## 1 Introduction

Over the past 20 years, step-indexing techniques [5] have become one of the most used tools for constructing operational models of programming languages with combinations of advanced features such as recursive types, polymorphism, concurrency and non-determinism. Often such models are beyond the scope of traditional domain theoretic techniques, and also have the additional benefit of being more elementary. Guarded recursion is an abstract form of step-indexing, in which the explicit steps are replaced by abstract computation steps in the form of a delay modality . This relieves the user of the book-keeping involved in explicit step-indexing and reveals the underlying structure that makes these models work in the form of an introduction , a guarded fixed point combinator of type and solutions to guarded recursive domain equations. In its multiclocked version, where the delay modality is indexed by a clock and clocks can be universally quantified, guarded recursion can moreover be used to encode coinductive types in type theory, allowing productivity requirements on these to be encoded in types [7].

Clocked Cubical Type Theory (CCTT) [25] is a type theory combining multiclocked guarded recursion with features from cubical type theory, in particular univalence and higher inductive types (HITs). The latter are a form of inductive types defined not only by constructors, but also by equations. HITs have been used to construct topological spaces such as the circle and the torus in type theory, but can also be used for free structures, such as the free group on a set. In computer science, free structures can be used to form the monads generated by algebraic theories. For example, the finite powerset monad, often used to model finite non-determinism, can be generated by a binary union operation plus axioms of associativity, commutativity, and idempotency, and can therefore be naturally represented as a HIT [9, 20].

Combining HITs with guarded recursion provides a powerful metatheory in which one can reason about programming languages and programs. This paper presents a worked example of this. We study the untyped lambda calculus with finite non-determinism, and show how to construct a model of this in CCTT using a guarded recursive type. The model construction takes as parameter a monad with a union operation for modelling non-determinism, as well as a step operation , which in combination with the fixed point operator allows us to model recursion.

We present two instantiations for , corresponding to two different notions of observation on non-deterministic programs. The first describes a notion of non-deterministic computation where all possible branches of a computation are executed in parallel and we can observe all possible values that occur along the way, even if there are diverging branches of the computation. This monad corresponds to may-convergence and can be characterised as being generated by the operations and with no equations between them.

The second instantiation corresponds to a notion of computation where all branches are evaluated in parallel, but partial results are only available when all branches have terminated. This is simply the composition of the free monad generated by the step operation and the finite powerset monad . It turns out that this composition is not itself a monad, but does have a sequencing operation sufficient for the purposes of this paper. We claim that this composition corresponds to must-convergence.

As an example application of this model, and to substantiate the claim that these constructors correspond to may- and must-convergence, respectively, we apply the model to a classical problem in lambda calculus, namely that of proving that applicative similarity is a congruence. This was first proved by Abramsky [2] for the lazy lambda calculus (without non-determinism) using domain theory and Stone duality, and this method has since been extended to calculi with non-determinism [32]. Here we use a different method due to Pitts [35] who used a domain theoretic model and a relation between syntax and semantics. We extend this proof to non-determinism for both may- and must-equivalence, and adapt it to guarded recursion.

The two instantiations of mentioned above are what we consider as examples of guarded recursive powerdomains. In classical domain theory [3]

a powerdomain is a domain theoretic correspondent to the powerset construction in set theory. A number of different powerdomains exist, each characterising a different notion of observation. One way of characterising the difference between these is in terms of enriched algebraic theories which allow them to be classified in terms of inequations such as

. In the case of guarded recursion the difference between the two guarded powerdomains studied here can be expressed in terms of equalities describing the interaction between and . This paper can therefore also be read as a first study of the interaction of algebraic effects and guarded recursion.### 1.1 Synthetic guarded domain theory

Until now most applications of guarded recursion and step-indexing have used these for operational reasoning for programming languages. While these techniques are very useful for proving properties of programs, we believe that there is a need for also developing guarded recursion as a tool for constructing denotational semantics. Denotational methods have the benefit of often being more modular than the operational methods, and often reveal the foundational mathematical building blocks of programming languages. Denotational semantics often inspire new programming constructions or languages, as exemplified in monads [31], runners for computational effects [38, 4], homotopy type theory [37], or even guarded recursion itself [11].

