Parametricity and local variables

We propose that the phenomenon of local state may be understood in terms of Strachey's concept of parametric (i.e., uniform) polymorphism. The intuitive basis for our proposal is the following analogy: a non-local procedure is independent of locally-declared variables in the same way that a parametrically polymorphic function is independent of types to which it is instantiated.
A connection between parametricity and representational abstraction was first suggested by J.C. Reynolds. Reynolds used logical relations to formalize this connection in languages with type variables and user-defined types. We use relational parametricity to construct a model for an Algol-like language in which interactions between local and non-local entities satisfy certain relational criteria. Reasoning about local variables essentially involved proving properties of polymorphic functions. The new model supports straightforward validations of all the test equivalences that have been proposed in the literature for local-variable semantics, and encompasses standard methods of reasoning about data representations. It is not known whether our techniques yield fully abstract semantics. A model based on partial equivalence relations on the natural numbers is also briefly examined.

2.1 Syntax : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 9 2.2 Semantics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 9 2.3 Recursion : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 12 3 Properties of Types 13 3.1 Basic Properties : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 13 3.2 Expansions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 15 One of the rst things most programmers learn is how to \declare" a new assignable local variable, and facilities to support this have been available in programming languages for over thirty years (Naur et al., 1963). It might be thought that there would by now be a satisfactory semantic interpretation for so fundamental and apparently elementary a mechanism. But existing models are not completely satisfactory (Meyer and Sieber, 1988;O'Hearn and Tennent, 1992). The problems arise when block bodies can contain calls of non-local procedures, and the di culty is in de ning precisely the sense in which non-local entities are \independent" of a locally-declared variable. For example, consider the following (Algol 60) block (Meyer and Sieber, 1988): begin integer z; procedure inc; z := z + 1; P(inc) end Although the unknown non-local procedure P can use its argument to change the value of z, this value can never be read, and so the block should be equivalent to P(skip), where skip does nothing, for every possible meaning of P. But this equivalence fails in all previous denotational models of local variables! The reader's reaction to this example might be that it is contrived, and that it has no practical signi cance; after all, who would ever write such a program? But consider the following slightly more complicated example: begin integer z; procedure inc; z := z + 1; integer procedure val; val := z; z := 0; P(inc; val) end The local variable, the two procedure declarations, and the initialization can be considered as constituting the concrete representation of an abstract \counter" object. Procedure P; the \client," is passed only the capabilities for incrementing and evaluating the counter, and cannot access the counter representation in any other way. A more modern language would provide a \sugared" syntax, and one could write something like module counter(exports inc; val); begin integer z; invariant z 0; procedure inc; z := z + 1; integer procedure val; val := z; z := 0 end counter; : : :counter. inc; : : :counter. val : : : but the unsugared form shows that, even without additional features, the combination of local variables and procedures in Algol-like languages supports a form of representational abstraction, which is one of the main themes of modern programming methodology. (In fact, the same example is used in the Appendix of (Reynolds, 1978) to make the same point.) See (Reynolds, 1981b;Tennent, 1991) for discussion of Algol-like languages, and (Reynolds, 1975;Cook, 1991) for comparisons of linguistic approaches to representational abstraction. To a certain extent, the relevance of representational abstraction to the semantics of local variables has already been exploited. The models described in (Meyer and Sieber, 1988;O'Hearn and Tennent, 1993b) support validation of invariance principles often used for reasoning about data representations, as in (Hoare, 1972). For example, these models validate the following equivalence: begin integer z; procedure inc; z := z + 1; integer procedure val; val := z; z := 0; P(inc; val); if z 0 then diverge end diverge where diverge is a statement whose execution (in any state) never terminates. Because P can be any procedure (of the appropriate type), the equivalence demonstrates that z 0 is an invariant of the counter representation; i.e., z 0 is true before and after every call of inc from P.
