Leaving the Nest: Nominal techniques forvariables with interleaving scopesMurdoch J. Gabbay1, Dan R. Ghica2, and Daniela Petrişan3

1 Heriot-Watt Univesity, UK2 University of Birmingham, UK3 Radboud University, Netherlands

AbstractWe examine the key syntactic and semantic aspects of a nominal framework allowing scopes ofname bindings to be arbitrarily interleaved. Name binding (e.g. λx.M) is handled by explicitname-creation and name-destruction brackets (e.g. 〈xMx〉) which admit interleaving. We definean appropriate notion of alpha-equivalence for such a language and study the syntactic structurerequired for alpha-equivalence to be a congruence. We develop denotational and categorical se-mantics for dynamic binding and provide a generalised nominal inductive reasoning principle. Wegive several standard synthetic examples of working with dynamic sequences (e.g. substitution)and we sketch out some preliminary applications to game semantics and trace semantics.

1998 ACM Subject Classification D.3.1 Formal Definitions and Theory

Keywords and phrases nominal sets, scope, alpha equivalence, dynamic sequences

Digital Object Identifier 10.4230/LIPIcs.xxx.yyy.p

1 Introduction and motivation

In the syntax of formal languages it is common to see names created by locally-scopedoperators such as λa.(st) and ∀a.(φ⇒ψ). The binders λ and ∀ have scope from the left-hand( to the matching right-hand ) and scope is determined at the site of binding in the structureof the term. However, dynamically-scoped binding is an often encountered phenomenaoccurring whenever resources are allocated and freed explicitly. The most common situationis that of memory in C-like languages, but this also applies to other resources such as openingand closing files or network sockets. In general, a physical resource will be handled using aname which can be used by the program. The choice of name, between the allocation and therelease of the resource, is irrelevant, leading to notions similar to binding and α-equivalence,but more finely grained, to account for possible scope interleaving.

Nominal techniques [15, 12, 23] provide a state-of-the-art formalism for reasoning aboutabstract syntax with statically-scoped binding. However, existing techniques do not ac-commodate syntax with dynamically-scoped binding. This paper addresses this issue byintroducing a syntactic notion of dynamic sequences and suitable denotational and categoricalmodels.

In dynamic sequences, scope is managed by name-creation and name-destruction brackets‘create a’ and ‘destroy a’, written as 〈a and a〉, respectively. These may be interleaved andneed not match up; 〈a〈ba〉b〉, 〈a〈bb〉a〉, and indeed just 〈a and a〉 are perfectly valid sequences.In the special case of a well-matched name-creation/-destruction pair the theory specialisesback to something that models nominal-style atoms-abstraction. For instance, 〈aaa〉, just asthe nominal atoms-abstraction [a]a, models the α-equivalence behaviour of λa.a.

© Murdoch J. Gabbay, Dan R. Ghica and Daniela Petrişan;licensed under Creative Commons License CC-BY

Conference title on which this volume is based on.Editors: Billy Editor and Bill Editors; pp. 1–21

Leibniz International Proceedings in InformaticsSchloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany

2 Nominal techniques for variables with interleaving scopes

To define a mathematically well-behaved notion of α-equivalence, the basic notionsof free and bound names require generalisation, and a notion of freshness arity emerges(Sec. 2), generalising the freshness side-conditions of nominal terms. In Sec. 3 we providea relational semantics for dynamic sequences and in Sec. 4 we take stock of the monoidstructure on dynamic sequences. We give an equational axiomatisation for a notion ofdynamic binding monoid, that is, a monoid equipped with compatible nominal set structureand with left and right binders. We then prove that dynamic sequences form a free suchdynamic binding monoid and obtain as a corollary a structural induction principle and asimpler characterisation for the α-equivalence relation.

Dynamic sequences have a ‘flat’ monoid structure, as opposed to the syntax trees oneencounters in nominal abstract syntax. We use this ‘flatness’ to our advantage, as it allowsus to interpret the non-hierarchical structure of interleaved scope. Thus one interpretationof dynamic sequences is as the structures used in game semantics. As an application, Sec. 6gives a resource-sensitive formulation of pointer sequences as used in game semantics. Asecond application – a simple trace semantics for a low-level language with explicit resourcemanagement – is outlined in Appendix B, but had to be omitted due to space constraints.We conclude in Sec. 7 with an overview of related work and directions for future research.All omitted proofs can be found in Appendix A.

2 Dynamic sequences

2.1 PreliminariesLet A be a countably infinite set of names or atoms. Given a bijection (permutation)π : A→ A define its support by supp(π) = {a ∈ A | πa 6= a}. Write Perm(A) for the set ofall permutations with finite support. Write ι for the identity permutation and (a b) forthe swapping or transposition of a and b.

If X is a set with a Perm(A)-action, write this action infix as −·−. An element x ∈ Xis supported by A ⊆ A when for all π ∈ Perm(A), ∀a ∈ A.πa = a implies π ·x = x. Anominal set is a set with a Perm(A)-action where every element x has finite support. It isa fact that if X is a nominal set then every x ∈ X has a least finite support, which we writesupp(x).1 We are interested in elements with finite support. If a ∈ A such that a 6∈ supp(x)we write a#x. If X,Y are sets with Perm(A)-action, call f : X → Y equivariant whenf(π ·x) = π ·(fx) for every π ∈ Perm(A) and x ∈ X. Finally, if φ(c) is a predicate on names,write Nc.φ for “φ(c) holds for all but finitely many c ∈ A”; this is the NEW-quantifierand we may read it as “for fresh c, φ(c)”. For more on the theory above see [15, 12, 23].

I Definition 1. Fix disjoint sets a, b, c ∈ A of atoms and k ∈ K of constants. Define setsm ∈ T of tokens and e ∈ RSeq of raw sequences inductively by:

m ::= a | a〉 | 〈a | k (a ∈ A, k ∈ K) and e ::= ε | em

RSeq is equivalently the set of lists of tokens and is the free monoid on T. The set K can beequipped with a trivial Perm(A)-action: every permutation fixes all the elements of K. Thepermutation actions on A and K can be extended pointwise on the elements of raw sequences,in the obvious way. Then RSeq is a nominal set and the support of a sequence is the set ofnames occurring in it. The set RSeq also has a monoid structure given by concatenation,

1 The set Perm(A) can also be seen as a nominal set with the Perm(A)-action given by conjugation. Thesupport of a permutation π is indeed the set supp(π) as defined in the previous paragraph.

M. J. Gabbay, D. R. Ghica and D. Petrişan 3

which is compatible with the permutation action (monoid multiplication is equivariant and εhas empty support and thus is fixed by all permutations.)

Our notation and terminology suggest we should read the raw sequence 〈aaa〉 as “createa, use a (in some manner), then destroy it”—so if we assume a constant λ ∈ K then λ〈aaa〉is, informally, trying to model the syntax λa.a.

We can call the binding of raw sequences, which we will make formal shortly, dynamic inthe sense that scope is not determined by a single binder but by bracket-pairs; 〈a does not‘know’ where its matching a〉 is, or vice versa, and indeed 〈a on its own and unpaired withany a〉 is also a valid raw sequence, as are a〉, 〈aa〈aaa〉, and so forth.

We endow raw sequences with a binding structure using the following ideas, which willbe illustrated in Ex. 5:

Bound: An atom is bound if it is in the scope of a creation well-paired with a destruction.Created: An atom may appear following a creation operation which is not followed by amatching destruction.Destructed: Conversely, a destruction operation may appear without a matching creation.Free: An atom may be used without being created or destructed.

An atom occurrence cannot be characterised as merely ‘free’ or ‘bound’, but we need themore refined notion of freshness arities. We define a freshness arity as an element of amonoid B, which we call the binding monoid, and which is the free monoid over carrier{c, f, d} modulo the following equations:

f ··· f = f absorption (1)c··· f = c pre-absorption (2)f ···d = d post-absorption (3)c···d = ε cancellation (4)

The freshness arity is assigned by a monoid homomorphism Fa : RSeq→ B defined by:

Fa = {〈a 7→ c, 〈b 7→ ε, a 7→ f, b 7→ ε, a〉 7→ d, b〉 7→ ε, k 7→ ε} where (a 6= b ∈ A, k ∈ K).

The set of finitely supported functions denoted by BA has a nominal monoid structure, withthe multiplication of functions defined pointwise. The proof of the next lemmas is immediate.

I Lemma 2. The map F : RSeq→ BA defined by e 7→ λa.Fa(e) is an equivariant monoidmorphism.

