Saturating Automata for Game Semantics

Saturation is a fundamental game-semantic property satisﬁed by strategies that interpret higher-order concurrent programs. It states that the strategy must be closed under certain rearrangements of moves, and corresponds to the intuition that program moves (P-moves) may depend only on moves made by the environment (O-moves). We propose an automata model over an inﬁnite alphabet, called saturating automata, for which all accepted languages are guaranteed to satisfy a closure property mimicking saturation. We show how to translate the ﬁnitary fragment of Idealized Concurrent Algol ( FICA ) into saturating automata, conﬁrming their suitability for modelling higher-order concurrency. Moreover, we ﬁnd that, for terms in normal form, the resultant automaton has linearly many transitions and states with respect to term size, and can be constructed in polynomial time. This is in contrast to earlier attempts at ﬁnding automata-theoretic models of FICA , which did not guarantee saturation and involved an exponential blow-up during translation, even for normal forms.


Introduction
Game semantics is a versatile modelling theory that interprets computation as interaction between two players, called O (Opponent) and P (Proponent).The two players represent the environment and the program respectively, so programs can be interpreted as strategies for P.Although initially game models concerned functional sequential computation, notably the language PCF [2,13], it did not take long for the methodology to be extended to other programming constructs such as state [3,1], control operators [16], and, soon afterwards, concurrency.Some of the game models were presented in the interleaving tradition of models of concurrency [17,18,12], while others were built in the spirit of partial-order methods (true concurrency) [7].
In the interleaving approach, the aim is to construct strategies in such a way that they will contain all possible sequential observations of parallel interactions.Within game semantics, this led to the realisation that strategies must be closed under certain rearrangements of moves, to reflect the limited power of programs to observe and control the actual ordering of concurrent actions.Critically, a program can wait until an environment action occurs before proceeding, but it does not have any influence over environment actions or its own concurrent actions beyond those stipulated by the game.To express this constraint, one requires that strategies should be closed under certain move swaps.More specifically, consecutive m 1 m 2 can be swapped as long as the swap still leads to a valid play and it is not the case that m 1 is an O-move and m 2 is a P-move.
In game semantics, this condition first appeared in a model of Idealized CSP [17], and was named saturation in [12].In game models based on event structures [7], an analogous condition can be expressed more directly using event structures with polarity.Variants of saturation also occur in other contexts in the theory of concurrency.For example, they have been used to describe propagation of signals across wires in delay-insensitive circuits [25] or to specify the relationship between input and output in asynchronous systems with channels [14].
More recently, there have been attempts at defining automata-theoretic formalisms that provide support for representing plays in concurrent game semantics [10,11].At the technical level, plays are sequences of moves connected by pointers, which poses a challenge for standard automata theory based on finite alphabets.However, an infinite alphabet is ideal for this purpose, especially if it has tree structure, so that the parent relation (link from child to parent) can provide a means of representing game-semantic pointers.Although the proposed formalisms were shown to accommodate the game semantics of higherorder concurrent programs, notably, that of a finitary version of Idealized Concurrent Algol (FICA) [12], they do not capture natively the saturation condition: in addition to interpretations of FICA terms (which are guaranteed to satisfy saturation), they are also capable of accepting many other languages, which need not be closed under any kind of swaps.
In contrast, in this paper, we define an automata model over infinite alphabets, called saturating automata, for which any accepted language is guaranteed to satisfy (a language variant of) the saturation condition.It is achieved through carefully tailored transitions, which in particular restrict the way that siblings may communicate with each other through parents, and minimise direct communication between other generations.
The new design turns out to bring another technical advantage over existing translations.Saturating automata corresponding to FICA terms in normal form have linearly many states and transitions (with respect to term size), and can be generated in at most quadratic time.This is an improvement over the exponential complexity inherent in earlier translations, which was due to either the fact that memory was modelled through control states [10] or the use of product constructions to handle parallel composition [11].In view of the ubiquity of the saturation condition, we believe that this makes saturating automata into a point of interest in the design space of automata models, which deserves further study in connection with game semantics or other areas mentioned above.

Related work
In addition to the papers already mentioned, the combination of game semantics and automata theory over infinite alphabets appeared in research into sequential computation, e.g. to handle call-by-value computation with state [8,9], ground references [21] and objects [20].On the concurrent front, Petri-netlike devices have recently been proposed to interpret higher-order concurrency along with a correspondence to game semantics [6].
More broadly, our results are related to encodings of higher-order computation in process calculi [24,23,4] (where the role of infinite alphabets would be played by a set of names) and to abstract machines [15].It would also be interesting to find connections between our work and trace theory over partially commutative alphabets [5,19], though there the commutation relation is typically symmetric, unlike in our case.