But there is more to representational abstraction than preservation of this kind of representation invariant. Consider the following block, which uses a \non-standard" representation of a counter: begin integer z; procedure inc; z := z ? 1; integer procedure val; val := ?z; z := 0; P(inc; val) end This block should be equivalent to the block that uses the \standard" representation. The equivalence illustrates the principle of representation independence: one concrete representation of a data abstraction should be replaceable by another, provided the relevant abstract properties are preserved; see, for example, (Mitchell, 1986). It is clearly important to be able to validate changes of representation; but existing semantic models of local variables almost always fail on such equivalences! This failure is especially surprising because standard informal methods for demonstrating correctness of data representations (Hoare, 1972) (Reynolds, 1981a, Chapter 5) can easily be adapted to proving such equivalences. For our example, consider the relation R between states for the two implementations such that, if z 0 and z 1 are the values of the variable z in the standard and non-standard implementations, respectively, R holds if and only if ?z 1 = z 0 0 and all other variables have the same values. It can be shown that R is initially established by executing the two initializations (with identical non-local states); executions of (the two implementations of) inc preserve R; and evaluations of (the two implementations of) val in R-related states yield the same result. The conclusion is that R holds after execution of the calls to P, and so the blocks have been \proved" to have equivalent e ects on non-local variables. But, although there is no reason to think these methods are invalid, they have never been rigorously veri ed for a language with local-variable declarations! This discussion of data abstraction motivates our link with the concept of parametricity, introduced by Strachey (1967) in the following remarks: There seem to be two main classes of polymorphism], which can be called ad hoc polymorphism and parametric polymorphism.
In ad hoc polymorphism there is no single systematic way of determining the type of the result from the type of the arguments. There may be several rules of limited extent which reduce the number of cases, but these are themselves ad hoc both in scope and content. All the ordinary arithmetic operators and functions come into this category. It seems, moreover, that the automatic insertion of transfer functions by the compiling system is limited to this class.
Parametric polymorphism is more regular and may be illustrated by an example. Suppose f is a function whose argument is of type and whose result is of type (so that the type of f might be written ) ), and that L is a list whose elements are all of type (so that the type of L is list). We can imagine a function, say Map, which applies f in turn to each member of L and makes a list of the results. Thus Map f; L] will produce a list. We would like Map to work on all types of list provided f was a suitable function, so that Map would have to be polymorphic. However its polymorphism is of a particularly simple parametric type which could be written ( ) ; list) ) list where and stand for any types. Although a complete understanding of the rami cations of this notion of parametricity is not yet available (cf., (Freyd et al., 1992b;Plotkin and Abadi, 1993)), Reynolds (1974;1983) has emphasized the close relationship with representational abstraction. The idea is that a parametric polymorphic function must work in a way that is independent of the types to which it is instantiated. For instance, (in the absence of recursion) the only parametric elements of type 8 . ! ! are the two functions with two arguments that return either the rst argument or the second argument, respectively. On the other hand, a function that would return its rst argument when instantiated to a function on integers, and its second otherwise, is not parametric because it works di erently at di erent types. Intuitively, a parametric function cannot make use of knowledge about the types to which it is instantiated, which is to say that type variables are treated \abstractly. " We propose that the independence of non-local entities and local variables is in essence similar to the sense in which a parametric function is independent of the speci c types to which it is instantiated. Stated in terms of abstraction, the principle that a non-local procedure cannot access a local variable (except through using arguments that access the variable) is analogous to the principle that the representation of an abstract type cannot be directly accessed by programs that use it (except through the provided operations of the type). We will de ne a semantics for an Algol-like language in which non-local procedures are modeled as parametric functions that can be instantiated with pieces of local state. The independence of the procedure itself from a local variable will then be explained in terms of the independence of a polymorphic function from type arguments, which here play the role of local state.
The approach to representational abstraction that we will follow is based on the work of (Reynolds, 1983), where the technique of \logical" relations (Plotkin, 1980;Mitchell, 1990) was used to give a rigorous formulation of abstraction that is appropriate for functional languages with higher-order and polymorphic procedures and programmer-de ned types. We can illustrate the representation-independence property provable using logical relations as follows. Suppose is a type expression with (say) one free type variable, and is a typing context, i.e., a nite list of types over the same type variable; Intuitively, this says that relations between di erent representations of a type variable are respected by programs that use it. We will refer to this kind of uniformity as relational parametricity, after (Strachey, 1967) and (Reynolds, 1983), and portray it diagrammatically as follows: Notice that double-headed arrowsare used here for (binary) relations, and that this is not a conventional commutative diagram.