I Lemma 3. For any β ∈ B there are unique m, p ∈ N and n ∈ {0, 1} such that β =Bdm ··· fn ···cp.

I Definition 4. Call the unique representation of β ∈ B its normal form.

Given a sequence e and a name a it is helpful to introduce some notational shortcutsregarding the arity of a in e:

We write a�e when Fae = dm ··· fn, for some m,n ∈ N, i.e. there are no pending unmatchedname creations 〈a in e.We write a�e when Fae = fn ···cm, for some m,n ∈ N, i.e. there are no pending unmatcheddestructors a〉 in e.We write a3 e when a�e∧a�e, i.e. there are no un-matched a-creations or a-destructions,so any occurrence of a is, informally, either ‘bound’ (Fae = ε) or ‘free’ (Fae = f) in theconventional sense.

4 Nominal techniques for variables with interleaving scopes

•zz %%

• •zz %%

• • vv ((•zz

• ((• •

• yy %%• yy %%• • • jj 44• dd • 99 • •

• xx &&•zz %%

• • • vv • vv • ((•%%• •

• yy %%• vv ((• • yy %%• • • hh • dd • 66• 66• •

Figure 1 Pointer sequence representation of dynamic sequences with Fa(e) = ε

I Example 5. Here are some 3-long sequences involving atom a, showing various arities.

Fa(〈a〈a〈a) = c3 Fa(a〉〈a〈a) = dc2

Fa(〈aa〉a〉) = d Fa(a〉aa〉) = d2

Fa(a〉a〉a) = d2f Fa(aaa) = fFa(〈aa〉a) = f Fa(〈aaa〉) = ε

2.2 α-equivalenceThe pairing of atom creation and atom destruction operations creates a phenomenon similarto binding. The concrete choice of a name, between its creation and its destruction, shouldnot matter. This leads directly to a dynamic version of the α-equivalence relation, illustratedby the following examples and non-examples.

〈aa〉〈bb〉 =α 〈aa〉〈aa〉 (5)〈a〈ba〉b〉 =α 〈b〈cb〉c〉 (6)〈a〈aa〉a〉 =α 〈b〈cc〉b〉 (7)〈a〈ca〉〈bc〉b〉 =α 〈a〈ca〉〈ac〉a〉 (8)〈a〈bba〉b〉 6=α 〈a〈bbb〉a〉 (9)〈a〈babb〉a〉 6=α 〈a〈bbab〉a〉. (10)

These sequences, in general sequences where Fa(e) = ε for any atom occurring in the sequence,can be given a name-free representation as “pointer sequences”: a node with a left-pointingarrow corresponds to a name creation, one with a right-pointing arrow to a name destruction,and an arrow-less dot to a name mention. Thus the pairs of α-equivalent sequences in(5)–(8) can be represented as the pointer sequences on the left column in Fig. 1, while theinequivalent pairs of sequences in (9) and (10) are represented on the right column in Fig. 1.

We now give a syntax-directed definition of α-equivalence.

I Definition 6. Define alpha-equivalence =α⊆ RSeq×RSeq inductively by:

ε =α ε(αε) e1 =α e2 m ∈ T

e1m =α e2m(αm)

Nc. e1〈c (c a) ·e2 =α e′1〈c (c b) ·e′2 a3 e2, b3 e′2

e1〈ae2a〉 =α e′1〈be′2b〉

(αα)

For other characterisations of =α see Thm. 17 and Cor. 23.The next two lemmas (proved in Appendix A) are instrumental in establishing that =α

is an equivalence relation and a congruence.

M. J. Gabbay, D. R. Ghica and D. Petrişan 5

I Lemma 7. If e1 =α e2 then F(e1) = F(e2).

I Lemma 8. e1〈ae2a〉=e′1〈ae′2a〉 and a3 e2, e′2 imply e1=e′1 and e2=e′2.

I Lemma 9. =α is an equivalence relation.

Proof sketch. A complete proof is in Appendix A. Transitivity is proved inductively using acase analysis of the possible rules ending the derivations. For example, assume that ea〉 =α

ga′〉 and ga′〉 =α ha′′〉 are both obtained using (αα). Then we have e = e1〈ae2, g = g1〈a′g2

with a3 e2, a′3 g2 such that Nc.e1〈c (c a) ·e2 =α g1〈c (c a′) ·g2. Similarly, g = g′1〈a′g′2, h =h1〈a′′h2 with a′3 g′2, a′′3h2 such that Nc.g′1〈c (c a′) ·g′2 =α h1〈c (c a′′) ·h2. Using Lem. 8it follows that gi = g′i from which we derive Nc.e1〈c (c a) ·e2 =α h1〈c (c a′′) ·h2 with a3 e2,a′′3h2. Thus ea〉 =α ha

′′〉 is obtained using (αα). J

I Theorem 10 (=α is a congruence). If e1 =α e′1 and e2 =α e

′2 then e1e2 =α e

′1e′2.

Proof sketch. By induction on e′2 with the only interesting case being when the secondequivalence was obtained using (αα). In this case, we have e2 = g1〈ag2a〉 and e′2 = g′1〈bg′2b〉such that a3 g2, b3 g′2 and Nc. g1〈c (c a) ·g2 =α g

′1〈c (c b) ·g′2. By the induction hypothesis

we have Nc. e1g1〈c (c a) ·g2 =α e′1g′1〈c (c b) ·g′2, hence by (αα) we obtain e1e2 =α e

′1e′2. J

I Definition 11. Let DSeq = (RSeq/=α) be sequences quotiented by α-equivalence; callthese dynamic sequences.

Note that Lem. 7 ensures that we can extend the notations of a3 e, a� e, a� e to dynamicsequences.

I Lemma 12. If e ∈ DSeq and a ∈ A then Fae = ε if and only if a#e.

2.3 On the congruence property of α-equivalenceThe congruence of α-equivalence is an essential mathematical property which has motivateddesign decisions in our definition of dynamic scope. We take a moment to discuss them, andso perhaps gain a better perspective on the design space in which dynamic sequences exist.Consider the raw sequence 〈aa〈aaa〉. Which of the two occurrences of 〈a should match thedestructor a〉? Rem. 8 and the equations of the binding monoid (1)–(4) uniquely identify itas the most recent unpaired 〈a before the a〉 (so above, the rightmost 〈a matches a〉). Wecall this late binding.

Some diagrams for the slightly more complex example of 〈a〈aa〉a〉 illustrate this. Weprefer the upper diagram to the lower diagram:

〈a〈aa〉a〉 =α 〈a〈bb〉a〉 = • xx &&•�� ��

• •〈a〈aa〉a〉 6=α 〈a〈ba〉b〉 = • ee 99• ee 99• •

The lower diagram (which we might call early or eager binding) is not obviously math-ematically wrong, but it is unreasonable in the sense that it invalidates congruence ofα-equivalence:I Remark. For any binding policy other than late binding, any reasonably defined =α is nota congruence.

Informal argument. Whatever α-equivalence is, we require 〈aa〉 =α 〈bb〉. If =α is a congru-ence then 〈a〈aa〉 =α 〈a〈bb〉. Given a binding policy which does not match a destructor fora with the most recent creation preceding it, it follows that 〈a〈aa〉 =α 〈b〈ab〉 6=α 〈a〈bb〉, acontradiction. J

6 Nominal techniques for variables with interleaving scopes

Late binding preserves existing dynamic bindings whereas other binding policies do not,thus α-equivalence is a congruence with late binding (Thm. 10), whereas other dynamicbinding policies are, in this sense, ill-behaved.

3 Relational semantics

We now give a concrete semantics in relations. This relational semantics is sound, complete,and compositional.

Call a stack a list of pairs of atoms Stacks = (A2)∗. A stack S ∈ Stacks is used as astack, i.e. it can be read from or written to S(a), and a record can be added S :: (a 7→b)or removed S \a. Both reading and removal of a record involve the most recent record(a 7→b) in the stack. Formally, if S = S1 :: (a 7→b) :: S2 for stacks S1, S2, and (a 7→c) doesnot occur in S2 for any c, then S(a) = b and S \a = S1 :: S2. Otherwise S(a) and S \a areundefined.