Finitary Idealised Concurrent Algol (FICA)
Idealised Concurrent Algol [12] is a paradigmatic call-by-name language combining higher-order computation with imperative constructs in the style of Reynolds [22], extended to concurrency with parallel composition (||) and binary semaphores.We consider its finitary variant, FICA, defined over a finite datatype t0, . . ., max u (max ě 0), with no recursion, but with iteration.Its types θ are generated by the 2 Γ $ skip : com Γ $ div θ : θ where com is the type of commands; exp that of t0, . . ., max u-valued expressions; var that of assignable variables; and sem that of semaphores.The typing judgments are displayed in Figure 1.Here, skip and div θ are constants representing termination and divergence respectively, i ranges over t0, . . ., max u, and op represents unary arithmetic operations, such as successor or predecessor (since we work over a finite datatype, operations of bigger arity can be defined using conditionals).Variables and semaphores can be declared locally via newvar and newsem.Variables are dereferenced using !M , and semaphores are manipulated using two (blocking) primitives, grabpsq and releasepsq, which grab and release the semaphore respectively.We assume that variables are initialised to 0 and semaphores are initially released.
In reduction rules, it will be convenient to use the syntax newvar x :" i in M and newsem x :" i in M , which allows us to specify initial values more flexibly, i.e. newvar x in M and newsem x in M should be viewed as newvar x :" 0 in M and newsem x :" 0 in M respectively.
The operational semantics is defined using a (small-step) transition relation V $ M, s ÝÑ M 1 , s 1 , where V is a set of variable names denoting active memory cells and semaphore locks.s, s 1 are states, i.e. functions s, s 1 : V Ñ t0, ¨¨¨, max u, and M, M 1 are terms.We write s b pv Þ Ñ iq for the state obtained by augmenting s with pv Þ Ñ iq, assuming v R dompsq.The basic reduction rules are given in Figure 2, where c stands for any language constant (i or skip) and x op : t0, ¨¨¨, max u Ñ t0, ¨¨¨, max u is the function corresponding to op.In-context reduction is given by the schemata: where reduction contexts Er´s are produced by the grammar: We say that a term $ M : com may terminate, written M ó, if H $ H, M ÝÑ ˚H, skip.
FICA terms can be compared using a notion of contextual (may-)equivalence, denoted Γ $ M 1 -M 2 . Fig.
The free variable f can be viewed as representing an unknown function, to be bound to concrete code by a context.Since we work in a call-by-name setting, that function may evaluate its argument arbitrarily many times, including none.If the function does not use its argument, the value of x will always be 0 (we assume that local variables are initialised to 0) and the term will never terminate, because the right term inside || will always diverge, preventing the whole term from terminating.On the other hand, as long as f evaluates its argument at least once and terminates, and the right-hand side of || is scheduled after the assignment x :" 1 (and code bound to c terminates) then the whole term will terminate too, returning 1.
In the next section we sketch the game semantics of FICA.

Game semantics
In this section, we briefly present the fully abstract game model for FICA from [12], which we rely on in the paper.Game semantics for FICA involves two players, called Opponent (O) and Proponent (P), and the sequences of moves made by them can be viewed as interactions between a program (P) and a surrounding context (O).The games are defined using an auxiliary concept of an arena.
Definition 3.1 An arena A is a tuple xM A , λ A , $ A , I A y, where: ‚ M A is a set of moves; ‚ λ A : M A Ñ tO, P u ˆtQ, Au is a function determining for each m P M A whether it is an Opponent or a Proponent move, and a question or an answer ; we write λ OP A , λ QA A for the composite of λ A with respectively the first and second projections; ‚ $ A is a binary relation on M A , called enabling, satisfying: if m $ A n then λ OP A pmq ‰ λ OP A pnq and λ QA A pmq " Q; ‚ I A Ď M A is a set of initial moves such that λ A pI A q Ď tpO, Qqu and $ A XpM A ˆIA q " H (no enablers).
Note that an initial move must be an O-question (OQ).In arenas used to interpret base types all A The arena A for the term from Example 2.1.More complicated types are interpreted inductively using the product (A ˆB) and arrow (A ñ B) constructions, given in Figure 3.
We write θ for the arena corresponding to type θ.In Figure 4a, we give (the enabling relation of) the arena A " p com Ñ com ˆ com q ñ exp , which needs to be constructed to interpret the term from Example 2.1.We use superscripts to distinguish copies of the same move (the use of superscripts is consistent with our future convention, which will be introduced in Definition 6.1).
Given an arena A, we specify next what it means to be a legal play in A. For a start, the moves that players exchange will have to form a justified sequence, which is a finite sequence of moves of A equipped with pointers.Its first move is always initial and has no pointer, but each subsequent move n must have a unique pointer to an earlier occurrence of a move m such that m $ A n. We say that n is (explicitly) justified by m or, when n is an answer, that n answers m.If a question does not have an answer in a justified sequence, we say that it is pending in that sequence.In Figures 4b, 4c we give two justified sequences s 1 and s 2 over A.
Not all justified sequences are valid.In order to constitute a legal play, a justified sequence must satisfy a well-formedness condition that reflects the "static" style of concurrency of our programming language: any started sub-processes must end before the parent process terminates.This is formalised as follows, where the letters q and a to refer to question-and answer-moves respectively, while m denotes arbitrary moves.