The connection between logical relations and polymorphic functions emphasized by Reynolds is that if the above relation-preservation property is to hold in a polymorphic language, then values of 8-types must be constrained so as to satisfy similar relation-preservation conditions. In our model for local variables, function types will themselves have a polymorphic avour, and will be constrained by such a parametricity condition.
Relational parametricity is commonly thought to prescribe necessary properties that parametric functions must satisfy. What is less clear is whether, particularly in the binary-relation form, it is su cient to characterize the intuitive concept. Another appealing approach to parametricity, possessing a fairly coherent conceptual basis, uses partial equivalence relations (PERs); e.g., (Longo and Moggi, 1991). In the PER approach, polymorphic types are interpreted as in nitary intersections, so that a (realizer for a) polymorphic function is an untyped meaning that is type-correct for all instantiations of a type variable. This captures, to a certain (not completely understood) degree, the intuition that a polymorphic function is given by a uniform algorithm. On the other hand, the relational approach captures, to a certain (not completely understood) degree, intuitions about representation independence.
The larger part of our e ort in this paper will be directed toward examining the relational approach of Reynolds. The semantic model we de ne will represent quite directly the informal reasoning about local variables and data abstraction alluded to above. However, we will also brie y outline how PERs can be used to treat variable declarations. A comparison of the two models will be given in Section 11.
Our method of incorporating parametricity builds on the functor-category approach to local variables pioneered by Reynolds (1981b) (Reynolds, 1981b) and Oles (1982Oles ( , 1985. In the remainder of this Introduction, we will brie y review the basic elements of this approach, and indicate how relational parametricity will enter the picture. (The expository article (O'Hearn and Tennent, 1992) and textbook (Tennent, 1991) contain introductions to this approach.) The key insight of the Reynolds-Oles work is that, in a language with local-variable declarations, the concept of state is not constant|represented by a single set of states|but rather varies as storage variables are allocated and de-allocated. That is, there are di erent possible sets of states depending on the \shape" of the run-time stack; i.e., the number and type of variables that have been allocated.
To account for this, the semantics is parametrized by abstract \store shapes," e ectively building the variance in the concept of state into the semantics in a way that logically precedes any assignment of meanings to phrases. In general, the meaning of a type is not a single domain, but a whole family of domains. For example, the type of commands is often interpreted as S ! S ? , where S is a set of states. But in a language with variable declarations S itself varies, and so there is a domain X ! X ? for each possible set X of states. In particular, a local-variable declaration changes the set of states from X to X Y , where Y is the set of values the new variable may hold; the Y -valued component of each element of X Y represents the new variable. Similarly, if the the domain of command meanings prior to a variable declaration is X ! X ? , then, after declaration, it becomes X Y ! (X Y ) ? .
The semantic set-up can be elegantly described using basic concepts of category theory. The variance in the concept of state is modeled using a category of \possible worlds." Each possible world determines the set of storage states needed to represent the values of currently available variables, and a morphism of worlds \expands" the current state by allocating space for additional storage variables (the Y -valued component above). This variance in the concept of state induces a similar variance into types, which is represented by interpreting types as functors from the category of possible worlds to a category of domains and continuous functions. Phrases are interpreted as natural transformations of these functors. The naturality condition on the meaning of any phrase P is portrayed by the following commutative diagram: Notice that, in many respects, this is similar to the relational-parametricity picture discussed earlier. Parametrization by possible worlds is roughly analogous to abstraction on a type variable. In fact, if we think of the possible worlds as certain kinds of types, then P] ] is a family of functions indexed by these types and so is, in a certain sense, polymorphic. It is therefore certainly conceivable to require a family of this form to satisfy a parametricity constraint.
This analogy between possible worlds and type variables suggests how relational parametricity can be incorporated. We consider binary relations between worlds, regarded as relating di erent \representations" of the store shape, and the semantics of types is then arranged so that each such relation induces a relation between the meanings of a type at different store shapes. The meanings of terms are then families of maps satisfying a relationalparametricity constraint.