I Definition 13. Define a relational semantics

J-K : RSeq→ P((Stacks × (A + K)∗)2).

on raw sequences as follows:

JεK ={((S,X), (S,X)) | ∀S,X} (11)JeaK ={((S,X), (S′, X ′ :: S′(a))) | ((S,X), (S′, X ′)) ∈ JeK} (12)JekK ={((S,X), (S′, X ′ :: k)) | ((S,X), (S′, X ′)) ∈ JeK} (13)

Je〈aK ={((S,X), (S′ :: (a 7→b), X ′ :: b)) | ((S,X), (S′, X ′)) ∈ JeK, b # S′, X ′} (14)Jea〉K ={((S,X), (S′\a,X ′ :: S′(a))) | ((S,X), (S′, X ′)) ∈ JeK} (15)

In (12) and (15) it is assumed that S′(a) and, respectively, S′ \a, are well defined.The intuition behind (S,X) JeK (S′, X :: X ′) is quite operational. The stack S is to be

thought of as a stack of name replacements and the sequence X as a context in which e

is interpreted. S′ is an updated stack, since creation and destruction of names cause it tochange and X ′ is a sequence which “interprets” e given the updated stack S′ and the contextX. Using a name a (see (12)) extends the current sequence with its stack value S(a); creatinga name 〈a (see (14)) adds a new entry (a 7→b) to the stack and extends the current sequencewith b; destroying a name a〉 (see (15)) removes it from the stack and extends the currentsequence with its dictionary value. A constant k is simply added to the sequence (see (13)).

The interpretation J-K is compositional, using pointwise relational composition - ◦ -.

I Lemma 14. For any sequence e ∈ RSeq and token m ∈ T: JemK = JeK ◦ JmK.

Proof. Immediate from definitions. J

I Theorem 15. For any e, e′ ∈ RSeq, Jee′K = JeK ◦ Je′K

Proof sketch. By Lemma 14 we have that for any token m ∈ T we have JemK = JeK ◦ JmK.Then we can use induction on the structure of e′. J

I Proposition 16. If e1, e2 ∈ RSeq and m ∈ T then JemK = Je′mK implies JeK = Je′K.

Proof. By Lem. 14 and simple calculations. J

I Theorem 17. If e1, e2∈RSeq then e1=αe2 iff Je1K=Je2K.

In view of soundness and completeness (Thm. 17) we can also use J-K to interpret dynamicsequences rather than raw sequences, i.e. J-K : DSeq→ P((Stacks × (A + K)∗)2).

M. J. Gabbay, D. R. Ghica and D. Petrişan 7

4 Equational axiomatisation

We give an equational axiomatisation of the interleaved dynamic binding of this paper(Def. 18). The dynamic sequences of Def. 11 form a free dynamic binding monoid (Thm. 22),and α-equivalence gets a purely equational characterisation as an equality subject to freshness-arity side-conditions (Cor. 23).

The central idea is to use a monoid structure equipped with a compatible permutationaction, left and right ‘binders’ and a function with co-domain BA that encompasses theinterleaved binding laws—which we will call the freshness arity map, see Def. 18 below.We will call such structures dynamic binding monoids.

Several approaches in the literature investigate notions of algebraic theories and equationalreasoning in a nominal setting [14, 7, 6, 21]. A common denominator is that equations arepresented with freshness side-conditions. For example, the η-rule in untyped λ-calculus canbe captured by a#x ` lam([a]app(x, a)) = x. An algebraic theory of dynamic binding monoidsmust interpret interleaved scope, and so the freshness side-conditions familiar from e.g.nominal unification, rewriting, and universal algebra must be suitably enriched to interpretfreshness-arity side-conditions. Thus, some equations in Def. 18 have side-conditions on thefreshness arity of variables specified using the binding monoid B—if the reader prefers, thesecan also be seen as typing conditions.

I Definition 18. A dynamic binding monoid is a tuple (M, ::, 1, · ,‹,›, γ) where (M, ·)is a nominal set, (M, ::, 1) is a monoid such that the binary operation is equivariant and1 is an element of M with empty support, ‹,› : A → M are equivariant functions, andγ : M → BA is an equivariant monoid morphism, satisfying equations:

γa(‹a) =c, γa(a›) = d, a#x ` γa(x) = ε, and

b#m, γa(m)=fn ` ‹a :: m :: a› = ‹b :: (a b) ·m :: b›, n ∈ {0, 1}. (16)

Above, given a ∈ A we write γa : M → B for the map λm.γ(m)(a), and a› for › at a (insteadof ›a). We may omit the monoid multiplication :: when clear from the context.

Amorphism between dynamic binding monoids (M, ::, 1, · ,‹,›, γ) and (M ′, ::, 1, · ,‹′,›′, γ′)is an equivariant monoid morphism f : M → M ′ that preserves the left and right bindersand the freshness arity map, that is, f ◦ ‹ = ‹′, f ◦ › = ›′, respectively γ′ ◦ f = γ.

I Lemma 19. The set DSeq can be equipped with a dynamic binding monoid structure.

Thus dynamic binding monoids form a category denoted by DBMon. Categories ofnominal algebras described for example in [11, 21] have a forgetful functor to the category ofunderlying nominal sets Nom, and admit a free construction. That is, the forgetful functorfrom a category of nominal algebras to Nom has a left adjoint. Such a free construction allowsfor deriving structural induction principles in the presence of binding, see for example [23,Cor. 8.22]. Because of the side-conditions involving the freshness arities, dynamic bindingmonoids lie outside the scope of nominal universal algebra. If we consider as the underlyingstructure of a binding monoid, not only the carrier nominal set, but also the freshness aritymap, we can still obtain a free construction and hence a structural induction principle, seeThm. 21 below.

We introduce the category BNom of underlying nominal sets with a freshness arity map:

I Definition 20. Let BNom be the full subcategory of the slice category Nom/BA withobjects pairs (X, γ) where X is a nominal set and γ : X → BA is an equivariant functionsuch that a#x ` γa(x) = ε.

8 Nominal techniques for variables with interleaving scopes

A morphism in BNom from (X, γ) to (X ′, γ′) is an equivariant function f : X → X ′

such that γ′ ◦ f = γ.Let the forgetful functor U : DBMon → BNom send a dynamic binding monoid

(M, ::, 1, · ,‹,›, γ) to (M,γ).

I Theorem 21. The forgetful functor U : DBMon→ BNom has a left adjoint F .

Proof. Consider (X, γ) ∈ BNom, the set X +A+A = X ∪ {〈a|a ∈ A} ∪ {a〉|a ∈ A}, and theequivariant map γ : X + A + A→ BA that acts as γ on X such that γa(〈a) = c, γa(a〉) = d,γa(〈b) = ε and γa(a〉) = ε. Then γ can be extended uniquely to a monoid morphismγ∗ : (X + A + A)∗ → BA. Define a relation ≡ on (X + A + A)∗ as the congruence generatedby 〈awa〉 = 〈b(a b) ·wb〉, where a, b ∈ A, w ∈ (X + A + A)∗ and b#w and γ∗a(w) ∈ {ε, f}.

Construct F (X, γ) as a dynamic binding monoid on the carrier nominal set (X+A+A)∗/≡.Left and right binders are defined in the obvious way and the specification function is inducedby γ∗. It is easy to check that whenever w ≡ w′ then γ∗(w) = γ∗(w′). We must exhibitan isomorphism DBMon((X + A + A)∗/≡,M) ∼= BNom((X, γ), (M,γM )). Starting with amorphisms f : X → M in BNom, we can uniquely extend f + ‹+ › : X + A + A→ M toan equivariant monoid morphism f# : (X + A + A)∗ → M . We have that γ ◦ f# = γ∗. Itfollows that for every w,w′ ∈ (X +A+A)∗ such that w ≡ w′ then f#(w) = f#(w′). Hence, f#factors through a dynamic binding monoid morphism f : (X + A + A)∗/≡ →M . Conversely,given g ∈ DBMon((X + A + A)∗/≡,M) we consider g[ ∈ BNom((X, γ), (M,γM )) given byg[(x) = g([x]) where [x] is the ≡-equivalence class of x. J

I Theorem 22. DSeq is the free dynamic binding monoid on (A∪K, γA) where γA(a)(a) = f,γA(a)(b) = ε for b 6= a and γA(k) = ε.

Proof Sketch. We have that DSeq = RSeq/=α and RSeq = (A ∪ K + A + A)∗. Thus itsuffices that =α is equal to the relation ≡ described in the proof of Thm. 21. That ≡⊆=α

follows from the proof of Lem. 19. The other inclusion is proved in Appendix A. J

From the proof of Thm. 22 we obtain a new characterisation of =α from Def. 6:

I Corollary 23. The α-equivalence relation =α on RSeq is the least congruence closed underthe rule

b#e a3 e〈aea〉 =α 〈b (a b) ·eb〉

(α).