Definition 3.2
The set P A of plays over A consists of the justified sequences s over A that satisfy the two conditions below.
FORK : In any prefix s 1 " ¨¨¨q ¨¨¨m of s, the question q must be pending when m is played.WAIT : In any prefix s 1 " ¨¨¨q ¨¨¨a of s, all questions justified by q must be answered.
It is easy to check that the justified sequences s 1 , s 2 from Figures 4b and 4c are plays.Remark 3.3 It is worth noting that the notion of play is stable with respect to swaps of adjacent moves except when the swaps involve occurrences of moves m 1 m 2 related by the pointer structure: m 1 m 2 or m 1 , m 2 are answers to questions q 1 , q 2 such that q 2 justifies q 1 .
A subset σ of P A is O-complete if s P σ and so P P A imply so P σ, when o is an O-move.
Suppose Γ " tx 1 : θ 1 , ¨¨¨, x l : θ l u and Γ $ M : θ is a FICA-term.Let us write Γ $ θ for the arena θ 1 ˆ¨¨¨ˆ θ l ñ θ .In [12] it is shown how to assign a strategy on Γ $ θ to any FICAterm Γ $ M : θ.We write Γ $ M to refer to that strategy.For example, Γ $ div " tǫ, runu and Γ $ skip " tǫ, run, run doneu.The plays s 1 , s 2 turn out to belong to the strategy that interprets the term from Example 2.1.Given a strategy σ, we denote by comppσq the set of non-empty complete plays of σ, i.e. those in which all questions have been answered.For example, s 1 (Figure 4b) is not complete, but s 2 (Figure 4c) is.
The game-semantic interpretation ¨¨¨ can be viewed as a faithful record of all possible interactions between the term and its contexts.It provides a fully abstract model in the sense that contextual equivalence is characterized by the sets of non-empty complete plays.
The strategies corresponding to FICA terms turn out to be closed under swaps of adjacent moves as long as the earlier move is a P-move or the later one is an O-move, and the swap produces a play.Formally, for any arena A, let us define ľĎ P A ˆPA to be the least preorder satisfying s m o s 1 ľ s o m s 1 and s p m s 1 ľ s m p s 1 , where m, o, p range over moves, O-moves and P-moves respectively.In the pairs of plays above, we assume that, during a swap, the justification pointers from the two moves also move with them.
Example 3.6 Consider the following play.
Observe that s 2 ľ s 3 , where s 2 is the play from Figure 4c, because the P-move done f 1 moved to the right past a P-move (run c ) and an O-move (done c ).In contrast, we do not have s 3 ľ s 2 , as this would involve moving a P-move (done f 1 ) left past an O-move (done c ).
Example 3.7 Consider the plays s 4 , s 5 given below (in the arena com Ñ com Ñ com ), which correspond to parallel and sequential composition respectively.Observe that s 4 ľ s 5 .Note that the witnessing swap involves swapping run 2 (P-move) with done 1 (O-move), which is permitted by the definition of ľ.
s 4 " run run Remark 3.9 Definition 3.8 states that saturated strategies are stable under ľ.Note that s o p s 1 ń s p o s 1 , while other o{p combinations are allowed in ľ.Thus, saturated strategies allow one to express causal dependencies of P-moves on O-moves.This aspect of strategies is captured explicitly in concurrent games based on event structures [7].
In the next section we will introduce an automata-theoretic model for representing plays.In contrast to earlier attempts, languages accepted by the automata will satisfy a language-theoretic equivalent of the saturation condition.

Saturating automata (SATA)
The automata to be introduced will accept the so-called data languages, i.e. languages over an alphabet of the form Σ ˆD, where Σ is a finite alphabet and D is a infinite alphabet of data values.In our case, the dataset D will have the structure of a countably infinite forest.This structure will be helpful when representing game semantics.In particular, it will be used to encode justification pointers and enforce the WAIT condition.‚ Infinite branching: pred ´1ptd K uq is infinite for any d K P D Y tKu.
‚ Well-foundedness: for any d P D, there exists i P N, called the level of d, such that pred i`1 pdq " K.
Level-0 data values are called roots.
We say that T Ď D is a subtree of D if and only if T is closed (@x P T : pred pxq P T Y tKu) and rooted (D!x P T : pred pxq " K).
Example 4.2 Suppose Σ consists of moves used in Figure 4a, pred pd 0 q " K, pred pd 1 q " pred pd 1 1 q " d 0 and pred pd 2 q " d 1 .The play s 2 (Figure 4c) can be represented by the following word over Σ D: pq, , d 0 q.Note that the predecessor relation is used to represent justification pointers.Full details of the representation scheme will be given in Section 6.
We use subtrees of D to represent configurations.Their nodes will be annotated with additional information.We distinguish between odd and even levels to reflect the distinction between the behaviours of the environment (O) and the program (P).
‚ Each even-level node will be annotated with a multiset of control states, and zero or more memory cells.This information will be allowed to evolve during runs.Intuitively, it represents the multiset of states of a group of processes.‚ Nodes at odd levels will be labelled with single control states, which will not change.
In a single transition, the automaton will be able to add or remove leaves from its configuration using very limited information.When adding a leaf as a child of node n, only the state at n will be available.When removing a leaf, in addition to the state at the leaf, only the parent state will be accessed, if at all.The automaton will also feature ǫ-transitions, which do not modify the shape of the configuration, but can be used to update annotations at even levels, while possibly accessing memory cells at ancestor nodes.
The automata will be parameterized by k and N .The parameter k is the maximal depth of the data used by the automaton, while N is the maximal number of memory cells at any node.A memory cell will store an element from V " t0, . . ., max u.The set of control states will be partitioned into sets C piq , for 0 ď i ď k, dedicated to representing run-time information at the corresponding level i. ‚ Σ " Σ OQ `ΣP Q `ΣOA `ΣP A is a finite alphabet, partitioned into O/P-questions and O/P-answers (we use q O , q P , a O , a P respectively to range over the elements of the four components); ‚ k ě 0 is the depth parameter and N ě 0 is the local memory capacity; ‚ C " Σ k i"0 C piq is a finite set of control states, partitioned into sets C piq of level-i control states; ‚ transitions in δ are partitioned according to their type (ADD, DEL or EPS) and level on which they operate; their shapes are listed below, where c piq , d piq , e piq P C piq and D p2iq , E p2iq P MpC p2iq q, where MpXq denotes the set of multisets over X. ¨ADDp2iq transitions have the form c p2i´1q q O Ý ÝÑD p2iq or : Ý ÝÑD p0q for the special case of i " 0; ¨ADDp2i `1q transitions have the form c p2iq q P Ý ÝÑd p2i`1q ; ¨DELp2iq transitions have the form D p2iq a P Ý ÝÑ:; ¨DELp2i `1q transitions have the form c p2i`1q a O Ý ÝÑd p2iq ; ¨EPSp2iq transitions have the form D p2iq ǫ Ý ÝÑE p2iq ; ¨EPSp2j, 2iq transitions read v P V from memory cell h P t1, . . ., N u at level 2j ď 2i and update it to Remark 4.4 Observe that O and P can "act" only at odd and even levels respectively.The ADDp2iq transitions map exactly onto O-questions from the game semantics.We may view them as spawning a finite number of jobs (hence the use of multisets to represent those jobs' states).Dually, the DELp2iq transition maps onto P-answers which answer those O-questions; correspondingly with WAIT, the DELp2iq transition is only firable when all jobs have reached their "terminal conditions".Each job created via ADDp2iq can evolve separately via ADDp2i `1q or DELp2i `1q, by EPSp2j, 2iq (internal state change plus memory operation), or as part of a group via EPSp2iq.
Definition 4.5 A SATA configuration is a tuple pD, E, f, mq, where D is a finite subset of D (consisting of data values that have been encountered so far), E is a finite subtree of D (the shape of the configuration), ‚ if d is a level-p2i ´1q data value then f pdq P C p2i´1q , and m : E á V N is a partial function whose domain is the set of even-level nodes of E.
A SATA A starts from the empty configuration κ 0 " pH, H, H, Hq and proceeds according to its transitions δ, as detailed below.We write κ " pD, E, f, mq and κ 1 " pD 1 , E 1 , f 1 , m 1 q for the current and the successor configurations respectively.