The naturality requirements of Reynolds and Oles will not be abandoned. However, to make the presentation more accessible, we will begin with a \category-free" description of our model. The naturality conditions are implicit in this presentation, but will later be shown to be implied by relational parametricity.
This category-free description has the advantage of being quite simple, and it also puts the role of parametricity clearly on display. But a consideration of relevant category-theoretic issues is crucial for a deeper understanding of the model. The category-free presentation appears very ad hoc in some respects; a fully satisfactory justi cation for some of the de nitions will come from categorical considerations. Further, while we will show that in certain circumstances naturality is implied by relational parametricity, it must be emphasized that, in general, these are di erent kinds of uniformity, with neither being stronger than the other. It will be seen, in fact, that the connection between these two concepts is somewhat delicate. (In Section 9, we show an example where \parametricity implies naturality" is not stable under Currying isomorphisms; this, for us, came as a surprise.) To study this combination of relational parametricity and naturality, we will de ne a suitable cartesian closed category of \relation-preserving" functors and natural transformations.
The key technical notion underlying this construction is that of a re exive graph, which is essentially an arbitrary category equipped with assignments of (abstract) \relations" to its objects and morphisms. This will be taken up in Sections 7{9. The earlier parts of the paper are devoted to the category-free presentation of the model.

Syntax
Our language is an Algol-like language in the sense of (Reynolds, 1981b). The language does not include jumps or subtypes, but it raises the key issues related to variable allocation. The types are as follows: ::= int j bool (data types) ::= comm j exp ] j var ] (primitive phrase types) ::= j~ ! (phrase types) Data types are the types of values that can be stored, while phrase types consist of meanings that can be denoted by identi ers and, more generally, program phrases, but that cannot be stored. This distinction allows variable declarations to obey a stack discipline. comm is the type of commands. Executing a command causes a state change, but does not return a value. var ] is the type of storage variables that accept -typed values. exp ] is the type of expressions that return values of type . Expressions are \read only," in that they are state dependent but do not cause side e ects. So all state changes are concentrated in the type comm. In particular, procedures use by-name parameters, and can only change the state indirectly, by being used within a phrase of type comm.
In procedure types~ is a non-empty sequence of phrase types. This \uncurried" formulation of the syntax of procedure types is not essential, but is most amenable to a category-free description of the model.

Semantics
We will regard a binary relation R as a triple (W 0 ; W 1 ; S) where W 0 and W 1 are sets (the domains of R) and S W 0 W 1 (the graph of R). Although we will work exclusively with binary relations, our de nitions (though not all of our notation) generalize straightforwardly to n-ary relations for any n. We will use the notations R: W 0 $ W 1 and W 0 W 1 ? R 6 to mean that R is a binary relation with domains W 0 and W 1 , and w 0 R]w 1 to mean hw 0 ; w 1 i 2 graph R.
If W is any set, W : W $ W is the diagonal relation on W; i.e., w W ]w 0 () w = w 0 . We use W ! X and W X for the function space and product of sets. If W 0 , W 1 , X 0 , and X 1 are sets and R: W 0 $ W 1 and S: X 0 $ X 1 , R S: W 0 X 0 ! W 1 X 1 is de ned by hw 0 ; x 0 i R S]hw 1 ; x 1 i () w 0 R]w 1 and x 0 S]x 1 ; R ! S: W 0 ! X 0 ! W 1 ! X 1 is de ned by f 0 R ! S]f 1 () for all w 0 2 W 0 , w 1 2 W 1 , if w 0 R]w 1 then f 0 (w 0 ) S]f 1 (w 1 ). We often use the diagrammatic notation to indicate that f 0 R ! S]f 1 . Notice that this notation makes the domains of the relations, and the domains and codomains of the functions, evident. The collection of \store shapes" is a set of sets that includes desired data types, such as 2 = ftrue; falseg and Z = f: : :; ?2; ?1; 0; 1; 2; : : :g, and all nite (set) products of these.
We won't be more speci c about , except to emphasize that it must be a small collection.
For each data type , we assume a set ] ] in , with int] ] = Z and bool] ] = 2.