Using guarded recursion for denotational semantics has several possible benefits over domain theory. The first is that it appears to be more expressive than domain theory as illustrated by the many uses of step-indexing for advanced programming languages. Another is that step-indexing and guarded recursion by many are considered more elementary tools. A third is that guarded recursion appears to be more amenable to effective formalisation in type theory and proof assistants, although some formalisations of classical domain theory do exist [10, 19], and in particular recent progress on such a formalisation in HoTT seems promising [23].

Initial steps towards such a *synthetic guarded domain theory* were taken by Birkedal, Møgelberg
and Paviotti [29, 33] who showed how to construct models of the programming
languages PCF and FPC modelling recursion in these as guarded recursion, and proving the adequacy of
these models entirely in a type theory with guarded recursion. This paper can be viewed as an extension of
these works to non-determinism. Perhaps the main disadvantage of guarded recursion compared to domain
theory is the intensional nature, allowing the model to distinguish between computations that produce the
same result in a different number of steps. The present paper shows that using universal quantification over
clocks allows to localise the steps and to prove properties that do not refer to steps, using the models.

### 1.2 Related work

Most proofs of applicative similarity being a congruence use operational arguments [26, 27], in particular Howe’s method [21]. More recently, an abstract version of Howe’s method has been developed [16] to handle languages with algebraic effects in a uniform way. This method uses domain theory to handle recursion. It would be interesting to see if the method described here generalises to a similar uniform method for computational effects, but this requires first developing a theory of algebraic effects in guarded type theory.

Step-indexing and guarded recursion based operational techniques have previously been used for languages with non-determinism. For example, Schwinghammer et al. [36] construct an operational model for reasoning about a typed programming language with recursive types, polymorphism and non-determinism and use it to prove contextual equivalences of programs. Bizjak et al. [12] show how to construct a similar model using guarded recursion and topos logic. These works use complex operational techniques including -closure. Our goal is different, namely to develop a theory of denotational semantics in a type theory with guarded recursion.

The above mentioned works on non-determinism [26, 27, 36, 12] study countable non-determinism, rather than finite non-determinism. This is generally considered a harder problem. For example, this forces the step-indexing used by Schwinghammer et al. [36] to be transfinite, whereas the underlying model of the Clocked Cubical Type Theory is based on natural number step-indexing. Likewise, defining powerdomains in domain theory for countable non-determinism is much harder than the finite case [6, 18]. We discuss the possibility of extending our approach to countable non-determinism in Section 8.

As described in Section 3, our partiality monad is strongly related to the coinductive partiality monad, and our use of it is similar to previous uses in semantics of recursion [10, 13, 17]. Interaction trees [40] are a general data structure combining the coinductive partiality monad with computational effects. Our guarded powerdomain monads can perhaps be seen as a form of guarded interaction trees for non-determinism, except that the use of HITs allows us to consider these up to an equational theory.

### 1.3 Overview

The paper is organised as follows: We first recall the basics of Cubical Type Theory in Section 2, in particular path types and higher inductive types. Section 3 then recalls Clocked Cubical Type Theory, the extension of Cubical Type Theory with multiclocked guarded recursion. Section 4 defines the guarded powerdomain for may-convergence and Section 5 presents our proof that applicative may-similarity is a congruence using a denotational model. Section 6 defines a guarded powerdomain for must-convergence, and Section 7 presents our proof that applicative must-similarity is a congruence. We conclude in Section 8.

## 2 Cubical type theory

Cubical Type Theory (CTT) [15] is a variant of Homotopy Type Theory (HoTT) [37] based on the cubical model of the univalence axiom, and specifically designed to compute with univalence. It moreover has the benefit of combining more easily with guarded recursion than HoTT, which was the reason for using it as a base for Clocked Cubical Type Theory as we shall describe in Section 3. Reading this paper does not require deep knowledge of CTT, and this section recalls the basic notions from CTT and HoTT that we shall need.

Perhaps the most fundamental difference between CTT and Martin-Löf type theory is that the identity type in the latter is replaced in CTT by a type of paths between two elements . We will often write the path type infix as , and say that and are path equal if there is an element of . Cubical Type Theory represent paths as maps from an abstract interval type , with endpoints and . In particular a lambda abstraction like will build a path of type . This allows more canonical proofs of equality than just reflexivity, and so to give computational content to principles like function extensionality and univalence. Path equality is still substitutive, in the sense that any element of type can be transported along a path to construct an element of . In the following we will not rely on details about the specific primitives of CTT, which can be found in [15], and [39] for their incarnation in the Agda proof assistant.