ADD
We shall have κ pt,dq E 1 " E Y tdu, and if the transition-specific constraints from the table below are satisfied2 .We write f r¨¨¨s to extend or update f .
Note that, in the first two cases, memory is initialised at the new node.In the last case, c p2iq is removed from f ppred pdqq, i.e. if a job starts evolving via ADDp2i `1q, it is removed from the list of current jobs.

DEL
We shall have κ pt,dq Ý Ý ÝÑκ 1 provided t P Σ OA `ΣP A , d is a leaf in E, D 1 " D, E 1 " Eztdu, m 1 " m, and the transition-specific constraints listed below are satisfied.
Note that, in the first case, the leaf will contribute a new state to the parent node.For simplicity, we do not "garbage-collect" f 1 , since the leaf removal is already recorded via E 1 .

EPS
We shall have κ ε Ý ÝÑκ 1 provided D 1 " D, E 1 " E and there exists an even-level datum d satisfying the transition-specific constraints discussed below.
‚ For p2j, h, v, c p2iq q e Ý ÝÑpv 1 , d p2iq q, we require c p2iq P m f pdq and Note that, in the second case, mppred 2i´2j pdqqphq refers to the hth memory cell of d's ancestor at level 2j and only the content of this cell may be modified by the transition.Definition 4.6 A trace of a SATA A is a word w P pΣ ˆDq ˚such that κ 0 Ý ÝÑκ h , where κ 0 " pH, H, H, Hq, l i P tǫu Y pΣ ˆDq (1 ď i ď h) and w " l 1 ¨¨¨l h .A configuration κ " pD, E, f, mq is accepting if E is empty.A trace w is accepted by A if there is a non-empty sequence of transitions as above with κ h accepting.The set of traces (resp.accepted traces) of A is denoted by Tr pAq (resp.LpAq).
It follows that each data value can occur in a trace at most twice.The first occurrence (if any) must be related to a question, whereas the second one will necessarily be an answer.The fact that answers can be read only if the corresponding node becomes a leaf is analogous to the game-semantic WAIT condition.Note that E is empty in accepting configurations.This means that in every word that is accepted, each question q O {q P (corresponding to leaf creation) will have a corresponding answer a P {a O (corresponding to leaf removal), and they will be paired up with the same data value.Such words resemble complete plays (Theorem 3.5) under the convention that a justification pointer from an answer to a question is represented by using the data value introduced by the question.Indeed, we will rely on this when representing plays in Section 6.

Example 4.7
The SATA A " xΣ, 2, 1, C, δy specified below recognises complete plays generated by the FICA term from Example 2.1 according to the interpretation from [12].It is trace-and language-equivalent to the one that would be derived by the translation given in the proof of Theorem 6.4, though the representation here is made more concise.We use l and r to denote control states corresponding to the left and right subterms of the parallel composition in Example 2.1.The memory value maintained at level 0 corresponds to the value of the variable x.
We have Σ OQ " tq, run f 1 u, Σ P Q " trun f , run c u, Σ OA " tdone f , done c u, Σ P A " tdone f 1 , 0, ¨¨¨, max u, : Ý ÝÝÝÝÝ ÝÑ Ý ÝÝ ÝÑ : Ý ÝÝ ÝÑ: 3 q p0 ă i ď max q EPS(0,2): p0, 1, i, l 2 q p0 ď i ď max q We give a possible transition sequence for A. For the sake of simplicity, data values from D will be subscripted with a number corresponding to their level, and superscripted with zero or more primes to distinguish within each level.Configurations are denoted as a tree of nodes, reflecting the subtree of D currently maintained in the automaton.
Nodes at even levels 2i are written dpXq or dpX, vq, where d is a level-2i data value, X P MpC p2iq q and v represents the memory value maintained at that node (in this case always a single number).Nodes at odd levels 2i ´1 have the form dpXq, where d is a level-p2i ´1q data value and X P C p2i´1q .The complete transition sequence is given in Figure 5.It witnesses the acceptance of a data word corresponding to the play s 2 from Figure 4c.