Following (Reynolds, 1983), we de ne a \twin" semantics of phrase types, where each determines two functions ]] : ?! Sets ]] : rel( ) ?! rel(Sets). Here, Sets stands for the class of sets, rel(Sets) for the class of binary relations between sets, and rel( ) for the set of binary relations between store shapes. The relational component of the semantics will be used to enforce parametricity constraints.
The interpretation of the command type is as follows: The two components of a variable allow for, respectively, updating and accessing its contents. This \object-oriented" approach to variables is from (Reynolds, 1981b). For procedure types one might expect to use a pointwise de nition, where ~ ! ]]W = ~ ]]W ! ]]W, and similarly for the relation part. However, a pointwise de nition is not appropriate in the present context. The reason is that we think of the sets in as \store shapes," which can grow between the point of de nition of a procedure and the point of call.
For example, if the store shape is W when a procedure identi er P is bound, and P is called after an integer variable is declared, then the shape of the stack for the call will be W Z, not W. binding of P begin integerx; P( x ) end Thus, a procedure meaning at store shape W must be applicable at an expanded shape W X, where X corresponds to additional variables that have been allocated. This is accounted for in (Reynolds, 1981b;Oles, 1982) by de ning a procedure meaning to be a family of functions, indexed by extra components X representing pieces of local state that can be added to the stack. We will follow the same route here, except that these families of functions will be subject to parametricity conditions.
A procedure type~ ! is interpreted as follows.
For every store shape W in , ? ] ]( W R) 6 Function p X] models the behaviour of the procedure instantiated at the \expanded" store shape W X.
For every relation R: X 0 $ X 1 in rel( ), p ~ ! ] ]R q i , for all relations S: Y 0 $ Y 1 in rel( ), ? ] ](R S) 6 Notice how the relational and domain-theoretic semantics become intertwined at this point. This is motivated by the use of a relational condition to constrain values of 8 types in (Reynolds, 1983). The identity relation W plays the same role as the identity relations there. (Of course, the foundational di culties described in (Reynolds, 1983;Reynolds and Plotkin, 1993) do not arise here, because the source collection , over which indexing is done, is small.)

Recursion
The presentation thus far is for a recursion-free dialect of Algol. Recursion can be dealt with by using domains in place of sets, as follows. (We still use sets, or discretely-ordered predomains, for the store shapes.) If D and E are partially ordered sets and R: D $ E (i.e., R is a relation on the underlying If D and E are directed-complete partially-ordered sets then a relation R: D $ E is complete, if its graph is a directed-complete subset of the pointwise-ordered product of the domains of the relation; and pointed, if D and E are pointed and R relates their least elements. The semantics can then be de ned by mapping store shapes to domains, and relations on store shapes to pointed complete relations on domains. For the command type: for every store shape W in , comm] ]W = W ! W ? ; and for every R: W 0 $ W 1 in rel( ), comm] ]R = R ! R ? : Here, the ! acts on (pre)domains as the continuous-function space constructor, and on complete relations by producing the evident complete relation on the function spaces. The denitions of the other base types can be modi ed in a similar fashion, and procedure types are exactly as before, but with the ! in the de nition understood as constructing the continuousfunction space, and the families p {] ordered component-wise.
The restriction to complete relations is standard. It is needed for the xed-point operator to satisfy the appropriate parametricity constraints, and also for domain-theoretic structure to be respected when using parametricity to constrain procedure types. As the consideration of recursion would add little to our discussion of locality, we will for simplicity concentrate on the set-theoretic semantics in the remainder of the paper.

Basic Properties
We now turn to some basic properties satis ed by this semantics. These are all essentially consequences of the polymorphic view of phrase types sketched in the previous section.
First, as in (Reynolds, 1983), each ]] preserves identity relations. ? ] ]( W R) 6 In particular, taking R as a diagonal X and applying the induction hypothesis (both for~ and for ) gives that p X]a = q X]a for all X and a 2 ~ ]]X, and so p = q. (We are using the fact that the identity property can be seen to hold for ~ ] ] whenever it holds for each element of the vector.) A further related property, emphasized in (Freyd et al., 1992b), is that each ]] is functorial on isomorphisms. We say that a relation in rel( ) (respectively, rel(Sets)) is an isomorphism i it is the graph of a bijection. (In a domain-theoretic model, we would consider continuous isomorphisms, i.e. continuous, order-re ecting bijections.) It will be well, for future reference, to have an explicit description of functional isomorphisms induced by bijections between store shapes (even though these isomorphisms could alternatively be read o from the semantics of types, using a relational isomorphism). If f: W ! X is a bijection between store shapes then the isomorphism f : ]]W ! ]]X is de ned as follows.