Proof. From the proof of Theorem 22 it follows that α-equivalence on RSeq is equal to arelation ≡, defined as the least congruence closed under the rule (α). J

5 Examples

Def. 11 defines a data type DSeq as the quotient of an inductive data type by an α-equivalencerelation. We can reason on it by taking representatives of equivalence classes and workinginductively on those representatives. This comes from how we define the set.

The reader familiar with nominal techniques might ask why we do not use nominalabstract syntax [15], where α-equivalence is built into the inductive definition of the data typeat every inductive stage (using atoms-abstraction; a type constructor naturally present inthe nominal universe), so we can work inductively up-to-α with no need for representatives.

That is impossible for us here because by design we do not know a priori when we write〈a in a dynamic sequence where (if anywhere) the matching a〉 will occur, and conversely,

M. J. Gabbay, D. R. Ghica and D. Petrişan 9

if we find a〉 in a dynamic sequence then we do not a priori know where (if anywhere) amatching 〈a will occur.

Instead we will use the technique described in [10], which allows us to lift functiondefinitions from raw terms (in our case raw sequences) to α-equivalence classes of raw terms(in our case dynamic sequences). The required condition for this method to work is thatwhat we call α-equivalence has the property of being Barendregt-abstractive; that everyequivalence class must contain a member with maximum support. In our case it meansthat in the set of all raw sequences that represent the same dynamic sequence, there isone with a maximum number of atoms. We may call a representative of such an orbit aBarendregt representative, due to the intended similarity with the Barendregt variablenaming convention [2]. If we make a notational distinction between e ∈ RSeq and itsequivalence class [e]α ∈ DSeq then we have:

I Lemma 24. The map e 7→ [e]α is Barendregt-abstractive.

Proof. We just need to find the Barendregt representative of [e]α. Consider the functione : RSeq → RSeq by induction on e such that ε = ε, e1〈ae2a〉 = e1〈c (c a) ·e2 c〉 for a freshc ∈ A if a3 e2, and em = em otherwise. It is easy to check that e is well defined, e =α e,and it has maximal support. J

To define a function on dynamic sequences it suffices to define the function on Barendregtrepresentative raw sequences:

I Theorem 25. Suppose X is a nominal set and F : RSeq → X and suppose for everye ∈ RSeq that supp(e)\supp([e]α)#F (e). Then the map NF : DSeq→ X defined by NF ([e]α) =F (e), is well-defined.

Proof. From Lem. 24 and [10, Thm. 27]. J

When we use Thm. 25 we will tend to write NF just as F , thus, notationally identifying thefunction-on-α-equivalence-classes with the function-on-representatives. We obfuscate thedistinction between e and [e]α and write our definitions ‘as if’ they were by induction ondynamic sequences. Doing this is consistent with informal practice: for instance, we are usedto writing size(λa.a) and saying “size of λa.a” but actually meaning “pick a representativeand calculate the size of that representative”. Thus, the reader who cares about such thingscan unpick this obfuscation back to the raw sequences and maximally distinct representatives;the reader who does not care, should be able to read the text just as they would any ‘inductive’definition on syntax quotiented by α-equivalence.

5.1 Operations on dynamic sequencesI Example 26 (Counting name creation-destruction pairs). Define a function |-| : DSeq→ Nusing Thm. 25 by:

|ε| = 0|ek| = |e||e〈a| = |e|

a3 e′ ⇒ |e〈ae′a〉| = |e′e|+ 1a� e⇒ |ea〉| = |e|.

10 Nominal techniques for variables with interleaving scopes

To apply Thm. 25 we must check that any maximally distinct choice of bound names in theargument is fresh for the result. This is indeed the case (since a#n for any atom and anyn∈Z).

|e| counts the number of pairs of matched creation-destructors in e. The side-conditionsensure that the clauses pick out the correct creation for each destructor.

We calculate |-| for an example sequence; in this example we mark instances of the atoma with subscripts to see how the answer is calculated (so a1 and a2 are the same atom; justdifferent instances):

|〈a1a2〈a3a4a5〉a6〉| = |a2〈a3a4a5〉|+ 1 = |a2a4|+ 2 = 2.

In fact, the side-condition a3 e′ is superfluous, but it ensures that the calculation above iscalculated sensibly in the sense that brackets get ‘eaten’ in well-matched pairs.

I Remark. The clauses above actually define an inductive function on raw sequences. Thm. 25gives us freshness-based conditions to verify that this induces a function on dynamic sequences(formally, N|e|).

Function |e| happens to make sense for all raw sequences whether bound names aremaximally distinct or not; for an example of where this not the case, see Ex. 28.

I Example 27 (Counting bound occurrences). Define a function ‖-‖ : DSeq → N usingThm. 25 as follows:

‖ε‖ = 0‖ek‖ = ‖e‖‖e〈a‖ = ‖e‖

a#e′ ⇒ ‖e〈ae′a〉‖ = ‖ee′‖a#e′, a3 e′′ ⇒ ‖e〈ae′ae′′a〉‖ = ‖e〈ae′e′′a〉‖+ 1

a� e⇒ ‖ea〉‖ = ‖e‖.

To apply Thm. 25 we must check that any maximally distinct choice of bound names in theargument is fresh for the result. This is indeed the case.

‖ek‖ counts how many names occur ‘bound’ in a dynamic sequence, i.e. between amatched pair of a creation and destructor. For example ‖a〈aaa〉a‖ = 1 because there is onlyone occurrence of a between its creation and destruction. Two other occurrences of a areoutside the scope. For the same example sequence as above we have:

‖〈a1a2〈a3a4a5〉a6〉‖ = ‖〈a1〈a3a4a5〉a6〉‖+1 = ‖〈a3a4a5〉‖+1 = ‖〈a3a5〉‖+2 = ‖ε‖+2 = 2

The side-conditions ensure that brackets get ‘eaten’ in well-matched pairs, and are also usedto identify the first free occurrence of the bound name.

M. J. Gabbay, D. R. Ghica and D. Petrişan 11

I Example 28 (Capture-avoiding substitution). We define -[-/-] : DSeq× A× A→ DSeq by:

ε[a/b] = ε

ek[a/b] = e[a/b]kea[a/b] = e[a/b]be〈a[a/b] = e[a/b]〈b

c6=a⇒ ec[a/b] = e[a/b]cc 6=a⇒ e〈c[a/b] = e[a/b]〈ca� e⇒ ea〉[a/b] = e[a/b]b〉

Nc.b3 e′ ⇒ e〈ce′c〉[a/b] = e[a/b]〈c(e′[a/b])c〉

Previous examples made perfect sense on raw sequences, even if bound names were not chosenmaximally distinct, but this function uses more of the power of Thm. 25, licensing us ineffect to rename bound atoms and so avoid accidental name-clashes: 〈aa〉[a/b] = 〈cc〉[a/b] =〈cc〉 = 〈aa〉.

In fact, no rule above can be applied in 〈aa〉[a/b], but we do not care because we onlycare about Barendregt representatives of triples (e, a, b) and such a representative will choosethe bound names in e distinct from a and b. If we wish to notice that we are technicallyworking with raw sequences and not dynamic sequences then we choose some junk value forthe non-maximally-distinct cases.

For the final example we first introduce some notation, a regular-expression-like language fordynamic sequences.

I Definition 29. Define functions

+, · : P(DSeq)× P(DSeq)→ P(DSeq)−∗ : P(DSeq)→ P(DSeq) by

e ∈ E + F iff e ∈ E or e ∈ Fe ∈ E · F iff ∃e1, e2 ∈ DSeq.e = e1e2 and e1 ∈ E, e2 ∈ Fe ∈ E∗ iff e = ε or e ∈ E · E∗.

I Example 30 (Capture-avoiding interleaving). Another phenomenon resembling variablecapture can occur when interleaving sequences. When we interleave a raw sequence suchas 〈aa〉 with itself, we obtain the set of sequences {〈aa〉〈aa〉, 〈a〈aa〉a〉}. If we representthem diagrammatically, we have the interleaving of • •**tt producing the sequences• •**tt • •**tt and • • •**tt •,,ss . What happened to the sequence• • •,,rr •,,rr ? Because the names are equal the wrong creation is ‘captured’by the wrong destructor in the course of interleaving. This can be avoided if we interleavethe sequences up to α-equivalence.

Define ‖ : DSeq× DSeq→ P(DSeq) using Thm. 25 and the notations from Def. 29:

ε ‖ e = e = e ‖ εm#e′m′,m′#em⇒ em ‖ e′m′ = (em ‖ e′) ·m′ + (e ‖ e′m′) ·m.