Saturation
In this section we define a language variant of saturation and show that languages traced and accepted by SATA satisfy it.d 1 , d 2 P D will be called independent if neither d 1 " pred k pd 2 q nor d 2 " pred k pd 1 q for k ě 0, i.e. the data lie on different branches.Let Σ O " Σ OQ `ΣOA and Σ P " Σ P Q `ΣP A .Definition 5.1 We shall say that L Ď pΣ ˆDq ˚is saturated iff, for any w P L and independent d 1 , d 2 , w " w 1 pt 1 , d 1 qpt 2 , d 2 qw 2 P L implies w 1 pt 2 , d 2 qpt 1 , d 1 qw 2 P L whenever t 1 P Σ P or t 2 P Σ O .
Remark 5.2 The condition "t 1 P Σ P or t 2 P Σ O " is the negation of "t 1 P Σ O and t 2 P Σ P ", i.e. the swap is allowed unless the first letter is from Σ O and the second one from Σ P .Note that this is analogous to the game-semantic saturation condition (Definition 3.8).The definition above uses independent d 1 , d 2 .It would not make sense to extend it to any dependent cases: one can show that in such cases the swap will never result in a trace.
To show that saturating automata are bound to produce saturated sets of traces/accepted words, we establish a series of lemmas about commutativity between various kinds of transitions.
Ý ÝÑκ 3 for some κ 1 2 .Proof.We need to consider all combinations of the transitions listed below.
ǫ O Observe that the EPS transitions do not modify states at odd levels or add nodes.Thus, the Σ O transitions could be fired from κ 1 .Now note that the Σ O transitions cannot prevent the EPS transitions from being executed next, because they do not change states at even levels (though they add new ones).l Remark 5.4 The converse to Lemma 5.3 is false.If a Σ O transition is followed by an EPS transition, it may be impossible to swap them, because the latter could rely on states introduced by the former.Ý Ý ÝÑκ 3 for some κ 1 2 .Proof.We inspect the shape of the relevant rules, which are listed below.P ǫ c p2iq q P Ý ÝÑd p2i`1q or D p2iq a P Ý ÝÑ: Observe that the ǫ transitions do not depend on any information introduced by transitions on Σ P .Hence, they are executable from κ 1 .Note also that they will not destroy any information needed to execute the Σ P transitions when fired, as there must already have been enough copies of any information to fire the transitions in the original order.l Remark 5.6 The converse to Lemma 5.5 is false: an ǫ transition may well be followed by a transition on Σ P that relies on the states introduced by the ǫ transition.
Remark 5.7 One can use Lemmata 5.3 and 5.5 to replace sequences of transitions of the form Ý ÝÝ ÝÑκ 1 with sequences of transitions between the same configurations such that the transitions on pt 1 , d 1 q and pt 2 , d 2 q will be adjacent.
‚ If t 1 P Σ P then, using Lemma 5.5 repeatedly, one can obtain Note that these transformations require either t 1 P Σ P or t 2 P Σ O , so they cannot be carried out if t 1 P Σ O and t 2 P Σ P .
Next we examine permutability of consecutive transitions involving independent data values.Lemma 5.8 Suppose d 1 , d 2 are independent and κ 1 Ý ÝÝ ÝÑκ 3 , where t 1 P Σ P or t 2 P Σ O .Then there exists κ 1 2 such that κ 1 Proof.Recall that non-ǫ transitions rely only on two consecutive levels of the configuration tree.Consequently, if d 1 , d 2 are independent and pred pd 1 q ‰ pred pd 2 q then the transitions operate on disjoint regions of the configuration and can be swapped.Now suppose pred pd 1 q " pred pd 2 q and note that, because of independence, we have d 1 ‰ d 2 .Consequently, the transitions must operate at the same level and concern different children of the same node.
‚ If the level is even, we need to consider the following combinations of transitions: ADDp2iq ADDp2iq, DELp2iq ADDp2iq, DELp2iq DELp2iq (other cases can be ignored due to the t 1 P Σ P or t 2 P Σ O constraint).Recalling that ADDp2iq and DELp2iq transitions have the form c p2i´1q q O Ý ÝÑD p2iq and D p2iq a P Ý ÝÑ: respectively, we can confirm that the Lemma holds, because the state c p2i´1q associated with pred pd 1 q " pred pd 2 q is not modified and there is no scope for interference between the transitions.‚ If the level is odd, we need to consider the following combinations of transitions: ADDp2i`1qADDp2i`1q, ADDp2i `1qDELp2i `1q, DELp2i `1qDELp2i `1q (other cases can be ignored due to the t 1 P Σ P or t 2 P Σ O constraint).Recalling that ADDp2i`1q and DELp2i`1q transitions have the form c p2iq q P Ý ÝÑd p2i`1q and c p2i`1q a O Ý ÝÑd p2iq respectively, we can confirm that the Lemma holds, because the transitions will not interfere.In particular, due to d 1 ‰ d 2 , the DELp2i `1q transition in ADDp2i `1qDELp2i `1q cannot use the state introduced by the preceding ADDp2i `1q transition.l Remark 5.9 Note that the "t 1 P Σ P or t 2 P Σ O " condition is necessary: in the DELp2i `1q ADDp2i `1q case (i.e. a O q P ), it is possible for the latter transition to use the target state of the former.Ý ÝÝ ÝÑp ǫ Ý ÝÑq ˚κ2 .By Lemma 5.8, we then obtain Hence, Tr pAq is saturated.As LpAq is a subset of Tr pAq in which all questions have answers, LpAq is also saturated, because the swaps do not affect membership in LpAq.l Remark 5.11 Earlier proposals for automata models of FICA [10,11] failed to satisfy saturation.In retrospect, this was because they allowed for too much communication between control states at various levels.
Leafy automata [10] could access the whole branch of the configuration tree at each transition and modify it during transition.In particular, each move could access and update the state at the root.This feature could easily be used to define leafy automata that are very rigid and not closed under any kind of transition swaps.Local leafy automata, also introduced in [10], restrict access only to the local part of the branch but still allow communication (thus preventing swaps) between nodes sharing a parent or great-grandparent.
Split automata [11] in turn featured restricted access to control states at various levels, but their transitions still allowed for state-based communication between siblings, through transitions c p2iq q P Ý ÝÑpd p2iq , d p2i`1q q and pc p2iq , c p2i`1q q a O Ý ÝÑd p2iq .The first rule could be used to create two child nodes in a specific order only, violating Lemma 5.8 for t 1 , t 2 P Σ P .The second rule could be used to delete child nodes in a specific order only, violating the same lemma for t 1 , t 2 P Σ O .Finally, the fact that the two rules can communicate through level 2i means that we can make the second one conditional on the first one, meaning that Lemma 5.8 would be violated for t 1 P Σ P and t 2 P Σ O .Consequently, split automata did not offer native support for saturation, regardless of the polarity of letters.
6 From FICA to SATA In this section we provide an inductive translation from FICA to SATA.The main result states that, for terms in normal form, the construction can be carried out in quadratic time and the automata have linearly many states and transitions (with respect to term size).
First, we describe how to encode justification pointers in plays using data and a special indexing scheme.Recall from Section 3 that, to interpret base types, game semantics uses moves from the set The game-semantic interpretation of a term-in-context Γ $ M : θ is a strategy over the arena Γ $ θ , which is obtained through product and arrow constructions, starting from arenas corresponding to base types.As both constructions rely on the disjoint sum, the moves from Γ $ θ are derived from the base types present in types inside Γ and θ.To indicate the exact occurrence of a base type from which each move originates, we will annotate elements of M with a specially crafted scheme of superscripts.Suppose Γ " tx 1 : θ 1 , ¨¨¨, x l : θ l u.The superscripts will have one of the two forms, where i P N ˚and ρ P N: ‚ pi, ρq will represent moves from θ; ‚ px v i, ρq will represent moves from θ v (1 ď v ď l).
The annotated moves will be written as m pi,ρq or m pxvi,ρq , where m P M. We will sometimes omit ρ on the understanding that this represents ρ " 0. Similarly, when i is omitted, the intended value is ǫ, e.g.m stands for m pǫ,0q and m x for m px,0q .The next definition explains how the i superscripts are linked to moves from θ .Given X Ď tm pi,ρq | i P N ˚, ρ P Nu and y P N Y tx 1 , ¨¨¨, x l u, we let yX " tm pyi,ρq | m pi,ρq P Xu.Definition 6.1 Given a type θ, the corresponding alphabet T θ is defined as follows T Γ$exp " trun pf 1,ρq , done pf 1,ρq , run pf,ρq , done pf,ρq , run pc,ρq , done pc,ρq , q pǫ,ρq , i pǫ,ρq | 0 ď i ď max , ρ P N u.