Types can be classified according to the complexity of their
path equality: We say a type is a *mere
proposition* if any two elements are path equal, and that a type is
a *homotopy set*, or simply a *set*, if its path equality
type is a mere proposition. These predicates can be expressed
in the type theory as types and for a type .
Given any universe of types , we can form a universe of mere
propositions whose elements are pairs of an element of
and a proof that it is propositional. For we will
often write itself rather than its first projection.

Cubical Type Theory also supports Higher Inductive Types (HITs), which allow to define an inductive type by declaring constructors also for its path equality, rather than only for its elements. For example, the propositional truncation of a type is defined as a higher inductive type with the following constructors

This defines the least proposition extending in the sense that any map into a proposition , defines a unique map , such that for all . If is a set, then such an extension still exists if [24]. For any two propositions and their conjunction is given by the cartesian product , their disjunction by truncating their disjoint union , while the true and false propositions are given by the unit and the empty type. Univalence implies that any two logically equivalent propositions are equal, so associativity and commutativity of disjunction and other such laws hold as path equalities. Given a predicate , universal quantification is given by the dependent function type , while existential quantification is given by truncating the dependent pair type as generally it will not be propositional otherwise. As and coincide when is a proposition, so do and when uniquely determines .

### 2.1 Finite Powerset

The finite powerset [9, 20] of a type is another example of a higher inductive type defined by the following constructors

plus two equalities ensuring that is a set [25]. Note that we restrict ourselves to
*non-empty* finite powersets.
We say that a pair of a type and a binary operation is a *join-semilattice*^{1}^{1}1This is a slight misuse of terminology, since join-semilattices are
usually assumed to also have a unit
if is a set and is associative, commutative
and idempotent.
It can then be shown that is the free join-semilattice generated by , and as such maps
which preserve correspond to maps for any join-semilattice .
We use this to define the membership predicate , as forms a join-semilattice with disjunction. Membership satisfies the
following equations

If we write to mean and similarly for .

The finite powerset also supports the structure of a monad, and in particular, given we write for the bind operation, defined using the free join-semilattice structure. Given we write for the functor action of the finite powerset, defined as .

Finally, recall [30, Lemma 4.1] that if , , and , then

(1) |

## 3 Clocked cubical type theory

Clocked Cubical Type Theory [25] extends Cubical Type Theory with the constructions of Clocked Type Theory [8, 28], a type theory with Nakano style guarded recursion, multiple clocks and ticks. This section recalls each of these concepts, but in a simplified form, omitting constructions related to tick irrelevance.

The fundamental notion in guarded recursion is that of a time step on a clock.
Clocks are introduced as assumptions of the form in the context,
and time steps are represented as tick assumptions of the form .
The type classifies computations that in the next time step
(as represented by the tick ) return elements of . When does
not appear in we simply write for this type.
Elements of are introduced by *tick*
abstraction and eliminated by tick application
. The rules are similar to those for function types, except that
tick application requires the eliminated term not to depend on , nor any
of the variables bound before . This rules out terms like , which collapse two steps
into one. Interval variables are considered timeless
and therefore exempt from this restriction, which is necessary to
prove that tick application preserves equalities:

(2) |

In fact, the above map is an equivalence of types, and this extensionality principle is one of the main reasons CTT is used rather than HoTT. One consequence is that preserves truncation levels. In particular, if then also [30, Lemma 3.1] and similarly for sets.

The delay type allows to safely introduce a fixpoint combinator
of type and
satisfying the path equality for any .
We can use to define *guarded recursive types*, i.e. ones
where the recursive occurrences are guarded by .
An example is the partiality monad mapping to
.
The path equality between this type and its unfolding gives
rise to a type equivalence

We use and to denote the two inclusions into up to the above equivalence.

An element of represents a possibly non-terminating computation of an
element of . For example, the element
represents divergence.
We say that is a *delay algebra* if has
type . The pair is the free delay algebra generated by in the sense that any
map where is a delay algebra defines a unique
such that

The monad structure is then defined with as the unit, and multiplication defined as the unique (delay algebra)-homomorphism extending the identity.

The *clock quantification* type former
is introduced by clock abstraction, and eliminated by application to a clock.
It behaves much like a -type, except that is not a type, but has
a similar status to the interval .
Clock quantification localises guarded recursion on a clock, and in particular
supports a map , inverse to , allowing to safely eliminate .