To use Thm. 25 it suffices to check of each clause that maximally distinct choice of boundnames do affect the result, and we can assume that bound names in e1 are chosen distinctfrom those in e2, since this is a Barendregt representative of the input (e1, e2) to ‖. Therefore

〈aa〉 ‖ 〈aa〉 = {〈aa〉〈aa〉, 〈a〈aa〉a〉, 〈a〈ba〉b〉}

12 Nominal techniques for variables with interleaving scopes

6 Application: Games with pointer sequences

In this section we sketch out a potential application of dynamic sequences, a more formaland more resource-sensitive representation of pointer sequences in game semantics. Notethat reasons of space prevent this application to be fully worked out, but we hope that itillustrates the potential of dynamic sequences to give a rigorous representation of semanticmodels where interleaved name scopes must be dealt with.

One of the original presentations of game semantics, by Hyland and Ong, representedplays as sequences of moves annotated with arrows between moves [18]. Formally, playswere formalised as sequences equipped with a function f from natural numbers to naturalnumbers indicating that the move at index n points at move at index f(n). 2

Ghica and Gabbay [9] already gave a formulation of plays using raw sequences, whichturned out to streamline key definitions and simplified many proofs. This paper did notconsider α-equivalence and dynamic sequences, although some of our ideas are foreshadowed.

A pointer sequence is represented diagrammatically as an ordinary sequence decoratedwith pointed arrows, for example

m0ttss

m1ss m2

ssm3tt

m4 m5

would be represented using HO integer indices as the pair

(m0m1m2m3m4m5, (1 7→0, 2 7→0, 3 7→2, 4 7→1, 5 7→3)).

The raw sequence representation is m0[a]∗ :: m1[b]a :: m2[c]a :: m3[d]c :: m4[e]b :: m5[f ]d.Each move has a name, freshly introduced, indicated in square brackets, serving as an address,and it uses a previously introduced name to indicate the point of the arrow.

Game semantics requires complex operations on pointer sequences, such as swapping moves(while preserving pointers) to model reordering of actions in asynchronous concurrency [16]or extracting sub-sequences to model restricted history sensitiveness in languages withouteffects (innocence [18]). With integer indices, the pointer map needs to be re-indexed, anawkward operation which can be formalised in principle but it never was in practice dueto sheer tedium. Using names, the same definitions are straightforward, as the names stayattached to the moves, making a more precise formalisation possible.

Although the raw sequence formalisation is from a mathematical point of view effective,from a conceptual and operational point of view is too profligate in its use of names. Thisis best illustrated with a simple example. The standard interpretation of the sequencingoperator in HO games for Algol-like languages [1] is the set of even-length prefixes of this

pointer sequence: r uu ttss r1tt d1 r2

tt d2 d . The operational intuitionis as follows, where P is ‘the program’ and E is ‘the environment’:

r E asks P to start sequencing the two commands;r1 P in reply to r (see arrow) asks E to execute the first command;d1 E in reply to r1 (see arrow) eventually reports the first command’s termination;r2 P, justified by r (see arrow), asks E to execute the second command;d2 E, in reply to r2, eventually reports the first command’s termination;d P, in reply to r, reports that sequencing is completed.

2 This section is best understood by readers familiar with Hyland-Ong-style game semantics, but it iswritten so that it can be also accessible to the casual reader.

M. J. Gabbay, D. R. Ghica and D. Petrişan 13

The raw sequence representation of this play is r[a]∗ :: r1[b]a :: d1b :: r2[d]a :: d2d :: da, whichrequires 3 names. Certain moves, called answers, are never pointed at, so they need notintroduce a name (they can, but it will simply be wasted). In certain game models answershave the additional property that after they point to a move no other subsequent move canever point to it either—like name destructors, in fact! Using dynamic sequences with explicitname creation and destruction and late binding, the same sequence can be represented as:r∗〈a :: r1a〈a :: d1a〉 :: r2a〈a :: d2a〉 :: da〉. The raw sequence representative of the dynamicsequence above uses just the name a. This is more aesthetically pleasing but it is also helpfulfor two reasons related to representing game models for program verification or compilation:

Dynamic sequences allow an improvement of the mathematical presentation of gamesemantics as well, beyond the raw-sequence formalisation. For example, in [9]:

Def. 2.12, formalises the concept of “enabled sequence” e, in which any name of a movemust be introduced before being used. This definition becomes just a� e.Def. 2.15(iii) “Call a play e strictly scoped when aa[b]e′ ∈ e implies a 6∈ supp(e′).” saysthat once the “answer” move a uses a name a, that name should never be used again.This condition can be removed now and plays be made strictly scoped by construction,because a can be destructed by the answer move: aa〉〈b :: e′.

Note that, as detailed in Sec. 5, the various raw-sequence operations used in game semanticscan be lifted to dynamic sequences in an elegant way.

7 Related and future work

The main contribution of this paper is the syntactic notion of dynamic sequence that modelsinterleaved scope by splitting binding into two more primitive syntactic constructs: a name-creation bracket 〈a, and a name-destruction bracket a〉. By interleaved we mean thatbrackets need not be perfectly nested, as in 〈a〈baba〉b〉.

The idea of splitting local binding into two brackets has been seen before. The Adbmalsyntax from [17] splits λ-binding specifically in the λ-calculus into an opening bracket λa anda closing bracket λa. However that paper is focused on scope-balanced terms and assumesa jump semantics, that is, λa closes the scope of all intermediate λs occurring before thematching λa in order to avoid interleaved scope. By contrast, in this paper a〉 lazily matchesonly the single most recent unmatched 〈a. It would be interesting to develop a categoricalsemantics for the λ-calculus and to explore further connections with dynamic sequences.

Dynamic scope also appears in natural languages, in semantic models for indefinitearticles [27]. An opening bracket corresponds to the creation of a new ‘file’ for storingsubsequent information and anchoring references. A closing bracket corresponds to thedeletion of the ‘file’ and the destruction of the context. That paper takes a radically differentapproach based on a variation of monoidal categories and Grothendieck constructions.Working out the precise connection with our setting is left as future work.

In Sec. 5 we introduced a number of concepts such as regular expressions over dynamicsequences (Def. 29) and a very simple programming language (Sec. B) with explicit deal-location. Regular expressions and Kleene algebras with statically scoping nominal-stylename-binding and -generation have been studied [13, 22, 20] and it would be interesting toinvestigate versions with dynamic scope. Languages with allocation have been extensivelystudied, including in the nominal setting (e.g. [3, 24]), but those with deallocation not somuch as far as we know. This too could be future work. It would also be interesting toextend nominal automata [25, 4, 19] to handle name destruction. We could then investigate

14 Nominal techniques for variables with interleaving scopes

whether dynamic binding monoids play a similar role in understanding the algebraic theoryof languages accepted by such automata, just as orbit-finite nominal monoids do for nominallanguages, see [5].

Our original motivation was to apply dynamic sequences as a notation for the pointersequences of game semantics, to simplify the formalisation of definitions of operations onpointer sequences and proofs of their properties. Raw nominal sequences are a step inthis direction [9]; dynamic sequences take this further by introducing appropriate rulesfor scope and α-equivalence. This may help to formalise parts of game semantics—think“game semantics in Nominal Isabelle” analogously to the current extensive implementationof nominal abstract syntax in Isabelle [26], or “rewriting on game semantics using nominalrewriting” (or a suitable generalisation with freshness side-conditions generalised to freshness-arity side-conditions) similar to [8]—and to tighten the connection between the game-semanticand abstract-machine models.

Perhaps the most significant challenge, but also the most exciting opportunity, is the useof dynamic sequences to model explicit resource management in C-like languages. Intuitively,a call to malloc() introduces a new name for a memory location, which in a dynamictrace corresponds to 〈a, whereas a call to free() removes that name, which in a dynamictrace corresponds to a〉. Clearly the scopes of the memory locations thus managed canbe arbitrarily interleaved. However, the nominal aspects are only one aspect required tounderstand malloc/free. The stateful effects, the possibility of dangling pointers andgarbage require significant amounts of further work.3

To conclude, we believe that interleaved name scopes are an interesting phenomenonwhich appears in several contexts: game semantics (our initial motivation), natural languagesand low-level languages with explicit resource management. However, beyond these actualand potential applications, dynamic sequences seem to also be a novel nominal phenomenon,interesting in its own right.

Acknowledgements:

We thank Bertram Wheen for a partial Agda formalisation of the syntactic model.