Note that T Γ$θ admits a natural partitioning into X-questions and X-answers (X P tO, P u), depending on whether the underlying move is an X-question or an X-answer.To represent the game semantics of terms-in-context Γ $ M : θ, we will represent plays as words over Σ ˆD, where Σ is a finite subset of T Γ$θ .Only a finite subset will be needed, because ρ will be bounded.
Next we explain how ρ and data will be used to represent justification pointers.Because no data value can be used twice with a question, occurrences of questions correspond to unique data values.A justification pointer from an answer to a question can then be represented simply by pairing up the same data value with the answer.Pointers from question-moves will be represented with the help of the index ρ.Initial question-moves do not have a pointer and to represent such questions we simply use ρ " 0. To represent moves with justification pointers, we will rely on ρ on the understanding that pm py,ρq , dq represents a pointer to the unique question-move that introduced pred ρ`1 pdq.The reader may wish to check that Example 4.2 does follow this convention (therein m x stands for m px,0q ).Below we give another example involving ρ ą 0, which may arise in our translation for certain P-moves.Example 6.3 The play q run f run f 1 run c can be represented by prun pǫ,0q , d 0 q prun pf,0q , d 1 q prun pf 1,0q , d 2 q prun pc,2q , d 3 q, given pred pd i`1 q " d i (0 ď i ď 2).
Below we state the main result linking FICA with saturating automata.Question-moves in this translation are handled with ADD transitions: ADDp2iq and ADDp2i `1q correspond to O-and P-questions respectively.Answer-moves are processed with DEL transitions: DELp2iq for P-answers and DELp2i `1q for O-answers.Theorem 6.4For any FICA term Γ $ M : θ there exists a SATA A M over a finite subset of T Γ$θ such that the set of plays represented by words from Tr pA M q is Γ $ M : θ , and LpA M q represents compp Γ $ M : θ q.Moreover, when M is in β-normal η-long form 3 , A M has linearly many states and transitions, and can be constructed in quadratic time.
Proof.It follows from analogous results for the simply-typed λ-calculus that any FICA term can be reduced to an equivalent term in β-normal η-long form.The argument proceeds by induction on the structure of such forms.When referring to the inductive hypothesis for a subterm M i , we use the subscript i to refer to the automata components, e.g.C pjq i , m Ý ÝÑ i etc.In contrast, C pjq , m Ý ÝÑ (without subscripts) will refer to the automaton that is being constructed.Inference lines indicate that the transitions listed under the line should be added to the new automaton provided the transitions listed above the line are present in the automaton obtained from the inductive hypothesis.
The following three invariants that strengthen the inductive hypothesis help us establish correctness and the requisite complexity.They concern labelled transitions only.
‚ OA (OA determinacy): if c p2i`1q a O Ý ÝÑd ‚ FA (final readiness): for every D p0q a P Ý ÝÑ:, i.e.where a P is a final answer, whenever the automaton reaches a configuration pD, E, f, mq with D p0q Ď f prq, where r is the root, then the transition can be executed, i.e. r has no children and f prq " D p0q .
Below we discuss a selection of cases.In the first three cases, the corresponding automaton merely needs to respond to the initial question with a suitable answer or not respond at all (for div θ ).
M " div θ : k " 0, N " 0, C p0q " t0u.Supposing θ " θ l Ñ ¨¨¨Ñ θ 1 Ñ β, recall that I β stands for the set of initial questions in β .δ is then given by x P I β : x Ý ÝÑt0u PQ and OA hold vacuously in the above cases, as they do not feature the relevant transitions.FA is also clearly satisfied.
In this case, we only need to adjust the final answers, i.e. we take all transitions for A M 1 except DELp0q, and modify the DELp0q transitions as follows.
The above relabelling does not concern transitions relevant to OA and PQ, so the properties are simply inherited from A M 1 .FA holds by appeal to IH.
M " M 1 ||M 2 : In order to match Γ $ M 1 ||M 2 , this construction needs to interleave A M 1 and A M 2 while gluing the initial and final moves.Accordingly, we take k " maxpk 1 , k 2 q, N " and A M 2 other than ADDp0q, DELp0q, EPSp0, 2iq are simply embedded into the new automaton.ADDp0q and DELp0q need to be synchronised, as shown below.N " N 1 `N2 reflects the need to combine local memories of the two automata.This need arises only at level 0, as memory at other levels will be disjoint.Consequently, we need to adjust memory indices for EPSp0, 2iq transitions from A M 2 only: It follows from IH and the construction that FA will be preserved for done.OA and PQ are preserved too, because the construction does not affect the relevant transitions.
M " M 1 ; M 2 : com: Here we need to let A M 1 run to completion and then direct the computation to A M 2 .We take `Cpiq 2 (0 ă i ď k).We modify the ADDp0q and DELp0q transitions as follows.
The remaining transitions are simply copies of other transitions from A M 1 , A M 2 , with the proviso that in EPSp0, 2jq transitions from A M 2 we add N 1 to the index of the memory cell that is accessed.
For correctness, we need to appeal to FA for M 1 , which tells us that reaching a configuration in which the root is labelled with D p0q 1 amounts to the termination of M 1 .As before, the construction does not modify transitions relevant to OA, PQ, so the properties are simply inherited from M 1 and M 2 .FA follows from IH.
M " f pM 1 q: This case is interesting, because this is where labelled transitions are created rather than inherited.According to [12], the automaton should start with run run f and end with done f done.In the meantime, after the first two moves, it should allow for an arbitrary number of run f 1 s, each of which should trigger a separate copy of A M 1 , which will terminate with done f 1 .done f should be read only when all of the copies are finished.
We discuss the simplest instance f : com Ñ com.We take k " 2 `k1 , N " N 1 , C p0q " t0 run , 0 done u, C p1q " t1 run u, C pj`2q " C pjq 1 (0 ď j ď k 1 ).First we add transitions corresponding to calling and returning from f : ÝÝÝÝÝÑ0 done t0 done u done pǫ,0q ÝÝÝÝÝÑ:.In state 1 run we want to allow the environment to spawn an unbounded number of copies of the strategy for Γ $ M 1 : com: Ý ÝÝÝÝ ÝÑ: . Note that the copies will run two levels lower than in A M 1 .
The remaining moves related to M 1 originate from Γ, i.e. are of the form m pxvi,ρq , where px v : θ v q P Γ.The associated transitions need to be embedded into the new automaton, but P-question-moves of the form m pxv ,ρq (corresponding to initial moves of θ v ) need to have their pointer adjusted so that they point at the move tagged with run pǫ,0q (leaving ρ unchanged in this case would mean pointing at run pf 1,0q ).To achieve this, it suffices to add 2 to ρ in this case.Otherwise ρ can remain unchanged, because the pointer structure is preserved.Below we use ˝L, ˝R to refer to arbitrary left/right-hand sides of transition rules.
Memory-related transitions are also copied, while adjusting the depth of the level that is being accessed by adding 2: The preservation of OA and PQ follows from the construction and IH, as the old transitions are simply copied in and relabelled injectively.FA follows from the shape of the new transitions and IH.
M " newvar x in M 1 : According to [12], it suffices to consider plays from M 1 in which read px,ρq and writepjq px,ρq moves are immediately followed by answers, and the sequences obey the "good variable" discipline (a value that is read corresponds to the most recently written value).To implement this recipe in an automaton, we add an extra cell at level 0 to store values of x along with explicit initialisation (to facilitate automata re-use in loops).To this end, we take k All transitions from A M 1 can be copied over except ADDp0q, DELp0q and those with superscripts of the form px, ρq, i.e. related to x. ADDp0q and DELp0q are handled as specified below.
Note that in this case β " com, exp, so I β " trunu or I β " tqu.
For transitions related to x we proceed as follows.
Similarly, thanks to PQ, each transition d p2i`1q j px,0q ÝÝÝÑ 1 e p2iq gives rise to (at most) one new transition p0, N, j, c p2iq q ǫ Ý ÝÑpj, e p2iq q.Correctness follows from the fact that it suffices to restrict the work of M 1 to traces in which the relevant moves follow each other [12].Further, by Lemma 5.3, it suffices to consider scenarios in which the associated transitions follow each other.OA, PQ are preserved, because no new relevant transitions are introduced.FA follows by appealing to IH.