The main use case for clock quantification is to encode coinductive
types. For example is the
final coalgebra for the functor , if is *clock irrelevant*,
i.e., if the canonical map is an equivalence.
The notion of clock irrelevance is closed under all basic type formers as
well as inductive types and (under certain restrictions [25])
higher inductive types. In particular, the inductive types used in this paper to
represent syntax are all clock irrelevant. This encoding of coinductive
types is originally due to Atkey and McBride [7] and
presumes the existence of a clock constant , which we achieve by
just initially assuming .

More generally for every (indexed) functor which commutes with clock quantification we have that is the final coalgebra of , i.e. its coinductive fixpoint [25]. The collection of functors commuting with clock quantification is closed under a long list of constructors including truncations, finite powersets and sum types as expressed in the following type equivalences.

## 4 A powerdomain for may-convergence

Define the may powerdomain as the unique solution to the guarded recursive equation

Formally, can be defined as a fixed point similarly to the definition of , but in the rest of this paper we will not give such definitions explicitly. The type constructor comes equipped with the following operations

where is inherited from and therefore defines a join-semilattice and

defines a unit and a delay algebra structure. In particular, this means that can represent diverging computations (), as well as values. An element of may also have both converging and diverging branches, as for example .

The next lemma states that for a set , is the free algebra for the theory combining delay and union with no interaction between the two.

###### Lemma 1.

Let be a set, let be a set with both a join-semilattice structure and a delay algebra structure, and let . Then there is a unique map extending and commuting with the join-semilattice and delay-algebra structures.

In terms of algebraic theories, can therefore be seen as generated by the theories of join-semilattices and delay-algebras with no operations between them. As a special case of the lemma one can define a bind operation mapping and to which then equips with a monad structure with unit given by . Bind moreover commutes with these operations as in the following equations

(3) | ||||

(4) |

## 5 Applicative may-simulation

The type constructor should be seen as a guarded recursive powerdomain for may-convergence. Intuitively, this is true because an element of describes a set of values (of type ) that the computation has returned now, and a set of computations that we can choose to further evaluate, but may also choose not to, if we are only interested in testing if a program may evaluate to a particular value. This should be seen in contrast to the must-powerdomain of Section 6 which will force all branches of a computation tree to be evaluated fully before the result values can be inspected. In this section we substantiate that claim by using to prove applicative may-similarity a congruence.

We start by recalling the untyped lambda calculus with binary non-determinism and the notion of applicative may-similarity. We use informal binding notation here for readability, using the grammar

for terms. This could for example be implemented more formally as an inductive family using de Bruijn indices. Note the use of to distinguish it from the meta-level lambda. A value is a closed term of the form , and we shall use and for the types of closed lambda terms and values respectively, which we will assume are sets (and indeed are if formalised using de Bruijn indices). These are moreover clock irrelevant, which can be shown by embedding them into the inductive types of all (also open) terms, and the fact that all inductive types are clock irrelevant [25].

We define two operational semantics. The first one is
a big-step operational semantics formulated as a relation
defined inductively in the standard way
V = WV ⇓_◇W M ⇓_◇ x . M’

N ⇓_◇V’

M’ [V’/x] ⇓_◇VM N ⇓_◇V M ⇓_◇V ∨N ⇓_◇VM orN ⇓_◇V
One can also similarly define
a small-step operational semantics and prove this equivalent to the
big-step semantics using standard methods.

The second operational semantics is less familiar but has the benefit of being suitable for guarded recursive reasoning. It uses the monad to model recursion and non-determinism, but since parts of the development in this section will be reused later, we will define the operational semantics relative to a monad , which can be instantiated to be . We will assume that has operations and providing with a join-semilattice structure as well as a delay-algebra structure satisfying the equations (3) and (4). In fact we shall see later that not all axioms for monads are needed for our developments.

Using this, we define an evaluation function as

where refers to the unit of the monad . Note that the match on in the application case is exhaustive, since values can only be lambda abstractions. To lift this to a big step relation, we will assume given a lifting of to predicates as follows.

###### Definition 1.

A lifting of a monad to predicates is a function that maps a predicate to a predicate satisfying the following properties

Note that a unique such lifting can be defined for using Lemma 1 since is a set, and and define a join-semilattice and delay-algebra structure on , so can be defined as the extension of .