References

1 S. Abramsky and G. McCusker. Linearity, sharing and state: a fully abstract game se-mantics for idealized algol with active expressions. Electr. Notes Theor. Comput. Sci.,3:2–14, 1996.

2 H. P. Barendregt. The Lambda Calculus: its Syntax and Semantics (revised ed.). North-Holland, 1984.

3 N. Benton and B. Leperchey. Relational reasoning in a nominal semantics for storage. InTyped Lambda Calculi and Applications, pages 86–101. Springer, 2005.

4 M. Bojanczyk, B. Klin, and S. Lasota. Automata theory in nominal sets. Logical Methodsin Comp. Sci., 10(3), 2014.

5 M. Bojańczyk. Nominal monoids. Theory of Computing Systems, 53(2):194–222, 2013.6 R. Clouston. Nominal lawvere theories: A category theoretic account of equational theories

with names. J. Comput. Syst. Sci., 80(6):1067–1086, 2014.

3 In Appendix B we show the semantics of a toy language where resource-names can be allocated andfreed, but in a setting where stateful behaviour is extremely restricted.

M. J. Gabbay, D. R. Ghica and D. Petrişan 15

7 R. A. Clouston and A. M. Pitts. Nominal equational logic. Electr. Notes Theor. Comput.Sci., 172:223–257, 2007.

8 M. Fernández and M. J. Gabbay. Nominal rewriting (journal version). Information andComputation, 205(6):917–965, June 2007.

9 M. Gabbay and D. R. Ghica. Game semantics in the nominal model. Electr. Notes Theor.Comput. Sci., 286:173–189, 2012.

10 M. J. Gabbay. A general mathematics of names. Information and Computation, 205(7):982–1011, July 2007.

11 M. J. Gabbay. Nominal algebra and the HSP theorem. Journal of Logic and Computation,19(2):341–367, April 2009.

12 M. J. Gabbay. Foundations of nominal techniques: logic and semantics of variables inabstract syntax. Bulletin of Symbolic Logic, 17(2):161–229, 2011.

13 M. J. Gabbay and V. Ciancia. Freshness and name-restriction in sets of traces with names.In FOSSACS, volume 6604 of Lec. Notes in Comp. Sci., pages 365–380. Springer, 2011.

14 M. J. Gabbay and A. Mathijssen. Nominal universal algebra: equational logic with namesand binding. Journal of Logic and Computation, 19(6):1455–1508, December 2009.

15 M. J. Gabbay and A. M. Pitts. A new approach to abstract syntax with variable binding.Formal Aspects of Computing, 13(3–5):341–363, July 2001.

16 D. R. Ghica and A. S. Murawski. Angelic semantics of fine-grained concurrency. Ann. PureAppl. Logic, 151(2-3):89–114, 2008.

17 D. Hendriks and V. van Oostrom. adbmal. In CADE, volume 2741 of Lec. Notes in Comp.Sci., pages 136–150. Springer, 2003.

18 J. M. E. Hyland and C. L. Ong. On full abstraction for PCF: i, ii, and III. Inf. Comput.,163(2):285–408, 2000.

19 D. Kozen, K. Mamouras, D. Petrisan, and A. Silva. Nominal Kleene coalgebra. Tech-nical Report http://hdl.handle.net/1813/39108, Computing and Information Science,Cornell University, February 2015.

20 D. Kozen, K. Mamouras, and A. Silva. Completeness and incompleteness in nominal Kleenealgebra. Technical report, Computing and Information Science, Cornell University, Novem-ber 2014.

21 A. Kurz and D. Petrisan. On universal algebra over nominal sets. Math. Struc. in Comp.Sci., 20(2):285–318, 2010.

22 A. Kurz, T. Suzuki, and E. Tuosto. On nominal regular languages with binders. InFOSSACS, volume 7213 of Lec. Notes in Comp. Sci., pages 255–269. Springer, 2012.

23 A. M. Pitts. Nominal Sets: Names and Symmetry in Comp. Sci., volume 57. CambridgeUniversity Press, 2013.

24 M. R. Shinwell and A. M. Pitts. On a monadic semantics for freshness. Theor. Comp. Sci.,342(1):28–55, 2005.

25 N. Tzevelekos. Fresh-register automata. In POPL, pages 295–306. ACM, 2011.26 C. Urban. Nominal reasoning techniques in Isabelle/HOL. J. of Automatic Reasoning,

40(4):327–356, 2008.27 A. Visser, K. Vermeulen, et al. Dynamic bracketing and discourse representation. Notre

Dame Journal of Formal Logic, 37(2):321–365, 1996.

16 Nominal techniques for variables with interleaving scopes

A Proofs

Proof of Lem. 7. We work by induction on the length of the sequences.

1. If e1 = e′1a for some e′1 ∈ RSeq then necessarily e2 = e′2a for some e′2 with e′1 =α e′2. For

b 6= a we have Fb(ei) = Fb(e′i), while Fa(ei) = Fa(e′i) · f, where i ∈ {1, 2}. Using theinduction hypothesis we derive F(e1) = F(e2).

2. The cases when e1 = e′1〈a and e1 = e′1k are similar.3. If e1 = e′1a〉 we need to consider two sub cases, depending whether the normal form ofFa(e′1) is of the shape dm · fn or dm · fn ·cp+1.In the former situation, the equivalence between e1 and e2 was necessarily inferred viathe rule (αm), so there exists e′2 ∈ RSeq such that e2 = e′2a〉 and e′1 =α e

′2. We conclude

that F(e1) = F(e2) just as in the previous cases.In the latter case, the rule (αα) was used. So we can write e1 = g′〈ag′′a〉 and e2 = e′2〈be′′2b〉for g′, g′′, e′2, e′′2 such that a3 g′′ and b3 e′′2 and for fresh c we have g′〈c (a c) ·g′′ =α

e′2〈c (b c) ·e′′2 . By induction we have

F(g′〈c (a c) ·g′′) = F(e′2〈c (b c) ·e′′2). (17)

We have Fa(e1) = Fa(g′)···c···Fa(g′′)···d = Fa(g′)···c··· fn ···d = Fa(g′). On the other hand,Fa(e2) = Fa(e′2)···ε···Fa(e′′2)···ε = Fa(e′2)···Fa(e′′2). From (17) we deduce Fa(g′)···ε···Fa((a c) ·g′′) =Fa(e′2)···ε···Fa((b c) ·e′′2), or equivalently, Fa(g′)···Fc(g′′) = Fa(e′2)···Fa(e′′2). Since c is fresh,we have Fc(g′) = ε, hence Fa(g′) = Fa(e′1)···Fa(e′′2). Therefore Fa(e1) = Fa(e2). Similarly,for any c we have Fc(e1) = Fc(e2). J

Proof of Lem. 8. Assume by contradiction that e2 is longer than e′2. Then there existse3 ∈ RSeq such that e2 = e3〈ae′2. This implies that Fa(e2) = Fa(e3〈ae′2). Since a3 e′2 wehave Fa(〈ae′2) = c, hence Fa(e2) = Fa(e3)···c. Since a3 e2 the normal form of Fa(e2) is frwith r ∈ {0, 1}. Assuming the normal form of Fa(e3) is dm ··· fn ···cp we obtain the equality oftwo normal forms fr = dm ··· fn ···cp+1, a contradiction. Similarly, e′2 is no longer than e2, sothey have the same length and ei = e′i. J

Proof of Lem. 9. It is easy to prove e =α e by induction on e; we just use (αε) and (αm).Likewise, symmetry is easy to prove.

We now prove by induction on derivations that if e =α e′ and e′ =α e

′′ then e =α e′′.