M " newsem s in M 1 :
This case is very similar to the previous one but only two values are possible: 0 (the initial one) or 1. Transitions corresponding to grabbing change 0 to 1, whereas releasing the semaphore does the opposite.

Complexity analysis
The constructions produce an automaton in which there are linearly many states, memory cells and transitions, with respect to term size.For states, it suffices to observe that each construction adds at most a fixed number of new states to those obtained from IH.The same applies to memory cells.The case of transitions is harder, as there are several ways in which transitions are added to the new automaton.The easiest case is when a transition is simply copied from an automaton obtained through IH without any changes to transition labels.Other cases, represented by inference rules, are based on single premises (old transitions) and generate new single transitions.As the old ones are not included in the new automaton, such rules preserve the number of transitions.newvar in relies on a rule with two premises but, as discussed, the outcome could still be viewed as a single transition with a wildcard.Finally, when transitions cannot be traced back to old ones, their number is always bounded by a constant (we regard max as a constant too).
Hence, we can conclude that the number of transitions (possibly with wildcards) will be linear.Because each transition with a wildcard represents max `1 transitions without wildcards, by instantiating them we still obtain a linear number of transitions.It is also worth noting that each transition involves at most three states: whenever sets of states are involved in transitions, they contain at most two elements.
Finally, we assess the time complexity of the constructions.A typical case consists of invoking IH and performing a bounded number of linear-time operations on the results to implement the constructions, such as retagging to implement the disjoint sum and relabelling.The combinations of transitions mentioned in newvar can also be considered in linear time after some preprocessing that guarantees constant-time access to incoming and outgoing transition of a given state.Overall, this could be viewed as a linear number of linear-time operations, yielding quadratic time complexity.Note that the quadratic bound will not extend to the general case, as the conversion to β-normal η-long form can induce a significant blowup in the size of the term.l