Specialising to we make the following definition.

###### Definition 2.

Let be the lifting of to predicates, let be a predicate on values and let . Define

One can then define a more standard big step operational semantics as

Intuitively means that if terminates to a value, that value will satisfy . In particular, will hold for any if diverges, unlike the statement which guarantees termination.

To express the precise relationship between the two semantics, we introduce a predicate of may-convergence on the powerdomain . Since termination cannot be expressed as a predicate on guarded recursive types directly, it must be expressed as a predicate on , which captures global behaviour of [29]. If and define as the proposition inductively generated by the following introductions * λκ. now_◇ (a) ⇓_P_◇^^∀a * m ⇓_P_◇^^∀a λκ. step_◇ (λ(α : κ).m [κ]) ⇓_P_◇^^∀a * m ⇓_P_◇^^∀a ∨m’ ⇓_P_◇^^∀a λκ. m [κ] ∪m’ [κ] ⇓_P_◇^^∀a This means that these rules should be read as constructors of a HIT which also has propositional truncation operators as a constructor. The relationship between the two semantics can then be expressed as follows.

###### Proposition 1.

The statements and are logically equivalent.

Finally, the next lemma makes the intuition for stated above precise. As the notation used in the lemma suggests, can appear free in .

###### Lemma 2.

Let be clock irrelevant, a family over for each , and . The statements and are logically equivalent. As a consequence is equivalent to .

### 5.1 Applicative may-similarity

We now recall the notion of applicative similarity, as originally studied by Abramsky [2] for the pure lambda calculus and adapt it to finite non-determinism in the case of may-convergence. Say that a relation on closed terms is an applicative may-simulation if and implies

Applicative may-similarity is the greatest applicative may-simulation. We define this by universally quantifying a clock in a guarded recursive definition. First define

The statement should be read as stating that if terminates, then also terminates, and moreover, applying the resulting terms to the same value results in the related results later. Note the asymmetry in the use of operational semantics: The evaluation of uses the guarded operational semantics which ensures that if diverges, then is true. On the other hand, once converges to a value, must also converge, and expressing this requires the inductive operational semantics. The delay in the definition of ensures well-definedness: unfolding the definition of in gives a guarded recursive definition.

Applicative similarity is extended to open terms by defining to mean for all substitutions mapping all free variables in and to values. Finally, we localise the steps in the definition of by universally quantifying and thereby pass to a coinductive type:

###### Lemma 3.

is the greatest applicative may-simulation.

We now proceed to prove that applicative may-similarity is a congruence. Most proofs of this use syntactic arguments, but here we use a semantic method developed by Pitts [35] in the context of domain theory, which we adapt to guarded recursion. As a first step we construct a denotational semantics of the untyped lambda calculus.

### 5.2 Denotational semantics

Like the operational semantics, the denotational semantics is parametrised by a monad equipped with a join-semilattice structure and a delay algebra structure, satisfying (3) and (4). Closed terms will be interpreted as elements of the type defined by the following equations.

Here the definition of should be read as a guarded recursive definition, and states that semantic values can be considered effectful computations on semantic values, but that this unfolding takes a single computation step. Define a semantic application as

and using this we define the operational semantics where is the set of terms with at most free variables, as

Note that the interpretation of values factor through via .

###### Theorem 1 (Soundness).

We now specialise to for the following notation and corollary. If and , we shall use the infix notation for , where is the lifting of .

###### Corollary 1.

The statements and are equivalent.

### 5.3 Relating syntax and semantics

We now construct a relation between syntax and semantics that will allow us to use the model to reason about the operational semantics. The relation is similar to the one constructed by Pitts [35] in the setting of domain theory, but whereas Pitts must provide a technical argument for the existence of the relation, which is far from obvious in the domain theoretic setting, in our setting the relation exists simply by guarded recursion.

In this section we specialise the model from the general monad to , and define two relations, one on values and one on general terms as follows

This is well-defined, because unfolding the definition of in the definition of gives a guarded recursive definition of . If and write to mean .

###### Lemma 4 (Fundamental lemma).

If then .

The fundamental lemma is proved by induction on . Using this, one can prove the following correspondence between and

###### Lemma 5.

If and are closed terms then is equivalent to .

The left to right direction is proved by showing that is upward closed in its second argument. The other direction is proved using guarded recursion. Note that as a consequence of Lemma 4 and 5 it follows that is a reflexive relation.