Here we are using the action of exponentiation ! and product (in the category of sets) on morphisms, and id is an identity. In the last equation, the right-hand side denotes the function that takes p 2 ~ ! ] ]W and a store shape Y to the bottom of the following where f~ for vectors is de ned in the obvious component-wise way.

Lemma 2 (Isomorphism Functoriality)
Each ]] is functorial on isomorphisms. That is, for all isomorphisms R: W $ X in rel( ), (Preservation of identities is the identity extension lemma.) Furthermore, if f: W ! X is a bijection between store shapes and R f : W $ X is the relation with the same graph as f then the relation ]]R f and the function f have the same graph.
Proof: First, showing that f is iso follows by a straightforward argument, where the function type case is much as in the proof of the identity extension lemma. Second, that ]]R f and the function f have the same graph can be shown by induction on types, where the function-type case follows immediately from the induction hypothesis. It is then not di cult to show that ( ) preserves identities and composites, when applied to bijections.
Of course, relational composition is not preserved for all relations.
In the following, much use will be made of the canonical unity and associativity isomorphisms between store shapes. (Here, 1 is a singleton store shape.) unl: W 1 ! W unr: W ! W 1 assl: W (X Y ) ! (W X) Y assr: (W X) Y ! W (X Y ): These isomorphisms satisfy a special parametricity property. Proof: A routine induction on .
Notice that the notation for these canonical isomorphisms does not make the domains and codomains explicit. Perhaps we could write, e.g., assl X1X2X3 ; however, no ambiguity will arise as the relevant information will always be clear from context.

Expansions
There is further structure in the semantics that derives from the conception of elements of as representing \shapes" of the run-time stack. Speci cally, the expansion of store shapes caused by variable declarations is accompanied by mappings that convert semantic entities at a shape W to any expanded shape W X.
If W and X are store shapes, for each type we de ne a function expand (W; This treatment of expand maps would surely bene t from a dose of category theory. For now we will push on and complete the concrete description of the model, leaving the tidying up of categorical matters to Sections 7{9. There is a special uniformity property that the expansion functions satisfy. It states that expansions preserve relations on non-local states, and also produce meanings at expanded shapes that satisfy all relations on the local part of a store shape. By the Canonical-Isomorphism Parametricity Lemma we get (assr ; p 0 X 0 Y 0 ] ; assl) and, by the de nition of expand, this is just what we wanted to show.

Valuations
Whereas the category-free semantics of types is quite simple, the semantic equations for terms will turn out to be comparatively complex. This is a presentation trade-o : the valuations in the categorical semantics given later are much simpler, but require a more sophisticated interpretation of types.
A type assignment is a nite function from (an unspeci ed set of) identi ers to phrase types. Some typing rules are in Table 1. The rules are in a natural deduction format. The rules for abstraction and application are for the uncurried syntax of types. The pairing construct uses the \object-oriented" approach to variables. We write write `M : to indicate that M : is derivable from (undischarged) assumptions .
The example blocks in the Introduction can easily be desugared into this language. A block begin x ; C end is rendered as new ( x: var ].C). We will arrange matters so new always assigns an initial value to the variable created. Of course, we could alternatively let the programmer supply this value, in which case the type of new would be (exp ]; (var ] ! comm)) ! comm : If is a type assignment then the -compatible environments, and relations between them, are as follows.
for each store shape W, ] ]W = Q x2dom( ) (x)] ]W; and for each relation R: W 0 $ W 1 between store shapes, The meaning function associated with a judgement `P :~ ! will be a family of functions P]] ( Readers familiar with functor categories will notice that this valuation for identi ers is similar to what one obtains by uncurrying a projection A (B ) C) ?! (B ) C), where B ) C is the functor exponent. In general, all of the valuations in the category-free semantics are obtained by uncurrying maps in the more standard category-theoretic presentation.
