Figure 18.

Figure 19. The example behaviour $B_{\{\mathtt{ref},!,:=,=\}}$, where $C,C'$ are contraction trees and $G_S$ is a hypernet: (a) reference creation; (b) dereferencing; (c) assignment; (d) equality testing.

Figure 19 shows an example of the behaviour $B_{\mathbb{O}}$, namely that for the following active operations for store:

\[
\mathtt{ref}\colon\star\Rightarrow\star,\quad !\colon\star\Rightarrow\star,\quad :=\colon\star\Rightarrow\star^{\otimes 2},\quad =\colon\star\Rightarrow\star^{\otimes 2}.
\]

Their behaviour is specified locally by rewrite rules.

Figure 19a:

This rewrite rule specifies the behaviour of reference creation. The rule introduces a store edge (‘$\circ$’) and its instance (‘$\mathsf{I}$’). In between these two edges, a canonical tree $D^{\diamond}_{1,1}$ is inserted, so that there is always a contraction tree between a store and its instances.

Figure 19b:

This rewrite rule specifies the behaviour of dereferencing. When dereferencing is triggered, the store edge (‘$\circ$’) gets attached to a canonical tree $D^{\star}_{1,2}$, so that its stored value will be copied by subsequent transitions.

Figure 19c:

This rewrite rule specifies the behaviour of assignment. It identifies the store edge (‘$\circ$’) by tracing the contraction tree $C$ connected to the instance edge (‘$\mathsf{I}$’). Once the store edge is identified, the current stored value gets disconnected and the new value $G_S$ gets connected to the store edge. Note that the value $G_S$ may itself contain instances referring to the same store; this means the rewrite rule may introduce a cycle (via $\diamond^{\otimes h_{2}}$).

Figure 19d:

This rewrite rule specifies the behaviour of equality testing on atoms. It determines whether two instance edges (‘$\mathsf{I}$’) are connected to the same store edge (‘$\circ$’) or not, by tracing the contraction trees $C, C'$. If they are connected to the same store, the result $\mathtt{tt}$ is introduced and attached to the $?$-focus. If not, the result $\mathtt{ff}$ is introduced instead.

10.2. Auxiliary definitions

We now give precise definitions of a few concepts used above. The first is distributors. A distributor $D^{\ell}_{k,m}$ ($\ell\in\{\star,\diamond\}$) is given by a forest of canonical trees $D^{\ell}_{1,m}$ whose inputs are permuted. The permutation is realised by interface permutation (Section 3.1).

Definition (Distributors and canonical trees). For $\ell\in\{\star,\diamond\}$ and $k,m\in\mathbb{N}$, a distributor is defined inductively as follows.

$$D_{0,m}^{\ell}=\emptyset \qquad D_{1,0}^{\ell}=\text{[figure: dist-ell-1-0]} \qquad D_{1,1}^{\ell}=\text{[figure: dist-ell-1-1]} \qquad D_{1,m+2}^{\ell}=\text{[figure: dist-ell-1-m1]}$$
$$D_{k+1,m}^{\ell}=\Pi_{\rho}^{\mathrm{id}}\bigl(\text{[figure: dist-ell-k1-m]}\bigr)$$

where $\emptyset$ denotes the empty hypernet, $\mathrm{id}$ is the identity map, and $\rho$ is the bijection on $\{1,\ldots,(k+1)m\}$ such that, for each $j\in\{1,\ldots,k\}$ and $i\in\{1,\ldots,m\}$, $\rho(j+(k+1)(i-1))=j+k(i-1)$ and $\rho((k+1)i)=km+i$.

When $k=1$, the distributor $D^{\ell}_{1,m}$ is called a canonical tree.
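As an added illustration, not part of the paper, the following Python computes the permutation $\rho$ of the inductive case and checks that its two clauses really define a bijection on $\{1,\ldots,(k+1)m\}$, which is what makes the interface permutation $\Pi^{\mathrm{id}}_{\rho}$ well defined. The two clauses are copied from the definition; the reading of the input layout in the comments (the $i$-th block of $k+1$ consecutive inputs collects the $i$-th input of each of the $k+1$ canonical trees) is our assumption about the figure, which is not reproduced here.

```python
# Added example, not from the paper: the interface permutation rho used in
# the inductive case D^l_{k+1,m} of the distributor definition.
#
# D^l_{k+1,m} is built from D^l_{k,m} and one more canonical tree D^l_{1,m};
# the resulting forest has (k+1)*m inputs.  We read them as m blocks of k+1
# consecutive inputs, the i-th block collecting the i-th input of each of the
# k+1 trees (assumption about the figure); rho moves the inputs of the new
# tree to the last m positions and those of the D^l_{k,m} part to the first
# k*m positions.  The two clauses of rho itself are copied from the paper.


def distributor_permutation(k: int, m: int) -> dict:
    """rho for D^l_{k+1,m}, on {1, ..., (k+1)*m}; for j in 1..k and i in 1..m:
         rho(j + (k+1)(i-1)) = j + k(i-1)
         rho((k+1) i)        = k m + i
    """
    rho = {}
    for i in range(1, m + 1):
        for j in range(1, k + 1):
            rho[j + (k + 1) * (i - 1)] = j + k * (i - 1)
        rho[(k + 1) * i] = k * m + i
    return rho


def is_bijection_on(rho: dict, n: int) -> bool:
    """rho is a bijection on {1..n}: defined on exactly that set, with exactly that set of values."""
    universe = set(range(1, n + 1))
    return set(rho) == universe and set(rho.values()) == universe


def check_distributor_permutation(k: int, m: int) -> bool:
    """Well-definedness check for Pi^id_rho: the two clauses cover each of the
    (k+1)*m indices exactly once (so rho is a permutation), and the inputs of
    the new canonical tree land on positions k*m+1 .. k*m+m."""
    rho = distributor_permutation(k, m)
    if not is_bijection_on(rho, (k + 1) * m):
        return False
    new_tree_inputs = [(k + 1) * i for i in range(1, m + 1)]
    return [rho[p] for p in new_tree_inputs] == list(range(k * m + 1, (k + 1) * m + 1))


def inverse(rho: dict) -> dict:
    """rho^{-1}: which forest input sits at each re-indexed position; useful
    for reading the figure backwards, from the permuted interface to the forest."""
    return {v: u for u, v in rho.items()}


if __name__ == "__main__":
    rho = distributor_permutation(2, 3)          # D^l_{3,3}: nine inputs
    print(sorted(rho.items()))
    print(all(check_distributor_permutation(k, m) for k in range(6) for m in range(6)))
```

For $k=0$ the permutation is the identity on $\{1,\ldots,m\}$, matching $D^{\ell}_{1,m}$ being a single canonical tree; for $m=0$ both sides are empty and the check is vacuous, which is consistent with $D^{\ell}_{k,0}$ being a bunch of weakening edges.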

The second is copyable hypernets. The copy rule (Figure 17) duplicates a single copyable hypernet at a time.

Definition (Copyable hypernets). A hypernet $H:\star\Rightarrow\star^{\otimes k}\otimes\diamond^{\otimes h}$ is called copyable if it is given by

[figure] or [figure]

where $\phi\in\mathbb{O}$ and $\boxtimes_{i=1}^{m'}B_{i}$ is a (possibly empty) parallel juxtaposition of box hypernets.

Finally, the notion of stable hypernet (Section 6.1), which corresponds to values, needs to change to incorporate store.

Definition (Stable hypernets). A stable hypernet is a hypernet $(G:\star\Rightarrow\bigotimes_{i=1}^{m}\ell_{i})\in\mathcal{H}(L_{\mathrm{gen}},\{\mathsf{I}\}\cup\mathbb{O}_{\checkmark})$ such that $\bigotimes_{i=1}^{m}\ell_{i}\in(\{\diamond\}\cup\{T^{n}(\star)\mid n\in\mathbb{N}\})^{m}$ and each vertex is reachable from the unique input.

10.3. Determinism and refocusing

The properties of determinism and refocusing can be defined for the copying UAM in the same way as for the original UAM (cf. Section 7.2). We can again use the stationary property as a sufficient condition for refocusing (2). Determinism and refocusing of a copying UAM again boil down to those of the extrinsic transitions $B_{\mathbb{O}}$, under a mild condition.

Lemma 9 (Determinism and refocusing).
  • A copying universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is deterministic if the extrinsic transitions $B_{\mathbb{O}}$ are deterministic.

  • Suppose that $G_{S}$ in the substitution rule (Figure 9f) is a stable hypernet. A copying universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is refocusing if the extrinsic transitions $B_{\mathbb{O}}$ preserve the rooted property.

Proof 10.1.

The proof is that of 3, equipped with an analysis of copy transitions. Copy transitions are all deterministic, because different contraction rules applied to a single state result in the same state: the choice of the contraction tree ($C$ in Figure 17) is irrelevant. Copy transitions are stationary, and hence they preserve the rooted property.

11. Observational equivalence on lambda-terms

Let $\mathbb{O}^{\mathrm{ex}}=\mathbb{O}^{\mathrm{ex}}_{\checkmark}\uplus\mathbb{O}^{\mathrm{ex}}_{\lightning}$ be the set of operations given by $\mathbb{O}^{\mathrm{ex}}_{\checkmark}=\mathbb{N}\cup\{\lambda,\mathtt{tt},\mathtt{ff},()\}$ and $\mathbb{O}^{\mathrm{ex}}_{\lightning}=\{+,-,-_{1},\overset{\rightarrow}{@},\mathtt{ref},!,:=,=\}$. The copying UAM $\mathcal{U}(\mathbb{O}^{\mathrm{ex}},B_{\mathbb{O}^{\mathrm{ex}}})$ provides an operational semantics of the extended lambda-calculus (Figure 13). Using contextual equivalence on hypernets (Section 7.1), we can define a notion of observational equivalence on lambda-terms. The notion only concerns the coincidence of termination, which is standard given that the extended lambda-calculus is untyped.

Definition (Observational equivalence on lambda-terms). Let $\Gamma\mid\Delta\vdash t$ and $\Gamma\mid\Delta\vdash u$ be two derivable judgements. The lambda-terms $t$ and $u$ are said to be observationally equivalent, written $\Gamma\mid\Delta\vDash t\simeq^{\ddagger}u$, if $(\Gamma\mid\Delta\vdash t)^{\ddagger}\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}(\Gamma\mid\Delta\vdash u)^{\ddagger}$ holds.

This definition uses the specific contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}$. Firstly, the use of the universal relation $\mathbb{N}\times\mathbb{N}$ makes the number of transitions until termination irrelevant. Secondly, the set $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ is the set of all binding-free contexts.

Definition (Binding-free contexts). A focus-free context $\mathcal{C}$ is said to be binding-free if there exists no path, at any depth, from a source of a contraction, atom, box or hole edge to a source of a hole edge. For example,

[figure]

is a binding-free context, where $\chi$ is a hole. Syntactically it corresponds to the context $(\lambda x.\,x)\ \square$.

Note that the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}$ is a larger relation than the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\mathbb{N}\times\mathbb{N}}$ with respect to the set $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$ of all contexts: quantifying over fewer contexts can only identify more hypernets.

The restriction to binding-free contexts can be justified by the fact that the observational equivalence $\simeq^{\ddagger}$ is a congruence relation with respect to lambda-contexts, defined by the following grammar:

$$C \mathrel{::=} [\,] \mid \lambda x.\,C \mid C\ t \mid t\ C \mid \$_{1}\,C \mid C \mathbin{\$_{2}} t \mid t \mathbin{\$_{2}} C$$

where $\$_{1}\in\{\mathtt{ref},!,-_{1}\}$ and $\$_{2}\in\{=,:=,+,-\}$. This congruence property is formalised as Lemma 10 below.

We can extend the translation $(-)^{\ddagger}$ to accommodate lambda-contexts. To do so, we first adapt the formation rules of lambda-terms in Figure 13 to lambda-contexts, by annotating the hole ‘$[\,]$’ as ‘$[\,]_{\Gamma\mid\Delta}$’ and adding a formation rule $\Gamma\mid\Delta\vdash[\,]_{\Gamma\mid\Delta}$. We write $C[\,]_{\Gamma\mid\Delta}$ when the hole of $C$ is annotated with $\Gamma\mid\Delta$. The translation $(-)^{\ddagger}$ of lambda-terms into hypernets in Figure 14 can then be extended accordingly, by translating the additional formation rule $\Gamma\mid\Delta\vdash[\,]_{\Gamma\mid\Delta}$ into a path hypernet $\chi:\star\Rightarrow\star^{\otimes k}\otimes\diamond^{\otimes h}$, where $k$ and $h$ are the lengths of $\Gamma$ and $\Delta$ respectively.

The translation of lambda-contexts yields hypernets that are binding-free contexts, and consequently the observational equivalence $\simeq^{\ddagger}$ on lambda-terms is indeed a congruence relation with respect to lambda-contexts.

Lemma 10.

Let $\Gamma\mid\Delta\vdash t$ and $\Gamma\mid\Delta\vdash u$ be two derivable judgements. If $\Gamma\mid\Delta\vDash t\simeq^{\ddagger}u$ holds, then for any lambda-context $C$ such that $\Gamma'\mid\Delta'\vdash_{\Lambda}C[\,]_{\Gamma\mid\Delta}$ is derivable, $\Gamma'\mid\Delta'\vDash C[t]\simeq^{\ddagger}C[u]$ holds.

Proof 11.1 (Proof outline).

The proof combines the congruence property of the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}$ with respect to binding-free contexts with two key properties of the translation of lambda-contexts. The two properties, stated below, can be proved by induction on lambda-contexts.

The first property is that the translation $(\Gamma'\mid\Delta'\vdash C[\,]_{\Gamma\mid\Delta})^{\ddagger}$ is a binding-free context (as a hypernet). To check this property, one needs to examine paths to the sole source of the unique hole edge that appears in the translation. These paths are in fact always operation paths, noting that paths never cross the boundary of boxes (by Section 6.1 (1)).

The second property is that $\Gamma'\mid\Delta'\vdash C[t]$ and $\Gamma'\mid\Delta'\vdash C[u]$ are both derivable, and moreover their translations can be decomposed as follows:

$$(\Gamma'\mid\Delta'\vdash C[t])^{\ddagger} = (\Gamma'\mid\Delta'\vdash C[\,]_{\Gamma\mid\Delta})^{\ddagger}\bigl[(\Gamma\mid\Delta\vdash t)^{\ddagger}\bigr],$$
$$(\Gamma'\mid\Delta'\vdash C[u])^{\ddagger} = (\Gamma'\mid\Delta'\vdash C[\,]_{\Gamma\mid\Delta})^{\ddagger}\bigl[(\Gamma\mid\Delta\vdash u)^{\ddagger}\bigr].$$

12. Example equivalences

In this section we use the sufficiency-of-robustness theorem (Theorem 6) to prove some example equivalences. The first kind of example is the weakening laws.

Proposition 11 (Weakening laws).
  • Given a derivable judgement $\Gamma_{1},x,\Gamma_{2}\mid\Delta\vdash t$ such that $x\notin\mathrm{FV}(t)$,

    [figure: weak-x-l] $\ \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}}\ $ [figure: weak-x-r]

  • Given a derivable judgement $\Gamma\mid\Delta_{1},a,\Delta_{2}\vdash t$ such that $a\notin\mathrm{FA}(t)$,

    [figure: weak-a-l] $\ \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}}\ $ [figure: weak-a-r]

where $k,k_{1},k_{2},h,h_{1},h_{2}$ are the lengths of $\Gamma,\Gamma_{1},\Gamma_{2},\Delta,\Delta_{1},\Delta_{2}$, respectively.

The next example equivalence is an instance of parametricity. This example originates in the Idealised Algol literature [OT97], a call-by-name language with ground-type local variables, although we state the example for the untyped call-by-value lambda-calculus extended primarily with store (Figure 13). Note that the example uses the standard call-by-value variable binding ‘$\mathtt{let}$’ and sequential composition ‘;’, both of which are defined as syntactic sugar (see Figure 13).

Proposition 12.

For any finite sequence of distinct variables $\Gamma$ and any finite sequence of distinct atoms $\Delta$,

$$\Gamma\mid\Delta\vDash \mathtt{let}\ x=\mathtt{ref}\ 1\ \mathtt{in}\ \lambda f.\,(f\ ();\,!x)\ \simeq^{\ddagger}\ \lambda f.\,(f\ ();\,1). \tag{10}$$

In the left hand side (lhs) of (10), a store is created by ‘$\mathtt{ref}\ 1$’, and any access to the store simply fetches the stored value, via ‘$!x$’, without modifying it. Since the reference $x$ is never passed to the argument $f$, no caller can modify it either. As a consequence, the fetched value is always the original stored value ‘$1$’, and hence the whole computation involving this particular piece of state has the same result as just having the value ‘$1$’ in the first place, as in the right hand side (rhs) of (10).

The equivalence (10) is a typical challenging example in the literature [OT97], where it has been proved using parametricity. We take a different approach based on step-wise local reasoning. The equivalence is not meant to show the full power of our approach; it is a simple yet motivating example that nonetheless requires building a whole proof infrastructure and a non-trivial proof methodology.
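As an added, executable illustration of what (10) claims (this is not the paper's machinery, and it proves nothing; it only exercises the two sides), the following Python models both terms and runs them under a few constructed observing contexts: repeated calls, re-entrant calls, a context with its own store, and a diverging argument. A $\mathtt{ref}$ cell is modelled as a one-element list, non-termination of $f\ ()$ as an exception, and a "context" as a Python function receiving the closed term; these encodings are our modelling choices. A contrasting pair of terms that export a capability over $x$ is included to show the kind of context that separates non-equivalent terms.

```python
# Added example, not from the paper: the two sides of equivalence (10) run
# under constructed observing contexts.  A 'ref' cell is modelled as a
# one-element list (x[0] reads !x, x[0] = v is x := v); a context is a Python
# function that receives the closed term and returns what it observes.
# Non-termination of f () is abstracted as an exception raised by f.


class Diverge(Exception):
    """Stands in for a non-terminating f (); the machine would never reach !x."""


def lhs():
    """let x = ref 1 in lambda f. (f (); !x)  -- x is allocated once, then hidden."""
    x = [1]
    return lambda f: (f(), x[0])[1]


def rhs():
    """lambda f. (f (); 1)  -- no store at all."""
    return lambda f: (f(), 1)[1]


# Observing contexts: call the term in the ways a surrounding program could.
def ctx_twice(g):
    return (g(lambda: None), g(lambda: None))


def ctx_reentrant(g):            # the argument f itself calls the term again
    return g(lambda: g(lambda: None))


def ctx_counting(g):             # f touches the context's own store, not x
    calls = [0]

    def f():
        calls[0] += 1
    return (g(f), g(f), calls[0])


def ctx_diverging(g):            # f never returns
    def f():
        raise Diverge()
    return g(f)


CONTEXTS = [ctx_twice, ctx_reentrant, ctx_counting, ctx_diverging]


def observe(term, context):
    """Observation: the returned value, or the fact that the run did not finish."""
    try:
        return ("value", context(term()))
    except Diverge:
        return ("diverges", None)


def distinguishing_context(t1, t2, contexts=CONTEXTS):
    """Name of the first context whose observation separates t1 from t2, else None."""
    for c in contexts:
        if observe(t1, c) != observe(t2, c):
            return c.__name__
    return None


# Contrast: exporting any capability over x breaks the equivalence.  Here the
# term also returns a setter, and a context can use it to change what !x sees.
def leaky_lhs():
    """let x = ref 1 in (lambda f. (f (); !x), lambda v. x := v)"""
    x = [1]

    def setter(v):
        x[0] = v
    return (lambda f: (f(), x[0])[1], setter)


def leaky_rhs():
    """(lambda f. (f (); 1), lambda v. ())"""
    return (lambda f: (f(), 1)[1], lambda v: None)


def ctx_use_setter(pair):
    getter, setter = pair
    setter(42)
    return getter(lambda: None)


if __name__ == "__main__":
    print(distinguishing_context(lhs, rhs))                                # None
    print(distinguishing_context(leaky_lhs, leaky_rhs, [ctx_use_setter]))  # ctx_use_setter
```

Running finitely many contexts can only fail to refute an equivalence, never establish it; that is exactly why the rest of this section builds a proof method that quantifies over all (binding-free) contexts.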

The rest of this section is organised as follows. Section 12.1 shows prerequisites on the copying UAM $\mathcal{U}(\mathbb{O}^{\mathrm{ex}},B_{\mathbb{O}^{\mathrm{ex}}})$. Section 12.2 defines the necessary pre-templates, and proves that they imply contextual refinements, using the sufficiency-of-robustness theorem (Theorem 6). Section 12.3 then combines the resulting contextual refinements to prove the example equivalences (Propositions 11 and 12). Finally, Section 12.4 describes the design process of some of the pre-templates.

12.1. Prerequisites

Here we establish that the particular copying UAM $\mathcal{U}(\mathbb{O}^{\mathrm{ex}},B_{\mathbb{O}^{\mathrm{ex}}})$ is deterministic and refocusing, which enables us to apply the sufficiency-of-robustness theorem (Theorem 6).

Definition (The behaviour $B_{\mathbb{O}^{\mathrm{ex}}}$). The behaviour $B_{\mathbb{O}^{\mathrm{ex}}}$ is defined locally via the following rewrite rules.

  • Rewrite rules for function application are in Figure 10b, where $G_{S}$ is additionally required to be stable.

  • Rewrite rules for reference manipulation are in Figure 19, where $G_{S}$ is additionally required to be stable.

  • Rewrite rules for arithmetic are in Figure 10a.

The extra requirement that $G_{S}$ be a stable hypernet reflects the call-by-value nature of the extended lambda-calculus: arguments and stored contents are values.

Lemma 13.

The copying UAM $\mathcal{U}(\mathbb{O}^{\mathrm{ex}},B_{\mathbb{O}^{\mathrm{ex}}})$ is deterministic and refocusing.

Proof 12.1.

By Lemma 9, the proof boils down to showing determinism, and preservation of the rooted property, of the compute transitions for $\mathbb{O}^{\mathrm{ex}}_{\lightning}$.

Compute transitions of the operations $\{\overset{\rightarrow}{@},\mathtt{ref},+,-,-_{1}\}$ are deterministic, because at most one rewrite rule can be applied to each state. In particular, the stable hypernet $G_{S}$ in the figures is uniquely determined (by 29(3)).

Compute transitions of the name-accessing operations $\{=,:=,!\}$ are deterministic for the same reason as copy transitions (see the proof of Lemma 9).

Compute transitions of all the operations in $\mathbb{O}^{\mathrm{ex}}_{\lightning}$ are stationary, and hence they preserve the rooted property. The stationary property can be checked using the local rewrite rules. Namely, in each rewrite rule $\dot{H}\mapsto\dot{H'}$ of the operations, only one input of $|\dot{H}|$ has type $\star$, and $\dot{H}=\lightning;|\dot{H}|$ and $\dot{H'}=?;|\dot{H'}|$. Moreover, any output of $|\dot{H}|$ with type $\star$ is a target of an atom edge or a box edge (by definition of stable hypernets), which implies that $|\dot{H}|$ is one-way.

Remark 14 (Requirement of stable hypernets in Section 12.1).

Because any initial state is rooted, and all transitions preserve the rooted property, we can safely assume that any state arising in an execution is rooted. This means that the additional requirement of stable hypernets in Section 12.1 is in fact guaranteed to be satisfied in any execution (by 24, 33 and 31). ∎

12.2. Pre-templates and robustness

Figure 20. The parametricity pre-template, where $C$ is a contraction tree

Figure 21. Structural pre-templates, where $C:\epsilon\Rightarrow\star$ is a contraction tree, $H$ is a copyable hypernet, $G$ is a hypernet, and $(\rho,\rho')$ is a box-permutation pair

We now define the necessary pre-templates, which are the parametricity pre-template $\vartriangleleft^{\mathrm{Param}}$, two operational pre-templates $\vartriangleleft^{\mathtt{ref}}$ and $\vartriangleleft^{\overset{\rightarrow}{@}}$, and the structural pre-templates.

Definition (Pre-templates).

  • The parametricity pre-template $\vartriangleleft^{\mathrm{Param}}$ is as shown in Figure 20.

  • The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is derived from rewrite rules as follows: $|\dot{G_{1}}|\vartriangleleft^{\overset{\rightarrow}{@}}|\dot{G_{2}}|$ if $\dot{G_{1}}\mapsto\dot{G_{2}}$ is a micro-beta rewrite rule (Figure 10b) in which $G_{S}$ (see the figure) is not an arbitrary hypernet but a stable hypernet.

  • The reference-creation pre-template $\vartriangleleft^{\mathtt{ref}}$ is derived from rewrite rules as follows: $|\dot{G_{1}}|\vartriangleleft^{\mathtt{ref}}|\dot{G_{2}}|$ if $\dot{G_{1}}\mapsto\dot{G_{2}}$ is a reference-creation rewrite rule (Figure 19a) in which $G_{S}$ (see the figure) is not an arbitrary hypernet but a stable hypernet.

  • Structural pre-templates are as shown in Figure 21, using the following notion of box-permutation pair.

Definition (Box-permutation pair). For any $n,k,h\in\mathbb{N}$, let $\rho$ and $\rho'$ be bijections on the sets $\{1,\ldots,n+k+h\}$ and $\{1,\ldots,k+h\}$, respectively. These bijections form a box-permutation pair $(\rho,\rho')$ if, for each $i\in\{1,\ldots,n+k+h\}$, the following holds:

  (1) $\rho(i)=i$ if $1\leq i\leq n$,

  (2) $\rho(i)=n+\rho'(i-n)$ if $n<i\leq n+k+h$,

  (3) $1\leq\rho'(i-n)\leq k$ if $n<i\leq n+k$,

  (4) $k<\rho'(i-n)\leq k+h$ if $n+k<i\leq n+k+h$.

In words: $\rho$ fixes the $n$ positions that are bound by the box, and on the remaining $k+h$ positions it acts as $\rho'$ shifted by $n$ (the shift is forced, since $\rho$ must be a bijection on $\{1,\ldots,n+k+h\}$ while fixing $\{1,\ldots,n\}$); $\rho'$ never swaps a $\star$-typed output with a $\diamond$-typed one, so the box type $T^{n}(\star)\Rightarrow\star^{\otimes k}\otimes\diamond^{\otimes h}$ is preserved.
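As an added example, not part of the paper, the following Python checks the box-permutation pair condition for given $n,k,h$ and builds the only candidate $\rho$ for a given $\rho'$. The index layout (positions $1..n$ bound by the box, $n+1..n+k$ the $\star$ outputs, $n+k+1..n+k+h$ the $\diamond$ outputs) follows the definition; clause (2) is implemented as $\rho(i)=n+\rho'(i-n)$, the reading under which $\rho$ can be a bijection while fixing $1..n$, and that reading is our assumption.

```python
# Added example, not from the paper: a checker for the box-permutation pair
# condition.  Index layout follows the definition: positions 1..n are bound by
# the box (left fixed), n+1..n+k are its star outputs and n+k+1..n+k+h its
# diamond outputs.  Clause (2) is implemented as rho(i) = n + rho'(i - n):
# since rho fixes 1..n, a bijection rho can only agree with rho' on the
# outputs up to that offset (this reading is ours).


def is_bijection_on(f: dict, n: int) -> bool:
    universe = set(range(1, n + 1))
    return set(f) == universe and set(f.values()) == universe


def is_box_permutation_pair(rho: dict, rho_prime: dict, n: int, k: int, h: int) -> bool:
    """True iff (rho, rho') satisfies clauses (1)-(4) for the sizes n, k, h."""
    if not (is_bijection_on(rho, n + k + h) and is_bijection_on(rho_prime, k + h)):
        return False
    for i in range(1, n + k + h + 1):
        if i <= n:
            if rho[i] != i:                       # (1) bound positions are untouched
                return False
            continue
        j = rho_prime[i - n]
        if rho[i] != n + j:                       # (2) rho agrees with rho' on outputs
            return False
        if i <= n + k and not 1 <= j <= k:        # (3) star outputs stay star
            return False
        if i > n + k and not k < j <= k + h:      # (4) diamond outputs stay diamond
            return False
    return True


def lift(rho_prime: dict, n: int, k: int, h: int) -> dict:
    """The only candidate rho for a given rho': identity on the n bound
    positions, rho' shifted by n on the k+h outputs.  Whether the pair is
    valid still depends on rho' respecting the star/diamond split."""
    return {i: (i if i <= n else n + rho_prime[i - n]) for i in range(1, n + k + h + 1)}


def swap(a: int, b: int, size: int) -> dict:
    """Transposition of positions a and b inside {1..size} (constructed test data)."""
    return {i: (b if i == a else a if i == b else i) for i in range(1, size + 1)}


if __name__ == "__main__":
    n, k, h = 2, 2, 1
    ok = swap(1, 2, k + h)          # exchange the two star outputs: allowed
    bad = swap(2, 3, k + h)         # exchange a star with a diamond output: ill-typed
    print(is_box_permutation_pair(lift(ok, n, k, h), ok, n, k, h))    # True
    print(is_box_permutation_pair(lift(bad, n, k, h), bad, n, k, h))  # False
```

The rejected case is the one a BPerm rewrite must never produce: permuting a $\star$ output into a $\diamond$ position would change the box's type and break the type discipline for box edges stated in Section 10.1.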

The rhs of $\vartriangleleft^{\mathrm{Param}}$ is straightforward. It consists of encodings of two function abstractions, namely ‘$\lambda f.\,(\lambda w.\,1)\ (f\ ())$’ (the desugaring of $\lambda f.\,(f\ ();\,1)$) and ‘$\lambda w.\,1$’. The empty store is absent from the graphical representation.

The lhs of $\vartriangleleft^{\mathrm{Param}}$ contains encodings of two function abstractions, i.e. ‘$\lambda f.\,(\lambda w.\,!x)\ (f\ ())$’ and ‘$\lambda w.\,!x$’, and also the graphical representation of the store ‘$\{a\mapsto 1\}$’, which consists of an atom edge and an edge labelled with the value ‘$1$’. The variable ‘$x$’ refers to the name ‘$a$’, and therefore the encodings of the function abstractions are all connected to the atom edge via a contraction tree.

All structural pre-templates (Figure 21) but $\vartriangleleft^{\mathrm{BPerm}}$ concern contractions and weakenings. The pre-template $\vartriangleleft^{\mathrm{BPerm}}$ lets us permute the outputs of a box.

Table 3. Templates, with their robustness and implied contextual refinements/equivalences ($\square$ denotes anything). Abbreviations: $\mathbb{C}$ stands for $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$ and $\mathbb{C}_{\mathrm{bf}}$ for $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$; the relations $=,\geq,\leq$ are $=_{\mathbb{N}},\geq_{\mathbb{N}},\leq_{\mathbb{N}}$; a dagger ($\dagger$) marks the symbols set in cyan in the original.

| pre-template | template (input-safety) | robustness of $\vartriangleleft$ | robustness of $\vartriangleleft^{-1}$ | dependency | implication of $H_{1}\vartriangleleft H_{2}$ |
| $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Assoc}}$ | $\mathbb{C},=,=$ | $\mathbb{C},=,=,=$ | $\mathbb{C},=,=,=$ | | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Comm}}$ | $\mathbb{C},=,=$ | $\mathbb{C},=,=,=$ | $\mathbb{C},=,=,=$ | | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Idem}}$ | $\square,\square,\square$ | $\mathbb{C},=,=,=$ | $\mathbb{C},=,=,=$ | | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\boldsymbol{\otimes}}$ | $\mathbb{C},\geq,=^{\dagger}$ | $\mathbb{C},=,=,=^{\dagger}$ | $\mathbb{C},=,=^{\dagger},=$ | $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Assoc}}$, $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Comm}}$ | $H_{1}\preceq^{\mathbb{C}}_{\geq}H_{2}$ and $H_{2}\preceq^{\mathbb{C}}_{\leq}H_{1}$ |
| $\vartriangleleft^{\mathrm{GC}}$ | $\square,\square,\square$ | $\mathbb{C},=,=,=$ | $\mathbb{C},=,=,=$ | | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\mathrm{BPerm}}$ | $\square,\square,\square$ | $\mathbb{C},=,=,=$ | $\mathbb{C},=,=,=$ | | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\mathrm{BPullC}}$ | $\square,\square,\square$ | $\mathbb{C},=,=,=^{\dagger}$ | $\mathbb{C},=,=^{\dagger},=$ | $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Assoc}}$, $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Comm}}$, $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Idem}}$ | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\mathrm{BPullW}}$ | $\square,\square,\square$ | $\mathbb{C},=,=,=^{\dagger}$ | $\mathbb{C},=,=^{\dagger},=$ | $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Idem}}$ | $H_{1}\simeq^{\mathbb{C}}_{=}H_{2}$ |
| $\vartriangleleft^{\overset{\rightarrow}{@}}$ | $\mathbb{C},\geq,=$ and $\mathbb{C}_{\mathrm{bf}},\geq,=$ | $\mathbb{C}_{\mathrm{bf}},=,=,=$ | $\mathbb{C}_{\mathrm{bf}},=,=,=$ | | $H_{1}\preceq^{\mathbb{C}_{\mathrm{bf}}}_{\geq}H_{2}$ and $H_{2}\preceq^{\mathbb{C}_{\mathrm{bf}}}_{\leq}H_{1}$ |
| $\vartriangleleft^{\mathtt{ref}}$ | $\mathbb{C},\geq,=$ and $\mathbb{C}_{\mathrm{bf}},\geq,=$ | $\mathbb{C}_{\mathrm{bf}},=,=,=$ | $\mathbb{C}_{\mathrm{bf}},=,=,=$ | | $H_{1}\preceq^{\mathbb{C}_{\mathrm{bf}}}_{\geq}H_{2}$ and $H_{2}\preceq^{\mathbb{C}_{\mathrm{bf}}}_{\leq}H_{1}$ |
| $\vartriangleleft^{\mathrm{Param}}$ (upper row) | $\mathbb{C},=,=$ | $\mathbb{C},\geq,\geq^{\dagger},=$ | $\mathbb{C},\leq,=,\leq^{\dagger}$ | $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Assoc}}$, $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Idem}}$ | $H_{1}\preceq^{\mathbb{C}}_{\geq}H_{2}$ |
| $\vartriangleleft^{\mathrm{Param}}$ (lower row) | | $\mathbb{C},\geq,\geq,\geq$ | | $\vartriangleleft^{\boldsymbol{\otimes}}$, $\vartriangleleft^{\mathrm{GC}}$ | $H_{2}\preceq^{\mathbb{C}}_{\leq}H_{1}$ |

Thanks to Lemma 13, we can apply the sufficiency-of-robustness theorem (Theorem 6) and obtain contextual equivalences (on hypernets) as follows.

Lemma 15.
  (1) The micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ implies the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}$.

  (2) The reference-creation pre-template $\vartriangleleft^{\mathtt{ref}}$ implies the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}$.

  (3) Each structural pre-template implies the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\mathbb{N}\times\mathbb{N}}$.

Proof 12.2 (Proof outline).

Table 3 summarises how we use Theorem 6 on the pre-templates. For example, $\vartriangleleft^{\boldsymbol{\otimes}}$ is a $(\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}},\geq_{\mathbb{N}},=_{\mathbb{N}})$-template, as shown in the “template” column, and both it and its converse are $(\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}},=_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$-robust relative to all rewrite transitions, as shown in the “robustness” columns. Thanks to monotonicity of robustness with respect to $Q$, we can then use Theorem 6(1) with the reasonable triple $(\geq_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$, and Theorem 6(2) with the reasonable triple $(\leq_{\mathbb{N}},=_{\mathbb{N}},=_{\mathbb{N}})$. Consequently, $H_{1}\vartriangleleft^{\boldsymbol{\otimes}}H_{2}$ implies $H_{1}\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\geq_{\mathbb{N}}}H_{2}$ and $H_{2}\preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\leq_{\mathbb{N}}}H_{1}$, which is shown in the “implication of $H_{1}\vartriangleleft H_{2}$” column.

Output-closure of the pre-templates can be easily checked, typically by spotting that an input or an output of type $\star$ is a source or a target of a contraction, atom or box edge.

Pre-templates that relate hypernets with no input of type $\star$ are trivially $(\mathbb{C},Q,Q')$-templates for any $\mathbb{C}$, $Q$ and $Q'$. The table uses ‘$\square,\square,\square$’ to represent this situation.

Typically, a reasonable triple for a pre-template can be found by selecting the “bigger” parameters from those of input-safety and robustness, thanks to monotonicity of input-safety and robustness with respect to $(Q,Q',Q'')$. However, the parametricity pre-template $\vartriangleleft^{\mathrm{Param}}$ requires a non-trivial use of the monotonicity. This is because the parameter $(\geq,\geq,=)$ that makes the pre-template robust, as the upper row of the “robustness” column shows, is not itself a reasonable triple. The lower row shows the alternative, bigger, parameter $(\geq,\geq,\geq)$ to which Theorem 6 can be applied.

In the table, cyan symbols indicate where a proof of input-safety or robustness relies on contextual refinement. The “dependency” column indicates which pre-templates can be used to prove the necessary contextual refinement, given that these pre-templates imply contextual refinement as shown elsewhere in the table. This reliance specifically happens in finding a quasi-specimen, using contextual refinements/equivalences via 42. In the case of $\vartriangleleft^{\boldsymbol{\otimes}}$, its input-safety and robustness are proved under the assumption that $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Assoc}}$ and $\vartriangleleft^{\boldsymbol{\otimes}\mathrm{Comm}}$ imply the contextual equivalence $\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}}$.

Detailed proofs of input-safety and robustness are in Section H.2 and Section H.3.

Remark 16 (Necessity of binding-free contexts).

The restriction to binding-free contexts plays a crucial role only in the robustness of the operational pre-templates $\vartriangleleft^{\overset{\rightarrow}{@}}$ and $\vartriangleleft^{\mathtt{ref}}$. In fact, these pre-templates are input-safe with respect to both $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$ and $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$. The gap reflects the duplication behaviour of atom edges, which is only encountered in a proof of robustness.

In fact, robustness of the micro-beta pre-template $\vartriangleleft^{\overset{\rightarrow}{@}}$ is not guaranteed in the presence of copy transitions, which apply contraction rules. Starting from a pair of states given by a specimen $(\dot{\mathcal{C}};\vec{H^{1}};\vec{H^{2}})$, it may be the case that some copy transitions are possible without reaching another (quasi-)specimen. An example scenario is when the specimen yields the following two states, where the context $\dot{\mathcal{C}}$ is indicated in magenta:

$$\dot{\mathcal{C}}[\vec{H^{1}}]=\text{[figure: ctxt-nbf-H1]},\qquad \dot{\mathcal{C}}[\vec{H^{2}}]=\text{[figure: ctxt-nbf-H2]}.$$

Transitions from the state \dot{\mathcal{C}}[\vec{H^{1}}] eventually duplicate the application edge (@), the abstraction edge (\lambda) and also the entire box connected to the abstraction edge. In particular, these transitions duplicate the atom edge contained in the box. However, transitions from the state \dot{\mathcal{C}}[\vec{H^{2}}] can never duplicate the atom edge, because the edge is shallow in this state. This mismatch of duplication prevents the micro-beta pre-template from being robust relative to a copy transition.

This is why we restrict contexts to be binding-free when it comes to robustness of operational pre-templates. If the context |\dot{\mathcal{C}}| is binding-free, the situation explained above never happens: application of a contraction rule can involve the hypernets \vec{H^{1}} and \vec{H^{2}} only as part of box contents that are duplicated as a whole. Any specimen of \vartriangleleft^{\overset{\rightarrow}{@}} is therefore turned, by a single copy transition, into another specimen whose context possibly has more holes. Note that this also explains why we allow the context of a specimen to have multiple holes. ∎

12.3. Combining templates

We now combine the contextual equivalences and prove 11 and 12. We start by combining the structural templates \vartriangleleft^{\otimes\mathrm{Idem}} and \vartriangleleft^{\mathrm{BPullW}}, and prove the Weakening laws.

Proof 12.3 (Proof outline of 11).

The proof is by induction on derivations. Base cases are for variables, atoms and constants. The proof for these cases is trivial, because any distributor D^{\ell}_{k,0} with no inputs is simply a bunch of weakening edges (see Section 10.2).

In inductive cases, we need to identify a single weakening edge with a certain (sub-)hypernet, namely: (i) a distributor D^{\ell}_{1,1} whose sole input is connected to a weakening edge, (ii) a distributor D^{\ell}_{1,2} whose two inputs are connected to weakening edges, and (iii) a distributor D^{\ell}_{1,1} whose sole input is connected to a box edge, in which a weakening edge is connected to the corresponding output. The first two situations arise for unary/binary operations and function application. These can be handled with the contextual equivalence \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} implied by \vartriangleleft^{\otimes\mathrm{Idem}}. The third situation arises for function abstraction, and it boils down to the first situation, thanks to the contextual equivalence \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} implied by \vartriangleleft^{\mathrm{BPullW}}.

We can then prove the equivalence (10) as follows.

\bigl(-\mid-\vdash\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ (\mathtt{ref}\ 1)\bigr)^{\ddagger} =
[hypernet param-ch-1, image not reproduced]
\quad\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}\quad (by \vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Comm}}, \vartriangleleft^{\otimes\mathrm{Idem}}, \vartriangleleft^{\mathrm{BPerm}}, \vartriangleleft^{\mathrm{BPullC}}, \vartriangleleft^{\mathrm{BPullW}})
[hypernet param-ch-2, image not reproduced]
\quad\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}\quad (by \vartriangleleft^{\mathtt{ref}})
[hypernet param-ch-3, image not reproduced]
\quad\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}\quad (by \vartriangleleft^{\overset{\rightarrow}{@}})
[hypernet param-ch-4, image not reproduced]
\quad\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}\quad (by \vartriangleleft^{\mathrm{Param}})
[hypernet param-ch-5, image not reproduced]
\quad\simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}\quad (by \vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Comm}}, \vartriangleleft^{\otimes\mathrm{Idem}}, \vartriangleleft^{\mathrm{BPullW}})
[hypernet param-ch-6, image not reproduced]
= (-\mid-\vdash\lambda f.\,(\lambda w.\,1)\ (f\ ()))^{\ddagger}
Figure 22. A proof illustration of 12, for the empty environment
Proof 12.4 (Proof of 12).

Let P_{\mathsf{L}} and P_{\mathsf{R}} be the de-sugared versions of the left-hand side and the right-hand side of (10), i.e.:

P_{\mathsf{L}} \equiv \bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ (\mathtt{ref}\ 1)
P_{\mathsf{R}} \equiv \lambda f.\,(\lambda w.\,1)\ (f\ ()).

The equivalence (10) can be obtained as a chain of contextual equivalences whose outline is as follows.

[hypernet param-tch-1, image not reproduced] \ \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}}\ [hypernet param-tch-2, image not reproduced] \ \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}}_{\mathbb{N}\times\mathbb{N}}\ [hypernet param-tch-3, image not reproduced] \ \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}}\ [hypernet param-tch-4, image not reproduced] \qquad (11)

The leftmost and rightmost contextual equivalences are consequences of the Weakening laws (11), because the terms P_{\mathsf{L}} and P_{\mathsf{R}} have neither free variables nor free atoms. The middle contextual equivalence follows from the special case of (10) where the environment is empty, i.e. -\mid-\vDash P_{\mathsf{L}}\simeq^{\ddagger}P_{\mathsf{R}}. This contextual equivalence is derived from another chain of contextual equivalences, shown in Figure 22, via the binding-free context that consists of a hole of type \star\Rightarrow\epsilon and weakening edges (i.e. D^{\star}_{k,0} and D^{\diamond}_{h,0}). In Figure 22, each contextual equivalence is accompanied by the relevant templates, and preorders on natural numbers are omitted.

\begin{tabular}{l|ccccccccccc}
 & \otimes\mathrm{Assoc} & \otimes\mathrm{Comm} & \otimes\mathrm{Idem} & \otimes & \mathrm{GC} & \mathrm{BPerm} & \mathrm{BPullC} & \mathrm{BPullW} & \overset{\rightarrow}{@} & \mathtt{ref} & \mathrm{Param} \\
\hline
11 (Weakening laws) & & & \circ & & & & & \circ & & & \\
12 (equivalence (10)) & \circ & \circ & \circ, (W) & \bullet & \bullet & \circ & \circ & \circ, (W) & \circ & \circ & \circ \\
\end{tabular}
Table 4. Dependency of example equivalences on templates

This concludes our development leading to the proof of our example equivalences.

Table 4 summarises the dependency of the example equivalences on templates, as observed in the above proofs. The symbol ‘\circ’ indicates direct dependency on templates, in the sense that an equivalence can be proved by combining contextual equivalences implied by these templates. For example, the Weakening laws are obtained by combining the two templates \vartriangleleft^{\otimes\mathrm{Idem}} and \vartriangleleft^{\mathrm{BPullW}}. Because the proof of 12 uses the Weakening laws, it also depends on these two templates, which is indicated by ‘(W)’ in the table.

Note that the two templates \vartriangleleft^{\otimes} and \vartriangleleft^{\mathrm{GC}} do not directly appear in the proof of 12, in particular in the chain shown in Figure 22. They are however necessary for robustness of the parametricity template (see Table 3). 12 thus depends on the two templates only indirectly, which is indicated by the symbol ‘\bullet’ in Table 4.

12.4. Designing pre-templates

Chosen terms and contexts:

P_{\mathsf{L}} \equiv \bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ (\mathtt{ref}\ 1) \qquad (de-sugared version of the lhs of the law)
P_{\mathsf{R}} \equiv \lambda f.\,(\lambda w.\,1)\ (f\ ()) \qquad (de-sugared version of the rhs of the law)
C_{\mathsf{1}} \equiv \bigl(\lambda g.\,(g\ (\lambda y.\,y))+(g\ (\lambda z.\,0))\bigr)\ [\,]

Informal reduction of the program C_{\mathsf{1}}[P_{\mathsf{L}}] with empty store \emptyset:

\begin{array}{l|lcc}
\hline
\texttt{L0}  & \bigl(\lambda g.\,(g\ (\lambda y.\,y))+(g\ (\lambda z.\,0))\bigr)\ \Bigl(\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ (\mathtt{ref}\ 1)\Bigr), & \emptyset & \dashrightarrow \\
\texttt{L0'} & \bigl(\lambda g.\,(g\ (\lambda y.\,y))+(g\ (\lambda z.\,0))\bigr)\ \Bigl(\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ a\Bigr), & \{a\mapsto 1\} & \dashrightarrow \\
\texttt{L1}  & \bigl(\lambda g.\,(g\ (\lambda y.\,y))+(g\ (\lambda z.\,0))\bigr)\ \textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}, & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L2}  & \bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}\ (\lambda y.\,y)\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L3}  & \bigl(\textcolor{magenta}{(\lambda w.\,!a)}\ ((\lambda y.\,y)\ ())\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L4}  & \bigl(\textcolor{magenta}{(\lambda w.\,!a)}\ ()\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L4'} & {!a}+\bigl(\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)\ (\lambda z.\,0)\bigr), & \{a\mapsto 1\} & \dashrightarrow \\
\texttt{L5}  & 1+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,!a)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L6}  & 1+\bigl(\textcolor{magenta}{(\lambda w.\,!a)}\ ((\lambda z.\,0)\ ())\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L7}  & 1+\bigl(\textcolor{magenta}{(\lambda w.\,!a)}\ 0\bigr), & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L7'} & 1+{!a}, & \{a\mapsto 1\} & \dashrightarrow \\
\texttt{L8}  & 1+1, & \textcolor{magenta}{\{a\mapsto 1\}} & \dashrightarrow \\
\hline
\texttt{L9}  & 2, & \textcolor{magenta}{\{a\mapsto 1\}} & \\
\hline
\end{array}

Informal reduction of the program C_{\mathsf{1}}[P_{\mathsf{R}}] with empty store \emptyset:

\begin{array}{l|lcc}
\hline
\texttt{R1} & \bigl(\lambda g.\,(g\ (\lambda y.\,y))+(g\ (\lambda z.\,0))\bigr)\ \textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}, & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R2} & \bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}\ (\lambda y.\,y)\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R3} & \bigl(\textcolor{magenta}{(\lambda w.\,1)}\ ((\lambda y.\,y)\ ())\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R4} & \bigl(\textcolor{magenta}{(\lambda w.\,1)}\ ()\bigr)+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R5} & 1+\bigl(\textcolor{magenta}{\bigl(\lambda f.\,(\lambda w.\,1)\ (f\ ())\bigr)}\ (\lambda z.\,0)\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R6} & 1+\bigl(\textcolor{magenta}{(\lambda w.\,1)}\ ((\lambda z.\,0)\ ())\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R7} & 1+\bigl(\textcolor{magenta}{(\lambda w.\,1)}\ 0\bigr), & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R8} & 1+1, & \textcolor{magenta}{\emptyset} & \dashrightarrow \\
\hline
\texttt{R9} & 2, & \textcolor{magenta}{\emptyset} & \\
\hline
\end{array}
Figure 23. The equivalence (10): an example scenario

We conclude this section with an informal description of how some of the pre-templates are designed, using conventional reduction semantics. This description will reveal how the graphical representation is better suited to local reasoning than the textual representation (see e.g. (12)).

Instead of turning (10) directly into a single pre-template, we decompose the equivalence into several, more primitive, pre-templates. Once we apply the sufficiency-of-robustness theorem to the pre-templates, the obtained contextual equivalences can be composed to yield (10), as we saw in Section 12.3. This approach increases the possibility of reusing parts of a proof of one law in a proof of another law. For example, most of the pre-templates that are used to prove (10) can be reused for proving the call-by-value Beta law (see [Mur20, Section 4.5] for details).

The idea of the pre-templates is that they can describe all the possible differences that may arise during execution of any two programs whose difference is given precisely by (10). As an illustration of the design process, we compare informal reduction sequences of two example programs, as summarised in Figure 23.

We choose the context C_{\mathsf{1}}, which expects a function in the hole and uses it twice. It generates two programs, by receiving the terms P_{\mathsf{L}} and P_{\mathsf{R}} that are de-sugared versions of the two sides of (10).

Each informal reduction step \dashrightarrow updates a term and its associated store. The step is either standard call-by-value beta-reduction, addition of numbers (for ‘+’), reference creation (for ‘\mathtt{ref}’), or dereferencing (for ‘!’). Reference creation is the only step that modifies the store. It replaces a (sub-)term of the form ‘\mathtt{ref}\ n’ with a fresh name, say ‘a’, and extends the store with ‘a\mapsto n’. The empty store is denoted by ‘\emptyset’. Each reduction step in Figure 23 is given a tag, such as L0, L0’, R1. We use the tags to refer to the corresponding term and store, and also to the reduction step, if any, from that term and store.

Before explaining the colouring scheme of Figure 23, let us observe the (in-)correspondence between the reduction sequences of C_{\mathsf{1}}[P_{\mathsf{L}}] and C_{\mathsf{1}}[P_{\mathsf{R}}]. The reduction sequence of C_{\mathsf{1}}[P_{\mathsf{R}}] consists of seven beta-reduction steps (R1–R7) and one addition step (R8). The other reduction sequence, of C_{\mathsf{1}}[P_{\mathsf{L}}], contains steps that correspond to these seven beta-reduction steps and the addition step, as suggested by the tags (L1, L2, L3, L4, L5, L6, L7, L8). The sequence has four additional steps, namely: one reference-creation step (L0), one application step (L0’) of a function to the created name ‘a’, and two dereferencing steps (L4’, L7’). The two sequences result in the same term, but in different stores (L9, R9).
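To make the step accounting of Figure 23 checkable, the following Python evaluator is an added example; it is not part of the paper and is not the paper's hypernet machine. It implements the informal reduction semantics described above as a big-step call-by-value evaluator with a store, counts the four kinds of step (beta, addition, reference creation, dereferencing), and evaluates C_{\mathsf{1}}[P_{\mathsf{L}}] and C_{\mathsf{1}}[P_{\mathsf{R}}] from the empty store. Since every beta, addition, \mathtt{ref} and ! step of the figure corresponds to exactly one evaluation of an application, addition, \mathtt{ref} or ! node, the counts agree with the small-step sequences even though the evaluator is big-step. The tuple encoding of terms, the naming scheme a0, a1, … for fresh references, the `observe` function and the extra sample contexts are this example's own assumptions.

```python
"""Call-by-value evaluator for the lambda-calculus with references used in
the paper's example (10).  Added illustration: the tuple AST, the step
counters and the sample contexts are this example's own choices, not the
paper's formal machine."""

# Term constructors.  Terms are nested tuples whose first component is a tag.
def var(x):      return ('var', x)
def lam(x, b):   return ('lam', x, b)
def app(f, a):   return ('app', f, a)
def num(n):      return ('int', n)
def add(l, r):   return ('add', l, r)
def ref(t):      return ('ref', t)
def deref(t):    return ('deref', t)
UNIT = ('unit',)
HOLE = ('hole',)


def fill(ctx, term):
    """C[term]: plug term into every hole of ctx (holes may sit under binders)."""
    if ctx == HOLE:
        return term
    return tuple(fill(c, term) if isinstance(c, tuple) else c for c in ctx)


class Store:
    """Heap cells plus counters for the four kinds of step in Figure 23."""
    def __init__(self):
        self.cells = {}
        self.counts = {'beta': 0, 'add': 0, 'ref': 0, 'deref': 0}


def evaluate(t, env, st):
    """Big-step CBV evaluation; sub-terms are evaluated left to right,
    matching the order of the informal reduction in Figure 23."""
    tag = t[0]
    if tag in ('int', 'unit'):
        return t
    if tag == 'var':
        return env[t[1]]
    if tag == 'lam':                      # closure: parameter, body, captured env
        return ('clo', t[1], t[2], env)
    if tag == 'app':
        f = evaluate(t[1], env, st)
        a = evaluate(t[2], env, st)
        if f[0] != 'clo':
            raise TypeError('application of a non-function')
        st.counts['beta'] += 1
        return evaluate(f[2], {**f[3], f[1]: a}, st)
    if tag == 'add':
        l = evaluate(t[1], env, st)
        r = evaluate(t[2], env, st)
        st.counts['add'] += 1
        return num(l[1] + r[1])
    if tag == 'ref':                      # allocate a fresh name a0, a1, ...
        v = evaluate(t[1], env, st)
        name = f'a{len(st.cells)}'
        st.cells[name] = v
        st.counts['ref'] += 1
        return ('name', name)
    if tag == 'deref':
        n = evaluate(t[1], env, st)
        st.counts['deref'] += 1
        return st.cells[n[1]]
    raise ValueError(f'unfilled hole or unknown tag {tag!r}')


def run(ctx, term):
    """Evaluate C[term] from the empty store; returns (value, store, step counts)."""
    st = Store()
    v = evaluate(fill(ctx, term), {}, st)
    return v, dict(st.cells), dict(st.counts)


def observe(v):
    """What a context can observe of a final value: numbers and unit are
    visible; a function is seen only as 'function' (not its code or its cells)."""
    return v if v[0] in ('int', 'unit') else 'function'


def observations_agree(ctx, t1, t2):
    return observe(run(ctx, t1)[0]) == observe(run(ctx, t2)[0])


# The two sides of (10), de-sugared as in the paper, and the context C_1.
P_L = app(lam('x', lam('f', app(lam('w', deref(var('x'))), app(var('f'), UNIT)))), ref(num(1)))
P_R = lam('f', app(lam('w', num(1)), app(var('f'), UNIT)))
C_1 = app(lam('g', add(app(var('g'), lam('y', var('y'))), app(var('g'), lam('z', num(0))))), HOLE)

# Further constructed contexts (not from the paper): the hole alone, the hole
# applied once, and a context that owns a cell of its own and uses the hole once.
SAMPLE_CONTEXTS = [
    HOLE,
    app(HOLE, lam('y', var('y'))),
    app(lam('c', add(deref(var('c')), app(HOLE, lam('u', var('c'))))), ref(num(5))),
    C_1,
]

if __name__ == '__main__':
    for name, p in (('P_L', P_L), ('P_R', P_R)):
        v, cells, counts = run(C_1, p)
        print(name, observe(v), cells, counts)
```

Running the block reports the observed value 2 for both sides. For P_{\mathsf{L}} the final store is {a0 ↦ 1} and the counts are 8 beta, 1 addition, 1 reference creation and 2 dereferences, i.e. the twelve steps L0–L8 including the primed tags; for P_{\mathsf{R}} the store stays empty and the counts are 7 beta and 1 addition (R1–R8). Closures are deliberately not compared structurally: the closure produced by P_{\mathsf{L}} mentions the name a0 while that of P_{\mathsf{R}} does not, and that is exactly the difference the parametricity pre-template has to absorb.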

The colouring scheme is as follows. In the eight matching steps and the final result, differences between the two sides (e.g. L1 and R1) are highlighted in magenta. Note that it is not the minimum difference that is highlighted. Highlighted parts are chosen so that they capture the smallest difference “on the surface”. Sub-terms on the surface are those outside any lambda-abstraction, which can be graphically represented by sub-hypernets outside any box. For example, after the name creation (i.e. in L1, R1), the function abstractions (‘\lambda f.\,(\lambda w.\,!a)\ (f\ ())’, ‘\lambda f.\,(\lambda w.\,1)\ (f\ ())’) are highlighted, instead of the minimum difference (‘!a’, ‘1’).

In summary, the reduction sequences of C_{\mathsf{1}}[P_{\mathsf{L}}] and C_{\mathsf{1}}[P_{\mathsf{R}}] have eight steps corresponding to each other (L1–L8, R1–R8), where the differences of their results can be described by means of the store and sub-terms on the surface. The extracted differences are the function abstractions (‘\lambda f.\,(\lambda w.\,!a)\ (f\ ())’ and ‘\lambda w.\,!a’, against ‘\lambda f.\,(\lambda w.\,1)\ (f\ ())’ and ‘\lambda w.\,1’) and the store (‘\{a\mapsto 1\}’ against ‘\emptyset’). By simply collecting these differences, we obtain our first pre-template: the parametricity pre-template \vartriangleleft^{\mathrm{Param}}. It is the essential, key, pre-template for (10). Textually, and intuitively, it looks like the following.

\textcolor{magenta}{\lambda f.\,(\lambda w.\,!a)\ (f\ ())},\enspace\ldots,\enspace\textcolor{magenta}{\lambda f.\,(\lambda w.\,!a)\ (f\ ())},\enspace\textcolor{magenta}{\lambda w.\,!a},\enspace\ldots,\enspace\textcolor{magenta}{\lambda w.\,!a},\enspace\textcolor{magenta}{\{a\mapsto 1\}}
\quad\vartriangleleft^{\mathrm{Param}}\quad
\textcolor{magenta}{\lambda f.\,(\lambda w.\,1)\ (f\ ())},\enspace\ldots,\enspace\textcolor{magenta}{\lambda f.\,(\lambda w.\,1)\ (f\ ())},\enspace\textcolor{magenta}{\lambda w.\,1},\enspace\ldots,\enspace\textcolor{magenta}{\lambda w.\,1},\enspace\textcolor{magenta}{\emptyset} \qquad (12)

Graphically, the parametricity pre-template is simply a relation between hypernets (Figure 20). In particular, the lhs of the pre-template can be represented as a single hypernet, thanks to the graphical representation in which mentions of a name ‘a’ become connections. The hypernets of the function abstractions are all connected to the hypernet of the store ‘\{a\mapsto 1\}’. This graphical representation naturally carries the crucial piece of information, invisible in the informal textual representation (12), that the function abstractions are all and the only parts of a program that have access to the name ‘a’.

The choice of the smallest differences on the surface, instead of the absolute minimum difference, also plays a key role here. Should we choose minimum differences that may lie inside a lambda-abstraction, their hypernet representations could not be directly combined to yield a single valid hypernet. This is due to the box structure of hypernets, which is used to represent function abstraction. In other words, to connect the hypernet of the store ‘\{a\mapsto 1\}’ to the hypernet of the sub-term ‘!a’ that appears inside the function abstraction ‘\lambda w.\,!a’, we must first make a connection to the hypernet of the whole function abstraction, which contains the hypernet of ‘!a’ inside a box.

Recall that the parametricity pre-template \vartriangleleft^{\mathrm{Param}} collects differences in matching steps (eight steps each, i.e. L1–L8, R1–R8). From the first two unmatched steps (L0, L0’), we extract the two operational pre-templates \vartriangleleft^{\mathtt{ref}} and \vartriangleleft^{\overset{\rightarrow}{@}}. These are both induced by reductions, namely: \vartriangleleft^{\mathtt{ref}} by reference creation (L0) and \vartriangleleft^{\overset{\rightarrow}{@}} by beta-reduction (L0’). For instance, these pre-templates relate the sub-terms yielded by the two reductions (L0, L0’), informally as follows.

\mathtt{ref}\ 1,\enspace\emptyset \quad\vartriangleleft^{\mathtt{ref}}\quad a,\enspace\{a\mapsto 1\}
\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ a \quad\vartriangleleft^{\overset{\rightarrow}{@}}\quad \lambda f.\,(\lambda w.\,!a)\ (f\ ())

The three pre-templates \vartriangleleft^{\mathrm{Param}}, \vartriangleleft^{\mathtt{ref}}, \vartriangleleft^{\overset{\rightarrow}{@}} are all the key pre-templates we need for (10). Once the sufficiency-of-robustness theorem is applied to these pre-templates, the equivalence can be obtained as a chain of the induced contextual equivalences. The chain roughly looks as follows for the particular programs C_{\mathsf{1}}[P_{\mathsf{L}}] and C_{\mathsf{1}}[P_{\mathsf{R}}], where we use \simeq to denote the informal textual counterpart of contextual equivalence between terms accompanied by a store.

C_{\mathsf{1}}[P_{\mathsf{L}}],\enspace\emptyset \quad\equiv\quad C_{\mathsf{1}}[\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ (\mathtt{ref}\ 1)],\enspace\emptyset \qquad (13)
\quad\simeq\quad C_{\mathsf{1}}[\bigl(\lambda x.\,\lambda f.\,(\lambda w.\,!x)\ (f\ ())\bigr)\ a],\enspace\{a\mapsto 1\} \qquad (induced by \vartriangleleft^{\mathtt{ref}})
\quad\simeq\quad C_{\mathsf{1}}[\lambda f.\,(\lambda w.\,!a)\ (f\ ())],\enspace\{a\mapsto 1\} \qquad (induced by \vartriangleleft^{\overset{\rightarrow}{@}})
\quad\simeq\quad C_{\mathsf{1}}[\lambda f.\,(\lambda w.\,1)\ (f\ ())],\enspace\emptyset \qquad (induced by \vartriangleleft^{\mathrm{Param}})
\quad\equiv\quad C_{\mathsf{1}}[P_{\mathsf{R}}],\enspace\emptyset

Finally, in the formal proof that uses hypernets and focussed graph rewriting rather than terms and reductions, we additionally needed auxiliary, structural pre-templates (Figure 21). These enable us to simplify or identify certain contractions and weakenings, which are not present in the textual representation but are important in the graphical representation as hypernets. Contextual equivalences induced by the structural pre-templates enable simplification of certain hypernets that involve contractions and weakenings. This simplification appears in the formal counterpart of the chain (13), shown in Figure 22. It primarily applies to the hypernets produced by the encoding (-)^{\ddagger}. Additionally, the structural pre-templates helped us prove input-safety and robustness of other pre-templates.

13. Related and future work

13.1. Proof methodologies for observational equivalence

This work deals with the fragility of observational equivalence and of its proof methodologies. Dreyer et al. address this issue by carefully distinguishing between various kinds of operations (state vs. control) [DNB12]. Dreyer et al. [DNRB10] use Kripke relations to go beyond an enumerative classification of effects; they use a characterisation of effects in aid of reasoning. Their notion of island has intuitions similar to our robustness property. More radical approaches replace the concept of syntactic context with an epistemic context, akin to a Dolev-Yao-style attacker [GT12], or characterise combinatorially the interaction between a term and its context, as is the case with game semantics [AJM00, HO00] or trace semantics [JR05]. We propose a new approach to the problem of fragility, namely directly reasoning about robustness of observational equivalence, using a uniform graph representation of a program and its context.

We are not the first to take a coinductive approach to observational equivalence. Applicative bisimilarity and its successor, environmental bisimilarity, have been successfully used to prove observational equivalence in various effectful settings [Abr90, KLS11, DGL17, SV18]. Typically, one first constructs an applicative (or environmental) bisimulation, and then proves it is a congruence using Howe’s method [How96]. In contrast, in our approach, one first constructs a relation that is closed, by definition, under term (graph) construction, and then proves it is a counting simulation up-to. Our approach does not need Howe’s method.

We argue that our approach is both flexible and elementary. A specific version [MCG18] of this formalism has been used to prove, for example, the soundness of exotic operations involved in (a functional version of) Google’s TensorFlow machine learning library. Even though the proofs can seem complicated, this is in part due to the graph-based formalism being new, and in part due to the fact that proofs of equivalences are lengthy case-based analyses. However, herein lies the simplicity and the robustness of the approach, avoiding the discovery of clever-but-fragile language invariants which can be used to streamline proofs.

Our tedious-but-elementary proofs, on the other hand, seem highly suitable for automation. The idea of elementary case analysis can be adopted in term rewriting, instead of hypernet rewriting, for a call-by-value lambda-calculus equipped with effect handlers [Pre15]. In this setting the case analysis can be formalised as critical pair analysis, a fundamental and automatable technique in term rewriting, and it has indeed been automated [MH24].

13.2. Focussed hypernet rewriting

Focussed hypernet rewriting is a radically new approach to defining effectful programming languages and proving observational equivalence. We are not so much interested in simulated effects, which are essentially encodings of effectful behaviour into pure languages and can be achieved via monads [Wad98], as in genuine native effects, which happen outside of the language. Semantically this was introduced by Plotkin and Power [PP08] and more recently developed by Møgelberg and Staton [MS11]. The (copying) UAM takes the idea to the extreme by situating all operations (pure or effectful) outside of the primitives, and by keeping as intrinsic to the language only the structural aspects of copying vs. sharing and the scheduling of computation via thunking.

The (copying) UAM presented in this paper is an extension of the Dynamic Geometry of Interaction Machine (DGoIM) [MG17] to effects. The DGoIM builds on operational machinery [DR96, Mac95, HMH14, MHH16] inspired by Girard’s Geometry of Interaction (GoI) [Gir89]. Unlike these “conventional” GoI-inspired operational semantics, the DGoIM and hence the UAM are modified so that the underlying hypernet can be rewritten during execution.

The original motivation of the DGoIM was to produce an abstract machine that expresses the computational intuitions of the GoI while correctly modelling the cost of evaluation, particularly for call-by-value and call-by-need. The ability to rewrite its own hypernet makes the DGoIM efficient, in the sense of Accattoli et al. [ABM14], for common reduction strategies (namely, call-by-value and call-by-need). It also gives the DGoIM the ability to model exotic effects, e.g. transforming stateful into pure computation by abstracting the state [MCG18]. As an extension of the DGoIM, the UAM is designed for new reasoning principles and methods that arise out of GoI-inspired operational semantics.

Although the UAM does not aim at efficiency at the moment, one can think of a cost model for the UAM in the same way as for the DGoIM. Moreover, indexing observational equivalence with a preorder representing the number of steps gives a direct avenue for modelling and comparing computation costs. For example, the micro-beta law induced by the pre-template $\vartriangleleft^{\mathop{\overset{\rightarrow}{@}}}$ is indexed by the usual order $\geq$ on $\mathbb{N}$ (cf. Table 3), which indicates that one side never requires more steps than the other in the evaluation process. The only details to be resolved are associating costs (time and space) with steps, in particular different costs for different operations.

The UAM is motivated by a need for a flexible and expressive framework in which a wide variety of effects can be given a cost-accurate model. As discussed, the UAM opens the door to a uniform study of operations and their interactions. Defining new styles of abstract machines is a rich and attractive vein of research. The monoidal computer of Pavlovic [Pav13] or the evolving algebras of Gurevich [Gur18] are such examples. What sets the UAM apart is the fact that it can be used, rather conveniently, for reasoning robustly about observational equivalence.

13.3. Hypernets

The hierarchy of hypernets is inspired by the exponential boxes of proof nets, a graphical representation of linear logic proofs [Gir87], and has an informal connection to Milner's bigraphs [Mil01]. Exponential boxes can be formalised by parameterising an agent (which corresponds to an edge in our setting) by a net, as indicated by Lafont [Laf95]. In the framework of interaction nets [Laf90], which subsume proof nets, agents can be coordinated to represent the boundary of a box, as suggested by Mackie [Mac98]. An alternative representation of boxes that uses extra links between agents is proposed by Accattoli and Guerrini [AG09].

Our graphical formulation of boxes shares the idea of the first, parameterising, approach, but we have flexibility regarding the types of a box edge itself and of its content (i.e. the hypernet that labels it). We use box edges to represent thunks, and a box edge can have fewer targets than its content has outputs, reflecting the number of bound variables a thunk has. This generalised box structure is also studied by Drewes et al. [DHP02] as hierarchical graphs, in the context of double-pushout (DPO) graph transformation [Roz97], a well-established algebraic approach to graph rewriting. More recently, Alvarez-Picallo et al. have formulated DPO rewriting for a class of hypernets similar to those used here [AGSZ22]; their work further relates hypernets to string diagrams with functorial boxes in the style of Melliès [Mel06].

Interaction nets are another established framework for graph rewriting, in which various evaluation strategies for the pure lambda-calculus can be implemented [Sin05, Sin06]. The idea of having a token represent an evaluation strategy can be found in loc. cit., which suggests that our focussed rewriting on hypernets could be implemented using interaction nets. However, the local reasoning we are aiming at with focussed rewriting does not seem easy in the setting of interaction nets, because of technical subtleties observed in loc. cit.; namely, the status of evaluation is remembered not only by the token but also by other agents around the interaction net.

13.4. Future work

One direction is the introduction of a more meaningful type system for hypernets. The current type system of hypernets is very weak, just ensuring well-formedness. We consider it a strength of the approach that equivalences can be proved without the aid of a powerful type infrastructure. On the other hand, in order to avoid stuck configurations and ensure safety of evaluation, more expressive types are required. The usage of more expressive types is perfectly compatible with focussed hypernet rewriting, and is something we intend to explore. In particular we would like to study notions of typing which are germane to focussed hypernet rewriting, capturing its concepts of locality and robustness.

Beyond types, if we look at logics there are some appealing similarities between hypernet rewriting and separation logic [Rey02]. The division of nodes into copying nodes via variables and sharing nodes via atoms is not accidental, and their different contraction properties match those from bunched implications [OP99]. On a deeper level, the concepts of locality and in particular robustness developed here are related to the frame rule of separation logic.

Finally, our formulation of equivalence has some self-imposed limitations needed to limit the complexity of the technical presentation. Here we are concerned with sequential and deterministic computation. Future work will show how these restrictions can be relaxed. Parallelism and concurrency can be naturally simulated using multi-token reductions, as inspired by the multi-token GoI machine of Dal Lago et al. [DTY17], whereas nondeterminism (or probabilistic evaluation) requires no changes to the machinery but rather a new definition of observational equivalence. This is work we are aiming to undertake in the future. A first step towards nondeterminism has been made [MSU24], in which the notion of counting simulation is extended from branching-free transition systems to nondeterministic automata.

References

  • [ABM14] Beniamino Accattoli, Pablo Barenbaum, and Damiano Mazza. Distilling abstract machines. In 19th ACM SIGPLAN International Conference on Functional Programming, ICFP 2014, September 1-3 2014, Gothenburg, Sweden, pages 363–376, 2014. doi:10.1145/2628136.2628154.
  • [Abr90] Samson Abramsky. The lazy lambda-calculus, pages 65–117. Addison Wesley, 1990.
  • [Abr97] Samson Abramsky. Game semantics for programming languages. In 22nd International Symposium on Mathematical Foundations of Computer Science, MFCS 1997, August 25-29 1997, Bratislava, Slovakia, pages 3–4, 1997. doi:10.1007/BFb0029944.
  • [ADV20] Beniamino Accattoli, Ugo Dal Lago, and Gabriele Vanoni. The machinery of interaction. In PPDP 2020, pages 4:1–4:15. ACM, 2020.
  • [ADV21] Beniamino Accattoli, Ugo Dal Lago, and Gabriele Vanoni. The (in)efficiency of interaction. Proc. ACM Program. Lang., 5(POPL):1–33, 2021. doi:10.1145/3434332.
  • [AG09] Beniamino Accattoli and Stefano Guerrini. Jumping boxes. In CSL 2009, volume 5771 of Lect. Notes Comp. Sci., pages 55–70. Springer, 2009. doi:10.1007/978-3-642-04027-6_7.
  • [AGSZ22] Mario Alvarez-Picallo, Dan R. Ghica, David Sprunger, and Fabio Zanasi. Rewriting for monoidal closed categories. In Amy P. Felty, editor, 7th International Conference on Formal Structures for Computation and Deduction, FSCD 2022, August 2-5, 2022, Haifa, Israel, volume 228 of LIPIcs, pages 29:1–29:20. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2022. doi:10.4230/LIPICS.FSCD.2022.29.
  • [AGSZ23] Mario Alvarez-Picallo, Dan R. Ghica, David Sprunger, and Fabio Zanasi. Functorial string diagrams for reverse-mode automatic differentiation. In Bartek Klin and Elaine Pimentel, editors, 31st EACSL Annual Conference on Computer Science Logic, CSL 2023, February 13-16, 2023, Warsaw, Poland, volume 252 of LIPIcs, pages 6:1–6:20. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2023. doi:10.4230/LIPICS.CSL.2023.6.
  • [AJM00] Samson Abramsky, Radha Jagadeesan, and Pasquale Malacaria. Full abstraction for PCF. Inf. Comput., 163(2):409–470, 2000. doi:10.1006/INCO.2000.2930.
  • [BGK+22a] Filippo Bonchi, Fabio Gadducci, Aleks Kissinger, Pawel Sobocinski, and Fabio Zanasi. String diagram rewrite theory I: rewriting with Frobenius structure. J. ACM, 69(2):14:1–14:58, 2022. doi:10.1145/3502719.
  • [BGK+22b] Filippo Bonchi, Fabio Gadducci, Aleks Kissinger, Pawel Sobocinski, and Fabio Zanasi. String diagram rewrite theory II: rewriting with symmetric monoidal structure. Math. Struct. Comput. Sci., 32(4):511–541, 2022. doi:10.1017/S0960129522000317.
  • [BGK+22c] Filippo Bonchi, Fabio Gadducci, Aleks Kissinger, Pawel Sobocinski, and Fabio Zanasi. String diagram rewrite theory III: confluence with and without Frobenius. Math. Struct. Comput. Sci., 32(7):829–869, 2022. doi:10.1017/S0960129522000123.
  • [BPPR17] Filippo Bonchi, Daniela Petrisan, Damien Pous, and Jurriaan Rot. A general account of coinduction up-to. Acta Inf., 54(2):127–190, 2017. doi:10.1007/s00236-016-0271-4.
  • [DGL17] Ugo Dal Lago, Francesco Gavazzo, and Paul Blain Levy. Effectful applicative bisimilarity: Monads, relators, and Howe's method. In 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, June 20-23, 2017, pages 1–12. IEEE Computer Society, 2017. doi:10.1109/LICS.2017.8005117.
  • [DHP02] Frank Drewes, Berthold Hoffmann, and Detlef Plump. Hierarchical graph transformation. J. Comput. Syst. Sci., 64(2):249–283, 2002. doi:10.1006/jcss.2001.1790.
  • [DMMZ12] Olivier Danvy, Kevin Millikin, Johan Munk, and Ian Zerny. On inter-deriving small-step and big-step semantics: A case study for storeless call-by-need evaluation. Theor. Comput. Sci., 435:21–42, 2012. doi:10.1016/j.tcs.2012.02.023.
  • [DNB12] Derek Dreyer, Georg Neis, and Lars Birkedal. The impact of higher-order state and control effects on local relational reasoning. J. Funct. Program., 22(4-5):477–528, 2012. doi:10.1017/S095679681200024X.
  • [DNRB10] Derek Dreyer, Georg Neis, Andreas Rossberg, and Lars Birkedal. A relational modal logic for higher-order stateful ADTs. In Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '10, pages 185–198, New York, NY, USA, 2010. ACM. doi:10.1145/1706299.1706323.
  • [DR96] Vincent Danos and Laurent Regnier. Reversible, irreversible and optimal lambda-machines. Elect. Notes in Theor. Comp. Sci., 3:40–60, 1996.
  • [DTY17] Ugo Dal Lago, Ryo Tanaka, and Akira Yoshimizu. The geometry of concurrent interaction: Handling multiple ports by way of multiple tokens. In 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, June 20-23, 2017, pages 1–12, 2017. doi:10.1109/LICS.2017.8005112.
  • [Ghi23] Dan R. Ghica. The far side of the cube. In Alessandra Palmigiano and Mehrnoosh Sadrzadeh, editors, Samson Abramsky on Logic and Structure in Computer Science and Beyond, pages 219–250. Springer Verlag, 2023.
  • [Gir87] Jean-Yves Girard. Linear logic. Theor. Comput. Sci., 50:1–102, 1987. doi:10.1016/0304-3975(87)90045-4.
  • [Gir89] Jean-Yves Girard. Geometry of Interaction I: interpretation of system F. In Logic Colloquium 1988, volume 127 of Studies in Logic & Found. Math., pages 221–260. Elsevier, 1989.
  • [GT12] Dan R. Ghica and Nikos Tzevelekos. A system-level game semantics. Electr. Notes Theor. Comput. Sci., 286:191–211, 2012. doi:10.1016/j.entcs.2012.08.013.
  • [Gur18] Yuri Gurevich. Evolving algebras 1993: Lipari guide. arXiv preprint arXiv:1808.06255, 2018.
  • [GZ23] Dan Ghica and Fabio Zanasi. String diagrams for λ-calculi and functional computation. arXiv preprint arXiv:2305.18945, 2023.
  • [HMH14] Naohiko Hoshino, Koko Muroya, and Ichiro Hasuo. Memoryful geometry of interaction: from coalgebraic components to algebraic effects. In Joint Meeting of the 23rd EACSL Annual Conference on Computer Science Logic (CSL) and the 29th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS 2014, July 14-18 2014, Vienna, Austria, pages 52:1–52:10, 2014. doi:10.1145/2603088.2603124.
  • [HO00] J. M. E. Hyland and C.-H. Luke Ong. On full abstraction for PCF: I, II, and III. Inf. Comput., 163(2):285–408, 2000. doi:10.1006/inco.2000.2917.
  • [How96] Douglas J. Howe. Proving congruence of bisimulation in functional programming languages. Inf. Comput., 124(2):103–112, 1996. doi:10.1006/INCO.1996.0008.
  • [JR05] Alan Jeffrey and Julian Rathke. Java Jr: Fully abstract trace semantics for a core Java language. In 14th European Symposium on Programming, ESOP 2005, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2005, April 4-8 2005, Edinburgh, UK, pages 423–438, 2005. doi:10.1007/978-3-540-31987-0_29.
  • [KLS11] Vasileios Koutavas, Paul Blain Levy, and Eijiro Sumii. From applicative to environmental bisimulation. In Michael W. Mislove and Joël Ouaknine, editors, Twenty-seventh Conference on the Mathematical Foundations of Programming Semantics, MFPS 2011, Pittsburgh, PA, USA, May 25-28, 2011, volume 276 of Electronic Notes in Theoretical Computer Science, pages 215–235. Elsevier, 2011. doi:10.1016/J.ENTCS.2011.09.023.
  • [Laf90] Yves Lafont. Interaction nets. In 17th Annual ACM Symposium on Principles of Programming Languages, POPL 1990, January 1990, San Francisco, California, USA, pages 95–108, 1990. doi:10.1145/96709.96718.
  • [Laf95] Yves Lafont. From proof nets to interaction nets, pages 225–248. London Mathematical Society Lecture Note Series. Cambridge University Press, 1995. doi:10.1017/CBO9780511629150.012.
  • [Mac95] Ian Mackie. The Geometry of Interaction machine. In POPL 1995, pages 198–208. ACM, 1995.
  • [Mac98] Ian Mackie. Linear logic with boxes. In 13th IEEE Symposium on Logic in Computer Science, June 21-24 1998, Indianapolis, IN, USA, pages 309–320, 1998. doi:10.1109/LICS.1998.705667.
  • [MCG18] Koko Muroya, Steven W. T. Cheung, and Dan R. Ghica. The geometry of computation-graph abstraction. In Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12 2018, pages 749–758, 2018. doi:10.1145/3209108.3209127.
  • [Mel06] Paul-André Melliès. Functorial boxes in string diagrams. In 20th International Workshop on Computer Science Logic, CSL 2006, 15th Annual Conference of the EACSL, September 25-29 2006, Szeged, Hungary, pages 1–30, 2006. doi:10.1007/11874683_1.
  • [MG17] Koko Muroya and Dan R. Ghica. The dynamic geometry of interaction machine: A call-by-need graph rewriter. In 26th EACSL Annual Conference on Computer Science Logic, CSL 2017, August 20-24 2017, Stockholm, Sweden, pages 32:1–32:15, 2017. doi:10.4230/LIPIcs.CSL.2017.32.
  • [MH24] Koko Muroya and Makoto Hamana. Term evaluation systems with refinements: First-order, second-order, and contextual improvement. In Jeremy Gibbons and Dale Miller, editors, Functional and Logic Programming - 17th International Symposium, FLOPS 2024, Kumamoto, Japan, May 15-17, 2024, Proceedings, volume 14659 of Lecture Notes in Computer Science, pages 31–61. Springer, 2024. doi:10.1007/978-981-97-2300-3_3.
  • [MHH16] Koko Muroya, Naohiko Hoshino, and Ichiro Hasuo. Memoryful geometry of interaction II: recursion and adequacy. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, St. Petersburg, FL, USA, January 20-22 2016, pages 748–760, 2016. doi:10.1145/2837614.2837672.
  • [Mil01] Robin Milner. Bigraphical reactive systems. In International Conference on Concurrency Theory, pages 16–35. Springer, 2001. doi:10.1007/3-540-44685-0_2.
  • [MJ69] James Hiram Morris Jr. Lambda-calculus models of programming languages. PhD thesis, Massachusetts Institute of Technology, 1969. URL: https://dspace.mit.edu/handle/1721.1/64850.
  • [MS11] Rasmus Ejlers Møgelberg and Sam Staton. Linearly-used state in models of call-by-value. In 4th International Conference on Algebra and Coalgebra in Computer Science, CALCO 2011, August 30 - September 2 2011, Winchester, UK, pages 298–313, 2011. doi:10.1007/978-3-642-22944-2_21.
  • [MSU24] Koko Muroya, Takahiro Sanada, and Natsuki Urabe. Preorder-constrained simulations for program refinement with effects. In CMCS 2024, 2024. To appear.
  • [Mur20] Koko Muroya. Hypernet Semantics of Programming Languages. PhD thesis, University of Birmingham, 2020.
  • [OP99] Peter W. O'Hearn and David J. Pym. The logic of bunched implications. Bulletin of Symbolic Logic, 5(2):215–244, 1999. doi:10.2307/421090.
  • [OT97] Peter O’Hearn and Robert Tennent, editors. Algol-like languages. Progress in theoretical computer science. Birkhauser, 1997. doi:10.1007/978-1-4612-4118-8.
  • [Pav13] Dusko Pavlovic. Monoidal computer I: Basic computability by string diagrams. Information and Computation, 226:94–116, 2013. doi:10.1016/j.ic.2013.03.007.
  • [Pit00] Andrew M. Pitts. Operational semantics and program equivalence. In Gilles Barthe, Peter Dybjer, Luís Pinto, and João Saraiva, editors, Applied Semantics, International Summer School, APPSEM 2000, Caminha, Portugal, September 9-15, 2000, Advanced Lectures, volume 2395 of Lecture Notes in Computer Science, pages 378–412. Springer, 2000. doi:10.1007/3-540-45699-6_8.
  • [PP08] Gordon D. Plotkin and John Power. Tensors of comodels and models for operational semantics. Electr. Notes Theor. Comput. Sci., 218:295–311, 2008. doi:10.1016/j.entcs.2008.10.018.
  • [Pre15] Matija Pretnar. An introduction to algebraic effects and handlers. invited tutorial paper. Elect. Notes in Theor. Comp. Sci., 319:19–35, 2015.
  • [Rey02] John C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedings 17th Annual IEEE Symposium on Logic in Computer Science, pages 55–74. IEEE, 2002. doi:10.1109/LICS.2002.1029817.
  • [Roz97] Grzegorz Rozenberg, editor. Handbook of graph grammars and computing by graph transformations, volume 1: foundations. World Scientific, 1997.
  • [San95] David Sands. Total correctness by local improvement in program transformation. In Ron K. Cytron and Peter Lee, editors, Conference Record of POPL’95: 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Francisco, California, USA, January 23-25, 1995, pages 221–232. ACM Press, 1995. doi:10.1145/199448.199485.
  • [Sin05] François-Régis Sinot. Call-by-name and call-by-value as token-passing interaction nets. In 7th International Conference on Typed Lambda Calculi and Applications, TLCA 2005, April 21-23 2005, Nara, Japan, pages 386–400, 2005. doi:10.1007/11417170_28.
  • [Sin06] François-Régis Sinot. Call-by-need in token-passing nets. Mathematical Structures in Computer Science, 16(4):639–666, 2006. doi:10.1017/S0960129506005408.
  • [SKS07] Davide Sangiorgi, Naoki Kobayashi, and Eijiro Sumii. Environmental bisimulations for higher-order languages. In LICS 2007, pages 293–302. IEEE Computer Society, 2007.
  • [Sta85] Richard Statman. Logical relations and the typed lambda-calculus. Information and Control, 65(2/3):85–97, 1985. doi:10.1016/S0019-9958(85)80001-2.
  • [SV18] Alex Simpson and Niels F. W. Voorneveld. Behavioural equivalence via modalities for algebraic effects. In Amal Ahmed, editor, Programming Languages and Systems - 27th European Symposium on Programming, ESOP 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings, volume 10801 of Lecture Notes in Computer Science, pages 300–326. Springer, 2018. doi:10.1007/978-3-319-89884-1_11.
  • [Wad98] Philip Wadler. The marriage of effects and monads. In ACM SIGPLAN Notices, volume 34:1, pages 63–74. ACM, 1998. doi:10.1145/289423.289429.

Appendix A An alternative definition of hypernets

Informally, hypernets are nested hypergraphs, and one hypernet can contain nested hypergraphs up to different depths. This intuition is reflected by the definition of hypernets (footnote 3), in particular the big union in $\mathcal{H}_{k+1}(L,M)=\mathcal{H}\bigl(L,M\cup\bigcup_{i\leq k}\mathcal{H}_{i}(L,M)\bigr)$. In fact, the definition can be replaced by the simpler, but possibly less intuitive, definition below, which does not explicitly deal with the different depths of nesting.

Definition. Given sets $L$ and $M$, a set $\mathcal{H}'_{k}(L,M)$ is defined by induction on $k\in\mathbb{N}$:

$$\mathcal{H}'_{0}(L,M) := \mathcal{H}(L,M)$$
$$\mathcal{H}'_{k+1}(L,M) := \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k}(L,M)\bigr)$$

and hence a set $\mathcal{H}'_{\omega}(L,M):=\bigcup_{i\in\mathbb{N}}\mathcal{H}'_{i}(L,M)$.

Lemma 17.

Given arbitrary sets $L$ and $M$, any two numbers $k,k'\in\mathbb{N}$ satisfy $\mathcal{H}'_{k}(L,M)\subseteq\mathcal{H}'_{k+k'}(L,M)$.

Proof A.1.

If $k'=0$, the inclusion trivially holds. If not, i.e. $k'>0$, it can be proved by induction on $k\in\mathbb{N}$. The key reasoning principle we use is that $M\subseteq M'$ implies $\mathcal{H}(L,M)\subseteq\mathcal{H}(L,M')$.

In the base case, when $k=0$ (and $k'>0$), we have

$$\mathcal{H}'_{0}(L,M) = \mathcal{H}(L,M) \subseteq \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k'-1}(L,M)\bigr) = \mathcal{H}'_{k'}(L,M).$$

In the inductive case, when $k>0$ (and $k'>0$), we have

$$\mathcal{H}'_{k}(L,M) = \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k-1}(L,M)\bigr) \subseteq \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k-1+k'}(L,M)\bigr) = \mathcal{H}'_{k+k'}(L,M)$$

where the inclusion is by the induction hypothesis on $k-1$.

Proposition 18.

Any sets $L$ and $M$ satisfy $\mathcal{H}_{k}(L,M)=\mathcal{H}'_{k}(L,M)$ for any $k\in\mathbb{N}$, and hence $\mathcal{H}_{\omega}(L,M)=\mathcal{H}'_{\omega}(L,M)$.

Proof A.2.

We first prove $\mathcal{H}_{k}(L,M)\subseteq\mathcal{H}'_{k}(L,M)$ by induction on $k\in\mathbb{N}$. The base case, when $k=0$, is trivial. In the inductive case, when $k>0$, we have

$$\mathcal{H}_{k}(L,M) = \mathcal{H}\Bigl(L,M\cup\bigcup_{i\leq k-1}\mathcal{H}_{i}(L,M)\Bigr) \subseteq \mathcal{H}\Bigl(L,M\cup\bigcup_{i\leq k-1}\mathcal{H}'_{i}(L,M)\Bigr) \quad\text{(by I.H.)}$$
$$= \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k-1}(L,M)\bigr) \quad\text{(by Lemma 17)}$$
$$= \mathcal{H}'_{k}(L,M).$$

The other direction, i.e. $\mathcal{H}'_{k}(L,M)\subseteq\mathcal{H}_{k}(L,M)$, can also be proved by induction on $k\in\mathbb{N}$. The base case, when $k=0$, is again trivial. In the inductive case, we have

$$\mathcal{H}'_{k}(L,M) = \mathcal{H}\bigl(L,M\cup\mathcal{H}'_{k-1}(L,M)\bigr) \subseteq \mathcal{H}\bigl(L,M\cup\mathcal{H}_{k-1}(L,M)\bigr) \quad\text{(by I.H.)}$$
$$\subseteq \mathcal{H}\Bigl(L,M\cup\bigcup_{i\leq k-1}\mathcal{H}_{i}(L,M)\Bigr) = \mathcal{H}_{k}(L,M).$$

Given a hypernet $G$, by Lemma 17 and Proposition 18 there exists a minimum number $k$ such that $G\in\mathcal{H}'_{k}(L,M)$, which we call the "minimum level" of $G$.

Lemma 19.

Any hypernet has a finite number of shallow edges, and a finite number of deep edges.

Proof A.3.

Any hypernet has a finite number of shallow edges by definition. We prove that any hypernet $G$ has a finite number of deep edges, by induction on the minimum level $k$ of the hypernet.

When $k=0$, the hypernet has no deep edges.

When $k>0$, each hypernet $H$ that labels a shallow edge of $G$ belongs to $\mathcal{H}'_{k-1}(L,M)$, and therefore its minimum level is less than $k$. By the induction hypothesis, the labelling hypernet $H$ has a finite number of deep edges, and also a finite number of shallow edges. Deep edges of $G$ are given by edges, at any depth, of any hypernet that labels a shallow edge of $G$. Because there is a finite number of hypernets that label the shallow edges of $G$, the number of deep edges of $G$ is finite.
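As an added illustration (not code from the paper), the following Python models a hypernet abstractly as the tuple of labels of its shallow edges, where a label is either an atom (standing in for an element of $L$ or $M$) or another hypernet (a box edge labelled by its content). It computes the minimum level defined above, decides membership in $\mathcal{H}'_{k}(L,M)$ directly from the inductive definition, and counts shallow and deep edges as in Lemma 19. The sample hypernet at the bottom is constructed for the example; the atom names are arbitrary.

```python
"""Nested hypernets: minimum level and shallow/deep edge counts (Appendix A).

Added example, not from the paper. A hypernet is abstracted to the labels of
its shallow edges; an atom label stands for an element of L or M, and a
Hypernet label stands for a box edge labelled by its content. With this
reading, H'_0(L, M) is the set of hypernets with no box edge and
H'_{k+1}(L, M) the set of hypernets whose box contents all lie in H'_k(L, M).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Hypernet:
    edges: Tuple[Union[str, "Hypernet"], ...]   # labels of the shallow edges

    def boxes(self) -> Tuple["Hypernet", ...]:
        return tuple(e for e in self.edges if isinstance(e, Hypernet))


def in_level(g: Hypernet, k: int) -> bool:
    """Decide g in H'_k(L, M) directly from the inductive definition."""
    for h in g.boxes():
        if k == 0 or not in_level(h, k - 1):
            return False
    return True


def min_level(g: Hypernet) -> int:
    """Least k with g in H'_k(L, M). Since H'_k grows with k (Lemma 17), this is
    0 for a box-free hypernet and otherwise 1 + the largest level of a box."""
    boxes = g.boxes()
    return 0 if not boxes else 1 + max(min_level(h) for h in boxes)


def shallow_edge_count(g: Hypernet) -> int:
    return len(g.edges)


def deep_edge_count(g: Hypernet) -> int:
    """Edges at any positive depth: the shallow and deep edges of every box
    content (Lemma 19). The recursion descends the minimum level, so it ends."""
    return sum(shallow_edge_count(h) + deep_edge_count(h) for h in g.boxes())


# Constructed sample: two atomic edges plus a box whose content contains a box.
INNER = Hypernet(("op",))                   # minimum level 0
MIDDLE = Hypernet(("op", INNER))            # minimum level 1
SAMPLE = Hypernet(("lam", "app", MIDDLE))   # minimum level 2

if __name__ == "__main__":
    print(min_level(SAMPLE), shallow_edge_count(SAMPLE), deep_edge_count(SAMPLE))
```

The check `in_level(g, k) == (k >= min_level(g))` for every `k` is exactly the monotonicity of Lemma 17 restated on concrete data.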

Appendix B Plugging

An interfaced labelled monoidal hypergraph can be given by data of the following form: $((V\uplus I\uplus O,E),(S,T),(f_{V},f_{E}))$ where $I$ is the input list, $O$ is the output list, $V$ is the set of all the other vertices, $E$ is the set of edges, $(S,T)$ defines source and target lists, and $(f_{V},f_{E})$ are the labelling functions.

Definition (Plugging). Let $\mathcal{C}[\vec{\chi^{1}},\chi,\vec{\chi^{2}}]=((V\uplus I\uplus O,E),(S,T),(f_{V},f_{E}))$ and $\mathcal{C}'[\vec{\chi^{3}}]=((V'\uplus I'\uplus O',E'),(S',T'),(f'_{V},f'_{E}))$ be contexts, such that the hole $\chi$ and the latter context $\mathcal{C}'$ have the same type and $\vec{\chi^{1}}\cap\vec{\chi^{2}}\cap\vec{\chi^{3}}=\emptyset$. The plugging $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$ is a hypernet given by data $((\hat{V},\hat{E}),(\hat{S},\hat{T}),(\hat{f}_{V},\hat{f}_{E}))$ such that:

$$\hat{V} = V\uplus V'\uplus I\uplus O$$
$$\hat{E} = (E\setminus\{e_{\chi}\})\uplus E'$$
$$\hat{S}(e) = \begin{cases} S(e) & \text{if } e\in E\setminus\{e_{\chi}\} \\ g^{*}(S'(e)) & \text{if } e\in E' \end{cases}$$
$$\hat{T}(e) = \begin{cases} T(e) & \text{if } e\in E\setminus\{e_{\chi}\} \\ g^{*}(T'(e)) & \text{if } e\in E' \end{cases}$$
$$g(v) = \begin{cases} v & \text{if } v\in V' \\ (S(e_{\chi}))_{i} & \text{if } v=(I')_{i} \\ (T(e_{\chi}))_{i} & \text{if } v=(O')_{i} \end{cases}$$
$$\hat{f}_{V}(v) = \begin{cases} f_{V}(v) & \text{if } v\in V \\ f'_{V}(v) & \text{if } v\in V' \end{cases}$$
$$\hat{f}_{E}(e) = \begin{cases} f_{E}(e) & \text{if } e\in E\setminus\{e_{\chi}\} \\ f'_{E}(e) & \text{if } e\in E' \end{cases}$$

where $e_{\chi}\in E$ is the hole edge labelled with $\chi$, $(-)_{i}$ denotes the $i$-th element of a list, and $g^{*}$ is the elementwise extension of $g$ to lists of vertices.

In the resulting context $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$, each edge comes from either $\mathcal{C}$ or $\mathcal{C}'$. If a path in $\mathcal{C}$ does not contain the hole edge $e_{\chi}$, the path gives a path in $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$. Conversely, if a path in $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$ consists of edges from $\mathcal{C}$ only, the path gives a path in $\mathcal{C}$.

Any path in $\mathcal{C}'$ gives a path in $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$. However, if a path in $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$ consists of edges from $\mathcal{C}'$ only, the path does not necessarily give a path in $\mathcal{C}'$: the map $g$ may identify an input of $\mathcal{C}'$ with an output of $\mathcal{C}'$ when the hole edge shares a source with a target. The path does give a path in $\mathcal{C}'$ if the sources and targets of the hole edge $e_{\chi}$ are distinct in $\mathcal{C}$ (i.e. the hole edge $e_{\chi}$ is not a self-loop).
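The plugging construction, as an added Python example that is not part of the paper: a context is an interfaced labelled hypergraph with ordered inputs and outputs, hole edges are recognised by an assumed label prefix `hole:`, and `plug` follows the definition of $\mathcal{C}[\vec{\chi^{1}},\mathcal{C}',\vec{\chi^{2}}]$ literally, including the map $g$ and its lifting $g^{*}$. The sample contexts `C`, `D` and `C_LOOP` are constructed for the example; `C_LOOP` has a self-loop hole edge and shows the caveat at the end of this appendix, namely that plugging into it creates a cycle through $\mathcal{C}'$'s own edges that is not a path in $\mathcal{C}'$.

```python
"""Plugging a context into a hole edge (Appendix B).

Added example, not from the paper. A context is an interfaced labelled
hypergraph ((V + I + O, E), (S, T), (f_V, f_E)) with disjoint unions written
as +. Hole edges are edges whose label starts with "hole:" (an assumed
encoding). plug() follows the definition of C[chi1, C', chi2] literally:
the hole edge e_chi is dropped, the edges of C' are added, and g sends the
i-th input of C' to the i-th source of e_chi and the i-th output of C' to
the i-th target of e_chi; g* is g applied elementwise to source/target lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Context:
    vertices: Dict[str, str]        # V, with f_V: vertex -> label
    inputs: List[str]               # I, ordered
    outputs: List[str]              # O, ordered
    edges: Dict[str, str]           # E, with f_E: edge -> label
    sources: Dict[str, List[str]]   # S: edge -> source list
    targets: Dict[str, List[str]]   # T: edge -> target list

    def all_vertices(self) -> Set[str]:
        return set(self.vertices) | set(self.inputs) | set(self.outputs)

    def edge_type(self, e: str) -> Tuple[int, int]:
        return len(self.sources[e]), len(self.targets[e])

    def interface_type(self) -> Tuple[int, int]:
        return len(self.inputs), len(self.outputs)


def plug(c: Context, hole: str, d: Context) -> Context:
    """C[..., D, ...]: plug context D into the hole edge `hole` of C."""
    if not c.edges.get(hole, "").startswith("hole:"):
        raise ValueError(f"{hole!r} is not a hole edge of C")
    if c.edge_type(hole) != d.interface_type():
        raise ValueError("the hole and the plugged context must have the same type")
    if c.all_vertices() & d.all_vertices() or set(c.edges) & set(d.edges):
        raise ValueError("contexts must use disjoint vertex and edge names")

    g = {v: v for v in d.vertices}                  # g(v) = v on V'
    g.update(zip(d.inputs, c.sources[hole]))        # g((I')_i) = (S(e_chi))_i
    g.update(zip(d.outputs, c.targets[hole]))       # g((O')_i) = (T(e_chi))_i

    def g_star(vs: List[str]) -> List[str]:
        return [g[v] for v in vs]

    kept = [e for e in c.edges if e != hole]        # E \ {e_chi}
    return Context(
        vertices={**c.vertices, **d.vertices},      # V + V' (I and O stay C's)
        inputs=list(c.inputs),
        outputs=list(c.outputs),
        edges={**{e: c.edges[e] for e in kept}, **d.edges},
        sources={**{e: c.sources[e] for e in kept},
                 **{e: g_star(d.sources[e]) for e in d.edges}},
        targets={**{e: c.targets[e] for e in kept},
                 **{e: g_star(d.targets[e]) for e in d.edges}},
    )


def reachable(ctx: Context, start: str) -> Set[str]:
    """Vertices reachable from `start` by a non-empty path of edges."""
    seen: Set[str] = set()
    frontier = [start]
    while frontier:
        v = frontier.pop()
        for e in ctx.edges:
            if v in ctx.sources[e]:
                for w in ctx.targets[e]:
                    if w not in seen:
                        seen.add(w)
                        frontier.append(w)
    return seen


# Constructed sample contexts; vertex and edge names are arbitrary.
# C:      i0 --lam--> v1 --hole:chi--> o0
C = Context(vertices={"v1": "v"}, inputs=["i0"], outputs=["o0"],
            edges={"e1": "lam", "h": "hole:chi"},
            sources={"e1": ["i0"], "h": ["v1"]},
            targets={"e1": ["v1"], "h": ["o0"]})
# D:      i'0 --a--> w --b--> o'0        (type 1 -> 1, matching the hole)
D = Context(vertices={"w": "v"}, inputs=["i'0"], outputs=["o'0"],
            edges={"a": "op", "b": "op"},
            sources={"a": ["i'0"], "b": ["w"]},
            targets={"a": ["w"], "b": ["o'0"]})
# C_LOOP: the hole edge is a self-loop on u, the case excluded above.
C_LOOP = Context(vertices={"u": "v"}, inputs=[], outputs=[],
                 edges={"h": "hole:chi"}, sources={"h": ["u"]}, targets={"h": ["u"]})

PLUGGED = plug(C, "h", D)            # i0 --lam--> v1 --a--> w --b--> o0
PLUGGED_LOOP = plug(C_LOOP, "h", D)  # u --a--> w --b--> u: a cycle through w
```

In `PLUGGED`, every path using only `D`'s edges is a path of `D`; in `PLUGGED_LOOP`, the vertex `w` reaches itself through `a` and `b` although it does not in `D`, which is the situation the paragraph above excludes by requiring the hole edge not to be a self-loop.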

Appendix C Rooted states

Lemma 20.

Let $(X,\rightarrowtriangle)$ be an abstract rewriting system that is deterministic.

  (1) For any $x,y,y'\in X$ such that $y$ and $y'$ are normal forms, and for any $k,h\in\mathbb{N}$, if there exist two sequences $x\rightarrowtriangle^{k}y$ and $x\rightarrowtriangle^{h}y'$, then these sequences are exactly the same.

  (2) For any $x,y\in X$ such that $y$ is a normal form, and for any $i,j,k\in\mathbb{N}$ such that $i\neq j$ and $i,j\in\{1,\ldots,k\}$, if there exists a sequence $x\rightarrowtriangle^{k}y$, then its $i$-th rewrite $z\rightarrowtriangle z'$ and $j$-th rewrite $w\rightarrowtriangle w'$ satisfy $z\neq w$.

Proof C.1.

The point (1) is proved by induction on $k+h\in\mathbb{N}$. In the base case, when $k+h=0$ (i.e. $k=h=0$), the two sequences are both the empty sequence, and $x=y=y'$. The inductive case, when $k+h>0$, falls into one of the following two situations. The first situation, where $k=0$ or $h=0$, boils down to the base case, because $x$ must then be a normal form itself, which means $k=h=0$. In the second situation, where $k>0$ and $h>0$, there exist elements $z,z'\in X$ such that $x\rightarrowtriangle z\rightarrowtriangle^{k-1}y$ and $x\rightarrowtriangle z'\rightarrowtriangle^{h-1}y'$. Because $\rightarrowtriangle$ is deterministic, $z=z'$ follows, and hence by the induction hypothesis on $(k-1)+(h-1)$ these two sequences are the same.

The point (2) is proved by contradiction. The sequence $x\rightarrowtriangle^{k}y$ from $x$ to the normal form $y$ is unique, by point (1). If its $i$-th rewrite $z\rightarrowtriangle z'$ and $j$-th rewrite $w\rightarrowtriangle w'$ satisfy $z=w$, determinism of the system implies that these two rewrites are the same. This means that the sequence $x\rightarrowtriangle^{k}y$ has a cyclic sub-sequence, and by repeating the cycle a different number of times one can obtain different sequences of rewrites $x\rightarrowtriangle^{*}y$ from $x$ to $y$. This contradicts the uniqueness of the original sequence $x\rightarrowtriangle^{k}y$.

Lemma 21.

If a state $\dot{G}$ is rooted, a search sequence $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \dot{G}$ from the initial state $?;|\dot{G}|$ to the state $\dot{G}$ is unique. Moreover, for any $i$-th search transition and $j$-th search transition in the sequence such that $i \neq j$, these transitions do not result in the same state.

Proof C.2.

Let $X$ be the set of states with the $?$-focus or the $\checkmark$-focus. We can define an abstract rewriting system $(X, \rightarrowtriangle)$ of "reverse search" by: $\dot{H} \rightarrowtriangle \dot{H'}$ if $\dot{H'} \overset{\bullet}{\rightarrow} \dot{H}$. Any search sequence corresponds to a sequence of rewrites in this rewriting system.

The rewriting system is deterministic, i.e. if $\dot{H'} \overset{\bullet}{\rightarrow} \dot{H}$ and $\dot{H''} \overset{\bullet}{\rightarrow} \dot{H}$ then $\dot{H'} = \dot{H''}$, because the inverse $\mapsto^{-1}$ of the interaction rules (Figure 9) is deterministic.

If a search transition changes a focus to the $?$-focus, the resulting $?$-focus always has an incoming operation edge. This means that, in the rewriting system $(X, \rightarrowtriangle)$, initial states are normal forms. Therefore, by Lemma 20(1), if there exist two search sequences from the initial state $?;|\dot{G}|$ to the state $\dot{G}$, these search sequences are exactly the same. The rest is a consequence of Lemma 20(2).

Lemma 22.

For any hypernet $N$, if there exists an operation path from an input to a vertex, the path is unique. Moreover, no edge appears twice in the operation path.

Proof C.3.

Given the hypernet $N$ whose set of (shallow) vertices is $X$, we can define an abstract rewriting system $(X, \rightarrowtriangle)$ of "reverse connection" by: $v \rightarrowtriangle v'$ if there exists an operation edge whose unique source is $v'$ and whose targets include $v$. Any operation path from an input to a vertex in $N$ corresponds to a sequence of rewrites in this rewriting system.

This rewriting system is deterministic, because each vertex can have at most one incoming edge in a hypergraph (Section 3.1) and each operation edge has exactly one source. Because inputs of the hypernet $N$ have no incoming edges, they are normal forms in this rewriting system. Therefore, by Lemma 20(1), an operation path from any input to any vertex is unique.

The rest is proved by contradiction. We assume that, in an operation path $P$ from an input to a vertex, the same operation edge $e$ appears twice. The edge $e$ has one source, which either is an input of the hypernet $N$ or has an incoming edge. In the former case, the edge $e$ can only appear as the first edge of the operation path $P$, which is a contradiction. In the latter case, the operation edge $e$ has exactly one incoming edge $e'$ in the hypernet $N$. In the operation path $P$, each appearance of the operation edge $e$ must be preceded by this edge $e'$ via the same vertex. This contradicts Lemma 20(2).

Lemma 23.

For any rooted state $\dot{G}$, if its focus source (i.e. the source of the focus) does not coincide with the unique input, then there exists an operation path from the input to the focus source.

Proof C.4.

By Lemma 21, the rooted state $\dot{G}$ has a unique search sequence $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \dot{G}$. The proof is by induction on the length $k$ of this sequence.

In the base case, where $k = 0$, the state $\dot{G}$ itself is an initial state, which means the input and focus source coincide in $\dot{G}$.

In the inductive case, where $k > 0$, there exists a state $\dot{G'}$ such that $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{k-1} \dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$. The proof here is by case analysis on the interaction rule used in $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$.

  • When one of the interaction rules in Figures 18a, 18b, 18c and 9e is used, the transition $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$ only changes a focus label.

  • When the interaction rule in Figure 9b is used, the transition $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$ turns the focus and its outgoing operation edge $e_{G'}$ into an operation edge $e_{G}$ and its outgoing focus. By the induction hypothesis on $\dot{G'}$, either the focus source coincides with the input, or there exists an operation path from the input to the focus source, in $\dot{G'}$.

    In the former case, in $\dot{G}$, the source of the operation edge $e_{G}$ coincides with the input. The edge $e_{G}$ itself gives the desired operation path in $\dot{G}$.

    In the latter case, the operation path $P_{G'}$ from the input to the focus source in $\dot{G'}$ does not contain the outgoing operation edge $e_{G'}$ of the focus; otherwise, the edge $e_{G'}$ would have to be preceded by the focus edge in the operation path $P_{G'}$, which is a contradiction. Therefore, the operation path $P_{G'}$ in $\dot{G'}$ is inherited in $\dot{G}$, becoming a path $P_{G}$ from the input to the source of the incoming operation edge $e_{G}$ of the focus. In the state $\dot{G}$, the path $P_{G}$ followed by the edge $e_{G}$ yields the desired operation path.

  • When the interaction rule in Figure 9c is used, the transition $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$ changes the focus from a $(k+1)$-th outgoing edge of an operation edge $e$ to a $(k+2)$-th outgoing edge of the same operation edge $e$, for some $k \in \mathbb{N}$. In $\dot{G'}$, the focus source is not an input, and therefore, there exists an operation path $P_{G'}$ from the input to the focus source, by the induction hypothesis.

    The operation path $P_{G'}$ ends with the operation edge $e$, and no outgoing edge of the edge $e$ is involved in the path $P_{G'}$; otherwise, the edge $e$ would have to appear more than once in the path $P_{G'}$, which is a contradiction by Lemma 22. Therefore, the path $P_{G'}$ is inherited exactly as it is in $\dot{G}$, and it gives the desired operation path.

  • When the interaction rule in Figure 9d is used, by the same reasoning as in the case of Figure 9c, $\dot{G'}$ has an operation path $P_{G'}$ from the input to the focus source, where the incoming operation edge $e_{G'}$ of the focus appears exactly once, at the end. Removing the edge $e_{G'}$ from the path $P_{G'}$ yields another operation path $P$ from the input in $\dot{G'}$, and it also gives an operation path from the input to the focus source in $\dot{G}$.

Lemma 24.

For any state $\dot{G}$ with a $\mathsf{t}$-focus such that $\mathsf{t} \neq ?$, if $\dot{G}$ is rooted, then there exists a search sequence $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G} \rangle_{?/\mathsf{t}} \overset{\bullet}{\rightarrow}^{+} \dot{G}$.

Proof C.5.

By Lemma 21, the rooted state $\dot{G}$ has a unique search sequence $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \dot{G}$. The proof is to show that a transition from the state $\langle \dot{G} \rangle_{?/\mathsf{t}}$ appears in this search sequence, and it is by induction on the length $k$ of the search sequence.

Because $\dot{G}$ does not have the $?$-focus, $k = 0$ is impossible, and therefore the base case is when $k = 1$. The search transition $?;|\dot{G}| \overset{\bullet}{\rightarrow} \dot{G}$ must use one of the interaction rules in Figures 18a, 18b, 18c and 9e. This means $?;|\dot{G}| = \langle \dot{G} \rangle_{?/\mathsf{t}}$.

In the inductive case, where $k > 0$, there exists a state $\dot{G'}$ such that $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{k-1} \dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$. The proof here is by case analysis on the interaction rule used in $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$.

  • When one of the interaction rules in Figures 18a, 18b, 18c and 9e is used, $?;|\dot{G}| = \langle \dot{G} \rangle_{?/\mathsf{t}}$.

  • Because $\dot{G}$ does not have the $?$-focus, the interaction rules in Figures 9b and 9c can never be used in $\dot{G'} \overset{\bullet}{\rightarrow} \dot{G}$.

  • When the interaction rule in Figure 9d is used, $\dot{G'}$ has the $\checkmark$-focus, which is a $(k+1)$-th outgoing edge of an operation edge $e$, for some $k \in \mathbb{N}$. The operation edge $e$ becomes the outgoing edge of the focus in $\dot{G}$. By the induction hypothesis on $\dot{G'}$, we have

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G'} \rangle_{?/\checkmark} \overset{\bullet}{\rightarrow}^{+} \dot{G'} \overset{\bullet}{\rightarrow} \dot{G}. \qquad \text{(A)}$$

    If $k = 0$, in $\dot{G'}$, the focus is the only outgoing edge of the operation edge $e$. Because $\langle \dot{G'} \rangle_{?/\checkmark}$ is not an initial state, it must be a result of the interaction rule in Figure 9b, which means the search sequence (A) factors as:

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G} \rangle_{?/\mathsf{t}} \overset{\bullet}{\rightarrow} \langle \dot{G'} \rangle_{?/\checkmark} \overset{\bullet}{\rightarrow}^{+} \dot{G'} \overset{\bullet}{\rightarrow} \dot{G}.$$

    If $k > 0$, for each $m \in \{0, \ldots, k\}$, let $\dot{N_m}$ be a state with the $?$-focus, such that $|\dot{N_m}| = |\dot{G'}|$ and the focus is an $(m+1)$-th outgoing edge of the operation edge $e$. This means $\dot{N_k} = \langle \dot{G'} \rangle_{?/\checkmark}$. The proof concludes by combining the following internal lemma with (A), taking $k$ as $m$.

    Lemma 25.

    For any $m \in \{0, \ldots, k\}$, if there exists $h < k$ such that $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{h} \dot{N_m}$, then this sequence factors as $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G} \rangle_{?/\mathsf{t}} \overset{\bullet}{\rightarrow}^{+} \dot{N_m}$.

    Proof C.6.

    By induction on $m$. In the base case, when $m = 0$, the focus of $\dot{N_m}$ is the first outgoing edge of the operation edge $e$. This state is not initial, and therefore must be a result of the interaction rule in Figure 9b, which means

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G} \rangle_{?/\mathsf{t}} \overset{\bullet}{\rightarrow} \dot{N_m}.$$

    In the inductive case, when $m > 0$, the state $\dot{N_m}$ is not an initial state and must be a result of the interaction rule in Figure 9c, which means

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{N_{m-1}} \rangle_{\checkmark/?} \overset{\bullet}{\rightarrow} \dot{N_m}.$$

    The first half of this search sequence, namely $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{N_{m-1}} \rangle_{\checkmark/?}$, consists of $h - 1 < k$ transitions. Therefore, by the (outer) induction hypothesis on $h - 1$, we have

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \dot{N_{m-1}} \overset{\bullet}{\rightarrow}^{+} \langle \dot{N_{m-1}} \rangle_{\checkmark/?} \overset{\bullet}{\rightarrow} \dot{N_m}.$$

    The first part, namely $?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \dot{N_{m-1}}$, consists of fewer than $k$ transitions. Therefore, by the (inner) induction hypothesis on $m - 1$, we have

    $$?;|\dot{G}| \overset{\bullet}{\rightarrow}^{*} \langle \dot{G} \rangle_{?/\mathsf{t}} \overset{\bullet}{\rightarrow}^{+} \dot{N_{m-1}} \overset{\bullet}{\rightarrow}^{+} \langle \dot{N_{m-1}} \rangle_{\checkmark/?} \overset{\bullet}{\rightarrow} \dot{N_m}.$$

Lemma 26.
  1. (1)

    For any state $\dot{N}$, if it has a path to the focus source that is not an operation path, then it is not rooted.

  2. (2)

    For any focus-free hypernet $H$ and any focussed context $\dot{\mathcal{C}}[\chi]$ with one hole edge, such that $\dot{\mathcal{C}}[H]$ is a state, if the hypernet $H$ is one-way and the context $\dot{\mathcal{C}}$ has a path to the focus source that is not an operation path, then the state $\dot{\mathcal{C}}[H]$ is not rooted.

  3. (3)

    For any $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\vec{\chi}]; \vec{G}; \vec{H})$ of an output-closed pre-template $\vartriangleleft$, if the context $\dot{\mathcal{C}}[\vec{\chi}]$ has a path to the focus source that is not an operation path, then at least one of the states $\dot{\mathcal{C}}[\vec{G}]$ and $\dot{\mathcal{C}}[\vec{H}]$ is not rooted.

Proof C.7 (Proof of the point (1)).

Let $P$ be the path in $\dot{N}$ to the focus source that is not an operation path. The proof is by contradiction; we assume that $\dot{N}$ is a rooted state.

Because of $P$, the focus source is not an input. Therefore by Lemma 23, the state $\dot{N}$ has an operation path from its unique input to the focus source. This operation path contradicts the path $P$, which is not an operation path, because each operation edge has only one source and each vertex has at most one incoming edge.

Proof C.8 (Proof of the point (2)).

Let $P$ be the path in $\dot{\mathcal{C}}$ to the focus source that is not an operation path.

If the path $P$ contains no hole edge, it gives a path in the state $\dot{\mathcal{C}}[H]$ to the focus source that is not an operation path. By the point (1), the state is not rooted.

Otherwise, i.e. if the path $P$ contains a hole edge, we give a proof by contradiction; we assume that the state $\dot{\mathcal{C}}[H]$ is rooted. We can take a suffix of the path $P$, so that it gives a path from a target of a hole edge to the focus source in $\dot{\mathcal{C}}$, and moreover, gives a path $P'$ from a source of an edge from $H$ to the focus source in $\dot{\mathcal{C}}[H]$. This implies the focus source is not an input, and therefore by Lemma 23, the state $\dot{\mathcal{C}}[H]$ has an operation path from its unique input to the focus source. This operation path must have $P'$ as a suffix, meaning $P'$ is also an operation path, because each operation edge has only one source and each vertex has at most one incoming edge. Moreover, $H$ must have an operation path from an input to an output, such that the input and the output have type $\star$ and the path ends with the first edge of the path $P'$. This contradicts $H$ being one-way.

Proof C.9 (Proof of the point (3)).

Let $P$ be the path in $\dot{\mathcal{C}}$ to the focus source that is not an operation path.

If the path $P$ contains no hole edge, it gives a path in each of the states $\dot{\mathcal{C}}[\vec{G}]$ and $\dot{\mathcal{C}}[\vec{H}]$ to the focus source that is not an operation path. By the point (1), the states are not rooted.

Otherwise, i.e. if the path $P$ contains a hole edge, we can take a suffix of $P$ that gives a path $P'$ from a source of a hole edge $e$ to the focus source in $\dot{\mathcal{C}}$, so that the path $P'$ does not contain any other hole edge. We can assume that the hole edge $e$ is labelled with $\chi_1$, without loss of generality. The path $P'$ gives paths $P'_G$ and $P'_H$ to the focus source, in the contexts $\dot{\mathcal{C}}[\chi_1, \vec{G} \backslash \{G_1\}]$ and $\dot{\mathcal{C}}[\chi_1, \vec{H} \backslash \{H_1\}]$, respectively. The paths $P'_G$ and $P'_H$ are not operation paths, because they start with the hole edge $e$ labelled with $\chi_1$.

Because $\vartriangleleft$ is output-closed, $G_1$ or $H_1$ is one-way. By the point (2), at least one of the states $\dot{\mathcal{C}}[\vec{G}]$ and $\dot{\mathcal{C}}[\vec{H}]$ is not rooted.

Lemma 27.

If a rewrite transition $\dot{G} \to \dot{G'}$ is stationary, it preserves the rooted property, i.e. $\dot{G}$ being rooted implies $\dot{G'}$ is also rooted.

Proof C.10.

The stationary rewrite transition $\dot{G} \to \dot{G'}$ is of the form $\mathcal{C}[\lightning;_{i} H] \to \mathcal{C}[?;_{i} H']$, where $\mathcal{C}$ is a focus-free simple context, $H$ is a focus-free one-way hypernet, $H'$ is a focus-free hypernet and $i \in \mathbb{N}$. We assume $\mathcal{C}[\lightning;_{i} H]$ is rooted, and prove that $\mathcal{C}[?;_{i} H']$ is rooted, i.e. $?;\mathcal{C}[H'] \overset{\bullet}{\rightarrow}^{*} \mathcal{C}[?;_{i} H']$. By Lemma 24, there exists a number $k \in \mathbb{N}$ such that:

$$?;\mathcal{C}[H] \overset{\bullet}{\rightarrow}^{k} \mathcal{C}[?;_{i} H] \overset{\bullet}{\rightarrow}^{+} \mathcal{C}[\lightning;_{i} H].$$

The rest of the proof is by case analysis on the number $k$.

  • When $k = 0$, i.e. $?;\mathcal{C}[H] = \mathcal{C}[?;_{i} H]$, the unique input and the $i$-th source of the hole coincide in the simple context $\mathcal{C}$. Therefore, $?;\mathcal{C}[H'] = \mathcal{C}[?;_{i} H']$, which means $\mathcal{C}[?;_{i} H']$ is rooted.

  • When $k > 0$, there exists a state $\dot{N}$ such that $?;\mathcal{C}[H] \overset{\bullet}{\rightarrow}^{k-1} \dot{N} \overset{\bullet}{\rightarrow} \mathcal{C}[?;_{i} H]$. By the following internal lemma (Lemma 28), there exists a focussed simple context $\dot{\mathcal{C}_N}$, whose focus is neither entering nor exiting, and we have two search sequences:

    $$\begin{aligned} ?;\mathcal{C}[H] &\overset{\bullet}{\rightarrow}^{k-1} \dot{\mathcal{C}_N}[H] \overset{\bullet}{\rightarrow} \mathcal{C}[?;_{i} H], \\ ?;\mathcal{C}[H'] &\overset{\bullet}{\rightarrow}^{k-1} \dot{\mathcal{C}_N}[H']. \end{aligned}$$

    The last search transition $\dot{\mathcal{C}_N}[H] \overset{\bullet}{\rightarrow} \mathcal{C}[?;_{i} H]$, which yields the $?$-focus, must use the interaction rule in Figure 9b or 9c. Because the focus is neither entering nor exiting in the simple context $\dot{\mathcal{C}_N}$, either of the two interaction rules acts on the focus and an edge of the context. This means that the same interaction is possible in the state $\dot{\mathcal{C}_N}[H']$, yielding:

    $$?;\mathcal{C}[H'] \overset{\bullet}{\rightarrow}^{k-1} \dot{\mathcal{C}_N}[H'] \overset{\bullet}{\rightarrow} \mathcal{C}[?;_{i} H'],$$

    which means $\mathcal{C}[?;_{i} H']$ is rooted.

    Lemma 28.

    For any $m \in \{0, \ldots, k-1\}$ and any state $\dot{N}$ such that $?;\mathcal{C}[H] \overset{\bullet}{\rightarrow}^{m} \dot{N} \overset{\bullet}{\rightarrow}^{k-m} \mathcal{C}[?;_{i} H]$, the following holds.

    (A) If there exists a focussed simple context $\dot{\mathcal{C}_N}$ such that $\dot{N} = \dot{\mathcal{C}_N}[H]$, the focus of the context $\dot{\mathcal{C}_N}$ is not entering.

    (B) If there exists a focussed simple context $\dot{\mathcal{C}_N}$ such that $\dot{N} = \dot{\mathcal{C}_N}[H]$, the focus of the context $\dot{\mathcal{C}_N}$ is not exiting.

    (C) There exists a focussed simple context $\dot{\mathcal{C}_N}$ such that $\dot{N} = \dot{\mathcal{C}_N}[H]$, and $?;\mathcal{C}[H'] \overset{\bullet}{\rightarrow}^{m} \dot{\mathcal{C}_N}[H']$ holds.

    Proof C.11.

    Firstly, because search transitions do not change the underlying hypernet, if there exists a focussed simple context $\dot{\mathcal{C}_N}$ such that $\dot{N} = \dot{\mathcal{C}_N}[H]$, then $|\dot{\mathcal{C}_N}| = \mathcal{C}$ necessarily holds.

    The point (A) is proved by contradiction; we assume that the context $\dot{\mathcal{C}_N}$ has an entering focus. This means that there exist a number $p \in \mathbb{N}$ and a focus label $\mathsf{t} \in \{?, \checkmark, \lightning\}$ such that $\dot{\mathcal{C}_N} = \mathcal{C}[\mathsf{t};_{p} H]$. By Lemma 24, there exists a number $h$ such that $h \leq m$ and:

    $$?;\mathcal{C}[H] \overset{\bullet}{\rightarrow}^{h} \mathcal{C}[?;_{p} H] \overset{\bullet}{\rightarrow}^{k-h} \mathcal{C}[?;_{i} H]. \qquad (\$)$$

    We derive a contradiction by case analysis on the numbers $p$ and $h$.

    • If $p = i$ and $h = 0$, the state $\mathcal{C}[?;_{i} H]$ must be initial, but it is a result of a search transition because $k - h > 0$. This is a contradiction.

    • If $p = i$ and $h > 0$, two different transitions in the search sequence ($\$$) result in the same state, because of $h > 0$ and $k - h > 0$, which contradicts Lemma 21.

    • If $p \neq i$, by Section 7.2, there exists a state $\dot{N'}$ with the $\lightning$-focus such that $\mathcal{C}[?;_{p} H] \overset{\bullet}{\rightarrow} \dot{N'}$. This contradicts the search sequence ($\$$), because $k - h > 0$ and search transitions are deterministic.

    The point (B) follows from the contraposition of Lemma 26(2), because $H$ is one-way and $\dot{N}$ is rooted. The rooted property of $\dot{N}$ follows from the fact that search transitions do not change underlying hypernets.

    The point (C) is proved by induction on $m \in \{0, \ldots, k-1\}$. In the base case, when $m = 0$, we have $?;\mathcal{C}[H] = \dot{N}$, and therefore the context $?;\mathcal{C}$ can be taken as $\dot{\mathcal{C}_N}$. This means $?;\mathcal{C}[H'] = \dot{\mathcal{C}_N}[H']$.

    In the inductive case, when $m > 0$, there exists a state $\dot{N'}$ such that

    $$?;\mathcal{C}[H] \overset{\bullet}{\rightarrow}^{m-1} \dot{N'} \overset{\bullet}{\rightarrow} \dot{N} \overset{\bullet}{\rightarrow}^{k-m} \mathcal{C}[?;_{i} H].$$

    By the induction hypothesis, there exists a focussed simple context $\dot{\mathcal{C}_{N'}}$ such that $\dot{N'} = \dot{\mathcal{C}_{N'}}[H]$ and

    $$\begin{aligned} ?;\mathcal{C}[H] &\overset{\bullet}{\rightarrow}^{m-1} \dot{\mathcal{C}_{N'}}[H] \overset{\bullet}{\rightarrow} \dot{N} \overset{\bullet}{\rightarrow}^{k-m} \mathcal{C}[?;_{i} H], \\ ?;\mathcal{C}[H'] &\overset{\bullet}{\rightarrow}^{m-1} \dot{\mathcal{C}_{N'}}[H']. \end{aligned}$$

    Our goal here is to find a focussed simple context $\dot{\mathcal{C}_N}$, such that $\dot{N} = \dot{\mathcal{C}_N}[H]$ and $\dot{\mathcal{C}_{N'}}[H'] \overset{\bullet}{\rightarrow} \dot{\mathcal{C}_N}[H']$.

    In the search transition $\dot{\mathcal{C}_{N'}}[H] \overset{\bullet}{\rightarrow} \dot{N}$, the only change happens to the focus and its incoming or outgoing edge $e$ in the state $\dot{\mathcal{C}_{N'}}[H]$. By the points (A) and (B), the focus is neither entering nor exiting in the context $\dot{\mathcal{C}_{N'}}$, which means the edge $e$ must be from the context, not from $H$.

    Now that no edge from $H$ is changed in $\dot{\mathcal{C}_{N'}}[H] \overset{\bullet}{\rightarrow} \dot{N}$, there exists a focussed simple context $\dot{\mathcal{C}_N}$ such that $\dot{N} = \dot{\mathcal{C}_N}[H]$, and moreover, $\dot{\mathcal{C}_{N'}}[H'] \overset{\bullet}{\rightarrow} \dot{\mathcal{C}_N}[H']$.

Appendix D Stable hypernets

Definition (Accessible paths).

  • A path of a hypernet is said to be accessible if it consists of edges all of whose sources have type $\star$.

  • An accessible path is called stable if the labels of its edges are included in $\{\mathsf{I}\} \cup \mathbb{O}_{\checkmark}$.

  • An accessible path is called active if it starts with one active operation edge, possibly followed by a stable path.

A stable hypernet always has at least one edge, and any non-output vertex is labelled with $\star$. It has a tree-like shape.

Lemma 29 (Shape of stable hypernets).
  1. (1)

    In any stable hypernet, if a vertex $v'$ is reachable from another vertex $v$ such that $v \neq v'$, there exists a unique path from the vertex $v$ to the vertex $v'$.

  2. (2)

    Any stable hypernet has no cyclic path, i.e. a path from a vertex to itself.

  3. (3)

    Let $\mathcal{C} : \star \Rightarrow \bigotimes_{i=1}^{m} \ell_i$ be a simple context such that: its hole has one source and at least one outgoing edge; and its unique input is the hole's source. There are no two stable hypernets $G$ and $G'$ that satisfy $G = \mathcal{C}[G']$.

Proof D.1.

To prove point (1), assume there are two different paths from the vertex $v$ to the vertex $v'$. These paths, i.e. non-empty sequences of edges, have to involve either an edge with more than one source or two different edges that share the same target. Neither is possible in a stable hypernet, because both a passive operation edge and an instance edge have only one source, and vertices can have at most one incoming edge. Point (1) follows by contradiction.

If a stable hypernet had a cyclic path from a vertex $v$ to itself, there would be infinitely many paths from the input to the vertex $v$, depending on how many times the cycle is traversed. This contradicts point (1).

Point (3) is also proved by contradiction. Assume that there exist two stable hypernets $G$ and $G'$ that satisfy $G = \mathcal{C}[G']$ for the simple context $\mathcal{C}$. In the stable hypernet $G$, a vertex is always labelled with $\star$ if it is not an output. However, in the simple context $\mathcal{C}$, there exists at least one target of the hole that is not an output of the context and yet is not labelled with $\star$ either. This contradicts $\mathcal{C}[G']$ being a stable hypernet.

Lemma 30.

For any state $\dot{N}$ and any vertex $v$ of it such that $v$ is not a target of an instance edge or a passive operation edge, if an accessible path from the vertex $v$ is stable or active, then no edge occurs more than once in the path.

Proof D.2.

Any stable or active path consists of edges that have only one source. As a consequence, except for the first edge, no edge appears twice in the path. If the path starts from the vertex $v$, its first edge also does not appear twice, because $v$ is not a target of an instance edge or a passive operation edge.

Lemma 31.

For any state $\dot{N}$ and any vertex $v$ of it such that $v$ is not a target of an instance edge or a passive operation edge, the following are equivalent.

(A) There exist a focussed simple context $\dot{\mathcal{C}}[\chi]$ and a stable hypernet $G$ such that $\dot{N} = \dot{\mathcal{C}}[G]$, where the vertex $v$ of $\dot{N}$ corresponds to a unique source of the hole edge in $\dot{\mathcal{C}}$.

(B) Any accessible path from the vertex $v$ in $\dot{N}$ is a stable path.

Proof D.3 (Proof of (A) $\Rightarrow$ (B)).

Because no output of a stable hypernet has type $\star$, any path from the vertex $v$ in $\dot{\mathcal{C}}[G]$ stays within $G$ and gives a path from the unique input of $G$. In the stable hypernet $G$, any path from the unique input is a stable path.

Proof D.4 (Proof of (B) $\Rightarrow$ (A)).

In the state $\dot{N}$, the focus target has to be a source of an edge, which forms an accessible path by itself. By Lemma 30, in the state $\dot{N}$, we can take maximal stable paths from the vertex $v$, in the sense that appending any edge to these paths, where possible, does not give a stable path.

If any of these maximal stable paths ends at some vertex, that vertex does not have type $\star$; this can be confirmed as follows. If the vertex had type $\star$, it would not be an output, so it would be a source of an instance, focus, operation or contraction edge. The case of an instance or passive operation edge contradicts maximality. The other cases yield a non-stable accessible path that contradicts assumption (B).

Collecting all edges contained in the maximal stable paths therefore gives the desired hypernet $G$. These edges are necessarily all shallow, because of the vertex $v$ of $\dot{N}$. The focussed context $\dot{\mathcal{C}}[\chi]$, whose hole is shallow, can be made of all the other edges (at any depth) of the state $\dot{N}$.

Lemma 32.

Let $\dot{N}$ be a state where the focus is an incoming edge of an operation edge $e$ whose label $\phi$ takes at least one eager argument. Let $k$ denote the number of eager arguments of $\phi$.

For each $i \in \{1, \ldots, k\}$, let $\mathit{sw}_{i}(\dot{N})$ be a state such that: both states $\mathit{sw}_{i}(\dot{N})$ and $\dot{N}$ have the same focus label and the same underlying hypernet, and the focus in $\mathit{sw}_{i}(\dot{N})$ is the $i$-th outgoing edge of the operation edge $e$.

For each $i \in \{1, \ldots, k\}$, the following are equivalent.

(A) In $\dot{N}$, any accessible path from an $i$-th target of the operation edge $e$ is a stable (resp. active) path.

(B) In $\mathit{sw}_{i}(\dot{N})$, any accessible path from the focus target is a stable (resp. active) path.

Proof D.5.

The only difference between $\dot{N}$ and $\mathit{sw}_{i}(\dot{N})$ is the swap of the focus with the operation edge $e$, and these two edges form an accessible path in the states $\dot{N}$ and $\mathit{sw}_{i}(\dot{N})$, individually or together (in the appropriate order). Therefore, there is a one-to-one correspondence between accessible paths from an $i$-th target of the edge $e$ in $\dot{N}$ and accessible paths from the focus target in $\mathit{sw}_{i}(\dot{N})$.

When (A) is the case, in $\dot{N}$, any accessible path from an $i$-th target of the edge $e$ contains neither the focus nor the edge $e$; otherwise there would be an accessible path that contains the focus and hence is neither stable nor active, which is a contradiction. This means that, in $\mathit{sw}_{i}(\dot{N})$, any accessible path from the focus target also contains neither the focus nor the edge $e$, and the path must be a stable (resp. active) path.

When (B) is the case, the same reasoning applies in reverse.

Lemma 33.

Let $\dot{N}$ be a rooted state with the $?$-focus, such that the focus is not an incoming edge of a contraction edge.

  (1) $\dot{N} \stackrel{\bullet}{\rightarrow}^{+} \langle \dot{N} \rangle_{\checkmark/?}$ if and only if any accessible path from the focus target in $\dot{N}$ is a stable path.

  (2) $\dot{N} \stackrel{\bullet}{\rightarrow}^{+} \langle \dot{N} \rangle_{\lightning/?}$ if and only if any accessible path from the focus target in $\dot{N}$ is an active path.

Proof D.6 (Proof of the forward direction).

Let $\mathsf{t}$ be either `$\checkmark$' or `$\lightning$'. The assumption is $\dot{N} \stackrel{\bullet}{\rightarrow}^{*} \langle \dot{N} \rangle_{\mathsf{t}/?}$. We prove the following by induction on the length $n$ of this search sequence:

  • any accessible path from the focus target in $\dot{N}$ is a stable path, when $\mathsf{t} = \checkmark$, and

  • any accessible path from the focus target in $\dot{N}$ is an active path, when $\mathsf{t} = \lightning$.

In the base case, where $n = 1$, because the focus is not an incoming edge of a contraction edge, the focus target is a source of an instance edge, or of an operation edge labelled with $\phi \in \mathbb{O}_{\mathsf{t}}$ that takes no eager argument. In either situation, the outgoing edge of the focus gives the only possible accessible path from the focus target. The path is stable when $\mathsf{t} = \checkmark$, and active when $\mathsf{t} = \lightning$.

In the inductive case, where $n > 1$, the focus target is a source of an operation edge $e_{\phi}$ labelled with an operation $\phi \in \mathbb{O}_{\mathsf{t}}$ that takes at least one eager argument.

Let $k$ denote the number of eager arguments of $\phi$, and let $i$ be an arbitrary number in $\{1, \ldots, k\}$. Let $\mathit{sw}_{i}(\dot{N})$ be the state as defined in Lemma 32. Because $\dot{N}$ is rooted, by 24, the given search sequence gives the following search sequence (proof by induction on $k - i$):

$$?;|\dot{N}| \stackrel{\bullet}{\rightarrow}^{*} \dot{N} \stackrel{\bullet}{\rightarrow}^{+} \mathit{sw}_{i}(\dot{N}) \stackrel{\bullet}{\rightarrow}^{+} \langle \mathit{sw}_{i}(\dot{N}) \rangle_{\checkmark/?} \stackrel{\bullet}{\rightarrow}^{+} \langle \dot{N} \rangle_{\mathsf{t}/?}.$$

By the induction hypothesis on the intermediate sequence $\mathit{sw}_{i}(\dot{N}) \stackrel{\bullet}{\rightarrow}^{+} \langle \mathit{sw}_{i}(\dot{N}) \rangle_{\checkmark/?}$, any accessible path from the focus target in $\mathit{sw}_{i}(\dot{N})$ is a stable path. By Lemma 32, any accessible path from an $i$-th target of the operation edge $e_{\phi}$ in $\dot{N}$ is a stable path.

In $\dot{N}$, any accessible path from the focus target is given by the operation edge $e_{\phi}$ followed by an accessible path from a target of $e_{\phi}$, which was proved stable above. Any accessible path from the focus target is therefore stable when $\mathsf{t} = \checkmark$, and active when $\mathsf{t} = \lightning$.

Proof D.7 (Proof of the backward direction).

Let $\mathsf{t}$ be either `$\checkmark$' or `$\lightning$'. The assumption is the following:

  • any accessible path from the focus target in $\dot{N}$ is a stable path, when $\mathsf{t} = \checkmark$, and

  • any accessible path from the focus target in $\dot{N}$ is an active path, when $\mathsf{t} = \lightning$.

Our goal is to show $\dot{N} \stackrel{\bullet}{\rightarrow}^{*} \langle \dot{N} \rangle_{\mathsf{t}/?}$.

In the state $\dot{N}$, the focus target has to be a source of an edge, which forms an accessible path by itself. By Lemma 30, we can define $r(\dot{N})$ as the maximum length of stable paths from the focus target. This number $r(\dot{N})$ is well-defined and positive. We prove $\dot{N} \stackrel{\bullet}{\rightarrow}^{*} \langle \dot{N} \rangle_{\mathsf{t}/?}$ by induction on $r(\dot{N})$.

In the base case, where $r(\dot{N}) = 1$, the outgoing edge of the focus is the only possible accessible path from the focus target. The outgoing edge is not a contraction edge by assumption, and hence it is an instance edge, or an operation edge labelled with $\phi \in \mathbb{O}_{\mathsf{t}}$ that takes no eager argument. We have $\dot{N} \stackrel{\bullet}{\rightarrow} \langle \dot{N} \rangle_{\mathsf{t}/?}$.

In the inductive case, where $r(\dot{N}) > 1$, the outgoing edge of the focus is an operation edge $e_{\phi}$ labelled with $\phi \in \mathbb{O}_{\mathsf{t}}$ that takes at least one eager argument. Any accessible path from the focus target in $\dot{N}$ is given by the edge $e_{\phi}$ followed by a stable path from a target of $e_{\phi}$.

Let $k$ denote the number of eager arguments of $\phi$, and let $i$ be an arbitrary number in $\{1, \ldots, k\}$. Let $\mathit{sw}_{i}(\dot{N})$ be the state as defined in Lemma 32.

By the assumption, any accessible path from an $i$-th target of the operation edge $e_{\phi}$ in $\dot{N}$ is a stable path. Therefore, by Lemma 32, in $\mathit{sw}_{i}(\dot{N})$, any accessible path from the focus target is a stable path. Moreover, these paths in $\dot{N}$ and $\mathit{sw}_{i}(\dot{N})$ correspond to each other. By Lemma 30, we can define $r(\mathit{sw}_{i}(\dot{N}))$ as the maximum length of stable paths from the focus target. This number $r(\mathit{sw}_{i}(\dot{N}))$ is well-defined and satisfies $r(\mathit{sw}_{i}(\dot{N})) < r(\dot{N})$. By the induction hypothesis on this number, we have:

$$\mathit{sw}_{i}(\dot{N}) \stackrel{\bullet}{\rightarrow}^{*} \langle \mathit{sw}_{i}(\dot{N}) \rangle_{\checkmark/?}.$$

Combining this search sequence with the following possible search transitions concludes the proof:

$$\begin{aligned}
\dot{N} &\stackrel{\bullet}{\rightarrow} \mathit{sw}_{1}(\dot{N}), \\
\langle \mathit{sw}_{i}(\dot{N}) \rangle_{\checkmark/?} &\stackrel{\bullet}{\rightarrow} \mathit{sw}_{i+1}(\dot{N}), \\
\langle \mathit{sw}_{k}(\dot{N}) \rangle_{\checkmark/?} &\stackrel{\bullet}{\rightarrow} \langle \dot{N} \rangle_{\mathsf{t}/?}.
\end{aligned}$$

Appendix E Parameterised (contextual) refinement and equivalence

Lemma 34.

For any focus-free contexts $\mathcal{C}_{1}[\vec{\chi'}, \chi, \vec{\chi''}]$ and $\mathcal{C}_{2}$ such that $\mathcal{C}_{1}[\vec{\chi'}, \mathcal{C}_{2}, \vec{\chi''}]$ is defined, if both $\mathcal{C}_{1}$ and $\mathcal{C}_{2}$ are binding-free, then $\mathcal{C}_{1}[\vec{\chi'}, \mathcal{C}_{2}, \vec{\chi''}]$ is also binding-free.

Proof E.1.

Let $\mathcal{C}$ denote $\mathcal{C}_{1}[\vec{\chi'}, \mathcal{C}_{2}, \vec{\chi''}]$, and let $e_{\chi}$ denote the hole edge of $\mathcal{C}_{1}$ labelled with $\chi$.

The proof is by contradiction. We assume that there exists a path $P$ in $\mathcal{C}$, from a source of a contraction, atom, box or hole edge $e$, to a source of a hole edge $e'$. We derive a contradiction by case analysis on the path $P$.

  • When $e'$ comes from $\mathcal{C}_{1}$, and the path $P$ consists of edges from $\mathcal{C}_{1}$ only, the path $P$ gives a path in $\mathcal{C}_{1}$ that contradicts $\mathcal{C}_{1}$ being binding-free.

  • When $e'$ comes from $\mathcal{C}_{1}$, and the path $P$ contains an edge from $\mathcal{C}_{2}$, by finding the last edge from $\mathcal{C}_{2}$ in $P$, we can take a suffix of $P$ that gives a path in $\mathcal{C}_{1}$ from a target of the hole edge $e_{\chi}$ to a source of a hole edge. Adding the hole edge $e_{\chi}$ at the beginning yields a path in $\mathcal{C}_{1}$ that contradicts $\mathcal{C}_{1}$ being binding-free.

  • When both $e$ and $e'$ come from $\mathcal{C}_{2}$, and the path $P$ gives a path in $\mathcal{C}_{2}$, this contradicts $\mathcal{C}_{2}$ being binding-free.

  • When both $e$ and $e'$ come from $\mathcal{C}_{2}$, and the path $P$ does not give a single path in $\mathcal{C}_{2}$, there exists a path in $\mathcal{C}_{1}$ from a source of the hole edge $e_{\chi}$ to a source of the hole edge $e_{\chi}$. This path contradicts $\mathcal{C}_{1}$ being binding-free.

  • When $e$ comes from $\mathcal{C}_{1}$ and $e'$ comes from $\mathcal{C}_{2}$, by finding the first edge from $\mathcal{C}_{2}$ in $P$, we can take a prefix of $P$ that gives a path in $\mathcal{C}_{1}$ from a source of a contraction, atom, box or hole edge to a source of the hole edge $e_{\chi}$. This path contradicts $\mathcal{C}_{1}$ being binding-free.

Lemma 35.

For any set $\mathbb{C}$ of contexts that is closed under plugging, and any preorder $Q$ on natural numbers, the following holds.

  • $\dot{\preceq}_{Q}$ and $\preceq^{\mathbb{C}}_{Q}$ are reflexive.

  • $\dot{\preceq}_{Q}$ and $\preceq^{\mathbb{C}}_{Q}$ are transitive.

  • $\dot{\simeq}_{Q}$ and $\simeq^{\mathbb{C}}_{Q}$ are equivalences.

Proof E.2.

Because $\dot{\simeq}_{Q}$ and $\simeq^{\mathbb{C}}_{Q}$ are defined as the symmetric subsets of $\dot{\preceq}_{Q}$ and $\preceq^{\mathbb{C}}_{Q}$, respectively, $\dot{\simeq}_{Q}$ and $\simeq^{\mathbb{C}}_{Q}$ are equivalences if $\dot{\preceq}_{Q}$ and $\preceq^{\mathbb{C}}_{Q}$ are preorders.

Reflexivity and transitivity of $\dot{\preceq}_{Q}$ are direct consequences of those of the preorder $Q$.

For any focus-free hypernet $H$, and any focus-free context $\mathcal{C}[\chi] \in \mathbb{C}$ such that $?;\mathcal{C}[H]$ is a state, $?;\mathcal{C}[H] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H]$ holds by reflexivity of $\dot{\preceq}_{Q}$.

For any focus-free hypernets $H_{1}$, $H_{2}$ and $H_{3}$, and any focus-free context $\mathcal{C}[\chi] \in \mathbb{C}$, such that $H_{1} \preceq^{\mathbb{C}}_{Q} H_{2}$, $H_{2} \preceq^{\mathbb{C}}_{Q} H_{3}$, and both $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{3}]$ are states, our goal is to show $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{3}]$. Because $H_{1} \preceq^{\mathbb{C}}_{Q} H_{2}$ and $H_{2} \preceq^{\mathbb{C}}_{Q} H_{3}$, all three hypernets $H_{1}$, $H_{2}$ and $H_{3}$ have the same type, and hence $?;\mathcal{C}[H_{2}]$ is also a state. Therefore, we have $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{2}]$ and $?;\mathcal{C}[H_{2}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{3}]$, and transitivity of $\dot{\preceq}_{Q}$ implies $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{3}]$.

Lemma 36.

For any set $\mathbb{C}$ of contexts that is closed under plugging, and any preorder $Q$ on natural numbers, the following holds.

  (1) For any hypernets $H_{1}$ and $H_{2}$, $H_{1} \simeq^{\mathbb{C}}_{Q \cap Q^{-1}} H_{2}$ implies $H_{1} \simeq^{\mathbb{C}}_{Q} H_{2}$.

  (2) If all compute transitions are deterministic, then for any hypernets $H_{1}$ and $H_{2}$, $H_{1} \simeq^{\mathbb{C}}_{Q} H_{2}$ implies $H_{1} \simeq^{\mathbb{C}}_{Q \cap Q^{-1}} H_{2}$.

Proof E.3.

Because $(Q \cap Q^{-1}) \subseteq Q$, point (1) follows from the monotonicity of contextual equivalence.

For point (2), $H_{1} \simeq^{\mathbb{C}}_{Q} H_{2}$ means that any focus-free context $\mathcal{C}[\chi] \in \mathbb{C}$, such that $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are states, yields $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{2}]$ and $?;\mathcal{C}[H_{2}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{1}]$. If the state $?;\mathcal{C}[H_{1}]$ terminates at a final state after $k_{1}$ transitions, there exists $k_{2}$ such that $k_{1} \mathrel{Q} k_{2}$ and the state $?;\mathcal{C}[H_{2}]$ terminates at a final state after $k_{2}$ transitions. Moreover, there exists $k_{3}$ such that $k_{2} \mathrel{Q} k_{3}$ and the state $?;\mathcal{C}[H_{1}]$ terminates at a final state after $k_{3}$ transitions.

Because search transitions and copy transitions are deterministic, if all compute transitions are deterministic, states and transitions comprise a deterministic abstract rewriting system, in which final states are normal forms. By 20, $k_{1} = k_{3}$ must hold. This means $k_{1} \mathrel{(Q \cap Q^{-1})} k_{2}$, and $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q \cap Q^{-1}}} ?;\mathcal{C}[H_{2}]$. Similarly, we can infer $?;\mathcal{C}[H_{2}] \mathrel{\dot{\preceq}_{Q \cap Q^{-1}}} ?;\mathcal{C}[H_{1}]$, and hence $H_{1} \simeq^{\mathbb{C}}_{Q \cap Q^{-1}} H_{2}$.

Appendix F Proof of 6

This section details the coinductive proof of 6, with respect to the UAM $\mathcal{U}(\mathbb{O}, B_{\mathbb{O}})$ parameterised by $\mathbb{O}$ and $B_{\mathbb{O}}$.

At the core of the proof is step-wise reasoning, or transition-wise reasoning, using a lax variation of simulation dubbed counting simulation. Providing a simulation boils down to case analysis on transitions, namely on possible interactions between the focus and parts of states contributed by a pre-template. While output-closure helps us disprove some cases, input-safety and robustness give the cases that are specific to a pre-template and an operation set.

We also employ the so-called up-to technique in the use of quasi-specimens. We use counting simulations up to state refinements, with a quantitative restriction implemented by the notion of reasonable triple. This restriction is essential to make this particular up-to technique work, in combination with counting simulations. A similar form of up-to technique is studied categorically by Bonchi et al. [BPPR17], but for the ordinary notion of (weak) simulation, without this quantitative restriction.

The counting simulation up-to we use is the $(Q, Q', Q'')$-simulation, parameterised by a triple $(Q, Q', Q'')$. This provides a sound approach to proving state refinement $\dot{\preceq}_{Q}$ using $\dot{\preceq}_{Q'}$ and $\dot{\preceq}_{Q''}$, given that all transitions are deterministic and $(Q, Q', Q'')$ forms a reasonable triple.

Definition ($(Q, Q', Q'')$-simulations). Let $R$ be a binary relation on states, and $(Q, Q', Q'')$ be a triple of preorders on $\mathbb{N}$. The binary relation $R$ is a $Q$-counting simulation up to $(Q', Q'')$ (a $(Q, Q', Q'')$-simulation in short) if, for any two related states $\dot{G_{1}} \mathrel{R} \dot{G_{2}}$, the following (A) and (B) hold:

(A) If $\dot{G_{1}}$ is final, $\dot{G_{2}}$ is also final.

(B) If there exists a state $\dot{G'_{1}}$ such that $\dot{G_{1}} \to \dot{G'_{1}}$, one of the following (I) and (II) holds:

  (I) There exists a stuck state $\dot{G''_{1}}$ such that $\dot{G'_{1}} \to^{*} \dot{G''_{1}}$.

  (II) There exist two states $\dot{H_{1}}$ and $\dot{H_{2}}$, and numbers $k_{1}, k_{2} \in \mathbb{N}$, such that $\dot{H_{1}} \mathrel{(\dot{\preceq}_{Q'} \circ R \circ \dot{\preceq}_{Q''})} \dot{H_{2}}$, $(1 + k_{1}) \mathrel{Q} k_{2}$, $\dot{G'_{1}} \to^{k_{1}} \dot{H_{1}}$, and $\dot{G_{2}} \to^{k_{2}} \dot{H_{2}}$.

Proposition 37.

When the universal abstract machine $\mathcal{U}(\mathbb{O}, B_{\mathbb{O}})$ is deterministic, it satisfies the following.

For any binary relation $R$ on states and any reasonable triple $(Q, Q', Q'')$, if $R$ is a $(Q, Q', Q'')$-simulation, then $R$ implies refinement up to $Q$, i.e. any $\dot{G_{1}} \mathrel{R} \dot{G_{2}}$ implies $\dot{G_{1}} \mathrel{\dot{\preceq}_{Q}} \dot{G_{2}}$.

Proof F.1.

Our goal is to show the following: for any states $\dot{G_{1}} \mathrel{R} \dot{G_{2}}$, any number $k_{1} \in \mathbb{N}$ and any final state $\dot{N_{1}}$ such that $\dot{G_{1}} \to^{k_{1}} \dot{N_{1}}$, there exist a number $k_{2} \in \mathbb{N}$ and a final state $\dot{N_{2}}$ such that $k_{1} \mathrel{Q} k_{2}$ and $\dot{G_{2}} \to^{k_{2}} \dot{N_{2}}$. The proof is by induction on $k_{1} \in \mathbb{N}$.

In the base case, when $k_{1} = 0$, the state $\dot{G_{1}}$ is itself final because $\dot{G_{1}} = \dot{N_{1}}$. Because $R$ is a $(Q, Q', Q'')$-simulation, $\dot{G_{2}}$ is also a final state, which means we can take $0$ as $k_{2}$ and $\dot{G_{2}}$ itself as $\dot{N_{2}}$. Because $(Q, Q', Q'')$ is a reasonable triple, $Q$ is a preorder and $0 \mathrel{Q} 0$ holds.

In the inductive case, when $k_{1} > 0$, we assume the induction hypothesis for any $h \in \mathbb{N}$ such that $h < k_{1}$. Since $k_{1} > 0$, there exists a state $\dot{G'_{1}}$ such that $\dot{G_{1}} \to \dot{G'_{1}} \to^{k_{1}-1} \dot{N_{1}}$. Because all intrinsic transitions are deterministic, the assumption that compute transitions are all deterministic implies that states and transitions comprise a deterministic abstract rewriting system, in which final states and stuck states are normal forms. By 20, we can conclude that there exists no stuck state $\dot{G''_{1}}$ such that $\dot{G'_{1}} \to^{*} \dot{G''_{1}}$.

Therefore, by $R$ being a $(Q, Q', Q'')$-simulation, there exist two states $\dot{H_{1}}$ and $\dot{H_{2}}$, and numbers $l_{1}, l_{2} \in \mathbb{N}$, such that $\dot{H_{1}} \mathrel{(\dot{\preceq}_{Q'} \circ R \circ \dot{\preceq}_{Q''})} \dot{H_{2}}$, $(1 + l_{1}) \mathrel{Q} l_{2}$, $\dot{G'_{1}} \to^{l_{1}} \dot{H_{1}}$, and $\dot{G_{2}} \to^{l_{2}} \dot{H_{2}}$. By determinism, $1 + l_{1} \leq k_{1}$ must hold: if $\dot{H_{1}}$ is a final state, $\dot{G'_{1}} \to^{l_{1}} \dot{H_{1}}$ must coincide with $\dot{G'_{1}} \to^{k_{1}-1} \dot{N_{1}}$; otherwise, $\dot{G'_{1}} \to^{l_{1}} \dot{H_{1}}$ must be a suffix of $\dot{G'_{1}} \to^{k_{1}-1} \dot{N_{1}}$. There exist two states $\dot{H_{3}}$ and $\dot{H_{4}}$, and we have the following situation, where the relations $R$, $\dot{\preceq}_{Q'}$ and $\dot{\preceq}_{Q''}$ are represented by vertical dotted lines from top to bottom.

[Diagram: top row $\dot{G_{1}} \to \dot{G'_{1}} \to^{l_{1}} \dot{H_{1}} \to^{k_{1}-1-l_{1}} \dot{N_{1}}$; below $\dot{H_{1}}$, the vertical chain $\dot{H_{1}} \mathrel{\dot{\preceq}_{Q'}} \dot{H_{3}} \mathrel{R} \dot{H_{4}} \mathrel{\dot{\preceq}_{Q''}} \dot{H_{2}}$; bottom row $\dot{G_{2}} \to^{l_{2}} \dot{H_{2}}$; on the left $\dot{G_{1}} \mathrel{R} \dot{G_{2}}$, with the side condition $(1 + l_{1}) \mathrel{Q} l_{2}$.]

We expand the above diagram as below (indicated by magenta), in three steps.

[Diagram: as above, extended on the right by $\dot{H_{3}} \to^{m_{3}} \dot{N_{3}}$, $\dot{H_{4}} \to^{m_{4}} \dot{N_{4}}$ and $\dot{H_{2}} \to^{m_{2}} \dot{N_{2}}$, with the side conditions $(k_{1}-1-l_{1}) \mathrel{Q'} m_{3}$, $m_{3} \mathrel{Q} m_{4}$ and $m_{4} \mathrel{Q''} m_{2}$.]

Firstly, by the definition of state refinement, there exist a number $m_{3} \in \mathbb{N}$ and a final state $\dot{N_{3}}$ such that $(k_{1} - 1 - l_{1}) \mathrel{Q'} m_{3}$ and $\dot{H_{3}} \to^{m_{3}} \dot{N_{3}}$. Because $(Q, Q', Q'')$ is a reasonable triple, $Q' \subseteq \geq_{\mathbb{N}}$, and hence $k_{1} > k_{1} - 1 - l_{1} \geq m_{3}$. Therefore, secondly, by the induction hypothesis on $m_{3}$, there exist a number $m_{4} \in \mathbb{N}$ and a final state $\dot{N_{4}}$ such that $m_{3} \mathrel{Q} m_{4}$ and $\dot{H_{4}} \to^{m_{4}} \dot{N_{4}}$. Thirdly, by the definition of state refinement, there exist a number $m_{2} \in \mathbb{N}$ and a final state $\dot{N_{2}}$ such that $m_{4} \mathrel{Q''} m_{2}$ and $\dot{H_{2}} \to^{m_{2}} \dot{N_{2}}$.

Now we have $(k_{1} - 1 - l_{1}) \mathrel{Q'} m_{3}$, $m_{3} \mathrel{Q} m_{4}$ and $m_{4} \mathrel{Q''} m_{2}$, which means $(k_{1} - 1 - l_{1}) \mathrel{(Q' \circ Q \circ Q'')} m_{2}$. Because $(Q, Q', Q'')$ is a reasonable triple, this implies $(k_{1} - 1 - l_{1}) \mathrel{Q} m_{2}$, and moreover $k_{1} \mathrel{Q} (l_{2} + m_{2})$. We can take $l_{2} + m_{2}$ as $k_{2}$.
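The simulation conditions (A), (B)(I) and (B)(II), and the refinement they yield by Proposition 37, can be exercised on a finite deterministic transition system. The Python below is an added example, not code from the paper: the transition systems, the relations and the choice $Q = {\geq}$ are constructed here, and the up-to relations $Q'$ and $Q''$ are taken to be equality, which satisfies the two properties of a reasonable triple that the proof above uses ($Q' \subseteq \geq_{\mathbb{N}}$ and $Q' \circ Q \circ Q'' \subseteq Q$).

```python
"""Checking a (Q, =, =)-counting simulation on a toy deterministic transition
system, and the state refinement it implies (Proposition 37).

Added illustration, not code from the paper.  The transition systems, the
relations and the preorder Q below are constructed sample values."""
from typing import Callable, Dict, List, Optional, Set, Tuple

State = str
Rel = Set[Tuple[State, State]]
Preorder = Callable[[int, int], bool]


class DetSystem:
    """Deterministic abstract rewriting system: each state has at most one
    successor.  Normal forms are final (in `final`) or stuck (all others)."""

    def __init__(self, step: Dict[State, State], final: Set[State]):
        self.step, self.final = step, final

    def trajectory(self, s: State, bound: int) -> List[Tuple[int, State]]:
        """(k, state) pairs reachable from s in k <= bound transitions."""
        out, k = [(0, s)], 0
        while s in self.step and k < bound:
            s, k = self.step[s], k + 1
            out.append((k, s))
        return out

    def terminates(self, s: State) -> Optional[int]:
        """Number of transitions from s to a final state, or None when s gets
        stuck or loops (a loop is detected after more steps than states)."""
        k = 0
        while s not in self.final:
            if s not in self.step or k > len(self.step):
                return None
            s, k = self.step[s], k + 1
        return k

    def reaches_stuck(self, s: State) -> bool:
        """True when the run from s ends in a non-final normal form."""
        for _ in range(len(self.step) + 1):
            if s not in self.step:
                return s not in self.final
            s = self.step[s]
        return False  # loops forever, so never reaches a normal form


def is_simulation(ts: DetSystem, R: Rel, Q: Preorder, bound: int = 32) -> bool:
    """Conditions (A) and (B) of a Q-counting simulation, with Q' and Q''
    taken to be equality, so (B)(II) asks for H1 R H2 directly."""
    for g1, g2 in R:
        if g1 in ts.final and g2 not in ts.final:
            return False                       # (A) violated
        if g1 not in ts.step:
            continue                           # (B) holds vacuously
        g1p = ts.step[g1]
        if ts.reaches_stuck(g1p):
            continue                           # (B)(I)
        if not any((h1, h2) in R and Q(1 + k1, k2)
                   for k1, h1 in ts.trajectory(g1p, bound)
                   for k2, h2 in ts.trajectory(g2, bound)):
            return False                       # (B)(II) fails
    return True


def refines(ts: DetSystem, g1: State, g2: State, Q: Preorder) -> bool:
    """State refinement: whenever g1 reaches a final state in k1 steps, g2
    reaches a final state in k2 steps with k1 Q k2."""
    k1 = ts.terminates(g1)
    if k1 is None:
        return True
    k2 = ts.terminates(g2)
    return k2 is not None and Q(k1, k2)


# Constructed preorder Q = >= : the left state may take at least as many steps.
GE: Preorder = lambda a, b: a >= b

# Constructed sample: a0 needs three transitions to reach the final a3, b0 one,
# and c0 steps to c1, which is stuck (a normal form that is not final).
TS = DetSystem(step={"a0": "a1", "a1": "a2", "a2": "a3", "b0": "b1", "c0": "c1"},
               final={"a3", "b1"})
R_OK: Rel = {("a0", "b0"), ("a2", "b1"), ("a3", "b1")}
R_BAD: Rel = R_OK - {("a3", "b1")}   # drops the pair that (B)(II) needs for ("a2", "b1")
R_STUCK: Rel = {("c0", "b0")}        # c1 is stuck, so (B)(I) discharges the pair


def check_all() -> Tuple[bool, bool, bool, bool]:
    """Simulation verdicts for the three relations, and the refinement that
    Proposition 37 promises for every pair of the simulations."""
    return (is_simulation(TS, R_OK, GE),
            is_simulation(TS, R_BAD, GE),
            is_simulation(TS, R_STUCK, GE),
            all(refines(TS, g1, g2, GE) for g1, g2 in R_OK | R_STUCK))


if __name__ == "__main__":
    print(check_all())   # (True, False, True, True)
```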

The focus in a focussed context $\dot{\mathcal{C}}$ is said to be remote if it is not the entering $\lightning$-focus. The procedure of contextual lifting reduces a proof of contextual refinement to one of state refinement.

Definition (Contextual lifting). Let $\mathbb{C} \subseteq \mathcal{H}_{\omega}(L, M_{\mathbb{O}} \cup \mathbb{M})$ be a set of contexts. Given a pre-template $\vartriangleleft$ on focus-free hypernets $\mathcal{H}_{\omega}(L, M_{\mathbb{O}} \backslash \{?, \checkmark, \lightning\})$, its $\mathbb{C}$-contextual lifting $\overline{\vartriangleleft}^{\mathbb{C}}$ is a binary relation on states defined by: $\dot{G_{1}} \mathrel{\overline{\vartriangleleft}^{\mathbb{C}}} \dot{G_{2}}$ if there exists a $\mathbb{C}$-specimen $(\dot{\mathcal{C}}; \vec{H^{1}}; \vec{H^{2}})$ of $\vartriangleleft$ such that the focus of $\dot{\mathcal{C}}$ is remote, $\dot{G_{p}} = \dot{\mathcal{C}}[\vec{H^{p}}]$, and $\dot{\mathcal{C}}[\vec{H^{p}}]$ is rooted, for each $p \in \{1, 2\}$.

The contextual lifting $\overline{\vartriangleleft}^{\mathbb{C}}$ is by definition a binary relation on rooted states.

Proposition 38.

For any set $\mathbb{C} \subseteq \mathcal{H}_{\omega}(L, M_{\mathbb{O}} \cup \mathbb{M})$ of contexts that is closed under plugging, any preorder $Q$ on $\mathbb{N}$, and any pre-template $\vartriangleleft$ on focus-free hypernets $\mathcal{H}_{\omega}(L, M_{\mathbb{O}} \backslash \{?, \checkmark, \lightning\})$, if the $\mathbb{C}$-contextual lifting $\overline{\vartriangleleft}^{\mathbb{C}}$ implies refinement $\dot{\preceq}_{Q}$ (resp. equivalence $\dot{\simeq}_{Q}$), then $\vartriangleleft$ implies contextual refinement $\preceq^{\mathbb{C}}_{Q}$ (resp. contextual equivalence $\simeq^{\mathbb{C}}_{Q}$).

Proof F.2 (Proof of the refinement case).

Our goal is to show that, for any $H_{1} \vartriangleleft H_{2}$ and any focus-free context $\mathcal{C}[\chi] \in \mathbb{C}$ such that $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are states, we have the refinement $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{2}]$.

Because $?;\mathcal{C}[H_{p}] = ?;(\mathcal{C}[H_{p}]) = (?;\mathcal{C})[H_{p}]$ for $p \in \{1, 2\}$, and $|?;\mathcal{C}| = \mathcal{C} \in \mathbb{C}$, the triple $((?;\mathcal{C}); H_{1}; H_{2})$ is a $\mathbb{C}$-specimen of $\vartriangleleft$ with the $?$-focus. Moreover, the states $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are trivially rooted. Therefore, $?;\mathcal{C}[H_{1}] \mathrel{\overline{\vartriangleleft}^{\mathbb{C}}} ?;\mathcal{C}[H_{2}]$, and by the assumption, $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{2}]$.

Proof F.3 (Proof of the equivalence case).

It suffices to show that, for any $H_{1} \vartriangleleft H_{2}$ and any focus-free context $\mathcal{C}[\chi] \in \mathbb{C}$ such that $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are states, we have the refinements $?;\mathcal{C}[H_{1}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{2}]$ and $?;\mathcal{C}[H_{2}] \mathrel{\dot{\preceq}_{Q}} ?;\mathcal{C}[H_{1}]$, i.e. the equivalence $?;\mathcal{C}[H_{1}] \mathrel{\dot{\simeq}_{Q}} ?;\mathcal{C}[H_{2}]$.

Because $?;\mathcal{C}[H_{p}] = ?;(\mathcal{C}[H_{p}]) = (?;\mathcal{C})[H_{p}]$ for $p \in \{1, 2\}$, and $|?;\mathcal{C}| = \mathcal{C} \in \mathbb{C}$, the triple $((?;\mathcal{C}); H_{1}; H_{2})$ is a $\mathbb{C}$-specimen of $\vartriangleleft$ with the $?$-focus. Moreover, the states $?;\mathcal{C}[H_{1}]$ and $?;\mathcal{C}[H_{2}]$ are trivially rooted. Therefore, $?;\mathcal{C}[H_{1}] \mathrel{\overline{\vartriangleleft}^{\mathbb{C}}} ?;\mathcal{C}[H_{2}]$, and by the assumption, $?;\mathcal{C}[H_{1}] \mathrel{\dot{\simeq}_{Q}} ?;\mathcal{C}[H_{2}]$.

Lemma 39.

For any set $\mathbb{C}\subseteq\mathcal{H}_{\omega}(L,M_{\mathbb{O}}\cup\mathbb{M})$ of contexts that is closed under plugging, any pre-template $\vartriangleleft$ on focus-free hypernets $\mathcal{H}_{\omega}(L,M_{\mathbb{O}}\backslash\{?,\checkmark,\lightning\})$, and any $\mathbb{C}$-specimen $({\dot{\mathcal{C}}}[\vec{\chi}];\vec{H^{1}};\vec{H^{2}})$ of $\vartriangleleft$, the following holds.

(1) The state ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ is final (resp. initial) if and only if the state ${\dot{\mathcal{C}}}[\vec{H^{2}}]$ is final (resp. initial).

(2) If $\vartriangleleft$ is output-closed, and ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}}}[\vec{H^{2}}]$ are both rooted states, then the focus of ${\dot{\mathcal{C}}}$ is not exiting.

(3) If $\vartriangleleft$ is output-closed, ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}}}[\vec{H^{2}}]$ are both rooted states, the focus of ${\dot{\mathcal{C}}}$ is the $\checkmark$-focus or the non-entering $?$-focus, and a transition is possible from ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ or ${\dot{\mathcal{C}}}[\vec{H^{2}}]$, then there exists a focussed context ${\dot{\mathcal{C}^{\prime}}}$ with a remote focus such that $|{\dot{\mathcal{C}^{\prime}}}|=|{\dot{\mathcal{C}}}|$ and ${\dot{\mathcal{C}}}[\vec{H^{p}}]\to{\dot{\mathcal{C}^{\prime}}}[\vec{H^{p}}]$ for each $p\in\{1,2\}$.

Proof F.4 (Proof of point (1)).

Let $(p,q)$ be an arbitrary element of the set $\{(1,2),(2,1)\}$. If ${\dot{\mathcal{C}}}[\vec{H^{p}}]$ is final (resp. initial), the focus source is an input in ${\dot{\mathcal{C}}}[\vec{H^{p}}]$. Because the input lists of ${\dot{\mathcal{C}}}[\vec{H^{p}}]$, ${\dot{\mathcal{C}}}$ and ${\dot{\mathcal{C}}}[\vec{H^{q}}]$ all coincide, the focus source must be an input in ${\dot{\mathcal{C}}}$, and in ${\dot{\mathcal{C}}}[\vec{H^{q}}]$ too. This means ${\dot{\mathcal{C}}}[\vec{H^{q}}]$ is also a final (resp. initial) state.

Proof F.5 (Proof of point (2)).

This is a consequence of the contraposition of 26(3).

Proof F.6 (Proof of the point (3)).

The transition possible from ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ or ${\dot{\mathcal{C}}}[\vec{H^{2}}]$ is necessarily a search transition. By case analysis on the focus of ${\dot{\mathcal{C}}}$, we can confirm that the search transition applies an interaction rule to the focus and an edge from ${\dot{\mathcal{C}}}$.

  • When the focus of ${\dot{\mathcal{C}}}$ is the $\checkmark$-focus, the transition can only change the focus and its incoming operation edge. Because $\vartriangleleft$ is output-closed, by point (2), the focus of ${\dot{\mathcal{C}}}$ is not exiting. This implies that the incoming operation edge of the focus is from ${\dot{\mathcal{C}}}$ in both states ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}}}[\vec{H^{2}}]$.

  • When the focus of ${\dot{\mathcal{C}}}$ is the non-entering $?$-focus, the transition can only change the focus and its outgoing edge. Because the focus is not entering in ${\dot{\mathcal{C}}}$, the outgoing edge is from ${\dot{\mathcal{C}}}$ in both states ${\dot{\mathcal{C}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}}}[\vec{H^{2}}]$.

Therefore, there exist a focus-free simple context $\mathcal{C}_{0}[\chi,\vec{\chi}]$ and an interaction rule ${\dot{N_{0}}}\mapsto{\dot{N^{\prime}_{0}}}$, such that ${\dot{\mathcal{C}}}=\mathcal{C}_{0}[{\dot{N_{0}}},\vec{\chi}]$, and $\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]$ is a focussed context.

Examining interaction rules confirms $|{\dot{N_{0}}}|=|{\dot{N^{\prime}_{0}}}|$, and hence $|{\dot{\mathcal{C}}}|=|\mathcal{C}_{0}[{\dot{N_{0}}},\vec{\chi}]|=|\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]|$. By definition of search transitions, we have:

$${\dot{\mathcal{C}}}[\vec{H^{p}}]=\mathcal{C}_{0}[{\dot{N_{0}}},\vec{H^{p}}]\to\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{H^{p}}]$$

for each $p\in\{1,2\}$.

The rest of the proof is to check that $\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]$ has a remote focus, namely that, if its focus is the $\lightning$-focus, the focus is not entering. This is done by inspecting interaction rules.

  • When the interaction rule ${\dot{N_{0}}}\mapsto{\dot{N^{\prime}_{0}}}$ changes the $\checkmark$-focus to the $\lightning$-focus, this must be the interaction rule in Figure 9d, which means ${\dot{N^{\prime}_{0}}}$ consists of the $\lightning$-focus and its outgoing operation edge. The operation edge remains a (unique) outgoing edge of the focus in $\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]$, and hence the focus is not entering in $\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]$.

  • When the interaction rule ${\dot{N_{0}}}\mapsto{\dot{N^{\prime}_{0}}}$ changes the $?$-focus to the $\lightning$-focus, this must be one of the interaction rules in Figure 18a, 18b or 9e, which means ${\dot{N^{\prime}_{0}}}=\langle{\dot{N_{0}}}\rangle_{\lightning/?}$. Because the focus is not entering in $\mathcal{C}_{0}[{\dot{N_{0}}},\vec{\chi}]={\dot{\mathcal{C}}}$, the focus is also not entering in $\mathcal{C}_{0}[{\dot{N^{\prime}_{0}}},\vec{\chi}]=\langle\mathcal{C}_{0}[{\dot{N_{0}}},\vec{\chi}]\rangle_{\lightning/?}$.

Proposition 40.

When the universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ is deterministic and refocusing, it satisfies the following, for any set $\mathbb{C}\subseteq\mathcal{H}_{\omega}(L,M_{\mathbb{O}}\cup\mathbb{M})$ of contexts that is closed under plugging, any reasonable triple $(Q,Q^{\prime},Q^{\prime\prime})$, and any pre-template $\vartriangleleft$ on focus-free hypernets $\mathcal{H}_{\omega}(L,M_{\mathbb{O}}\backslash\{?,\checkmark,\lightning\})$.

(1) If $\vartriangleleft$ is a $(\mathbb{C},Q,Q^{\prime})$-template and $(\mathbb{C},Q,Q^{\prime},Q^{\prime\prime})$-robust relative to all rewrite transitions, then the $\mathbb{C}$-contextual lifting $\overline{\vartriangleleft}^{\mathbb{C}}$ is a $(Q,Q^{\prime},Q^{\prime\prime})$-simulation.

(2) If $\vartriangleleft$ is a $(\mathbb{C},Q^{-1},Q^{\prime})$-template and the converse $\vartriangleleft^{-1}$ is $(\mathbb{C},Q,Q^{\prime},Q^{\prime\prime})$-robust relative to all rewrite transitions, then the $\mathbb{C}$-contextual lifting $\overline{\vartriangleleft^{-1}}^{\mathbb{C}}$ of the converse is a $(Q,Q^{\prime},Q^{\prime\prime})$-simulation.

Proof F.7 (Proof prelude).

Let $({\dot{\mathcal{C}}};\vec{H^{1}};\vec{H^{2}})$ be an arbitrary $\mathbb{C}$-specimen of $\vartriangleleft$, such that the focus of ${\dot{\mathcal{C}}}$ is remote, and ${\dot{G_{p}}}:={\dot{\mathcal{C}}}[\vec{H^{p}}]$ is a rooted state for each $p\in\{1,2\}$. By definition of contextual lifting, ${\dot{G_{1}}}\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{G_{2}}}$, and equivalently, ${\dot{G_{2}}}\mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}{\dot{G_{1}}}$. Note that $\overline{\vartriangleleft^{-1}}^{\mathbb{C}}=(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}$.

Because $\vartriangleleft$ is output-closed, by 39(2), the focus is not exiting in ${\dot{\mathcal{C}}}$. This implies that, if the focus has an incoming edge in ${\dot{G_{1}}}$ or ${\dot{G_{2}}}$, the incoming edge must be from ${\dot{\mathcal{C}}}$.

Because the machine is deterministic and refocusing, rooted states and transitions comprise a deterministic abstract rewriting system, in which final states and stuck states are normal forms. By 20, from any state, a sequence of transitions that results in a final state or a stuck state is unique, if any.

Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q^{\prime}$ and $Q^{\prime\prime}$ are reflexive. By 35, this implies that $\mathrel{\dot{\preceq}}_{Q^{\prime}}$ and $\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}$ are reflexive, and hence $\overline{\vartriangleleft}^{\mathbb{C}}\subseteq{\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ\overline{\vartriangleleft}^{\mathbb{C}}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}}}$, and $(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}\subseteq{\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}}}$.
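The two inclusions at the end of the prelude are used repeatedly below, so here is the witnessing chain spelled out (an added derivation, not part of the original proof text; it uses only the paper's own symbols and the diagrammatic composition order the paper uses in its diagram labels). For any rooted states with ${\dot{G_{1}}}\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{G_{2}}}$, reflexivity of $\mathrel{\dot{\preceq}}_{Q^{\prime}}$ and $\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}$ gives

$${\dot{G_{1}}}\mathrel{\dot{\preceq}}_{Q^{\prime}}{\dot{G_{1}}}\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{G_{2}}}\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}{\dot{G_{2}}},$$

so the pair $({\dot{G_{1}}},{\dot{G_{2}}})$ lies in ${\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ\overline{\vartriangleleft}^{\mathbb{C}}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}}}$, which is the first inclusion. Reading the same chain for $({\dot{G_{2}}},{\dot{G_{1}}})$ with $(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}$ in the middle position gives the second inclusion. Only reflexivity of the two refinement relations is used, which is why the reasonable-triple assumption is invoked at this point.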

Proof F.8 (Proof of the point (1)).

Our goal is to check conditions (A) and (B) of Appendix F for the states ${\dot{G_{1}}}\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{G_{2}}}$.

If ${\dot{G_{1}}}$ is final, by 39(1), ${\dot{G_{2}}}$ is also final. The condition (A) of Appendix F is fulfilled.

If there exists a state ${\dot{G^{\prime}_{1}}}$ such that ${\dot{G_{1}}}\to{\dot{G^{\prime}_{1}}}$, we show that one of the conditions (I) and (II) of Appendix F is fulfilled, by case analysis of the focus in ${\dot{\mathcal{C}}}$.

  • When the focus is the $\checkmark$-focus, or the $?$-focus that is not entering, by 39(3), there exists a focussed context ${\dot{\mathcal{C}^{\prime}}}$ with a remote focus, such that $|{\dot{\mathcal{C}^{\prime}}}|=|{\dot{\mathcal{C}}}|$ and ${\dot{G_{p}}}={\dot{\mathcal{C}}}[\vec{H^{p}}]\to{\dot{\mathcal{C}^{\prime}}}[\vec{H^{p}}]$ for each $p\in\{1,2\}$. We have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II) of Appendix F is fulfilled.

    $$\begin{array}{ccc}
    {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \to & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]\,{\color{magenta}={\dot{G^{\prime}_{1}}}} \\
    \overline{\vartriangleleft}^{\mathbb{C}} & 1\,Q\,1 & {\color{magenta}\overline{\vartriangleleft}^{\mathbb{C}}} \\
    {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \to & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]
    \end{array}$$

    By the determinism, ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]={\dot{G^{\prime}_{1}}}$. Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q$ is a preorder and $1\mathrel{Q}1$. The context ${\dot{\mathcal{C}^{\prime}}}$ satisfies $|{\dot{\mathcal{C}^{\prime}}}|=|{\dot{\mathcal{C}}}|\in\mathbb{C}$, so $({\dot{\mathcal{C}^{\prime}}};\vec{H^{1}};\vec{H^{2}})$ is a $\mathbb{C}$-specimen of $\vartriangleleft$. The context ${\dot{\mathcal{C}^{\prime}}}$ has a remote focus, and the states ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]$ are both rooted. Therefore, we have ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]$.

  • When the focus is the $?$-focus that is entering in ${\dot{\mathcal{C}}}$, because $\vartriangleleft$ is $(\mathbb{C},Q,Q^{\prime})$-input-safe, we have one of the following three situations corresponding to (I), (II) and (III) of Section 8.2.

    • There exist two stuck states ${\dot{N_{1}}}$ and ${\dot{N_{2}}}$ such that ${\dot{G_{p}}}\to^{*}{\dot{N_{p}}}$ for each $p\in\{1,2\}$. By the determinism of transitions, we have ${\dot{G_{1}}}\to{\dot{G^{\prime}_{1}}}\to^{*}{\dot{N_{1}}}$, which means the condition (I) of Appendix F is satisfied.

    • There exist a $\mathbb{C}$-specimen $({\dot{\mathcal{C}^{\prime}}};\vec{H^{\prime 1}};\vec{H^{\prime 2}})$ of $\vartriangleleft$ and two numbers $k_{1},k_{2}\in\mathbb{N}$, such that the focus of ${\dot{\mathcal{C}^{\prime}}}$ is the $\checkmark$-focus or the non-entering $?$-focus, $(1+k_{1})\mathrel{Q}k_{2}$, ${\dot{\mathcal{C}}}[\vec{H^{1}}]\to^{1+k_{1}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$, and ${\dot{\mathcal{C}}}[\vec{H^{2}}]\to^{k_{2}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$. By the determinism of transitions, we have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II) of Appendix F is fulfilled.

      $$\begin{array}{ccc}
      {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \to{\dot{G^{\prime}_{1}}}\xrightarrow{\ k_{1}\ } & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}] \\
      \overline{\vartriangleleft}^{\mathbb{C}} & (1+k_{1})\,Q\,k_{2} & {\color{magenta}\overline{\vartriangleleft}^{\mathbb{C}}} \\
      {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \xrightarrow{\ k_{2}\ } & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]
      \end{array}$$

      The context ${\dot{\mathcal{C}^{\prime}}}$ has a remote focus, and the states ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$ are rooted. Therefore, ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$.

    • There exist a quasi-$\mathbb{C}$-specimen $({\dot{N_{1}}},{\dot{N_{2}}})$ of $\vartriangleleft$ up to $(\dot{\simeq}_{Q^{\prime}},\dot{\simeq}_{Q^{\prime}})$, whose focus is not the $\lightning$-focus, and two numbers $k_{1},k_{2}\in\mathbb{N}$, such that $(1+k_{1})\mathrel{Q}(1+k_{2})$, ${\dot{\mathcal{C}}}[\vec{H^{1}}]\to^{1+k_{1}}{\dot{N_{1}}}$, and ${\dot{\mathcal{C}}}[\vec{H^{2}}]\to^{1+k_{2}}{\dot{N_{2}}}$. By the determinism of transitions, we have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II) of Appendix F is fulfilled.

      $$\begin{array}{ccc}
      {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \to{\dot{G^{\prime}_{1}}}\xrightarrow{\ k_{1}\ } & {\dot{N_{1}}} \\
      \overline{\vartriangleleft}^{\mathbb{C}} & (1+k_{1})\,Q\,(1+k_{2}) & {\color{magenta}\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ\overline{\vartriangleleft}^{\mathbb{C}}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}}} \\
      {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \xrightarrow{\ 1+k_{2}\ } & {\dot{N_{2}}}
      \end{array}$$

      Because $({\dot{N_{1}}},{\dot{N_{2}}})$ is a quasi-$\mathbb{C}$-specimen of $\vartriangleleft$ up to $(\dot{\simeq}_{Q^{\prime}},\dot{\simeq}_{Q^{\prime}})$, and the states ${\dot{N_{1}}}$ and ${\dot{N_{2}}}$ are rooted, there exists a $\mathbb{C}$-specimen $({\dot{\mathcal{C}^{\prime}}};\vec{H^{\prime 1}};\vec{H^{\prime 2}})$ of $\vartriangleleft$ with a non-$\lightning$ focus, such that ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$ are also rooted, ${\dot{N_{1}}}\mathrel{\dot{\simeq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$, and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{\dot{\simeq}}_{Q^{\prime}}{\dot{N_{2}}}$. Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q^{\prime}\subseteq Q^{\prime\prime}$, and hence $\mathord{\dot{\simeq}_{Q^{\prime}}}\subseteq\mathord{\dot{\simeq}_{Q^{\prime\prime}}}$. Therefore, we have:

      $${\dot{N_{1}}}\mathrel{\dot{\preceq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}{\dot{N_{2}}}.$$

  • When the focus is the $\lightning$-focus, ${\dot{G_{1}}}\to{\dot{G^{\prime}_{1}}}$ is a rewrite transition, and by definition of contextual lifting, the focus is not entering in ${\dot{\mathcal{C}}}$. Because $\vartriangleleft$ is $(\mathbb{C},Q,Q^{\prime},Q^{\prime\prime})$-robust relative to all rewrite transitions, and ${\dot{G_{1}}}$ and ${\dot{G_{2}}}$ are rooted, we have one of the following two situations corresponding to (II) and (III) of Section 8.3.

    • There exists a stuck state N˙{\dot{N}} such that G1˙N˙{\dot{G^{\prime}_{1}}}\to^{*}{\dot{N}}. The condition (I) of Appendix F is satisfied.

    • There exist a quasi-\mathbb{C}-specimen (N1˙,N2˙)({\dot{N_{1}}},{\dot{N_{2}}}) of \vartriangleleft up to (˙Q,˙Q′′)(\dot{\preceq}_{Q^{\prime}},\dot{\preceq}_{Q^{\prime\prime}}), whose focus is not the \lightning-focus, and two numbers k1,k2k_{1},k_{2}\in\mathbb{N}, such that (1+k1)𝑄k2(1+k_{1})\mathrel{Q}k_{2}, G1˙k1N1˙{\dot{G^{\prime}_{1}}}\to^{k_{1}}{\dot{N_{1}}}, and G2˙k2N2˙{\dot{G_{2}}}\to^{k_{2}}{\dot{N_{2}}}. We have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II) of Appendix F is fulfilled.

      G1˙=𝒞˙[H1]¯(1+k1)Qk2G1˙k1N1˙˙Q¯˙Q′′G2˙=𝒞˙[H2]k2N2˙\begin{gathered}\lx@xy@svg{\hbox{\raise 2.5pt\hbox{\kern 16.29175pt\hbox{\ignorespaces\ignorespaces\ignorespaces\hbox{\vtop{\kern 0.0pt\offinterlineskip\halign{\entry@#!@&&\entry@@#!@\cr&&\\&&\crcr}}}\ignorespaces{\hbox{\kern-14.38023pt\raise 0.0pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\raise-2.5pt\hbox{$\scriptstyle{{{\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}]}\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$}}}}}}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces{}{\hbox{\lx@xy@droprule}}\ignorespaces{\hbox{\kern 38.38023pt\raise 0.0pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\lx@xy@tip{1}\lx@xy@tip{-1}}}}}}{\hbox{\lx@xy@droprule}}{\hbox{\lx@xy@droprule}}\ignorespaces\ignorespaces\ignorespaces{}\ignorespaces\ignorespaces{\hbox{\lx@xy@drawline@}}\ignorespaces\ignorespaces\ignorespaces{\hbox{\kern-16.29175pt\raise-11.75276pt\hbox{{}\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\hbox{\hbox{\kern 0.0pt\raise-3.20831pt\hbox{$\scriptstyle{\overline{\vartriangleleft}^{\mathbb{C}}}$}}}\kern 3.0pt}}}}}}\ignorespaces{}\ignorespaces\ignorespaces{\hbox{\lx@xy@drawline@}}\ignorespaces{\hbox{\lx@xy@drawline@}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces{}\ignorespaces{{{{\hbox{\framed@@{0.0pt}}}}}{\hbox{\kern 13.41035pt\raise-11.75276pt\hbox{\hbox{\kern 3.0pt\raise-1.75pt\hbox{$\scriptstyle{(1+k_{1})\,Q\,k_{2}}$}}}}}}\ignorespaces{}{\hbox{\kern 38.38023pt\raise 0.0pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\raise-2.5pt\hbox{$\scriptstyle{{{\dot{G^{\prime}_{1}}}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$}}}}}}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces{}{\hbox{\lx@xy@droprule}}\ignorespaces\ignorespaces\ignorespaces{\hbox{\kern 63.9965pt\raise 5.93056pt\hbox{{}\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 
3.0pt\hbox{\hbox{\kern 0.0pt\raise-1.93056pt\hbox{$\scriptstyle{k_{1}}$}}}\kern 3.0pt}}}}}}\ignorespaces{\hbox{\kern 71.158pt\raise 0.0pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\lx@xy@tip{1}\lx@xy@tip{-1}}}}}}{\hbox{\lx@xy@droprule}}{\hbox{\lx@xy@droprule}}{\hbox{\kern 71.158pt\raise 0.0pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\raise-2.5pt\hbox{$\scriptstyle{{{\dot{N_{1}}}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$}}}}}}}\ignorespaces\ignorespaces\ignorespaces{}\ignorespaces\ignorespaces{{\hbox{\lx@xy@drawline@}}}\ignorespaces\ignorespaces\ignorespaces{\hbox{\kern 75.5469pt\raise-11.75276pt\hbox{{}\hbox{\kern 0.0pt\raise 0.0pt\hbox{{\hbox{\kern 3.0pt\hbox{\hbox{\kern 0.0pt\raise-1.93373pt\hbox{$\scriptstyle{\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ\overline{\vartriangleleft}^{\mathbb{C}}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}}}$}}}\kern 3.0pt}}}}}}}\ignorespaces{}\ignorespaces\ignorespaces{{\hbox{\lx@xy@drawline@}}}\ignorespaces{{\hbox{\lx@xy@drawline@}}}{\hbox{\kern-14.38023pt\raise-23.50552pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\raise-2.5pt\hbox{$\scriptstyle{{{\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}]}\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$}}}}}}}\ignorespaces\ignorespaces\ignorespaces\ignorespaces{}{\hbox{\lx@xy@droprule}}\ignorespaces\ignorespaces\ignorespaces{\hbox{\kern 63.9965pt\raise-17.57497pt\hbox{{}\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\hbox{\hbox{\kern 0.0pt\raise-1.93056pt\hbox{$\scriptstyle{k_{2}}$}}}\kern 3.0pt}}}}}}\ignorespaces{\hbox{\kern 71.158pt\raise-23.50552pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\lx@xy@tip{1}\lx@xy@tip{-1}}}}}}{\hbox{\lx@xy@droprule}}{\hbox{\lx@xy@droprule}}{\hbox{\kern 39.76912pt\raise-23.50552pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 3.0pt\raise-2.5pt\hbox{$\scriptstyle{}$}}}}}}}{\hbox{\kern 71.158pt\raise-23.50552pt\hbox{\hbox{\kern 0.0pt\raise 0.0pt\hbox{\hbox{\kern 
3.0pt\raise-2.5pt\hbox{$\scriptstyle{{{\dot{N_{2}}}}}$}}}}}}}\ignorespaces}}}}\ignorespaces\end{gathered}

      Because (N1˙,N2˙)({\dot{N_{1}}},{\dot{N_{2}}}) is a quasi-\mathbb{C}-specimen of \vartriangleleft up to (˙Q,˙Q′′)(\dot{\preceq}_{Q^{\prime}},\dot{\preceq}_{Q^{\prime\prime}}), and states N1˙{\dot{N_{1}}} and N2˙{\dot{N_{2}}} are rooted, there exists a \mathbb{C}-specimen (𝒞˙;H1;H2)({\dot{\mathcal{C}^{\prime}}};\vec{H^{\prime 1}};\vec{H^{\prime 2}}) of \vartriangleleft with a non-\lightning focus, such that 𝒞˙[H1]{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}] and 𝒞˙[H2]{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}] are also rooted, N1˙˙Q𝒞˙[H1]{\dot{N_{1}}}\mathrel{\dot{\preceq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}], and 𝒞˙[H2]˙Q′′N2˙{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}{\dot{N_{2}}}. This means 𝒞˙[H1]¯𝒞˙[H2]{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}], and hence:

      \[
      {\dot{N_{1}}}\mathrel{\dot{\preceq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]\mathrel{\overline{\vartriangleleft}^{\mathbb{C}}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}{\dot{N_{2}}}.
      \]
Proof F.9 (Proof of the point (2)).

It suffices to check the “reverse” of conditions (A) and (B) of Appendix F for the states ${\dot{G_{2}}}\mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}{\dot{G_{1}}}$, namely the following conditions (A’) and (B’).

(A’) If ${\dot{G_{2}}}$ is final, ${\dot{G_{1}}}$ is also final.

(B’) If there exists a state ${\dot{G^{\prime}_{2}}}$ such that ${\dot{G_{2}}}\to{\dot{G^{\prime}_{2}}}$, one of the following (I’) and (II’) holds.

(I’) There exists a stuck state ${\dot{G^{\prime\prime}_{2}}}$ such that ${\dot{G^{\prime}_{2}}}\to^{*}{\dot{G^{\prime\prime}_{2}}}$.

(II’) There exist two states ${\dot{N_{2}}}$ and ${\dot{N_{1}}}$, and numbers $k_{2},k_{1}\in\mathbb{N}$, such that ${\dot{N_{2}}}\mathrel{(\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime}}}\circ(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}\circ\mathord{\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}})}{\dot{N_{1}}}$, $(1+k_{2})\mathrel{Q}k_{1}$, ${\dot{G^{\prime}_{2}}}\to^{k_{2}}{\dot{N_{2}}}$, and ${\dot{G_{1}}}\to^{k_{1}}{\dot{N_{1}}}$.

The proof is mostly symmetric to that of the point (1). Note that there is a one-to-one correspondence between $\mathbb{C}$-specimens of $\vartriangleleft$ and $\mathbb{C}$-specimens of $\vartriangleleft^{-1}$: any $\mathbb{C}$-specimen $({\dot{\mathcal{C}_{0}}};\vec{H^{01}};\vec{H^{02}})$ of $\vartriangleleft$ gives a $\mathbb{C}$-specimen $({\dot{\mathcal{C}_{0}}};\vec{H^{02}};\vec{H^{01}})$ of $\vartriangleleft^{-1}$. Because $\vartriangleleft$ is output-closed, its converse $\vartriangleleft^{-1}$ is also output-closed.

If ${\dot{G_{2}}}$ is final, by 39(1), ${\dot{G_{1}}}$ is also final. The condition (A’) is fulfilled.

If there exists a state ${\dot{G^{\prime}_{2}}}$ such that ${\dot{G_{2}}}\to{\dot{G^{\prime}_{2}}}$, we show that one of the conditions (I’) and (II’) above is fulfilled, by case analysis of the focus in ${\dot{\mathcal{C}}}$.

  • When the focus is the $\checkmark$-focus, or the $?$-focus that is not entering, by 39(3), there exists a focussed context ${\dot{\mathcal{C}^{\prime}}}$ with a remote focus, such that $|{\dot{\mathcal{C}^{\prime}}}|=|{\dot{\mathcal{C}}}|$ and ${\dot{G_{p}}}={\dot{\mathcal{C}}}[\vec{H^{p}}]\to{\dot{\mathcal{C}^{\prime}}}[\vec{H^{p}}]$ for each $p\in\{1,2\}$. We have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II’) is fulfilled.

    \[
    \begin{array}{ccc}
    {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \longrightarrow & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]\,{\color{magenta}={\dot{G^{\prime}_{2}}}} \\[3pt]
    (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & {\color{magenta}\boxed{1\,Q\,1}} & {\color{magenta}(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}} \\[3pt]
    {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \longrightarrow & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]
    \end{array}
    \]

    By the determinism of transitions, ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]={\dot{G^{\prime}_{2}}}$. Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q$ is a preorder and $1\mathrel{Q}1$. The context ${\dot{\mathcal{C}^{\prime}}}$ satisfies $|{\dot{\mathcal{C}^{\prime}}}|=|{\dot{\mathcal{C}}}|\in\mathbb{C}$, so $({\dot{\mathcal{C}^{\prime}}};\vec{H^{2}};\vec{H^{1}})$ is a $\mathbb{C}$-specimen of $\vartriangleleft^{-1}$. The context ${\dot{\mathcal{C}^{\prime}}}$ has a remote focus, and the states ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]$ are both rooted. Therefore, we have ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{2}}]\mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{1}}]$.

  • When the focus is the $?$-focus that is entering in ${\dot{\mathcal{C}}}$, because $\vartriangleleft$ is $(\mathbb{C},Q^{-1},Q^{\prime})$-input-safe, we have one of the following three situations, corresponding to (I), (II) and (III) of Section 8.2.

    • There exist two stuck states ${\dot{N_{1}}}$ and ${\dot{N_{2}}}$ such that ${\dot{G_{p}}}\to^{*}{\dot{N_{p}}}$ for each $p\in\{1,2\}$. By the determinism of transitions, we have ${\dot{G_{2}}}\to{\dot{G^{\prime}_{2}}}\to^{*}{\dot{N_{2}}}$, which means the condition (I’) is satisfied.

    • There exist a $\mathbb{C}$-specimen $({\dot{\mathcal{C}^{\prime}}};\vec{H^{\prime 1}};\vec{H^{\prime 2}})$ of $\vartriangleleft$ and two numbers $k_{1},k_{2}\in\mathbb{N}$, such that the focus of ${\dot{\mathcal{C}^{\prime}}}$ is the $\checkmark$-focus or the non-entering $?$-focus, $(1+k_{1})\mathrel{Q^{-1}}k_{2}$, ${\dot{\mathcal{C}}}[\vec{H^{1}}]\to^{1+k_{1}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$, and ${\dot{\mathcal{C}}}[\vec{H^{2}}]\to^{k_{2}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$. We have the following situation, namely the black part of the diagram below.

      \[
      \begin{array}{ccc}
      {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \xrightarrow{\;k_{2}\;} & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}] \\[3pt]
      (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & \boxed{k_{2}\,Q\,(1+k_{1})} & {\color{magenta}(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}} \\[3pt]
      {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \xrightarrow{\;1+k_{1}\;} & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]
      \end{array}
      \]

      The magenta part holds, because the focus of ${\dot{\mathcal{C}^{\prime}}}$ is not the $\lightning$-focus and not entering, and because the states ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$ are rooted. We check the condition (II’) by case analysis on the number $k_{2}$.

      • When $k_{2}>0$, by the determinism of transitions, we have the following diagram, which means the condition (II’) is fulfilled.

        \[
        \begin{array}{ccccc}
        {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \longrightarrow & {\dot{G^{\prime}_{2}}} & \xrightarrow{\;k_{2}-1\;} & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}] \\[3pt]
        (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & & \boxed{k_{2}\,Q\,(1+k_{1})} & & (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} \\[3pt]
        {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \multicolumn{3}{c}{\xrightarrow{\qquad 1+k_{1}\qquad}} & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]
        \end{array}
        \]
      • When $k_{2}=0$, ${\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}]={\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$, and we have the following situation, namely the black part of the diagram below.

        \[
        \begin{array}{ccccc}
        {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \xrightarrow{\;0\;} & {\dot{G_{2}}}={\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}] & \longrightarrow & {\dot{G^{\prime}_{2}}}\,{\color{magenta}={\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 2}}]} \\[3pt]
        (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & \boxed{0\,Q\,(1+k_{1})} & (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & {\color{magenta}\boxed{1\,Q\,1}} & {\color{magenta}(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}} \\[3pt]
        {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \xrightarrow{\;1+k_{1}\;} & {\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}] & {\color{magenta}\longrightarrow} & {\color{magenta}{\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 1}}]}
        \end{array}
        \]

        Because ${\dot{G_{2}}}\to{\dot{G^{\prime}_{2}}}$, and the focus of ${\dot{\mathcal{C}^{\prime}}}$ is the $\checkmark$-focus or the non-entering $?$-focus, by 39(3), there exists a focussed context ${\dot{\mathcal{C}^{\prime\prime}}}$ with a remote focus, such that $|{\dot{\mathcal{C}^{\prime\prime}}}|=|{\dot{\mathcal{C}^{\prime}}}|$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime p}}]\to{\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime p}}]$ for each $p\in\{1,2\}$. By the determinism of transitions, ${\dot{G^{\prime}_{2}}}={\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 2}}]$. Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q$ is a preorder and $1\mathrel{Q}1$. The context ${\dot{\mathcal{C}^{\prime\prime}}}$ satisfies $|{\dot{\mathcal{C}^{\prime\prime}}}|=|{\dot{\mathcal{C}^{\prime}}}|\in\mathbb{C}$, so $({\dot{\mathcal{C}^{\prime\prime}}};\vec{H^{\prime 2}};\vec{H^{\prime 1}})$ is a $\mathbb{C}$-specimen of $\vartriangleleft^{-1}$. The context ${\dot{\mathcal{C}^{\prime\prime}}}$ has a remote focus, and the states ${\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 1}}]$ and ${\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 2}}]$ are both rooted. Therefore, we have ${\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 2}}]\mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}{\dot{\mathcal{C}^{\prime\prime}}}[\vec{H^{\prime 1}}]$. Finally, because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q$ is closed under addition, and hence $1\mathrel{Q}(2+k_{1})$. The condition (II’) is fulfilled.

    • There exist a quasi-$\mathbb{C}$-specimen $({\dot{N_{1}}},{\dot{N_{2}}})$ of $\vartriangleleft$ up to $(\dot{\simeq}_{Q^{\prime}},\dot{\simeq}_{Q^{\prime}})$, whose focus is not the $\lightning$-focus, and two numbers $k_{1},k_{2}\in\mathbb{N}$, such that $(1+k_{1})\mathrel{Q^{-1}}(1+k_{2})$, ${\dot{\mathcal{C}}}[\vec{H^{1}}]\to^{1+k_{1}}{\dot{N_{1}}}$, and ${\dot{\mathcal{C}}}[\vec{H^{2}}]\to^{1+k_{2}}{\dot{N_{2}}}$. By the determinism of transitions, we have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II’) is fulfilled.

      \[
      \begin{array}{ccccc}
      {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \longrightarrow & {\dot{G^{\prime}_{2}}} & \xrightarrow{\;k_{2}\;} & {\dot{N_{2}}} \\[3pt]
      (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & & \boxed{(1+k_{2})\,Q\,(1+k_{1})} & & {\color{magenta}\mathord{\dot{\preceq}_{Q^{\prime}}}\circ(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}\circ\mathord{\dot{\preceq}_{Q^{\prime\prime}}}} \\[3pt]
      {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \multicolumn{3}{c}{\xrightarrow{\qquad 1+k_{1}\qquad}} & {\dot{N_{1}}}
      \end{array}
      \]

      Because $({\dot{N_{1}}},{\dot{N_{2}}})$ is a quasi-$\mathbb{C}$-specimen of $\vartriangleleft$ up to $(\dot{\simeq}_{Q^{\prime}},\dot{\simeq}_{Q^{\prime}})$, and the states ${\dot{N_{1}}}$ and ${\dot{N_{2}}}$ are rooted, there exists a $\mathbb{C}$-specimen $({\dot{\mathcal{C}^{\prime}}};\vec{H^{\prime 1}};\vec{H^{\prime 2}})$ of $\vartriangleleft$ with a non-$\lightning$ focus, such that ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$ and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]$ are also rooted, ${\dot{N_{1}}}\mathrel{\dot{\simeq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]$, and ${\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{\dot{\simeq}}_{Q^{\prime}}{\dot{N_{2}}}$. Because $(Q,Q^{\prime},Q^{\prime\prime})$ is a reasonable triple, $Q^{\prime}\subseteq Q^{\prime\prime}$, and hence $\mathord{\dot{\simeq}_{Q^{\prime}}}\subseteq\mathord{\dot{\simeq}_{Q^{\prime\prime}}}$. Therefore, we have:

      \[
      {\dot{N_{2}}}\mathrel{\dot{\preceq}}_{Q^{\prime}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 2}}]\mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}{\dot{\mathcal{C}^{\prime}}}[\vec{H^{\prime 1}}]\mathrel{\dot{\preceq}}_{Q^{\prime\prime}}{\dot{N_{1}}}.
      \]
  • When the focus is the $\lightning$-focus, ${\dot{G_{2}}}\to{\dot{G^{\prime}_{2}}}$ is a rewrite transition, and by definition of contextual lifting, the focus is not entering in ${\dot{\mathcal{C}}}$. Because $\vartriangleleft^{-1}$ is $(\mathbb{C},Q,Q^{\prime},Q^{\prime\prime})$-robust relative to all rewrite transitions, and ${\dot{G_{1}}}$ and ${\dot{G_{2}}}$ are rooted, we have one of the following two situations, corresponding to (II) and (III) of Section 8.3.

    • There exists a stuck state ${\dot{N}}$ such that ${\dot{G^{\prime}_{2}}}\to^{*}{\dot{N}}$. The condition (I’) is satisfied.

    • There exist a quasi-$\mathbb{C}$-specimen $({\dot{N_{2}}},{\dot{N_{1}}})$ of $\vartriangleleft^{-1}$ up to $(\dot{\preceq}_{Q^{\prime}},\dot{\preceq}_{Q^{\prime\prime}})$, whose focus is not the $\lightning$-focus, and two numbers $k_{2},k_{1}\in\mathbb{N}$, such that $(1+k_{2})\mathrel{Q}k_{1}$, ${\dot{G^{\prime}_{2}}}\to^{k_{2}}{\dot{N_{2}}}$, and ${\dot{G_{1}}}\to^{k_{1}}{\dot{N_{1}}}$. We have the following situation, namely the black part of the diagram below. Showing the magenta part confirms that the condition (II’) is fulfilled.

      \[
      \begin{array}{ccccc}
      {\dot{G_{2}}}={\dot{\mathcal{C}}}[\vec{H^{2}}] & \longrightarrow & {\dot{G^{\prime}_{2}}} & \xrightarrow{\;k_{2}\;} & {\dot{N_{2}}} \\[3pt]
      (\overline{\vartriangleleft}^{\mathbb{C}})^{-1} & & \boxed{(1+k_{2})\,Q\,k_{1}} & & {\color{magenta}\mathord{\dot{\preceq}_{Q^{\prime}}}\circ(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}\circ\mathord{\dot{\preceq}_{Q^{\prime\prime}}}} \\[3pt]
      {\dot{G_{1}}}={\dot{\mathcal{C}}}[\vec{H^{1}}] & \multicolumn{3}{c}{\xrightarrow{\qquad k_{1}\qquad}} & {\dot{N_{1}}}
      \end{array}
      \]

      Because $(\dot{N_2},\dot{N_1})$ is a quasi-$\mathbb{C}$-specimen of $\vartriangleleft^{-1}$ up to $(\dot{\preceq}_{Q'},\dot{\preceq}_{Q''})$, and the states $\dot{N_2}$ and $\dot{N_1}$ are rooted, there exists a $\mathbb{C}$-specimen $(\dot{\mathcal{C}'};\vec{H'^2};\vec{H'^1})$ of $\vartriangleleft^{-1}$ with a non-$\lightning$ focus, such that $\dot{\mathcal{C}'}[\vec{H'^2}]$ and $\dot{\mathcal{C}'}[\vec{H'^1}]$ are also rooted, $\dot{N_2}\mathrel{\dot{\preceq}}_{Q'}\dot{\mathcal{C}'}[\vec{H'^2}]$, and $\dot{\mathcal{C}'}[\vec{H'^1}]\mathrel{\dot{\preceq}}_{Q''}\dot{N_1}$. This means $\dot{\mathcal{C}'}[\vec{H'^2}]\mathrel{\overline{\vartriangleleft^{-1}}^{\mathbb{C}}}\dot{\mathcal{C}'}[\vec{H'^1}]$, and hence:

      $$\dot{N_2}\ \mathrel{\dot{\preceq}}_{Q'}\ \dot{\mathcal{C}'}[\vec{H'^2}]\ \mathrel{(\overline{\vartriangleleft}^{\mathbb{C}})^{-1}}\ \dot{\mathcal{C}'}[\vec{H'^1}]\ \mathrel{\dot{\preceq}}_{Q''}\ \dot{N_1}.$$

Appendix G Sufficient conditions for robustness

A proof of robustness becomes trivial for a specimen whose rewrite token gives a non-rooted state. Thanks to the lemma below, we can show that a state is not rooted by checking paths from the token target.

Definition (Accessible paths).

  • A path of a hypernet is said to be accessible if it consists of edges all of whose sources have type $\star$.

  • An accessible path is called stable if the labels of its edges are all included in $\{\mathsf{I}\}\cup\mathbb{O}_{\checkmark}$.

  • An accessible path is called active if it consists of one active operation edge, possibly followed by a stable path.

Note that box edges and atom edges never appear in an accessible path.

Lemma 41.

If a state has a rewrite token that is not an incoming edge of a contraction edge, and there exists an accessible but not active path from the token target, then the state is not rooted.

Proof G.1.

This is a contraposition of a consequence of 24 and 33(2).
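As an added illustration of the check that Lemma 41 licenses (this is not code from the paper), the following Python encodes a hypernet as typed vertices and labelled hyperedges and searches for an accessible but not active path from the rewrite token's target. The encoding of hypernets and paths, the use of the string `"*"` for the type written $\star$ above, and the assignment of concrete operation labels to the active and passive sets are assumptions made for this example only.

```python
"""Checking the path condition of Lemma 41 on a toy hypernet encoding.

Added illustration for this page, not code from the paper.  The encoding
of hypernets and the operation sets are assumptions, labelled below."""
from dataclasses import dataclass, field

# ASSUMED encoding.  A vertex is a name mapped to a type string; "*" stands
# for the star type of the paper, any other string for another type.  A
# hyperedge has a label, a tuple of source vertices and a tuple of target
# vertices.  A path is a non-empty sequence of edges in which every edge after
# the first has one of the previous edge's targets among its sources.

@dataclass(frozen=True)
class Edge:
    label: str
    sources: tuple
    targets: tuple

@dataclass
class Hypernet:
    vertex_types: dict            # vertex name -> type string
    edges: list = field(default_factory=list)

    def edges_from(self, v):
        return [e for e in self.edges if v in e.sources]

    def is_accessible(self, e):
        # Accessible edge: all of its sources have the star type.
        return all(self.vertex_types[s] == "*" for s in e.sources)

# ASSUMED operation sets: "I" together with the passive operations (the set
# written O with a check mark) give the stable labels; the active operations
# may only appear as the first edge of an active path.
PASSIVE_OPS = {"lambda"}
ACTIVE_OPS = {"@", "ref", "!", ":="}

def is_stable(label):
    return label == "I" or label in PASSIVE_OPS

def has_accessible_non_active_path(net, token_target):
    """Return True if some accessible path from token_target is not active.

    Every prefix of an accessible path is accessible, so it suffices to look
    for the shortest offending prefix: either a first edge that is not an
    active operation, or an accessible non-stable edge reached after the
    active operation through stable edges.  When the rewrite token is not an
    incoming edge of a contraction edge, Lemma 41 then gives that the state
    is not rooted.
    """
    for first in net.edges_from(token_target):
        if not net.is_accessible(first):
            continue
        if first.label not in ACTIVE_OPS:
            return True                      # one-edge accessible path, not active
        stack, seen = list(first.targets), set()
        while stack:                         # follow stable continuations
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            for e in net.edges_from(v):
                if not net.is_accessible(e):
                    continue
                if not is_stable(e.label):
                    return True              # active op, stable ..., then non-stable
                stack.extend(e.targets)
    return False

# Constructed sample states; vertex "a" plays the role of the token's target.
STARS = {"a": "*", "b": "*", "c": "*", "d": "*"}

# An @ edge followed by an I edge: every accessible path is active.
NET_ACTIVE_ONLY = Hypernet(STARS, [Edge("@", ("a",), ("b", "c")),
                                   Edge("I", ("b",), ("d",))])
# The token target sits on an I edge: that one-edge path is accessible, not active.
NET_I_FIRST = Hypernet(STARS, [Edge("I", ("a",), ("b",)),
                               Edge("@", ("b",), ("c", "d"))])
# Two active operations in a row: the path "@ ; !" is accessible but not active.
NET_TWO_ACTIVE = Hypernet(STARS, [Edge("@", ("a",), ("b", "c")),
                                  Edge("!", ("b",), ("d",))])
# The only edge from the target has a non-star source, so no path is accessible.
NET_INACCESSIBLE = Hypernet({**STARS, "n": "name"},
                            [Edge("I", ("a", "n"), ("b",))])

if __name__ == "__main__":
    for name, net in [("active only", NET_ACTIVE_ONLY), ("I first", NET_I_FIRST),
                      ("two active", NET_TWO_ACTIVE), ("inaccessible", NET_INACCESSIBLE)]:
        print(f"{name:13s}: accessible non-active path = "
              f"{has_accessible_non_active_path(net, 'a')}")
```

The search only explores accessible edges, mirroring the definition: an edge with a non-$\star$ source (here the vertex of assumed type `"name"`) is never part of an accessible path, so it can neither witness nor block the condition.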

Checking the condition (III) of robustness (see Section 8.3) involves finding a quasi-$\mathbb{C}$-specimen of $\vartriangleleft$ up to $(\dot{\preceq}_{Q'},\dot{\preceq}_{Q''})$, namely checking the condition (B) of Figure 11(2). The following lemma enables us to use contextual refinement $\preceq^{\mathbb{C}}_{Q'}$ to obtain state refinement $\dot{\preceq}_{Q'}$, via single $\mathbb{C}$-specimens of a certain kind of pre-template $\vartriangleleft$.

Definition. A pre-template $\vartriangleleft$ is a trigger if it satisfies the following:

(A) For any single $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\chi];H^1;H^2)$ of $\vartriangleleft$ such that $\dot{\mathcal{C}}$ has an entering search token, $\dot{\mathcal{C}}[H^p]\to\langle\dot{\mathcal{C}}[H^p]\rangle_{\lightning/?}$ for each $p\in\{1,2\}$.

(B) For any hypernets $H^1\vartriangleleft H^2$, both $H^1$ and $H^2$ are one-way.

Lemma 42.

Let $\mathbb{C}$ be a set of contexts, and $Q'$ be a binary relation on $\mathbb{N}$ such that, for any $k_0,k_1,k_2\in\mathbb{N}$, $(k_0+k_1)\mathrel{Q'}(k_0+k_2)$ implies $k_1\mathrel{Q'}k_2$. Let $\vartriangleleft$ be a pre-template that is a trigger and implies contextual refinement $\preceq^{\mathbb{C}}_{Q'}$. For any single $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\chi];H^1;H^2)$ of $\vartriangleleft$, if compute transitions are all deterministic, and one of the states $\dot{\mathcal{C}}[H^1]$ and $\dot{\mathcal{C}}[H^2]$ is rooted, then the other state is also rooted, and moreover $\dot{\mathcal{C}}[H^1]\mathrel{\dot{\preceq}}_{Q'}\dot{\mathcal{C}}[H^2]$.

Proof G.2.

This is a corollary of Lemma 43(2).

Lemma 43.

Let $\mathbb{C}$ be a set of contexts, and $Q'$ be a binary relation on $\mathbb{N}$ such that, for any $k_0,k_1,k_2\in\mathbb{N}$, $(k_0+k_1)\mathrel{Q'}(k_0+k_2)$ implies $k_1\mathrel{Q'}k_2$. Let $\vartriangleleft$ be a pre-template that is a trigger and implies contextual refinement $\preceq^{\mathbb{C}}_{Q'}$. For any single $\mathbb{C}$-specimen $(\dot{\mathcal{C}}[\chi];H^1;H^2)$ of $\vartriangleleft$, the following holds.

  (1) For any $k\in\mathbb{N}$, $?;|\dot{\mathcal{C}}|[H^1]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^1]$ if and only if $?;|\dot{\mathcal{C}}|[H^2]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^2]$.

  (2) If compute transitions are all deterministic, and one of the states $\dot{\mathcal{C}}[H^1]$ and $\dot{\mathcal{C}}[H^2]$ is rooted, then the other state is also rooted, and moreover $\dot{\mathcal{C}}[H^1]\mathrel{\dot{\preceq}}_{Q'}\dot{\mathcal{C}}[H^2]$.

Proof G.3 (Proof of the point (1)).

Let $(p,q)$ be an arbitrary element of the set $\{(1,2),(2,1)\}$. We prove that, for any $k\in\mathbb{N}$, $?;|\dot{\mathcal{C}}|[H^p]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^p]$ implies $?;|\dot{\mathcal{C}}|[H^q]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^q]$. The proof is by case analysis on the number $k$.

  • When $k=0$, $\dot{\mathcal{C}}[H^p]$ is initial, and by 39(1), $\dot{\mathcal{C}}[H^q]$ is also initial. Note that $\vartriangleleft$ is a trigger and hence output-closed.

  • When $k>0$, by the following internal lemma, taken with $m=k$, $?;|\dot{\mathcal{C}}|[H^q]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^q]$ follows from $?;|\dot{\mathcal{C}}|[H^p]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^p]$.

    Lemma 44.

    For any $m\in\{0,\ldots,k\}$, there exists a focussed context $\dot{\mathcal{C}'}[\chi]$ such that $|\dot{\mathcal{C}'}|=|\dot{\mathcal{C}}|$ and the following holds:

    $$?;|\dot{\mathcal{C}}|[H^p]\ \overset{\bullet}{\to}^{m}\ \dot{\mathcal{C}'}[H^p]\ \overset{\bullet}{\to}^{k-m}\ \dot{\mathcal{C}}[H^p],$$
    $$?;|\dot{\mathcal{C}}|[H^q]\ \overset{\bullet}{\to}^{m}\ \dot{\mathcal{C}'}[H^q].$$
    Proof G.4.

    By induction on $m$. In the base case, when $m=0$, we can take $?;|\dot{\mathcal{C}}|$ as $\dot{\mathcal{C}'}$.

    In the inductive case, when $m>0$, by the induction hypothesis there exists a focussed context $\dot{\mathcal{C}'}[\chi]$ such that $|\dot{\mathcal{C}'}|=|\dot{\mathcal{C}}|$ and the following holds:

    $$?;|\dot{\mathcal{C}}|[H^p]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^p]\ \overset{\bullet}{\to}^{k-m+1}\ \dot{\mathcal{C}}[H^p],$$
    $$?;|\dot{\mathcal{C}}|[H^q]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^q].$$

    Because $|\dot{\mathcal{C}'}|=|\dot{\mathcal{C}}|\in\mathbb{C}$, $(\dot{\mathcal{C}'};H^1;H^2)$ is a single $\mathbb{C}$-specimen of $\vartriangleleft$, which yields rooted states. Because $k-m+1>0$, $\dot{\mathcal{C}'}$ cannot have a rewrite token. The rest of the proof is by case analysis on the token of $\dot{\mathcal{C}'}$.

    • When $\dot{\mathcal{C}'}$ has an entering search token, because $\vartriangleleft$ is a trigger, $\dot{\mathcal{C}'}[H^r]\to\langle\dot{\mathcal{C}'}[H^r]\rangle_{\lightning/?}$ for each $r\in\{p,q\}$. Because $\langle\dot{\mathcal{C}'}[H^r]\rangle_{\lightning/?}=\langle\dot{\mathcal{C}'}\rangle_{\lightning/?}[H^r]$, and search transitions are deterministic, we have the following:

      $$?;|\dot{\mathcal{C}}|[H^p]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^p]\ \overset{\bullet}{\to}\ \langle\dot{\mathcal{C}'}\rangle_{\lightning/?}[H^p]\ \overset{\bullet}{\to}^{k-m}\ \dot{\mathcal{C}}[H^p],$$
      $$?;|\dot{\mathcal{C}}|[H^q]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^q]\ \overset{\bullet}{\to}\ \langle\dot{\mathcal{C}'}\rangle_{\lightning/?}[H^q].$$

      We also have $|\langle\dot{\mathcal{C}'}\rangle_{\lightning/?}|=|\dot{\mathcal{C}'}|=|\dot{\mathcal{C}}|$.

    • When $\dot{\mathcal{C}'}$ has a value token, or a non-entering search token, because $\vartriangleleft$ is output-closed, by 39(3) there exists a focussed context $\dot{\mathcal{C}''}$ such that $|\dot{\mathcal{C}''}|=|\dot{\mathcal{C}'}|$ and $\dot{\mathcal{C}'}[H^r]\to\dot{\mathcal{C}''}[H^r]$ for each $r\in\{p,q\}$. Each transition $\dot{\mathcal{C}'}[H^r]\to\dot{\mathcal{C}''}[H^r]$, for $r\in\{p,q\}$, is a search transition, and by the determinism of search transitions we have the following:

      $$?;|\dot{\mathcal{C}}|[H^p]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^p]\ \overset{\bullet}{\to}\ \dot{\mathcal{C}''}[H^p]\ \overset{\bullet}{\to}^{k-m}\ \dot{\mathcal{C}}[H^p],$$
      $$?;|\dot{\mathcal{C}}|[H^q]\ \overset{\bullet}{\to}^{m-1}\ \dot{\mathcal{C}'}[H^q]\ \overset{\bullet}{\to}\ \dot{\mathcal{C}''}[H^q].$$
Proof G.5 (Proof of the point (2)).

If one of the states $\dot{\mathcal{C}}[H^1]$ and $\dot{\mathcal{C}}[H^2]$ is rooted, by the point (1) the other state is also rooted, and moreover there exists $k\in\mathbb{N}$ such that $?;|\dot{\mathcal{C}}|[H^r]\overset{\bullet}{\to}^{k}\dot{\mathcal{C}}[H^r]$ for each $r\in\{1,2\}$.

Our goal is to prove that, for any $k_1\in\mathbb{N}$ and any final state $\dot{N_1}$ such that $\dot{\mathcal{C}}[H^1]\to^{k_1}\dot{N_1}$, there exist $k_2\in\mathbb{N}$ and a final state $\dot{N_2}$ such that $k_1\mathrel{Q'}k_2$ and $\dot{\mathcal{C}}[H^2]\to^{k_2}\dot{N_2}$. Assuming $\dot{\mathcal{C}}[H^1]\to^{k_1}\dot{N_1}$, we have the following:

$$?;|\dot{\mathcal{C}}|[H^1]\ \overset{\bullet}{\to}^{k}\ \dot{\mathcal{C}}[H^1]\ \to^{k_1}\ \dot{N_1},$$
$$?;|\dot{\mathcal{C}}|[H^2]\ \overset{\bullet}{\to}^{k}\ \dot{\mathcal{C}}[H^2].$$

Because $\vartriangleleft$ implies contextual refinement $\preceq^{\mathbb{C}}_{Q'}$, and $|\dot{\mathcal{C}}|\in\mathbb{C}$, we have the state refinement $?;|\dot{\mathcal{C}}|[H^1]\mathrel{\dot{\preceq}}_{Q'}?;|\dot{\mathcal{C}}|[H^2]$. Therefore, there exist $l_2\in\mathbb{N}$ and a final state $\dot{N_2}$ such that $(k+k_1)\mathrel{Q'}l_2$ and $?;|\dot{\mathcal{C}}|[H^2]\to^{l_2}\dot{N_2}$.

The assumption that compute transitions are all deterministic implies that all transitions, including intrinsic ones, are deterministic. The run from $?;|\dot{\mathcal{C}}|[H^2]$ is therefore unique and passes through $\dot{\mathcal{C}}[H^2]$ after $k$ steps, so the final state $\dot{N_2}$ can only be reached at or after that point. It follows that $l_2\geq k$ and that:

$$?;|\dot{\mathcal{C}}|[H^1]\ \overset{\bullet}{\to}^{k}\ \dot{\mathcal{C}}[H^1]\ \to^{k_1}\ \dot{N_1},$$
$$?;|\dot{\mathcal{C}}|[H^2]\ \overset{\bullet}{\to}^{k}\ \dot{\mathcal{C}}[H^2]\ \to^{l_2-k}\ \dot{N_2}.$$

By the assumption on $Q'$, $(k+k_1)\mathrel{Q'}l_2$ implies $k_1\mathrel{Q'}(l_2-k)$, so taking $k_2=l_2-k$ completes the proof.

Appendix H Local rewrite rules and transfer properties

The sufficiency-of-robustness theorem reduces a proof of an observational equivalence down to establishing robust templates. As illustrated in Section 12, this typically boils down to checking input-safety of pre-templates, and checking robustness of pre-templates relative to rewrite transitions.

The key part of checking input-safety or robustness of a pre-template is to analyse how a rewrite transition involves edges (at any depth) of a state that are contributed by the pre-template. In this section, we focus on rewrite transitions that are locally specified by means of the contraction rules or rewrite rules (e.g. the micro-beta rewrite rules), and identify some situations in which these transitions involve the edges contributed by a pre-template in a safe manner. These situations can be formalised for arbitrary instances of the universal abstract machine, including the particular instance $\mathcal{U}(\mathbb{O}^{\mathrm{ex}},B_{\mathbb{O}^{\mathrm{ex}}})$ that is used in Section 12 to prove the Parametricity law.

This section proceeds as follows. Firstly, Appendix H.1 formalises the safe involvement in terms of transfer properties. Appendix H.2 establishes transfer properties for the particular pre-templates and local rewrite rules used in Section 12 to prove the Parametricity law. Finally, Appendix H.3 demonstrates the use of the transfer properties, by providing details of checking input-safety and robustness to prove the Parametricity law.

H.1. Transfer properties

We refer to the contraction rules which locally specify copy transitions, and rewrite rules that locally specify rewrite transitions for active operations, altogether as \lightning-rules. To analyse how a \lightning-rule involves edges contributed by a pre-template, one would first need to check all possible overlaps between the local rule and the edges, and then observe how these overlaps are affected by application of the local rule. We identify safe involvement of the pre-template in the \lightning-rule, as the situation where the overlaps get only eliminated or duplicated without any internal modification.

We will first formalise safe involvement for a single application of \lightning-rules, and then for a pair of applications of \lightning-rules. The latter can capture safe involvement of edges contributed by a pre-template, which can be exploited to check input-safety and robustness of pre-templates.

Notation H.0.

Let $m\in\mathbb{N}$ and $m'\in\mathbb{N}$. Given a sequence $\vec{x}=x_1,\ldots,x_m$ of length $m$ and a function $f\colon\{1,\ldots,m'\}\to\{1,\ldots,m\}$, the sequence $f(\vec{x})=x'_1,\ldots,x'_{m'}$ of length $m'$ is given by $x'_j=x_{f(j)}$ for each $j\in\{1,\ldots,m'\}$.

Definition (Transfer of hypernets).

Let $\mathbb{C}$ and $\mathbb{C}'$ be two sets of focus-free contexts, and $\mathbb{H}$ be a set of focus-free hypernets. A $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ of a universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ transfers $\mathbb{H}$ from $\mathbb{C}$ to $\mathbb{C}'$ if, for any $m\in\mathbb{N}$, any focussed context $\dot{\mathcal{C}}[\chi_1,\ldots,\chi_m]$ such that $|\dot{\mathcal{C}}|\in\mathbb{C}$, and any $m$ focus-free hypernets $G_i\in\mathbb{H}$ ($i\in\{1,\ldots,m\}$) such that $\dot{N}=\dot{\mathcal{C}}[G_1,\ldots,G_m]$, there exist some $m'\in\mathbb{N}$, some focussed context $\dot{\mathcal{C}'}[\chi'_1,\ldots,\chi'_{m'}]$, and some function $f\colon\{1,\ldots,m'\}\to\{1,\ldots,m\}$ such that the following hold.

  • $|\dot{\mathcal{C}'}|\in\mathbb{C}'$.

  • $\dot{N'}=\dot{\mathcal{C}'}[f(G_1,\ldots,G_m)]$.

  • $\dot{\mathcal{C}}[H_1,\ldots,H_m]\mapsto\dot{\mathcal{C}'}[f(H_1,\ldots,H_m)]$ is a $\lightning$-rule, for any $m$ focus-free hypernets $H_i\in\mathbb{H}$ ($i\in\{1,\ldots,m\}$).

This transfer property enjoys monotonicity in the following sense: if a $\lightning$-rule transfers $\mathbb{H}$ from $\mathbb{C}$ to $\mathbb{C}'$, and $\mathbb{C}'\subseteq\mathbb{C}''$, then the $\lightning$-rule transfers $\mathbb{H}$ from $\mathbb{C}$ to $\mathbb{C}''$ as well. If a $\lightning$-rule transfers $\mathbb{H}$ from $\mathbb{C}$ to the same $\mathbb{C}$, we say the $\lightning$-rule preserves $\mathbb{H}$ in $\mathbb{C}$.

Given an operation set $\mathbb{O}$, we will be particularly interested in the following sets of hypernets and contexts for $\mathbb{O}$, some of which have already been introduced elsewhere: the set $\mathbb{H}_{\mathbb{O}}$ of all focus-free hypernets, the set $\mathbb{H}_{\otimes}$ of contraction trees, the set $\mathbb{C}_{\mathbb{O}}$ of all focus-free contexts, the set $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ of all binding-free contexts, and the set $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ of all deep contexts, i.e. focus-free contexts whose holes are all deep.

Example (Transfer/preservation of hypernets in contexts).

  • When a $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ preserves $\mathbb{H}_{\mathbb{O}}$ in $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, any deep edge of $\dot{N}$ also appears as a deep edge in $\dot{N'}$, and it also retains its neighbours. This is trivially the case if the $\lightning$-rule involves no box edges (and hence no deep edges) at all. It is also the case if the $\lightning$-rule only eliminates or duplicates box edges without modifying deep edges. The contraction rules are an example of duplicating boxes.

  • Preservation of deep edges can be restricted to binding-free positions, which are specified by binding-free contexts. When a $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ preserves $\mathbb{H}_{\mathbb{O}}$ in $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}\cap\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, any deep edge of $\dot{N}$ in a binding-free position also appears as a deep edge in a binding-free position in $\dot{N'}$.

  • When a $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ transfers $\mathbb{H}_{\mathbb{O}}$ from $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ to $\mathbb{C}_{\mathbb{O}}$, any deep edge of $\dot{N}$ also appears as an edge in $\dot{N'}$, retaining its neighbours, but not necessarily as a deep edge. This is preservation of deep edges in a weak sense. It is the case when a $\lightning$-rule replaces a box edge with its contents, turning some deep edges into shallow edges without modifying their connections. The micro-beta rewrite rules are an example of this situation.

  • When a $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ preserves $\mathbb{H}_{\otimes}$ in $\mathbb{C}_{\mathbb{O}}$, any contraction tree in $\dot{N}$ also appears in $\dot{N'}$. The contraction rules are designed to satisfy this preservation property. ∎

Definition (Transfer of (rooted) specimens).

Let $\mathbb{C}$ and $\mathbb{C}'$ be two sets of focus-free contexts, and $\vartriangleleft$ be a pre-template.

  • A $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ of a universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$ transfers specimens of $\vartriangleleft$ from $\mathbb{C}$ to $\mathbb{C}'$ if, for any $\mathbb{C}$-specimen of the form $(\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}_2}[\vec{\chi''}]];\vec{G'},\vec{G''};\vec{H'},\vec{H''})$ such that $\dot{N}=\dot{\mathcal{C}_2}[\vec{G''}]$, there exist some focussed context $\dot{\mathcal{C}'_2}$ and two sequences $\vec{G'''}$ and $\vec{H'''}$ of focus-free hypernets such that the following hold.

    • $\dot{N'}=\dot{\mathcal{C}'_2}[\vec{G'''}]$.

    • $\dot{\mathcal{C}_2}[\vec{H''}]\mapsto\dot{\mathcal{C}'_2}[\vec{H'''}]$ is a $\lightning$-rule.

    • $(\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}'_2}];\vec{G'},\vec{G'''};\vec{H'},\vec{H'''})$ is a $\mathbb{C}'$-specimen of $\vartriangleleft$.

  • The $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ is said to transfer rooted specimens of $\vartriangleleft$ from $\mathbb{C}$ to $\mathbb{C}'$ if, in the above definition, the $\mathbb{C}$-specimen $(\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}_2}[\vec{\chi''}]];\vec{G'},\vec{G''};\vec{H'},\vec{H''})$ is restricted to yield two rooted states $\mathcal{C}_1[\vec{G'},\dot{\mathcal{C}_2}[\vec{G''}]]$ and $\mathcal{C}_1[\vec{H'},\dot{\mathcal{C}_2}[\vec{H''}]]$.

If a $\lightning$-rule transfers specimens of $\vartriangleleft$ from $\mathbb{C}$ to the same $\mathbb{C}$, we say the $\lightning$-rule preserves specimens of $\vartriangleleft$ in $\mathbb{C}$.

We can prove that certain transfer properties of hypernets imply the corresponding transfer properties of specimens, as stated in Proposition 45 below. These are primarily transfer of deep edges, and preservation of contraction trees. Proposition 45 simplifies part of establishing input-safety and robustness of a pre-template, because it enables us to analyse a single application of a $\lightning$-rule on a state, instead of a pair of applications of a $\lightning$-rule on the two states induced by a specimen of the pre-template.

Definition (Root-focussed $\lightning$-rules).

A $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ is said to be root-focussed if it satisfies the following.

  • $\dot{N}$ has only one input.

  • $\dot{N}=\lightning;|\dot{N}|$ holds, i.e. the sole input of $\dot{N}$ coincides with the source of the token.

  • Every output of $\dot{N}$ is reachable from the sole input of $\dot{N}$.

Proposition 45.

For any $\lightning$-rule $\dot{N}\mapsto\dot{N'}$ of a universal abstract machine $\mathcal{U}(\mathbb{O},B_{\mathbb{O}})$, the following holds.

  (1) If it transfers $\mathbb{H}_{\mathbb{O}}$ from $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ to $\mathbb{C}_{\mathbb{O}}$, it transfers specimens of any pre-template $\vartriangleleft$ from $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ to $\mathbb{C}_{\mathbb{O}}$.

  (2) If it preserves $\mathbb{H}_{\mathbb{O}}$ in $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}\cap\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, it preserves specimens of any pre-template $\vartriangleleft$ in $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}\cap\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

  (3) If it is root-focussed and transfers $\mathbb{H}_{\mathbb{O}}$ from $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}\cap\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ to $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, it transfers rooted specimens of any output-closed pre-template $\vartriangleleft$ from $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}\cap\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ to $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

  (4) If it preserves $\mathbb{H}_{\otimes}$ in $\mathbb{C}_{\mathbb{O}}$, it preserves specimens of any pre-template $\mathord{\vartriangleleft}\subseteq\mathbb{H}_{\otimes}\times\mathbb{H}_{\otimes}$, i.e. any pre-template on contraction trees, in $\mathbb{C}_{\mathbb{O}}$.

Proof H.1 (Proof of the point (1)).

We take an arbitrary $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$-specimen of the form

$$(\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}_2}[\vec{\chi''}]];\vec{G'},\vec{G''};\vec{H'},\vec{H''})$$

of the pre-template $\vartriangleleft$, such that $\dot{N}=\dot{\mathcal{C}_2}[\vec{G''}]$. Because the context $\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}_2}[\vec{\chi''}]]$ of the specimen must be focussed, the token in the context is shallow. This means that the hole labelled with $\chi$ in the context $\mathcal{C}_1[\vec{\chi'},\chi]$ must be shallow. On the other hand, the specimen satisfies $|\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}_2}]|\in\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, and hence $\mathcal{C}_1[\vec{\chi'},|\dot{\mathcal{C}_2}|]\in\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$. As a consequence, we have $|\dot{\mathcal{C}_2}|\in\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$. Now, by the assumption, there exist some focussed context $\dot{\mathcal{C}'_2}$ and some function $f$ such that $|\dot{\mathcal{C}'_2}|\in\mathbb{C}_{\mathbb{O}}$ and $\dot{N'}=\dot{\mathcal{C}'_2}[f(\vec{G''})]$ hold, and moreover $\dot{\mathcal{C}_2}[\vec{H''}]\mapsto\dot{\mathcal{C}'_2}[f(\vec{H''})]$ is also a $\lightning$-rule. We obtain a triple $(\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}'_2}];\vec{G'},f(\vec{G''});\vec{H'},f(\vec{H''}))$. It satisfies $|\mathcal{C}_1[\vec{\chi'},\dot{\mathcal{C}'_2}]|\in\mathbb{C}_{\mathbb{O}}$, and is a $\mathbb{C}_{\mathbb{O}}$-specimen of the pre-template $\vartriangleleft$.

Proof H.2 (Proof of the point (2)).

We take an arbitrary $(\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}})$-specimen of the form

$$(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}[\vec{\chi''}]]; \vec{G'}, \vec{G''}; \vec{H'}, \vec{H''})$$

of the pre-template $\vartriangleleft$, such that $\dot{N} = \dot{\mathcal{C}_2}[\vec{G''}]$.

We first check that $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ follows from $|\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, as follows.

  • Because the context $\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]$ must be focussed, the token in the context is shallow. This means that the hole labelled with $\chi$ in the context $\mathcal{C}_1[\vec{\chi'}, \chi]$ must be shallow. This, combined with $|\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]| = \mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, implies $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$.

  • If the context $|\dot{\mathcal{C}_2}|$ contains a path that makes it not binding-free, the path is also a path in the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|]$ and makes that context not binding-free. Therefore, because $|\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]| = \mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ holds, the context $|\dot{\mathcal{C}_2}|$ has no path that makes it not binding-free. This means $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

By the assumption, there exist some focussed context $\dot{\mathcal{C}'_2}$ and some function $f$, such that $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ and $\dot{N'} = \dot{\mathcal{C}'_2}[f(\vec{G''})]$ hold, and moreover, $\dot{\mathcal{C}_2}[\vec{H''}] \mapsto \dot{\mathcal{C}'_2}[f(\vec{H''})]$ is also a $\lightning$-rule. We obtain a triple $(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}'_2}]; \vec{G'}, f(\vec{G''}); \vec{H'}, f(\vec{H''}))$.

To conclude the proof, it suffices to prove that this triple is a $(\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}})$-specimen of the pre-template $\vartriangleleft$, which boils down to showing $|\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}'_2}]| = \mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

We first prove $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$. Because $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ holds, the holes labelled with $\vec{\chi'}$ of the context $\mathcal{C}_1$ must all be deep. This, together with $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, implies $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$.

We then prove $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ by contradiction, which concludes the whole proof. Assume that the context is not binding-free. It then has a path $P$ from a source of an edge $e$ that is either a contraction edge, an atom edge, a box edge or a hole edge, to a source of an edge $e'$ that is a hole edge. Thanks to $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$ and $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, the hole edge $e'$ of the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ must be deep. We infer a contradiction by case analysis on the hole edge $e'$. There are two cases.

  • One case is when the edge $e'$ of the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ comes from the context $\mathcal{C}_1$. In this case, the edge $e'$ is one of the deep hole edges labelled with $\vec{\chi'}$. This means that the path $P$ in the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ must consist of deep edges only, and these deep edges, together with the edge $e'$, must be contained in a box of the context $\mathcal{C}_1$. Therefore the path $P$ is also a path in the context $\mathcal{C}_1$, and it makes the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|]$ not binding-free. This contradicts $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

  • The other case is when the edge $e'$ of the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ comes from the context $|\dot{\mathcal{C}'_2}|$. In this case, the edge $e'$ is a hole edge of the context $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, and hence a deep edge. This means that the path $P$ is also a path in the context $|\dot{\mathcal{C}'_2}|$, consisting of deep edges only. The path $P$ therefore makes the context $|\dot{\mathcal{C}'_2}|$ not binding-free, which contradicts $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

Proof H.3 (Proof of the point (3)).

We take an arbitrary $(\mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}})$-specimen of the form

$$(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}[\vec{\chi''}]]; \vec{G'}, \vec{G''}; \vec{H'}, \vec{H''})$$

of the pre-template $\vartriangleleft$, such that $\dot{N} = \dot{\mathcal{C}_2}[\vec{G''}]$ holds, and the two states $\mathcal{C}_1[\vec{G'}, \dot{\mathcal{C}_2}[\vec{G''}]]$ and $\mathcal{C}_1[\vec{H'}, \dot{\mathcal{C}_2}[\vec{H''}]]$ are both rooted.

We can first check $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, in the same way as in the proof of the point (2). By the assumption, there exist some focussed context $\dot{\mathcal{C}'_2}$ and some function $f$, such that $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$ and $\dot{N'} = \dot{\mathcal{C}'_2}[f(\vec{G''})]$ hold, and moreover, $\dot{\mathcal{C}_2}[\vec{H''}] \mapsto \dot{\mathcal{C}'_2}[f(\vec{H''})]$ is also a $\lightning$-rule. We obtain a triple $(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}'_2}]; \vec{G'}, f(\vec{G''}); \vec{H'}, f(\vec{H''}))$.

To conclude the proof, it suffices to prove that this triple is a $\mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$-specimen of the pre-template $\vartriangleleft$, which boils down to showing $|\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}'_2}]| = \mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$. We prove this by contradiction, as follows.

Assume that the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ is not binding-free. It then has a path $P$ from a source of an edge $e$ that is either a contraction edge, an atom edge, a box edge or a hole edge, to a source of an edge $e'$ that is a hole edge. We infer a contradiction by case analysis on the edge $e'$. There are two cases.

  • One case is when the edge $e'$ of the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ comes from the context $\mathcal{C}_1$. In this case, the edge $e'$ is one of the hole edges labelled with $\vec{\chi'}$. Because of $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, the hole edge $e'$ must be deep. This means that the path $P$ must consist of deep edges contained in a box of the context $\mathcal{C}_1$. The path is therefore a path in the context $\mathcal{C}_1$, and also in the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|]$. This means $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}_2}|] \notin \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$, which is a contradiction.

  • The other case is when the edge $e'$ of the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ comes from the context $|\dot{\mathcal{C}'_2}|$. In this case, we infer a contradiction by further case analysis on the edge $e$ and the path $P$. There are three sub-cases.

    • The first sub-case is when the edge $e$ comes from the context $|\dot{\mathcal{C}'_2}|$ and $P$ is a path in that context. In this case, the path $P$ makes the context $|\dot{\mathcal{C}'_2}|$ not binding-free, which contradicts $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{bf}}$.

    • The second sub-case is when the edge $e$ comes from the context $|\dot{\mathcal{C}'_2}|$ but $P$ does not give a single path in that context. In this case, the edges $e$ and $e'$ both come from the context $|\dot{\mathcal{C}'_2}|$, but $P$ is a valid path only in the whole context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$; that is, $P$ leaves $|\dot{\mathcal{C}'_2}|$ through one of its outputs and re-enters it through one of its inputs. This means that, in the context $\mathcal{C}_1[\vec{\chi'}, \chi]$, a source of the hole edge labelled with $\chi$ is reachable from a target of the same hole edge.

      Because the $\lightning$-rule $\dot{\mathcal{C}_2}[\vec{G''}] \mapsto \dot{\mathcal{C}'_2}[f(\vec{G''})]$ is root-focussed, the focussed hypernet $\dot{\mathcal{C}_2}[\vec{G''}]$ has only one input, the input coincides with the source of the token, and every output of the hypernet is reachable from the sole input. Moreover, because of $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, the same holds for the focussed context $\dot{\mathcal{C}_2}$ too, namely: the context has only one input, the input coincides with the source of the token, and every output of the context is reachable from the sole input.

      As a consequence, in the focussed context $\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]$, the token source is reachable from itself, via a cyclic path that contains some edges coming from the context $\dot{\mathcal{C}_2}$, including the token edge. This path is not an operation path. Therefore, by 26(3), at least one of the states $\mathcal{C}_1[\vec{G'}, \dot{\mathcal{C}_2}[\vec{G''}]]$ and $\mathcal{C}_1[\vec{H'}, \dot{\mathcal{C}_2}[\vec{H''}]]$ is not rooted. This is a contradiction.

    • The last sub-case is when the edge $e$ comes from the context $\mathcal{C}_1$. Recall that the edge $e'$ comes from the context $|\dot{\mathcal{C}'_2}|$. In this case, the path $P$ in the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$ has a prefix that gives a path $P'$ in the context $\mathcal{C}_1[\vec{\chi'}, \chi]$, from the same source of the edge $e$ as the path $P$, to a source of the hole edge labelled with $\chi$. Because the path $P'$ is a part of the path $P$ in the context $\mathcal{C}_1[\vec{\chi'}, |\dot{\mathcal{C}'_2}|]$, the path $P'$ in the context $\mathcal{C}_1[\vec{\chi'}, \chi]$ does not itself contain the hole edge labelled with $\chi$.

      Because the $\lightning$-rule $\dot{\mathcal{C}_2}[\vec{G''}] \mapsto \dot{\mathcal{C}'_2}[f(\vec{G''})]$ is root-focussed, the focussed hypernet $\dot{\mathcal{C}_2}[\vec{G''}]$ has only one input, and the input coincides with the source of the token. Moreover, because of $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}\text{-}\mathrm{dp}}$, the same holds for the focussed context $\dot{\mathcal{C}_2}$ too, namely: the context has only one input, and the input coincides with the source of the token.

      As a consequence, the path $P'$ in turn gives a path in the focussed context $\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}]$, from the same source of the edge $e$ as the path $P$, to the source of the token. The first edge $e$ of this path is not an operation edge, and therefore the path is not an operation path. By 26(3), at least one of the states $\mathcal{C}_1[\vec{G'}, \dot{\mathcal{C}_2}[\vec{G''}]]$ and $\mathcal{C}_1[\vec{H'}, \dot{\mathcal{C}_2}[\vec{H''}]]$ is not rooted. This is a contradiction.

Proof H.4 (Proof of the point (4)).

We take an arbitrary $\mathbb{C}_{\mathbb{O}}$-specimen of the form

$$(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}_2}[\vec{\chi''}]]; \vec{G'}, \vec{G''}; \vec{H'}, \vec{H''})$$

of the pre-template $\mathord{\vartriangleleft} \subseteq \mathbb{H}_{\otimes} \times \mathbb{H}_{\otimes}$, such that $\dot{N} = \dot{\mathcal{C}_2}[\vec{G''}]$. All the hypernets in $\vec{G'}, \vec{G''}, \vec{H'}, \vec{H''}$ are elements of $\mathbb{H}_{\otimes}$, i.e. contraction trees. It trivially holds that $|\dot{\mathcal{C}_2}| \in \mathbb{C}_{\mathbb{O}}$. Therefore, by the assumption, there exist some focussed context $\dot{\mathcal{C}'_2}$ and some function $f$, such that $|\dot{\mathcal{C}'_2}| \in \mathbb{C}_{\mathbb{O}}$ and $\dot{N'} = \dot{\mathcal{C}'_2}[f(\vec{G''})]$ hold, and moreover, $\dot{\mathcal{C}_2}[\vec{H''}] \mapsto \dot{\mathcal{C}'_2}[f(\vec{H''})]$ is also a $\lightning$-rule. We obtain a triple $(\mathcal{C}_1[\vec{\chi'}, \dot{\mathcal{C}'_2}]; \vec{G'}, f(\vec{G''}); \vec{H'}, f(\vec{H''}))$, and this is a $\mathbb{C}_{\mathbb{O}}$-specimen of the pre-template $\vartriangleleft$.

H.2. Transfer properties for the Parametricity law

We can now establish transfer properties of deep edges and contraction trees for the particular machine $\mathcal{U}(\mathbb{O}^{\mathrm{ex}}, B_{\mathbb{O}^{\mathrm{ex}}})$ which is used to prove the Parametricity law.

Proposition 46.

The universal abstract machine $\mathcal{U}(\mathbb{O}^{\mathrm{ex}}, B_{\mathbb{O}^{\mathrm{ex}}})$ satisfies the following.

  (1) The contraction rules and all rewrite rules transfer $\mathbb{H}_{\mathbb{O}^{\mathrm{ex}}}$ from $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}}$ to $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$.

  (2) The contraction rules, and all rewrite rules except for the micro-beta rewrite rules, preserve $\mathbb{H}_{\mathbb{O}^{\mathrm{ex}}}$ in $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$.

  (3) The micro-beta rewrite rules transfer $\mathbb{H}_{\mathbb{O}^{\mathrm{ex}}}$ from $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ to $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$.

  (4) The contraction rules and all rewrite rules preserve $\mathbb{H}_{\otimes}$ in $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$.

Proof H.5 (Sketch of the proof).

We can prove the four points by analysing each $\lightning$-rule, i.e. each contraction rule or local rewrite rule for an active operation, of the universal abstract machine $\mathcal{U}(\mathbb{O}^{\mathrm{ex}}, B_{\mathbb{O}^{\mathrm{ex}}})$.

Firstly, the only way in which a contraction rule involves deep edges is to have them inside the hypernet to be duplicated ($H$ in Figure 17). The deep edges and their connection are all preserved, and replacing these edges with arbitrary deep edges still enables the contraction rule. The point (1) therefore holds. Additionally, any path to a source of a deep edge must consist of deep edges only, and if such a path appears in the result $\dot{N'}$ of a contraction rule $\dot{N} \mapsto \dot{N'}$, the path necessarily appears in the original hypernet $\dot{N}$ too. Therefore, if the contraction rule moved deep edges out of binding-free positions, these edges could not have been at binding-free positions beforehand. This is a contradiction, and the point (2) holds. As for contraction trees, whenever a contraction rule involves a contraction tree, the tree is either deep and gets duplicated, or shallow and left unmodified. Replacing the contraction tree with another contraction tree still enables the contraction rule that duplicates the same hypernet. The point (4) therefore holds.

Secondly, we analyse the micro-beta rewrite rules. Whenever deep edges are involved in a micro-beta rewrite rule, they must be inside the box edge that gets opened (i.e. $G$ in Figure 10b). These deep edges may be turned into shallow edges, but their connection is unchanged. The difference of deep edges does not affect application of the rule, and hence the point (1) holds. If these deep edges are at binding-free positions, they remain at binding-free positions after applying the micro-beta rewrite rule, for a similar reason as for the contraction rules. The point (3) therefore holds. As for contraction trees, the only way in which contraction trees get involved in a micro-beta rewrite rule is for them to be deep. The point (4) thus reduces to the point (1) for micro-beta rewrite rules.

The rest of the local rewrite rules involve no deep edges at all, and therefore the points (1) and (2) trivially hold. These rules either involve no contraction trees, or involve shallow contraction trees without any modification. The difference of contraction trees does not affect application of the rules. The point (4) therefore holds.

Corollary 47.

In the universal abstract machine $\mathcal{U}(\mathbb{O}^{\mathrm{ex}}, B_{\mathbb{O}^{\mathrm{ex}}})$, the contraction rules and all rewrite rules satisfy the following.

  (1) The rules transfer specimens of any pre-template $\vartriangleleft$ from $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}}$ to $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$.

  (2) The rules transfer rooted specimens of any output-closed pre-template $\vartriangleleft$ from $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ to $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$.

  (3) The rules preserve specimens of any pre-template $\mathord{\vartriangleleft} \subseteq \mathbb{H}_{\otimes} \times \mathbb{H}_{\otimes}$, i.e. any pre-template on contraction trees, in $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$.

Proof H.6.

This is a consequence of 46 and 45, noting that the micro-beta rewrite rules are root-focussed, and that preserving in $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ implies transferring from $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{dp}} \cap \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ to $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$.

H.3. Input-safety and robustness for the Parametricity law

Figure 24. Triggers, where $k \in \mathbb{N}$ (the figure's images are not reproduced in this conversion)

\begin{tabular}{llll}
trigger & dependency & implication of $H_1 \vartriangleleft H_2$ & used for \\
\hline
$\vartriangleleft^{1}$ & $\vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Comm}}$ & $H_1 \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} H_2$ & $\vartriangleleft^{\otimes}$ \\
$\vartriangleleft^{2}$ & $\vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Comm}}$ & $H_1 \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} H_2$ & $\vartriangleleft^{\otimes}$ \\
$\vartriangleleft^{3}$ & $\vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Comm}}, \vartriangleleft^{\otimes\mathrm{Idem}}$ & $H_1 \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} H_2$ & $\vartriangleleft^{\mathrm{BPullC}}$ \\
$\vartriangleleft^{4}$ & $\vartriangleleft^{\otimes\mathrm{Idem}}$ & $H_1 \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} H_2$ & $\vartriangleleft^{\mathrm{BPullW}}$ \\
$\vartriangleleft^{6}$ & $\vartriangleleft^{\otimes\mathrm{Assoc}}, \vartriangleleft^{\otimes\mathrm{Idem}}, \vartriangleleft^{\mathrm{GC}}$ & $H_1 \simeq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{=_{\mathbb{N}}} H_2$ & $\vartriangleleft^{\mathrm{Param}}$ \\
$\vartriangleleft^{9}$ & $\vartriangleleft^{\otimes}, \vartriangleleft^{\mathrm{GC}}$ & $H_1 \preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\geq_{\mathbb{N}}} H_2,\enspace H_2 \preceq^{\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}}_{\leq_{\mathbb{N}}} H_1$ & $\vartriangleleft^{\mathrm{Param}}$ \\
\end{tabular}

Table 5. Triggers and their implied contextual refinements/equivalences

In this section we give some details of proving input-safety and robustness of the pre-templates for the Parametricity law, as indicated in Table 3. The proofs exploit the transfer properties established in 47.

Figure 24 lists the triggers that we use to prove input-safety and robustness of some of the pre-templates. (The numbering of triggers follows the one used in [Mur20, Section 4.5.5]; some of the triggers in loc. cit. are for observational equivalences that we do not consider in this paper, and hence are not presented here.) Table 5 shows the contextual refinements/equivalences implied by these triggers (in the "implication" column), given that some pre-templates (shown in the "dependency" column) imply contextual refinement as shown in Table 3. All the implications can be proved simply using the congruence property and transitivity of contextual refinement. Table 5 also shows which pre-template requires each trigger in its proof of input-safety or robustness (in the "used for" column). Note that the converse of any trigger is again a trigger.

Recall that there is a choice of contraction trees upon applying a contraction rule and some of the local rewrite rules. The minimum choice is to collect only the contraction edges whose target is reachable from the token target. The maximum choice is to take the contraction tree(s) so that no contraction or weakening edge is incoming to the unique hole edge in a context.

H.3.1. Pre-templates on contraction trees

First we check input-safety and robustness of $\vartriangleleft^{\otimes\mathrm{Assoc}}$, $\vartriangleleft^{\otimes\mathrm{Comm}}$ and $\vartriangleleft^{\otimes\mathrm{Idem}}$, which are all on contraction trees.

Input-safety of $\vartriangleleft^{\otimes\mathrm{Assoc}}$ and $\vartriangleleft^{\otimes\mathrm{Comm}}$ can be checked as follows. Given a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen $(\dot{\mathcal{C}}; \vec{H^1}; \vec{H^2})$ with an entering search token, because any input of a contraction tree is a source of a contraction edge, we have:

$$\dot{\mathcal{C}}[\vec{H^1}] \stackrel{\bullet}{\rightarrow} \langle \dot{\mathcal{C}}[\vec{H^1}] \rangle_{\lightning/?}, \quad \dot{\mathcal{C}}[\vec{H^2}] \stackrel{\bullet}{\rightarrow} \langle \dot{\mathcal{C}}[\vec{H^2}] \rangle_{\lightning/?}.$$

It can be observed that a rewrite transition is possible in $\langle \dot{\mathcal{C}}[\vec{H^1}] \rangle_{\lightning/?}$ if and only if a rewrite transition is possible in $\langle \dot{\mathcal{C}}[\vec{H^2}] \rangle_{\lightning/?}$. When a rewrite transition is possible in both states, we can use 47(3), by considering a maximal possible contraction rule. The results of the rewrite transitions can be given by a new quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(=, =)$ (here $=$ denotes equality on states). When no rewrite transition is possible, both states are not final but stuck.

Robustness of the three pre-templates and their converses can also be proved using 47(3), by considering a maximal possible local (contraction or rewrite) rule in each case.

H.3.2. Input-safety of pre-templates not on contraction trees

As mentioned in Section 12.2, pre-templates that relate hypernets with no input of type $\star$ are trivially input-safe for any parameter $(\mathbb{C}, Q, Q')$. This leaves us the pre-templates $\vartriangleleft^{\otimes}$, $\vartriangleleft^{\overset{\rightarrow}{@}}$, $\vartriangleleft^{\mathtt{ref}}$ and $\vartriangleleft^{\mathrm{Param}}$ to check.

As for $\vartriangleleft^{\otimes}$, note that this pre-template relates hypernets with at least one input. Any $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen of $\vartriangleleft^{\otimes}$ with an entering search token can be turned into the form $(\mathcal{C}[(?;_j \chi), \vec{\chi}]; H^1, \vec{H^1}; H^2, \vec{H^2})$ where $j$ is a positive integer. The proof is by case analysis on the number $j$.

  • When $j = 1$, we have:

$$\mathcal{C}[(?;_j H^1), \vec{H^1}] \stackrel{\bullet}{\rightarrow} \mathcal{C}[(\lightning;_j H^1), \vec{H^1}] \to \mathcal{C}[(?;_j H^2), \vec{H^1}].$$

    We can take $(\mathcal{C}[(?;_j H^2), \vec{\chi}]; \vec{H^1}; \vec{H^2})$ as a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen, and the token in $\mathcal{C}[(?;_j H^2), \vec{\chi}]$ is not entering.

  • When $j > 1$, the token target must be a source of a contraction edge. There exist a focus-free context $\mathcal{C}'[\chi']$, two focus-free hypernets $H'^1 \vartriangleleft^{\otimes} H'^2$ and a focus-free hypernet $G$, such that

$$\begin{aligned}
\mathcal{C}[(?;_j H^1), \vec{H^1}] &\stackrel{\bullet}{\rightarrow} \mathcal{C}[(\lightning;_j H^1), \vec{H^1}] \to \mathcal{C}[(?;_j \mathcal{C}'[H'^1]), \vec{H^1}], \\
\mathcal{C}[(?;_j H^2), \vec{H^2}] &\stackrel{\bullet}{\rightarrow} \mathcal{C}[(\lightning;_j H^2), \vec{H^2}] \to \mathcal{C}[(?;_j G), \vec{H^2}],
\end{aligned}$$

    and $\mathcal{C}'[H'^2] \mathrel{\dot{\simeq}}_{=_{\mathbb{N}}} G$, given by the trigger $\vartriangleleft^{1}$ via 42. The results of these sequences give a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(=, \dot{\simeq}_{=_{\mathbb{N}}})$.

A proof of input-safety of the operational pre-templates $\vartriangleleft^{\overset{\rightarrow}{@}}$ and $\vartriangleleft^{\mathtt{ref}}$ is a simpler version of that of $\vartriangleleft^{\otimes}$, because the operational pre-templates relate hypernets with only one input.

Let $\mathbb{C}$ be either $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$ or $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$. Any $\mathbb{C}$-specimen of an operational pre-template with an entering search token can be turned into the form $(\mathcal{C}[(?;\chi), \vec{\chi}]; H^1, \vec{H^1}; H^2, \vec{H^2})$; note that the parameter $j$ that we had for $\vartriangleleft^{\otimes}$ is redundant in $?;\chi$. We have:

$$\mathcal{C}[(?;H^1), \vec{H^1}] \stackrel{\bullet}{\rightarrow} \mathcal{C}[(\lightning;H^1), \vec{H^1}] \to \mathcal{C}[(?;H^2), \vec{H^1}].$$

We can take $(\mathcal{C}[(?;H^2), \vec{\chi}]; \vec{H^1}; \vec{H^2})$ as a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen, and the token in $\mathcal{C}[(?;H^2), \vec{\chi}]$ is not entering. This data gives a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$-specimen when $\mathbb{C} = \mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$, which follows from the closedness of $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ with respect to plugging (34). Note that $?;H^2$ can be seen as a context with no holes, which is trivially binding-free.

Finally, we look at the parametricity pre-template $\vartriangleleft^{\mathrm{Param}}$. Any $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen of this pre-template, with an entering search token, can be turned into the form $(\mathcal{C}[(?;_j \chi), \vec{\chi}]; H^1, \vec{H^1}; H^2, \vec{H^2})$ where $j$ is a positive integer. The token target is a source of an edge labelled with $\lambda \in \mathbb{O}^{\mathrm{ex}}_{\checkmark}$, so we have:

$$\begin{aligned}
\mathcal{C}[(?;_j H^1), \vec{H^1}] &\stackrel{\bullet}{\rightarrow} \mathcal{C}[(\checkmark;_j H^1), \vec{H^1}], \\
\mathcal{C}[(?;_j H^2), \vec{H^2}] &\stackrel{\bullet}{\rightarrow} \mathcal{C}[(\checkmark;_j H^2), \vec{H^2}].
\end{aligned}$$

The results of these sequences give a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(=, =)$.

H.3.3. Robustness of pre-templates not on contraction trees: a principle

Robustness can be checked by inspecting a rewrite transition $\dot{\mathcal{C}}[\vec{H^{1}}]\to\dot{N'}$ from the state given by a specimen $(\dot{\mathcal{C}};\vec{H^{1}};\vec{H^{2}})$ of a pre-template, where the token of $\dot{\mathcal{C}}$ is not entering. In particular, we consider the minimum local (contraction or rewrite) rule $\dot{G}\mapsto\dot{G'}$ applied in this transition. This means that, in the hypernet $\dot{G}$, every vertex is reachable from the token target.

The inspection boils down to analysing how the minimum local rule involves edges that come from the hypernets $\vec{H^{1}}$. If all the involvement is deep, i.e. only deep edges from $\vec{H^{1}}$ are involved in the local rule, these deep edges must come via deep holes in the context $\dot{\mathcal{C}}$. We can use 47(1).

If the minimum local rule involves shallow edges that are from $\vec{H^{1}}$, endpoints of these edges are reachable from the token target. This means that, in the context $\dot{\mathcal{C}}$, some holes are shallow and their sources are reachable from the token target. Moreover, given that the token is not entering in $\dot{\mathcal{C}}$, the context has a path from the token target to a source of a hole edge.

Figure 25. (a) A shallow overlap where $C$ is a contraction tree and $B_{i}$ are box edges. (b) A focussed context where $C$ is a contraction tree.

For example, in checking robustness of $\vartriangleleft^{\mathrm{BPerm}}$ with respect to copy transitions, one situation of shallow overlaps is when $\dot{G}$ is in the form in Figure 25a, and some of the box edges $B_{i}$ are from $\vec{H^{1}}$. Taking the minimum contraction rule means that $C$ in the graph is a contraction tree that gives a path from the token target. This path $C$ followed by the operation edge $\phi$ corresponds to paths from the token target to hole sources in the context $\dot{\mathcal{C}}$.

So, if the minimum local rule involves shallow edges that are from $\vec{H^{1}}$, the context $\dot{\mathcal{C}}$ necessarily has a path $P$ from the token target to a hole source. The path becomes a path in the state $\dot{\mathcal{C}}[\vec{H^{1}}]$, from the token target to a source of an edge $e$ that is from $\vec{H^{1}}$. The edge $e$ is necessarily shallow, and also involved in the application of the minimum local rule, because of the connectivity of $\dot{G}$. Moreover, a source of the edge $e$ is an input, in the relevant hypernet of $\vec{H^{1}}$. By inspecting minimum local rules, we can enumerate the possible labellings of the path $P$ and the edge $e$, as summarised in Table 6. The notation used in the table is explained below.

\begin{tabular}{lll}
local rule & labels of path $P$ & label of edge $e$ \\
\hline
contraction & $(\otimes^{\star}_{\mathsf{C}})^{+}\cdot\mathbb{O}^{\mathrm{ex}}$ & box \\
 & $(\otimes^{\star}_{\mathsf{C}})^{+}$ & $\otimes^{\star}_{\mathsf{C}},\ \mathsf{I},\ \mathbb{O}^{\mathrm{ex}}$ \\
$\overset{\rightarrow}{@}$ & $\overset{\rightarrow}{@}\cdot\lambda$ & box \\
 & $\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ & $\mathbb{O}^{\mathrm{ex}}_{\checkmark},\ \mathsf{I}$ \\
$\mathtt{ref}$ & $\mathtt{ref}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ & $\mathbb{O}^{\mathrm{ex}}_{\checkmark},\ \mathsf{I}$ \\
$=$ & $=$ & $\mathsf{I}$ \\
 & $=\cdot\mathsf{I}\cdot(\otimes^{\diamond}_{\mathsf{C}})^{*}$ & $\otimes^{\diamond}_{\mathsf{C}},\ \circ$ \\
$:=$ & $:=\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}\cdot\mathsf{I}\cdot(\otimes^{\diamond}_{\mathsf{C}})^{*}$ & $\otimes^{\diamond}_{\mathsf{C}},\ \circ$ \\
 & $:=\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ & $\mathbb{O}^{\mathrm{ex}}_{\checkmark},\ \mathsf{I}$ \\
$!$ & $!$ & $\mathsf{I}$ \\
 & $!\cdot\mathsf{I}\cdot(\otimes^{\diamond}_{\mathsf{C}})^{*}$ & $\otimes^{\diamond}_{\mathsf{C}},\ \circ$ \\
$+$ & $+$ & $\mathbb{N}$ \\
$-$ & $-$ & $\mathbb{N}$ \\
$-_{1}$ & $-_{1}$ & $\mathbb{N}$
\end{tabular}
Table 6. Summary of paths that witness shallow overlaps

We use regular-expression-like notation in Table 6. For example, $(\otimes^{\star}_{\mathsf{C}})^{+}\cdot\mathbb{O}^{\mathrm{ex}}$ represents finite sequences of edge labels in which at least one occurrence of the label $\otimes^{\star}_{\mathsf{C}}$ is followed by one operation $\phi\in\mathbb{O}^{\mathrm{ex}}$. This characterises paths that inhabit the overlap shown in Figure 25a, i.e. the contraction tree $C$ followed by the operation edge $\phi$. Note that this regular-expression-like notation is not a proper regular expression, because it is over the infinite alphabet $M_{\mathbb{O}^{\mathrm{ex}}}$, the edge label set, and it accordingly admits infinite alternation (a.k.a. union) implicitly.

To wrap up, checking robustness of each pre-template that is not on contraction trees boils down to using 47(1) and/or analysing the cases enumerated in the table above.

H.3.4. Robustness of $\vartriangleleft^{\otimes}$ and its converse

The robustness check of the pre-template $\vartriangleleft^{\otimes}$ with respect to copy transitions has two cases. The first case is when one shallow overlap is caused by a path characterised by $(\otimes^{\star}_{\mathsf{C}})^{+}$, and the second case is when no shallow overlaps are present and 47(1) can be used.

In the first case, namely, a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen with a non-entering rewrite token can be turned into the form $(\mathcal{C}[\dot{\mathcal{C}'}[\chi'],\vec{\chi}];H^{1},\vec{H^{1}};H^{2},\vec{H^{2}})$ where $j$ is a positive number, and $\dot{\mathcal{C}'}$ is a focussed context in the form of Figure 25b. A rewrite transition is possible on both states given by the specimen, in which a contraction rule is applied to $\dot{\mathcal{C}'}[H^{1}]$ and $\dot{\mathcal{C}'}[H^{2}]$. Results of the rewrite transition give a new quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen. When $k_{1}=0$, this quasi-specimen is up to $(\mathord{=},\mathord{\dot{\simeq}_{=_{\mathbb{N}}}})$, using the trigger $\vartriangleleft^{2}$. When $k_{1}>0$, the quasi-specimen is also up to $(\mathord{=},\mathord{\dot{\simeq}_{=_{\mathbb{N}}}})$, but using the trigger $\vartriangleleft^{1}$.

The robustness check of the pre-template $\vartriangleleft^{\otimes}$ with respect to rewrite transitions always boils down to 47(1). This is intuitively because no local rewrite rule of operations involves any shallow contraction edge of type $\star$.

Robustness of $(\vartriangleleft^{\otimes})^{-1}$ can be checked in a similar manner. Namely, using Table 6, shallow overlaps are caused by paths:

\begin{align*}
(\otimes^{\star}_{\mathsf{C}})^{+}, &\quad \mathord{=}, &\quad +, \\
\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad \mathord{:=}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad -, \\
\mathtt{ref}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad !, &\quad -_{1}
\end{align*}

from the token target. All paths but $(\otimes^{\star}_{\mathsf{C}})^{+}$ give rise to a state that is not rooted, which can be checked using 41. This reduces the robustness check of $(\vartriangleleft^{\otimes})^{-1}$ to that of $\vartriangleleft^{\otimes}$.

H.3.5. Robustness of $\vartriangleleft^{\mathrm{GC}}$ and its converse

These two pre-templates both relate hypernets with no inputs. Proofs of their robustness always boil down to the use of 47(1), following the discussion in Section H.3.3. Namely, it is impossible to find the path $P$ in the context $\dot{\mathcal{C}}$ from the token target to a hole source.

H.3.6. Robustness of $\vartriangleleft^{\mathrm{BPerm}}$, $\vartriangleleft^{\mathrm{BPullC}}$ and $\vartriangleleft^{\mathrm{BPullW}}$, and their converse

These six pre-templates all concern boxes. Using Table 6, shallow overlaps are caused by paths $(\otimes^{\star}_{\mathsf{C}})^{+}\cdot\mathbb{O}^{\mathrm{ex}}$ and $\overset{\rightarrow}{@}\cdot\lambda$ from the token target.

The robustness check with respect to compute transitions of operations $\mathbb{O}^{\mathrm{ex}}_{\lightning}\backslash\{\overset{\rightarrow}{@}\}$ always boils down to 47(1).

As for compute transitions of the operation `$\overset{\rightarrow}{@}$', either one path $\overset{\rightarrow}{@}\cdot\lambda$ causes one shallow overlap, or all overlaps are deep. The latter situation boils down to 47(1). In the former situation, a micro-beta rule involves one box that is contributed by a pre-template, and states given by a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen are turned into a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{=})$, by one rewrite transition.

As for copy transitions, there are two possible situations.

  • Paths $(\otimes^{\star}_{\mathsf{C}})^{+}\cdot\mathbb{O}^{\mathrm{ex}}$ cause some shallow overlaps and there are some deep overlaps too.

  • All overlaps are deep, which boils down to 47(1).

In the first situation, some of the shallow boxes duplicated by a contraction rule are contributed by a pre-template, and other duplicated boxes may have deep edges contributed by the pre-template. By tracking these shallow and deep contributions in a contraction rule, it can be checked that one rewrite transition turns states given by a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen into a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen. This quasi-specimen is up to the following, depending on pre-templates:

  • $(\mathord{=},\mathord{=})$ for $\vartriangleleft^{\mathrm{BPerm}}$ and its converse,

  • $(\mathord{=},\mathord{\dot{\simeq}_{=_{\mathbb{N}}}})$ for $\vartriangleleft^{\mathrm{BPullC}}$, and $(\mathord{\dot{\simeq}_{=_{\mathbb{N}}}},\mathord{=})$ for its converse, using the trigger $\vartriangleleft^{3}$, and

  • $(\mathord{=},\mathord{\dot{\simeq}_{=_{\mathbb{N}}}})$ for $\vartriangleleft^{\mathrm{BPullW}}$, and $(\mathord{\dot{\simeq}_{=_{\mathbb{N}}}},\mathord{=})$ for its converse, using the trigger $\vartriangleleft^{4}$.

H.3.7. Robustness of operational pre-templates and their converse

For the operational pre-templates and their converse, we use the class $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}\text{-}\mathrm{bf}}$ of binding-free contexts. This restriction is crucial to rule out some shallow overlaps.

Using Table 6, shallow overlaps with the operational pre-templates $\vartriangleleft^{\overset{\rightarrow}{@}}$ and $\vartriangleleft^{\mathtt{ref}}$ are caused by paths $(\otimes^{\star}_{\mathsf{C}})^{+}$ from the token context. However, the restriction to binding-free contexts makes this situation impossible, which means the robustness check always boils down to 47(1) and 47(2).

In checking robustness of the converse $(\vartriangleleft^{\overset{\rightarrow}{@}})^{-1}$ and $(\vartriangleleft^{\mathtt{ref}})^{-1}$, shallow overlaps are caused by paths:

\begin{align*}
(\otimes^{\star}_{\mathsf{C}})^{+}, &\quad \mathord{=}, &\quad +, \\
\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad \mathord{:=}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad -, \\
\mathtt{ref}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad !, &\quad -_{1}
\end{align*}

from the token target. Like the case of $(\vartriangleleft^{\otimes})^{-1}$, all paths but $(\otimes^{\star}_{\mathsf{C}})^{+}$ give rise to a state that is not rooted, which can be checked using 41. The paths $(\otimes^{\star}_{\mathsf{C}})^{+}$ are impossible because of the binding-free restriction. As a result, this robustness check also boils down to 47(1) and 47(2).

H.3.8. Robustness of the parametricity pre-template $\vartriangleleft^{\mathrm{Param}}$ and its converse

These two pre-templates concern lambda-abstractions, and they give rather rare examples of a robustness check where we compare different numbers of transitions.

Using Table 6, shallow overlaps with these pre-templates are caused by paths:

\begin{align*}
(\otimes^{\star}_{\mathsf{C}})^{+}, &\quad \overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, \\
\mathtt{ref}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}, &\quad \mathord{:=}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}
\end{align*}

from the token target.

As for compute transitions of operations $\mathbb{O}^{\mathrm{ex}}_{\lightning}\backslash\{\overset{\rightarrow}{@}\}$, there are two possible situations.

  • Shallow overlaps are caused by paths $\mathtt{ref}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ or $\mathord{:=}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$.

  • There is no overlap at all, which boils down to 47(1).

In the first situation, a stable hypernet $G_{S}$ of a local rewrite rule (see e.g. Figure 19a) contains shallow edges, labelled with $\lambda\in\mathbb{O}^{\mathrm{ex}}_{\checkmark}$, that are contributed by a pre-template. The overlapped shallow contributions are not modified at all by the rewrite rule, and consequently, one rewrite transition results in a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{=})$.

As for copy transitions, either one path $(\otimes^{\star}_{\mathsf{C}})^{+}$ causes one shallow overlap, or all overlaps are deep. The latter situation boils down to 47(1). In the former situation, one lambda-abstraction contributed by a pre-template gets duplicated. Namely, a $\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen with a non-entering rewrite token can be turned into the form $(\mathcal{C}[\dot{\mathcal{C}'}[\chi'],\vec{\chi}];H^{1},\vec{H^{1}};H^{2},\vec{H^{2}})$ where $\dot{\mathcal{C}'}$ is a focussed context in the form of Figure 25b. There exist a focussed context $\dot{\mathcal{C}''}$ and two hypernets $G^{1}\vartriangleleft^{\mathrm{Param}}G^{2}$ such that:

\begin{align*}
\mathcal{C}[\dot{\mathcal{C}'}[H^{1}],\vec{H^{1}}] &\to \mathcal{C}[\dot{\mathcal{C}''}[G^{1}],\vec{H^{1}}], \\
\mathcal{C}[\dot{\mathcal{C}'}[H^{2}],\vec{H^{2}}] &\to \mathcal{C}[\dot{\mathcal{C}''}[G^{2}],\vec{H^{2}}].
\end{align*}

Results of these rewrite transitions give a new quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{=})$.

As for compute transitions of the operation `$\overset{\rightarrow}{@}$', there are two possible situations.

  • One path $\overset{\rightarrow}{@}$ causes a shallow overlap of the edge that has label $\lambda$ and gets eliminated by a micro-beta rewrite rule, and possibly some other paths $\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ cause shallow overlaps in the stable hypernet $G_{S}$ (see Figure 10b).

  • There are possibly deep overlaps, and paths $\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ may cause shallow overlaps in the stable hypernet $G_{S}$.

In the second situation, none of the overlaps are modified by the micro-beta rewrite rule, except for some deep overlaps turned shallow. Consequently, one rewrite transition results in a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{=})$.

In the first situation, one lambda-abstraction contributed by the pre-template is modified, while all the other shallow overlaps (if any) are not. We can focus on the lambda-abstraction. The micro-beta rewrite acts on the lambda-abstraction, an edge labelled with `$\overset{\rightarrow}{@}$', and the stable hypernet $G_{S}$.

The involved lambda-abstraction can be in two forms (see Figure 20). Firstly, it contains a function application in its body. Application of the micro-beta rule discloses the inner function application, whose function side is another lambda-abstraction that can be related by the pre-template $\vartriangleleft^{\mathrm{Param}}$ again. As a result, one rewrite transition yields a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{=})$. Secondly, the involved lambda-abstraction consists of dereferencing `$!$' or the constant `$1$'. Application of the micro-beta rule discloses the dereferencing, or constant, edge. When it is the dereferencing edge that is disclosed, the micro-beta rule is followed by a few transitions to perform dereferencing and produce the same constant `$1$'. As a result, we compare nine transitions with one transition, and obtain a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{\dot{\preceq}_{\geq_{\mathbb{N}}}},\mathord{=})$, using triggers $\vartriangleleft^{6}$ and $\vartriangleleft^{9}$.

The case of the converse of $\vartriangleleft^{\mathrm{Param}}$ is similar. The only difference is that, in the last situation described above where we compare nine transitions with one transition and obtain a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{\dot{\preceq}_{\geq_{\mathbb{N}}}},\mathord{=})$, we obtain a quasi-$\mathbb{C}_{\mathbb{O}^{\mathrm{ex}}}$-specimen up to $(\mathord{=},\mathord{\dot{\preceq}_{\leq_{\mathbb{N}}}})$ as a result of the symmetrical comparison of transitions.

On a final note, let us recall Section 12.4, where we observed some situations of robustness for $\vartriangleleft^{\mathrm{Param}}$ using informal reduction semantics on terms. Namely, we observed situations where parts related by the pre-template are subject to the standard call-by-value beta reduction, either as an argument or as a function. The involvement as a function corresponds to one of the robustness situations described in this section, namely: a shallow overlap with a micro-beta rewrite rule that is caused by a path $\overset{\rightarrow}{@}$ and modified by the rewrite rule. The other involvement, which is as an argument, corresponds to a combination of two situations described in this section, namely: any overlaps with a contraction rule, and shallow overlaps with a micro-beta rule that are caused by paths $\overset{\rightarrow}{@}\cdot(\mathbb{O}^{\mathrm{ex}}_{\checkmark})^{*}$ and preserved. The combination is due to the fact that the universal abstraction machine decomposes the beta reduction into the micro-beta rewrite rule and contraction rules, making substitution explicit and not eager.