Conclusion
We have introduced saturating automata, a new model of computation over infinite alphabets.Unlike earlier proposals [10,11], the automata accept only languages that satisfy a closure property corresponding to saturation, a property that naturally emerges in concurrent interactions between programs and their environment.Consequently, the automata can be claimed to provide a more intrinsic model of such interactions.
We also showed that saturating automata can be used to represent the game semantics of FICA, a paradigmatic language combining higher-order functions, state and concurrency.In contrast to previous translations, one does not incur an exponential penalty for using saturating automata to interpret FICA terms in normal form, which further confirms their fit with FICA.Regarding emptiness testing, one can still obtain decidable cases by imposing restrictions analogous to those for leafy [10] and split automata [11].
The opportunity for further exploration of saturating automata remains, with a view to finding verification routines that can capitalise on saturation.

Fig. 1 .
Fig. 1.FICA typing rules grammar θ ::" β | θ Ñ θ β ::" com | exp | var | semwhere com is the type of commands; exp that of t0, . . ., max u-valued expressions; var that of assignable variables; and sem that of semaphores.The typing judgments are displayed in Figure1.Here, skip and div θ are constants representing termination and divergence respectively, i ranges over t0, . . ., max u, and op represents unary arithmetic operations, such as successor or predecessor (since we work over a finite datatype, operations of bigger arity can be defined using conditionals).Variables and semaphores can be declared locally via newvar and newsem.Variables are dereferenced using !M , and semaphores are manipulated using two (blocking) primitives, grabpsq and releasepsq, which grab and release the semaphore respectively.We assume that variables are initialised to 0 and semaphores are initially released.In reduction rules, it will be convenient to use the syntax newvar x :" i in M and newsem x :" i in M , which allows us to specify initial values more flexibly, i.e. newvar x in M and newsem x in M should be viewed as newvar x :" 0 in M and newsem x :" 0 in M respectively.The operational semantics is defined using a (small-step) transition relation V $ M, s ÝÑ M 1 , s 1 , where V is a set of variable names denoting active memory cells and semaphore locks.s, s 1 are states, i.e. functions s, s 1 : V Ñ t0, ¨¨¨, max u, and M, M 1 are terms.We write s b pv Þ Ñ iq for the state obtained by augmenting s with pv Þ Ñ iq, assuming v R dompsq.The basic reduction rules are given in Figure2, where c stands for any language constant (i or skip) and x op : t0, ¨¨¨, max u Ñ t0, ¨¨¨, max u is the function corresponding to op.In-context reduction is given by the schemata:

Fig. 3 .
Fig. 3. Arena constructions (`and r¨¨¨s stand for the disjoint union of sets and functions respectively; x¨¨¨y denotes pairing).

Definition 4 . 1 D
is a countably infinite set equipped with a function pred : D Ñ D Y tKu (the parent function) such that the following conditions hold.

Lemma 5 . 5 ( 1 ǫ
P ǫ Þ Ñ ǫP ) If κ 1 pt,dq Ý Ý ÝÑκ 2 ǫÝ ÝÑκ 3 and t P Σ P then κ 2. Reduction rules for FICATwo terms of the same type and with the same free variables are equivalent if they cannot be distinguished with respect to termination by any context: for all contexts C such that $ CrM 1 s : com, we have CrM 1 s ó if and only if CrM 2 s ó.Using game semantics, one can reduceto equality of the associated sets of complete plays (Theorem 3.5).Example 2.1 Consider the term s1, a short justified sequence over A.