Howe’s Method for Contextual Semantics

We show how to use Howe’s method to prove that context bisimilarity is a congruence for process calculi equipped with their usual semantics. We apply the method to two extensions of HOπ, with passivation and with join patterns, illustrating different proof techniques.


Introduction
Process equivalence relates processes whose behavior may not be distinguished, even when inserted in arbitrary contexts. Equivalent processes may thus be used interchangeably in any larger system, with no observable difference. This property is quite strong, and to prove it directly, one has to consider every possible context. Much effort has thus been applied to techniques that simplify the proofs of process equivalence. Such techniques often involve the definition of a relation between processes that is easier to establish. The relation, typically a form of bisimilarity, is then shown to characterize process equivalence. This characterization has two parts: bisimilarity is sound (bisimilar processes are equivalent) and complete (equivalent processes are bisimilar). As process equivalence is generally intended to be preserved by every context, it is often a congruence. Hence a sound and complete bisimilarity also has to be a congruence. Even when considering sound (but not complete) bisimilarities, it is very convenient that they be congruences. Indeed, to prove that two processes are equivalent, one can then simply show they have the same external structure (context) with bisimilar processes inside. Proving congruence is thus a crucial step when working with process equivalence.
Howe's method [7] is a powerful approach to show that a bisimilarity is a congruence. In a nutshell, it reverses the problem: first define a relation, called "Howe's closure", that includes the bisimilarity of interest and is a congruence by definition. Second, show it is a bisimulation. As bisimilarity contains every bisimulation, Howe's closure is thus included in bisimilarity. Third, conclude that the bisimilarity and its Howe's closure coincide, thus the former is a congruence.
This approach works well in a functional setting. Until now, its application to higher-order process calculi has required significant adjustments, either yielding a sound but not complete bisimilarity [5], or requiring the definition of a new semantics [11]. We present a direct application of Howe's method for the higher-order π-calculus (HOπ) with its usual semantics, and state the central pseudo-simulation property that enables the application of the method (Section 2). We then detail two approaches to prove this lemma for two extensions of HOπ: one with passivation (Section 3), the other with join patterns (Section 4). The complete proofs are available in an accompanying research report [10].

2 Howe's Method in HOπ with Contextual Semantics

Syntax and Contextual Semantics
We recall the syntax and contextual semantics of (the process-passing fragment of) HOπ [14] in Figure 1, omitting the symmetric rules for Par and HO. We use a, b, c to range over channel names, a, b, c to range over conames, γ to range over names and conames, and X, Y to range over process variables. We define a as a. Multisets {x 1 . . . x n } (where x ranges over some entities) are written x. Finally, we write for multiset union. An input a(X)P binds X in P , and a restriction νa.P binds a in P . We write fv(P ) for the free variables of a process P and fn(P ) for its free names. A closed process has no free variable. We identify processes up to α-conversion of names and variables: processes and agents are always chosen such that their bound names and variables are pairwise distinct, and distinct from their free names and variables. We write P {Q/X} for the capture-free substitution of X by Q in P . Structural congruence ≡ equates processes up to reorganization of their sub-processes and their name restrictions; it is the smallest congruence verifying the rules of Figure 1. Because the ordering of restrictions does not matter, we abbreviate νa 1 . . . . νa n .P as ν a.P ; since bound names are pairwise distinct, a is a set.
We define a labeled transition system (LTS), where agents transition to processes, abstractions F of the form (X)Q, or concretions C of the form ν b.R S. As for processes, the ordering of restrictions does not matter for a concretion, therefore we write them using a set of names b; in particular, we write R S if b = ∅. Labels of the LTS are ranged over by α. Transitions are either an internal action P R S means that P may send the process R on a and then continue as S, and the scope of the names b has to be expanded to encompass the recipient of R. A higher-order communication takes place when a concretion interacts with an abstraction (rule HO).

Behavioral Equivalences
Barbed congruence relates processes based on their observable actions, or barbs. The observable actions γ of a process P , written P ↓ γ , are unrestricted names or conames on which a communication may immediately occur (P γ − → A, for some A). A context C is a term with a single hole , that may be filled with a process P , written C{P }; the free names or free variables of P may be captured by Pseudo-application and process application Two processes P, Q are strong barbed congruent, written P ∼ b Q, if for all contexts C, there exists a strong barbed bisimulation R such that C{P } R C{Q}.
In [14], barbed congruence is characterized by a (strong) context bisimilarity, defined as follows. For two open processes P and Q, P R ∘ Q holds if P σ R Qσ holds for all process substitutions σ that close P and Q.
Conversely, we write R c for the relation R restricted to closed processes. In the following, we use (bi)simulation up to structural congruence, a (bi)simulation proof technique which allows the use of ≡ when relating processes.
Since ≡ is a context bisimulation, the resulting proof technique is sound.
Context bisimilarity is sound and complete. The congruence proof of [14] does not apply, however, to certain process calculi, such as the ones with passivation [11]. For this reason, other congruence proof techniques, such as Howe's method [7], have been considered.

Howe's Method
We sketch the principles behind Howe's method and recall why its application to (early) context bisimilarity has been deemed problematic.
Howe's method [7,6] is a systematic proof technique to show that a bisimilarity B (and its open extension B ∘ ) is a congruence. The method can be divided into three steps: first, prove some basic properties on the Howe's closure B • of the relation. By construction, B • contains B ∘ and is a congruence. Second, prove a simulation-like property for B • . Finally, prove that B and B • coincide on closed processes. Since B • is a congruence, then so is B.
Given a relation R, Howe's closure is inductively defined as the smallest congruence which contains R ∘ and is closed under right composition with R ∘ .

Definition 6. Howe's closure R • of a relation R is defined inductively by the following rules, where op ranges over the operators of the language.
• is a congruence by definition. The composition with B ∘ enables some transitivity and additional properties. In particular, we can prove that B • is substitutive: By definition, we have B ∘ ⊆ B • ; for the reverse inclusion to hold, we prove that B • is a bisimulation, hence it is included in the bisimilarity. To this end, we first prove that B • (restricted to closed terms) is a simulation, using a pseudo-simulation lemma (second step of the method, discussed below). We then use the following result on the reflexive and transitive closure (B

The main challenge is stating and proving a simulation-like property for the Howe's closure B • of a bisimilarity B. The labels λ of an LTS λ − → of a higher-order language usually contain or depend on terms (e.g., in the λ-calculus, λ-abstractions are labels), so the technique generally extends B • to labels. The simulation-like property then follows the pattern below, similar to a higher-order bisimilarity clause as in Plain CHOCS [18].
Stating and proving such a result for a Howe's closure built from an early context bisimilarity ∼, where inputs and outputs depend on respectively concretions and abstractions, is problematic. Indeed, we would like to prove that P ∼ • Q implies: These clauses raise several issues. First, we have to find extensions of Howe's closure to abstractions and concretions which fit an early style. Even assuming such extensions, we cannot use this result to show ∼ • is a simulation. Indeed, suppose we are in the higher-order communication case: the processes are a parallel composition (P = and the transition is a higher-order communication (P to conclude we would need to show that ∼ • is transitive. Transitivity is the reason usual congruence proof techniques fail with weak bisimulations, and the very motivation to turn to Howe's method [11, Section 3.1]. As we cannot bypass this mutual dependency nor this transitivity requirement, the proof fails in the communication case.
In [5], the authors break the mutual dependency by partially dropping the early style: they write the output clause in the late style. The resulting input-early bisimilarity is complete in the strong case, but not in the weak case. In [11], we propose to make the output clause a little less early: instead of first requiring the abstraction to provide a matching output, we only require the process that does the reception (that reduces to the abstraction). This small change is sufficient to break the mutual dependency. Indeed, the concretion C from Q 2 matching the P 2 a − → C step depends only on P 1 , which is known, and not on some unknown abstraction. We can then obtain the abstraction F from Q 2 that matches the P 1 a − → F step. This abstraction depends fully on C , in the usual early style.
Unfortunately, we do not directly use abstractions and concretions in [11]; instead, we define a complementary LTS and its bisimilarity. Such an LTS implements the change above as follows: when P sends a message to Q, this becomes a transition from P using Q as a label. As a result, in the corresponding bisimilarity, an output action depends on a process that performs the input instead of the input itself. The LTS we obtain is serialized compared to the contextual one: in a communication, we do not have two parallel derivation trees for the output and the input, as with rule HO, but a single one, where we first look for the output, and then look for the input. But creating such a complementary LTS can be difficult, especially to handle scope extrusion properly, as we observed with passivation [11]. In the next section, we show that we can in fact apply Howe's method with the regular LTS.

Congruence Proof Using Howe's Method
As explained in Section 2.3, the main challenge to apply Howe's method is stating and proving a pseudo-simulation lemma for the Howe's closure ∼ • . With contextual semantics, the challenge is to avoid mutual dependencies between the input and output clauses. Following the main idea behind the complementary semantics, we propose to keep the usual LTS but change the definition of the pseudo-simulation property to make the output depend on a process performing an input, and not the input itself. Conversely, the input now depends on a process performing an output, and not the output itself. Formally, if This definition offers two advantages. First, we do not have to define an extension of ∼ • to abstractions and concretions as we relate only processes. Second, the clauses for the input and the output are identical, exchanging only the roles of P 1 and P 2 , and of Q 1 and Q 2 . Therefore, we can capture the input and output clause as a single symmetric clause. This gives us the up-to ≡ pseudo-simulation lemma we will prove for ∼ • c (the restriction of ∼ • to closed processes).
With this formulation of the pseudo-simulation lemma, we easily dispatch the communication case. Suppose Lemma 8 can be proved in several ways, using either serialized inductions, or a simultaneous induction on We discuss here the former, with proofs detailed in [10, Appendix A]. We then adapt this approach to a calculus with passivation (Section 3). The simultaneous induction approach is presented in Section 4 for a calculus with join patterns.
Using serialized inductions, we can start with Suppose we start with an induction on the sending processes Most cases consist in using the induction hypothesis, followed by congruence properties of ∼ • c . There are two exceptions: (1) the base case P 1 ∼ Q 1 , and (2) the case P 1 = a P 1  1 In these cases, we know which concretion C 2 the process Q 1 reduces to (either using ∼ in case (1), or by construction of P 1 and Q 1 in case (2)), but we have to find the abstraction F 2 the process Q 2 reduces to. To do so, we prove the following.
The proof of this lemma is by induction on the derivation of P 2 ∼ • c Q 2 . Lemma 9 deals with case (2) directly (just add the continuations P 2 1 and Q 2 1 using congruence), but it also handles case (1) (P 1 ∼ Q 1 ). Indeed, if R is the message of C 1 , applying Lemma 9 with Alternatively, we can prove Lemma 8 by starting with the induction on the receiving processes To handle the two cases (3) P 2 ∼ Q 2 and (4) P 2 = a(X)P , Q 2 = a(X)Q, P ∼ • Q, we need the following result.
Lemma 10. Let P ∼ • Q such that fv(P ) ∪ fv(Q) ⊆ {X}, and There exists Remark. Lemmas 8 and 10 are defined up to ≡ while Lemma 9 is not. Structural congruence is needed to move name restriction: suppose we have Note that, by our convention on bound names, b is neither in F 1 nor in F 2 .
We want to prove Depending on whether the scope of b has to be extended or not, it is not the same as , hence the need for ≡. We do not have this issue in Lemma 9, since only messages, and not concretions, are involved.
For ∼ • c to be a simulation, we have to prove the following result on τ-actions (by induction on the derivation of P ∼ • c Q), using Lemma 8 in the communication case. Lemma 11.

The HOπP Calculus
HOπP [11] extends HOπ with passivation, an operation that may stop a running process and capture its state. The granularity of passivation is the locality a[P ], a new construct added to the syntax of HOπ. The semantics of a[P ] is as follows: P can freely reduce and communicate with any other process; it may also be captured at any time by a process a(X)R, substituting its contents P for X in R. Formally, we extend the locality construct to all agents, and we add the rules Loc and Passiv to the LTS of Figure 1.
The rule Loc and the definition of a[C] imply that the scope of restricted names may cross locality boundaries, but structural congruence is left unchanged. In particular, νb.a[P ] is not congruent to a[νb.P ]. Indeed, the combination of lazy scope extrusion and passivation may generate two distinct behaviors from these terms. See [11, Section 2.3] for more details.

Context Bisimilarity
The definition of context bisimulation is more complex in HOπP than in HOπ because of the discriminating power added by passivation. We briefly explain the differences; more details and examples can be found in [11, Section 2.4]. First, we can distinguish between processes with different free names using passivation and lazy scope extrusion [2]. Indeed, suppose a is free in P but not in Q, Next, when a message is sent outside a locality, the continuation stays in the locality (by definition of a[C]). The continuation can then be put into a completely different context using passivation. As a result, the message and its continuation may end up in different contexts, but still share a common information (the extruded names). To be able to express this situation specific to calculi with passivation, we introduce bisimulation contexts E, i.e., evaluation contexts used for observational purposes. The usual approach to prove soundness of ∼ consists in proving that its transitive and congruence closure is a context bisimulation. This proof technique does not carry to the weak case. In [11], we prove soundness of a weak complementary bisimilarity, which coincides with a weak variant of ∼, by defining a weak complementary LTS for HOπP, with elaborate labels and subtle side-conditions in the LTS rules to handle lazy scope extrusion. The resulting LTS has almost twice as many rules as the contextual one.
We show here how to directly apply Howe's method with the contextual semantics, as in HOπ. We give these results for the strong bisimilarity ∼ to ease the presentation; the proofs for the weak case are in [10, Appendix B]. As usual when adapting Howe's method to calculi with passivation [5,11], we have to extend Howe's closure to bisimulation contexts. We define E 1 ∼ • E 2 as the smallest congruence satisfying the following rules.
We can then write a pseudo-simulation lemma similar to Lemma 8, as follows.

and
Unlike the case with HOπ, we do not have a choice in the induction strategy for the proof of Lemma 13: we cannot prove it by doing first the induction on the derivation for the receiving processes and we cannot move the boundaries of b with ≡. Therefore, when reasoning by induction on the receiving processes P 2 ∼ • c Q 2 , we cannot apply the resulting abstractions F 1 , F 2 to concretions. However, we can apply them to messages, as in the following lemma, identical to Lemma 9.

Lemma 14. Let
We then prove Lemma 13 by induction on the derivation for the sending processes P 1 ∼ • c Q 1 . We do not have problems with localities when doing the induction on the derivation of . }, therefore restriction poses no problem, and Lemma 13 is formulated without structural congruence, unlike Lemma 8. In addition to Lemma 13, we also prove a lemma similar to Lemma 11 for τ-actions, and then deduce that ∼ • c is a simulation. We conclude as for HOπ.
Completeness. The strong and weak variants of the context bisimilarity ∼ coincide with respectively the strong and weak complementary bisimilarities of [11], which are themselves complete (see [11, Section 5.2]). Consequently, the strong and weak context bisimilarities are also complete.

4 Application to a Calculus with Join Patterns

Syntax and Semantics
Join patterns allow several messages to be received at once by the same process. The syntax of HOπJ is given in Figure 2. We replace the receiving process a(X)P of HOπ by a process π P , where π is a join pattern a 1 (X 1 ) | . . . | a n (X n ). A higher-order communication takes place when messages are available simultaneously on the names a 1 . . . a n . We write i∈{1..n} x i or x (where x ranges over some entity) for the parallel composition The syntax of abstractions is changed accordingly (F ∆ = (π)P ), and concretions now accumulate the messages of several emitting processes in parallel. A concretion is of the form ν b. a 1 , P 1 . . . a n , P n Q, meaning that each process P i is sent on the name a i , and the scope of the names b has to be extended to encompass the recipient of the messages. We abbreviate ν b. a 1 , P 1 . . . a n , P n Q as ν b. a, P Q.
The semantics of HOπJ is given by the LTS rules of Structural congruence for join patterns of names on which messages are expected, and an output P a − → C is labelled by the multiset a of conames on which messages are sent. Operators are extended to all agents as in HOπ, with the addition of parallel composition of concretions, to deal with the case where two processes P and Q in parallel reduce to C 1 and C 2 . The parallel composition of C 1 and C 2 is defined as a concretion C which merges the messages and extruded names of C 1 and C 2 , and composes in parallel their continuations (Figure 2, rule Par-Out).
A process P , receiving on names a (i.e., such that P a − → (π)P ), may communicate with a process Q emitting on names b (i.e., such that We have two possible outcomes: either b = a and the resulting agent is a process (rule HO), or b a (some inputs of the join patterns are not filled with Q) and we obtain an abstraction (rule Part-HO).

Context Bisimilarity
The definition of context bisimilarity for HOπJ is the same as for HOπ, adapted to the fact that • may generate several results for a given F and C. A similar context bisimulation has been defined for Kell [17], a higher-order calculus with passivation and join patterns. It is sound and complete in the strong case; the soundness proof of [17] does not rely on Howe's method, but instead shows that the reflexive, transitive, and congruence closure of the bisimilarity is itself a bisimulation. This direct method unfortunately does not scale to the weak case, as explained in [11]. Here, we prove that ∼ is a congruence using Howe's method. As in the previous section, even though we present the results in the strong case for simplicity, the complete proofs in [10, Appendix C] are for the weak case. To our knowledge, it is the first proof of soundness of a weak bisimilarity for a higher-order calculus with join patterns.
Bisimulation up to ≡ is defined as in HOπ, by replacing R by ≡R≡ in the clauses. To prove that ∼ is sound with Howe's method, we use the following pseudo-simulation lemma.
We extend relations to multisets of same size in a pointwise way: R ∼ • c R means the two multisets are of the same size, and R i ∼ • c R i holds for every i. Note that Lemma 16 is a direct extension of Lemma 8 to multisets of sending processes; indeed, if we replace R and R with single processes, we obtain the same formulation as Lemma 8 (with the exception that • is a predicate).
The proofs by serialization of Lemma 8, where we proceed by induction on the derivations for the sender and then on the receiver (or conversely), do not apply to a calculus with join patterns, where a receiver communicates with several emitters: we cannot focus on a sender in particular, we have to consider them together. As a result, we consider another proof method, where we reason by induction on the derivations of P ∼ • c Q and all the R ∼ • c R simultaneously. We distinguish two kinds of cases, depending on whether we need the induction hypothesis (detailed proofs are in [10, Appendix C]). Using the same definitions as in Lemmas 8 and 9, the cases where we do not need induction are those where each 1) or (2) (bisimilar, or congruent outputs), and P ∼ • c Q verifies either (3) or (4) (bisimilar, or congruent inputs). In these cases, we can conclude using substitutivity of ∼ • c and the definition of ∼. The remaining cases are dealt with by using the induction hypothesis, and then congruence of ∼ • c and ≡. Again, we rely on structural congruence to change the scope of names when needed (we have the same issue as described in Remark 2.4).
Using Lemma 16, we can prove that ∼ • c is a simulation up to ≡, and then conclude that ≡∼ • c ≡ = ∼ as in HOπ.
Completeness. In [10, Appendix D], we prove that a weak variant of ∼ is complete, using the usual technique of [16]. We can prove completeness in the strong case with a similar proof.
Remark. Proving Lemma 8 in HOπ is possible by reasoning simultaneously on as described above. However, this method does not work for HOπP (Lemma 13) as pseudo-application and locality contexts do not commute (even up to structural congruence). One way to make the simultaneous induction work in calculi with passivation would be to add bisimulation contexts in the input clause, as follows: for all P a − → F , for all C, there exists F such that Q a − → F and for all E, we have With such a definition, we can prove soundness of the resulting bisimilarity in a calculus with passivation and join patterns (such as Kell) with the simultaneous induction. However, this extra use of bisimulation context adds complexity to the bisimulation. We conjecture they are not necessary in the input case.

Related Work
Howe's method in process calculi. Howe's method has been originally used to prove congruence in a lazy functional programming language [7]. Baldamus and Frauenstein [1] are the first to adapt the method to process calculi for variants of Plain CHOCS [18], and prove in particular the soundness of a weak late delay context bisimilarity. Hildebrandt and Godskesen [5] then adapt Howe's method for their calculus Homer, to prove the congruence of a (delay) input-early context bisimilarity (see Section 2.3). In [11], we use Howe's method to prove congruence of strong and weak complementary bisimilarities in HOπ and HOπP. The Howe's proof of [11] is somewhat similar to the serialized proof of Sections 2 and 3, except for the symmetric formulation of the pseudo-simulation lemma. However, there is no equivalent to the simultaneous induction proof of Section 4 in [11].
Bisimilarities in calculi with passivation. In addition to the context (or complementary) bisimilarities already discussed for Kell [17], Homer [5], and HOπP [11], environmental bisimilarities [15] have also been defined by Piérard and Sumii for calculi with passivation [12,13]. Such relations compare P and Q using an environment E, which represents the knowledge that an observer has about these processes, like the messages they have sent. The observer then uses E to challenge P and Q. For instance, the observer is able to compare inputs from P and Q with any messages built from the processes inside E. In [12], the authors propose a sound weak environmental bisimilarity for HOπP. Their approach is not complete, seemingly because of the interplay between "by need" scope extrusion and passivation.
In [13], they consider a variant of HOπP with name creation instead of name restriction, for which they define a sound and complete weak environmental bisimilarity. With name creation, a name generated in a given locality becomes automatically known from the whole system. Name creation is therefore less expressive than name restriction with lazy scope extrusion, where we can control more finely the scope of generated names. In particular, it is not possible to implement internal choice or recursion using name creation, as shown in [8]. Finally, Koutavas and Hennessy recently developed a correct and complete symbolic bisimulation for a higher-order process calculus with passivation [8]. Their approach avoids the quantification over contexts at the cost of a more complex calculus, with local ports to recover the expressivity lost by using name creation.
Bisimilarities in calculi with join patterns. In [4], Fournet and Laneve define bisimilarities for the Join-Calculus, a first-order process calculus with join patterns. They define a weak bisimilarity which is sound w.r.t. the weak barbed congruence defined in [3], and also complete if name matching is added to the calculus. To our knowledge, only Kell [17] combines higher-order communication with join patterns. In [9], we define a weak complementary bisimilarity for Kell, which tests inputs by passing them messages one by one. This strategy requires processes to choose which input to perform without having all the necessary information (i.e., all the messages they are going to receive), and the resulting bisimilarity is therefore too discriminating (i.e., not complete).

Conclusion
In this paper, we showed how to directly use Howe's method to prove congruence properties of a context bisimilarity, without relying on an auxiliary relation such as complementary bisimilarity. We proposed a symmetric formulation of the pseudo-simulation lemma, which we can prove either with a serialized or with a simultaneous induction on the derivations for the emitting and receiving processes. The latter seems necessary in calculi with join patterns, while the former seems more appropriate for calculi with passivation. The resulting soundness proofs are much simpler than in complementary semantics [11], and they scale better to calculi with join patterns. Indeed, we compare receiving patterns by passing them several messages at once, and not only one by one as in the complementary case [9]. Finally, the bisimilarities of this paper are also complete in the weak case, unlike the input-early bisimilarity of [5], or the bisimilarity of [9] for join patterns. The use of Howe's method remains an open problem for calculi with both passivation and join patterns, such as Kell, if we do not want to make the definition of the bisimilarity more complex by using bisimulation contexts in the input case (see the remark at the end of Section 4).

τ
− → P , a message input P a − → F , or a message output P a − → C. The transition P a − → (X)Q means that P may receive a process R on a to continue as Q{R/X}. The transition P a − → ν b.

Syntax: P ::= 0 | X | P | P | a(X)P | a P P | νa.P Agents: A, B ::= P | F | C Abstractions F, G ::= (X)P Concretions C, D ::= P Q | νa.C Extension of operators to abstractions and concretions are context simulations. Context bisimilarity, written ∼, is the largest context bisimulation. The definition is written in the early style, because the answer Q a − → F depends on the particular C considered in the input case, and Q a − → C depends on F in the output case. In the late style, this dependency is broken by moving the universal quantification on C or F after the existential one on F or C . We extend the equivalences to open terms by defining the open extension of a relation R. Definition 3.
to closed terms) is also a simulation. By Lemma 7, (B • ) * is in fact a bisimulation. Consequently, we have B ⊆ B • ⊆ (B • ) * ⊆ B on closed terms, and we conclude that B is a congruence.
consider the context b[νa.cR]. Then a communication on c extends the scope of a outside b for P but not for Q, which gives us processes of the form νa.(b[R] | P ) and b[νa.R] | Q for some P and Q . If we then capture the locality b and duplicate its content, we obtain νa.(R | R | P ) in one case, and (νa.R) | (νa.R) | Q in the other: for the first process, a is shared, but not for the second one, and by choosing R accordingly, we obtain different behavior. Therefore, two processes P and Q are equivalent only if fn(P ) = fn(Q).
the output case, we now compare F • E{C} with F • E{C }. The extra context E represents the potential passivation of the continuations of C and C . The definition of context bisimulation for HOπP is then as follows.

Definition 12. A relation R on closed processes is a context simulation if P R Q implies fn(P ) = fn(Q) and: for all P τ − → P , there exists Q such that Q τ − → Q and P R Q ; for all P a − → F , for all C, there exists F such that Q a − → F and F • C R F • C; for all P a − → C, for all F , E, there exists C such that Q a − → C and F • E{C} R F • E{C }. A relation R is a context bisimulation if R and R −1 are context simulations. Context bisimilarity, written ∼, is the largest context bisimulation.

Figure 2: Syntax and operational semantics of HOπJ.
For instance, we have a R 0 | (a(X) | b(Y )) P b − → (b(Y ))P {R/X}. The definition of • in Figure 2 takes into account these two cases. Besides, the pseudo-application of an abstraction to a concretion may generate several results, depending on how the matching between the outputs and the input is done. For instance, a R 1 0 | a R 2 0 | (a(X) | a(Y )) P can reduce to either P {R 1 /X}{R 2 /Y }, or P {R 2 /X}{R 1 /Y } (assuming R 1 and R 2 closed). Consequently, we write • as a predicate F • C P (respectively F • C F ), meaning that P (respectively F ) can be obtained as a result of the pseudo-application of F to C.
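The behaviour of pseudo-application described above (a full match yields a process, a partial match yields an abstraction, and messages sent on the same name yield several results) can be enumerated mechanically. The Python code below is an added example, not taken from the paper: the tuple encoding of terms and the names `subst` and `pseudo_apply` are assumptions, and restricted names and the continuation of the concretion are left out of the model.

```python
from itertools import permutations

# Term encoding (an assumption of this example, not the paper's notation):
#   ("nil",)                 the process 0
#   ("var", "X")             process variable X
#   ("par", P, Q)            P | Q
#   ("out", "a", R, S)       output of R on a, with continuation S
#   ("join", pattern, P)     join-pattern input; pattern = (("a", "X"), ...)
NIL = ("nil",)


def subst(term, env):
    """Replace free process variables of `term` by the closed processes in `env`.

    Messages are closed, so no variable capture can occur; variables rebound
    by an inner join pattern are shadowed and left untouched.
    """
    kind = term[0]
    if kind == "nil":
        return term
    if kind == "var":
        return env.get(term[1], term)
    if kind == "par":
        return ("par", subst(term[1], env), subst(term[2], env))
    if kind == "out":
        return ("out", term[1], subst(term[2], env), subst(term[3], env))
    if kind == "join":
        bound = {var for _, var in term[1]}
        inner = {v: p for v, p in env.items() if v not in bound}
        return ("join", term[1], subst(term[2], inner))
    raise ValueError(f"unknown term constructor: {kind!r}")


def pseudo_apply(pattern, body, messages):
    """Enumerate the results of applying the abstraction (pattern)body to messages.

    pattern  : tuple of (name, variable) inputs
    messages : tuple of (name, closed process) outputs; all must be consumed
    Returns a duplicate-free list of
      ("proc", P)        every input was filled (the HO case), or
      ("abs", rest, P)   the inputs in `rest` are still waiting (the Part-HO case).
    An empty list means the messages do not fit the pattern.
    """
    results = []
    # Each candidate assigns message i to the distinct pattern slot slots[i].
    for slots in permutations(range(len(pattern)), len(messages)):
        if any(pattern[s][0] != messages[i][0] for i, s in enumerate(slots)):
            continue  # a message would land on an input for another name
        env = {pattern[s][1]: messages[i][1] for i, s in enumerate(slots)}
        rest = tuple(p for k, p in enumerate(pattern) if k not in slots)
        new_body = subst(body, env)
        outcome = ("abs", rest, new_body) if rest else ("proc", new_body)
        if outcome not in results:
            results.append(outcome)
    return results


# Constructed sample terms: R1 and R2 are closed messages, and BODY uses
# X and Y asymmetrically so that the two matchings give different processes.
R1 = ("out", "r1", NIL, NIL)
R2 = ("out", "r2", NIL, NIL)
BODY = ("out", "c", ("var", "X"), ("var", "Y"))

if __name__ == "__main__":
    # Two messages on a against a(X) | a(Y): two distinct processes.
    for r in pseudo_apply((("a", "X"), ("a", "Y")), BODY, (("a", R1), ("a", R2))):
        print(r)
    # One message on a against a(X) | b(Y): an abstraction still waiting on b.
    print(pseudo_apply((("a", "X"), ("b", "Y")), BODY, (("a", R1),)))
```

Results are compared syntactically, not up to structural congruence, so a body such as X | Y would also give two results here.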

Definition 15. A relation R on closed processes is a context simulation if P R Q implies: for all P τ − → P , there exists Q such that Q τ − → Q and P R Q ; for all P a − → F , for all C, for all P such that F • C P , there exist F , Q such that Q a − → F , F • C Q , and P R Q ; for all P a − → C, for all F , for all P such that F • C P , there exist C , Q such that Q a − → C , F • C Q , and P R Q . A relation R is a context bisimulation if R and R −1 are context simulations. Context bisimilarity, written ∼, is the largest context bisimulation.
and νb.P 2 , Q 1 , P 2 , and Q 2 , there exist F 2 and and let P such that F • i C i P .Then there exist F , C , and Q such that we have Q