There are nine cases; one for each of the 3×3 possible rules ending the derivations:

Case ((αε), ∗) for any rule ∗. If e =α ε and ε =α ε then e =α ε. Case (∗, (αε)) is similar.Case ((αm), (αm)). Suppose em =α e′m by (αm), so e =α e′, and e′m =α e′′m by(αm), so e′ =α e

′′. By inductive hypothesis e =α e′′ and so by (αm) em =α e

′′m.Case ((αm), (αα)). Suppose ea〉 =α e′a〉 by (αm),so e =α e′, and e′a〉 =α e′′a′′〉 by(αα). Using Lem. 7 it follows that F(ea〉) = F(e′a〉) = F(e′′a′′〉). Since e′′ = e′′1〈a′′e′′2 witha′′3 e′′2 it follows then that e′ = e′1〈ae′2 =α e with a3 e′2. Using Lem. 7 again, it followsthat F(e′1〈ae′2) = F(e), so e = e1〈ae2 with a3 e2. Thus e′1〈ae′2 =α e1〈ae2 with a3 e2, e

′2,

from which Nc.e′1〈c (c a) ·e′2 =α e1〈c (c a) ·e2, a3 e2, e′2 which proves that ea〉 =α e

′a〉because (αα) thus reducing the case ((αm), (αα)) to ((αα), (αα)), proved below.Case ((αα), (αα)). If ea〉 =α e′a′〉 using (αα) then e = e1〈ae2, e

′ = e′1,1〈a′e′1,2 witha3 e2, a′3 e′1,2 such that for all but finitely many c, e1〈c (c a) ·e2 =α e

′1,1〈c (c a′) ·e′1,2. If

e′a′〉 =α e′′a′′〉 using (αα) then e′ = e′2,1〈a′e′2,2, e′′ = e′′1〈a′′e′′2 with a′3 e′2,2, a′′3 e′′2 such

that for all but finitely many c, e′2,1〈c (c a′) ·e′2,2 =α e′′1〈c (c a′′) ·e′′2 . Using Lem. 7 it follows

that e′1,2 = e′2,2 = e′2 from which it follows that it must be that e′1,1 = e′2,1 = e′1. It follows

M. J. Gabbay, D. R. Ghica and D. Petrişan 17

that for all but finitely many c, e1〈c (c a) ·e2 =α e′′1〈c (c a′′) ·e′′2 with a3 e2, a′′3 e′′2 , so

ea〉 =α e′′a′′〉 using (αα). J

Proof of Lem. 12. We show the left-to-right implication by induction on the length of thesequence. It is easier to work with a representative e ∈ RSeq. We have that a is fresh for theequivalence class of e if and only if Nb.(b a) ·e =α e, so we shall prove that whenever Fa(e) = ε

and b is fresh for e then (b a) ·e =α e. For e = ε the statement is true by definition. For theinduction step we must show that for any token m ∈ T, if Fa(em) = ε then (b a) ·em =α em.We have the following cases:

1. If a#m then Fam = ε which, from Lem. 3, requires that Fae = ε. The inductionhypothesis along with the obvious fact that (b a) ·m = m proves the statement.

2. The case m ∈ {a, b, 〈a, 〈b} is impossible, from Lem. 3, given that Fa(em) = Fb(em) = ε,since the freshness arities f, c cannot be cancelled into ε from the left.

3. If m = a〉, Fa(ea〉) = ε implies Fae = c, since Fa(a〉) = d (by (4) and Lem. 3). Asimple argument shows there exist sequences e1, e2 with Fae1 = ε and a3 e2 suchthat e = e1〈ae2. We must show that for fresh b (b a) ·e1〈ae2a〉 =α e1〈ae2a〉 ⇔((b a) ·e1

)〈b

((b a) ·e2

)b〉 =α e1〈ae2a〉. Since b was chosen fresh, we may assume b#e1, and

by induction hypothesis (b a) ·e1 =α e1.For fresh c, (c b)(b a) ·e2 =α (c a) ·e2 because the permutations agree on the support of e.Congruence of α-equivalence along with a3 e2 proved earlier allows us to use the rule(αα) and conclude the proof.

The other implication can also be proved by induction. J

I Theorem 31. For e, e′ ∈ RSeq, if e =α e′ then JeK = Je′K.

Proof. By induction on the derivation of α-equivalence. The only non-trivial computationis when e =α e

′ was derived from the rule (αα). In this case we know that e = e1〈ae2a〉and e′ = e′1〈be′2b〉 such that a3 e2, b3 e′2 and for any fresh c we have e1〈c (a c) ·e2 =α

e′1〈c (b c) ·e′2. By induction we have that Je1〈c (a c) ·e2K = Je′1〈c (b c) ·e′2K, or equivalently:Je1〈cK ◦ (a c) ·Je2K = Je′1〈cK ◦ (b c) ·Je′2K. From Thm. 15 and the simple observations that(a c) ·〈a = (b c) ·〈b and (a c) ·a〉 = (b c) ·b〉 it follows that

Je1K ◦ (a c) ·J〈ae2a〉K = Je′1K ◦ (b c) ·J〈be2b〉′K. (18)

We claim that

(a c) ·J〈ae2a〉K = J〈ae2a〉K. (19)

From (19) and (18) we conclude that JeK = Je′K. Claim (19) follows by induction andmakes use of a3 e2. It suffices to prove for fresh c that J〈ae2a〉K ⊆ J〈c(c a) ·e2c〉K. Assume(S,X)J〈ae2a〉K(S1, X1). Using the fact that J〈ae2a〉K = J〈aK ◦ Je2K ◦ Ja〉K we obtain that S1 isof the form S′\a and X1 = X :: b :: X ′ :: b, where b is fresh and S′ and X ′ are such that(S :: (a 7→b), X :: b)Je2K(S′, X :: b :: X ′). To prove (S,X)J〈c(c a) ·e2c〉K(S1, X1), it suffices tocheck

(S :: (c, b), X :: b)J(c a) ·e2K(S′′, X :: b :: X ′) (20)

where S′′ is obtained from S′ by replacing the occurrence of the pair (a 7→b) by (c 7→b). Ifthis is the case, then we can finish using the compositionality of J-K (Thm. 15) and thatS′′\c = S′\a and S′′(c) = S′(a) = b. J

18 Nominal techniques for variables with interleaving scopes

Proof of Thm. 17. The left-to-right direction is Thm. 31. So consider e1, e2 such that Je1K =Je2K. First we note that the lengths of e1 and e2 must be equal, because if (S,X) Je1K (S′, X ::X ′) then the lengths of e1 and X ′ are also equal (the proof is a straightforward inductiveargument on the length of e1). We will use induction on the length of X ′. The base case ε isimmediate, e1 = e2 = ε and (α− ε).

For the inductive cases, if X ′ = X ′′ :: k the proof is immediate. The interesting case isX ′ = X ′′ :: b. There are three further cases depending on which equation was used to derive(S′, X ′).

S′=S′′::(a 7→b), which requires that (14) was used, so e1 = e′1a, e2 = e′2b. Since Je1K = Je2K,Prop. 16 implies that Je′1K = Je′2K. We apply the induction hypothesis and (α-m).S′(a) = b for some name a, but (a 7→b) is not at the top of the stack. This case is just likethe previous except that this means (12) was used. We also use the rule (α-m) togetherwith Prop. 16 and the inductive hypothesis.S′(a) is not defined, which means that (15) was used, so it must be that e1 = e′1a1〉,e2 = e′2a2〉 for some a1, a2 ∈ A. This is the interesting case. Using the induction hypothesisand the compositionality of J-K (Thm. 15), for any (S,X),

(S,X) Je1K (S1, X1) Ja1〉K (S1\a1, X1 :: S1(a1))⇔ (S,X) Je2K (S2, X2) Ja2〉K (S2 \a2, X2 :: S2(a2)) (21)

which means that X1 = X2 = X ′, S1 \a1 = S2\a2, S1(a1) = S2(a2) = b, so we write (21)equivalently as

(S,X) Je1K (S1, X′) Ja1〉K (S1 \a1, X

′ :: b)⇔ (S,X) Je2K (S2, X

′) Ja2〉K (S2 \a2, X′ :: b) (22)

Because S1 and S2 differ only in the inclusion of the (a1 7→b) and respectively (a2 7→b) andbecause this can only be introduced by the occurrence of name creation, it follows thate1 = e11〈a1e12 and e2 = e21〈a2e22. Moreover, e12 and e22 may not have occurrences ofa1〉 and a2〉, respectively, because S1(a1) and S2(a2) must be defined. Therefore

a13 e12, a23 e22 (23)

Using the compositionality of J-K (Thm. 15) and (22):

(S,X) Je11K (S11, X11)J〈a1K (S11 :: (a1 7→b), X11 :: b)Je12K (S12, X11 :: b :: X12)

if and only if(S,X) Je21K (S21, X21)

J〈a2K (S21 :: (a2 7→b), X21 :: b)Je22K (S22, X21 :: b :: X22)

(24)

which, because X11 :: b :: X12 = X21 :: b :: X22 = X ′ and b is fresh, and because S1 andS2 are in agreement except for a1 and a2, can be rewritten as

(S,X) Je11K (S′1, X1)J〈a1K (S′1 :: (a1 7→b), X1 :: b)Je12K (S′2, X1 :: b :: X2)

if and only if(S,X) Je21K (S′1, X1)

J〈a2K (S′1 :: (a2 7→b), X1 :: b)Je22K (S′2, X1 :: b :: X2)

(25)

M. J. Gabbay, D. R. Ghica and D. Petrişan 19

We note immediately that

Je1K = Je2K so by the IH e1 =α e2. (26)

We also note that J〈a1e12K, J〈a2e22K differ only by the entries (a1 7→b), (a2 7→b) in theirdictionaries. Following a line of reasoning analogue to that in Thm. 31 and using (23)it implies that for a fresh c ∈ A, J(c a1) ·e12K = J(c a2) ·e22K which, from the IH, implies(c a1) ·e12 =α (c a2) ·e22. Together with (26) and the congruence property of =α (Thm. 10),it follows that e11〈c (c a1) ·e12 =α e21〈c (c a2) ·e22, so that e1 =α e2 by (αα). J

Proof of Lem. 19. Clearly RSeq is a nominal monoid and since =α is an equivariant equi-valence relation and a congruence with respect to concatenation, we have a nominal monoidstructure on DSeq = RSeq/=α.