###### Theorem 2.

is a congruence, i.e., if and is a context then also .

###### Proof.

Using reflexivity it suffices to show that if and then , and . The cases of application and choice can be reduced to the statements that if and then and , which can be proved by guarded recursion. To prove it suffices to prove that . By definition of applicative may-similarity for open terms, however, we know that . ∎

## 6 A powerdomain for must-convergence

We now introduce our powerdomain construction for must-convergence. This should have an inclusion , a join-semilattice structure and a delay algebra structure . However, when considering must-convergence, a term diverges if diverges even if converges. To enforce that in our powerdomain we use equations to enforce parallel evaluation of subcomputations and stating that terminating values are postponed until all subcomputations have been evaluated fully:

(5) | ||||

(6) |

These equations (together with the derivable symmetric version of (6)) allow steps to bubble up the syntax tree, to a normal form consisting of a (possibly infinite) sequence of computation steps followed by a finite set of values. Following this intuition we define

This has the benefit over, say a HIT given by the equations above, of giving direct access to the set of possible values returned by a computation that must converge.

By definition carries a delay-algebra structure, and the inclusion of into can be defined as

The join-semilattice can be defined by guarded recursion using the equations (5), (6), the symmetrisation of (6) and

A natural question is whether defines a monad. Since it is the composite of two monads, it is sufficient that there is a distributive law of monads, and indeed a natural candidate is easily defined as

However, this only defines a distributive law of the monad over considered as a functor, not a monad.

###### Proposition 2.

Of the four diagrams for distributive laws over monads:

all but the last commute.

A counterexample to the last is which is mapped by the lower composite to and by the upper to . Note that these only differ by a finite number of computation steps, i.e., are equal up to weak bisimilarity. We conjecture that this is generally true and that is a monad up to weak bisimilarity.

As a consequence, using to define the multiplication of does not define a monad. Nevertheless, it does define a bind operation.

###### Lemma 6.

The bind operation induced by maps and to

and satisfies the equations and , and moreover defines a homomorphism of delay-algebras as well as join-semilattices in . It does not satisfy the associativity axiom.

Since the associativity axiom is not used in our development, the proofs done in the previous section for a general monad carry over to this case, as we shall see.

## 7 Applicative must-simulation

We now show how our techniques from the may-convergence case apply to
show that applicative must-similarity is a congruence also in the case of must-convergence.
First we set up the operational semantics. In the case of the standard big-step semantics,
define the predicate as
M ⇓_□X

N ⇓_□YM orN ⇓_□X ∪Y x . M ⇓_□{ x . M} M ⇓_□X

N ⇓_□Y

∀( y . M’) ∈X, V ∈Y. M’ [V/y] ⇓_□Z y . M’,VM N ⇓_□∪V’ ∈X, V ∈Y ZV’,V
The judgement states that must converge and that the possible values
that it can converge to is .

The evaluation function is defined by specialising the general definition given in Section 5. We also define a relation stating that if terminates, it will terminate to a set of values satisfying . Note that is a predicate on sets of values, rather than values themselves (as was the case for ). This allows us to express properties e.g. by existential quantification over outcome values, as needed e.g. in the definition of must-similarity below. To define , consider first a lifting of predicates to defined as

and note that this also satisfies items 1 and 4 of Definition 1. Define .

The relationship between these two operational semantics is similar to the one between and . First define, for and a termination predicate as an inductive family in like so: m ⇓_□^∀a(λκ. step_L^ (λ(_ : κ).m κ)) ⇓_□^∀a (λ_. now_L^ a) ⇓_□^∀a

###### Proposition 3.

The statements and are logically equivalent.

###### Lemma 7.

Let be clock irrelevant, a family over , and . The statements and are logically equivalent. As a consequence the statements and are equivalent.

Say that a relation on closed terms is an applicative must-simulation if implies

Define by guarded recursion to be

This is extended to open terms by defining to mean for all substitutions mapping all free variables in and to closed terms. Write for .

###### Lemma 8.

is the greatest applicative must-simulation.

Also in the case of the denotational semantics the general case described in Section 5.2 specialises to . None of the proofs or constructions rely on associativity of the bind operation, so also the soundness result holds. For our applications of the denotational semantics, however, we need a variant of Corollary 1 which applies to predicates on sets of values rather than on values themselves. This uses an infix notation for