The functions ‹ and › map a to the equivalence classes of 〈a and a〉 respectively. Thefunction γ on RSeq/=α is obtained from the function F : RSeq→ BA of Lem. 2, which byLem. 7 factors through RSeq/=α.

It remains to check the equations in Def. 18 are satisfied. The first three are clear fromthe definition of F .

To prove (16), it suffices to show that for any e ∈ RSeq and a, b ∈ A such that b#e anda3 e we have 〈aea〉 =α 〈b (b a) ·eb〉. We obtain this as an instance of (αα):

Nc. 〈c :: (c a) ·e =α 〈c :: (c b) ◦ (b a) ·e a3 e, b3 ((b a) ·e)〈aea〉 =α 〈b (b a) ·eb〉

The premise holds since (c a) ·e=(c b)◦(b a) ·e for fresh b. J

Proof of Thm. 21. Consider (X, γ) ∈ BNom, the set X +A+A = X ∪{〈a|a ∈ A}∪ {a〉|a ∈A}, and the equivariant map γ : X + A + A→ BA that acts as γ on X such that γa(〈a) = c,γa(a〉) = d, γa(〈b) = ε and γa(a〉) = ε. Then γ can be extended uniquely to a monoidmorphism γ∗ : (X + A + A)∗ → BA. Define a relation ≡ on (X + A + A)∗ as the congruencegenerated by 〈awa〉 = 〈b(a b) ·wb〉, where a, b ∈ A, w ∈ (X + A + A)∗ and b#w andγ∗a(w) ∈ {ε, f}.

Construct F (X, γ) as a dynamic binding monoid on the carrier nominal set (X+A+A)∗/≡.Left and right binders are defined in the obvious way and the specification function is inducedby γ∗. It is easy to check that whenever w ≡ w′ then γ∗(w) = γ∗(w′). We must exhibitan isomorphism DBMon((X + A + A)∗/≡,M) ' BNom((X, γ), (M,γM )). Starting with amorphisms f : X → M in BNom, we can uniquely extend f + ‹+ › : X + A + A→ M toan equivariant monoid morphism f# : (X + A + A)∗ → M . We have that γ ◦ f# = γ∗. Itfollows that for every w,w′ ∈ (X +A+A)∗ such that w ≡ w′ then f#(w) = f#(w′). Hence, f#factors through a dynamic binding monoid morphism f : (X + A + A)∗/≡ →M . Conversely,given g ∈ DBMon((X + A + A)∗/≡,M) we consider g[ ∈ BNom((X, γ), (M,γM )) given byg[(x) = g([x]) where [x] is the ≡-equivalence class of x. J

Proof of Thm. 22. We have that RSeq = (A∪K+A+A)∗, thus it suffices that =α is equalto the relation ≡ described in the proof of Thm. 21. That ≡⊆=α follows from the proof ofLem. 19. For the other inclusion, we prove by induction on the length of e that whenevere =α e

′ then e ≡ e′. If the former equivalence was derived using the rules (αε) or (αm)then the proof is immediate by induction. Assume that e =α e

′ was derived using (αα).That is, e = e1〈ae2a〉, e′ = e′1〈be′2b〉 such that a3 e2, b3 e′2 and for any fresh c we havee1〈c (c a) ·e2 =α e

′1〈c (c b) ·e′2. By inductive hypothesis e1〈c (c a) ·e2 ≡ e′1〈c (c b) ·e′2 for fresh

c; we must prove e1〈ae2a〉 ≡ e′1〈be′2b〉.

20 Nominal techniques for variables with interleaving scopes

We consider the case when e1〈c (c a) ·e2 = h1〈dhd〉h2 and e′1〈c (c b) ·e′2 = h′1〈d′(d′ d) ·hd′〉h′2such that h1 ≡ h′1, h2 ≡ h′2, d′#h′ and d3h. The most interesting case is when h = g1〈cg2.We have that

e1〈ae2a〉 = h1〈dg1〈a(a c) ·g2d〉(a c)h2a〉≡ h1〈dg1〈cg2d〉h2c〉≡ h′1〈d′(d′ d) ·g1〈c(d′ d) ·g2d

′〉h′2c〉≡ h′1〈d′(d′ d) ·g1〈b(b c)(d′ d) ·g2d

′〉(b c)h′2b〉= e′1〈be′2b〉.

It might be the case that e1〈c (c a) ·e2 ≡ e′1〈c (c b) ·e′2 was obtained using the transitivityof ≡, for example 〈d1〈d2〈cd2〉d1〉 ≡ 〈d′1〈d′2〈cd′2〉d′1〉 can only be derived using the transitivityof ≡. For this case the proof that e1〈ae2a〉 ≡ e′1〈be′2b〉 requires several steps and transitivity,but it reduces to the basic case resolved above. J

B Languages with explicit allocation and deallocation

It seems natural to use dynamic sequences to model programming languages with explicitresource allocation and deallocation. We now give a toy example of such a language: consideran imperative language with resource management primitives whose terms are defined by:

C ::= alloc(x) | use(x) | free(x) | new x.C | C;C | C ‖ C ′ | skip.

Resources are bound to (local) variables chosen from a set X. and can be allocated, used orreleased. Commands can be sequenced or interleaved. We also include the trivial commandskip. The nominal treatment of local variables, chosen from set of atoms X, is conventionaland the definitions of free or bound variable in a term are the standard ones, as is alphaequivalence on terms. The set of terms (up to α-equivalence) is denoted by Prog. We givea denotational trace semantics of Prog. Let X be the set of constants used in defining rawsequences (Def. 1). A program trace will consist of a sequence of symbols indicating at whatvariable an action occurred, and what that action was (allocation, use, deallocation). Definethe denotational semantics J-K : Prog→ P(DSeq) by:

JskipK = {ε} Jalloc(x)K = {x〈a | a ∈ A}Juse(x)K = {xa | a ∈ A} Jfree(x)K = {xa〉 | a ∈ A}

Command composition, sequential or parallel, is defined as:

JC;C ′K = {ee′ | e ∈ JCK, e′ ∈ JC ′K, e#e′}JC ‖ C ′K = {e ‖ e′ | e ∈ JCK, e′ ∈ JC ′K, e#e′}.

This is perhaps surprising because it forces mismatches between actions associated with thesame variable, e.g.

Jalloc(x); free(x)K = {x〈a :: xb〉 | a, b ∈ A, a 6= b}

This ‘bad variable’ behaviour is inspired by game-semantic models of state. As in gamesemantics, order is restored by the local variable binder [1], replacing all names of actionsassociated with x with a fresh name c, then removing all occurrences of x from the trace:

Jnew x.CK = {e′\x | e ∈ JCK, Nc.e′ = e[supp(e|x)/c]}

M. J. Gabbay, D. R. Ghica and D. Petrişan 21

By e|x we mean sequence e restricted to a concatenation of sub-sequences of form xm. Thesubstitution notation is extended pointwise to a set of atoms. For instance,

Jnew x.alloc(x); free(x)K = {〈aa〉},

a singleton set. We can also prove equations such as

(new x.alloc(x); free(x)) ‖ (new x.alloc(x); free(x))≡ new x.new y.(alloc(x); free(x)) ‖ (alloc(y); free(y))

which both are interpreted as 〈aa〉 ‖ 〈aa〉. Straightforward proofs are possible that sequentialand parallel composition form monoids on Prog with unit skip.

Due to design decisions discussed in Sec. 2.3 this language satisfies equivalences thatC-like languages do not, such as:

new x.alloc(x); alloc(x); free(x); free(x) ≡ new x.new y.alloc(x); alloc(y); free(y); free(x)

which are both {〈a〈aa〉a〉}.