Most of the valuations for the language are in Table 2. In each equation u is an environment in ] ]W for the appropriate and a store shape W andd 2 ~ ] ] is an appropriately typed vector of arguments. It is understood that this vector is omitted when the term in question is of base type. In the equation for if, t is either comm or of the form exp ]. The conditional extends to other types in the usual inductive fashion. The rules for abstraction and application are for the uncurried form of types.
We will not give denotations, or syntax rules, for ordinary arithmetic and logical opera-   (Schmidt, 1985). Intuitively, if a state change occurs, the old state is no longer available, so there is no way to backtrack to an earlier state. We will discuss this issue further in the Conclusion.
We now turn our attention to the key cases of new and application. is the new variable, de ned as follows: ehw; xi = x and a(y)hw; xi = hw; yi. The \acceptor" a overwrites the ] ]-valued component of the state. The intuition behind this de nition is that procedure p is executed in an expanded store shape, where the additional ]]-valued component holds the value of the new variable. The argument ha; ei provides the capability for updating and accessing this variable. The nal value of the variable is discarded using the projection fst. This is as in (Reynolds, 1981b;Oles, 1982).
The semantics of new is where the parametricity constraints in the model come into play. Because of the de nition of procedure types, a call to p at an expanded store shape W ] ] is required to satisfy uniformity conditions induced by relations involving ]]. In the next section we will consider a number of examples showing these parametricity conditions at work.
Next, we consider application. Suppose that we are given `M : ;~ ! and `N : . If = 0 is a primitive type then the semantics is simple, obtained by prepending the meaning of N onto a suitable vector.

M N] ]W ud = M] ]W u ( N] ]Wu;d )
It is clear that when~ is empty this is the obvious application.
The case when is not a primitive type is more complex. If =~ 0 ! 0 then we need to prepend an element of ~ 0 ! 0 ]]W onto a vector. Recall that a meaning of this type is a family of functions indexed by store shapes: we need to obtain such a family from the meaning of N.
For a xed environment u 2 ] ]W, de ne g as follows; for all X, where expansion maps are extended to type assignments pointwise: Notice that g X]: ~ 0 ]](W X) ! 0 ]](W X), so g is certainly of the right form to be in ~ 0 ! 0 ] ]W. It will be shown to satisfy the necessary parametricity constraints in the course of proving the Abstraction Theorem below. The semantics of application is The reader familiar with semantics in functor categories will notice that expansions come into this uncurried style of presentation in the case of application, whereas they appear when treating -abstraction when the semantics is presented in a more conventional curried form. Proof: The Abstraction Theorem and the well-de nedness of P]] are proven simultaneously by structural induction on P. Well-de nedness is immediate in all cases except application (which is the only case where the simultaneity is used in a non-trivial way).
For the well-de nedness of application, suppose `M : ;~ ! and `N : . If = 0 is a primitive type then the result is immediate, so suppose =~ 0 ! 0 . Well-de nedness will be assured if we can show that the family of functions In the case that =~ 0 ! 0 we reason in the same manner, but use g 0 ~ 0 ! 0 ] ]R g 1 , where g i is the meaning determined by the environment u i , as in the de nition of application. This last property follows from the Abstraction Theorem for N, with a proof similar to the well-de nedness of g above using R in place of W .

Examples of Reasoning
In each of the examples that follow, an unknown non-local procedure is passed a limited capability for accessing a local variable, in much the same way that an abstract type gives to its \clients" a limited capability for accessing its representation. The reasoning method employed involves choosing a relation that is satis ed by di erent arguments to the procedure, and then applying the parametricity property to infer a relational property that pairs of procedure calls must satisfy. For the sake of readability, we continue to use sugared notation for code in the examples. The desugarings into the language of the previous sections should be clear. We It is important here that w = w 0 when w R E ]hw 0 ; zi: the parametricity property always acts as the identity relation on non-local variables. This is where the identity extension lemma and the use of identities in the parametricity constraint on procedure types come into play. We would like to emphasize that the reasoning method in this example is simply an instance of reasoning about polymorphic functions using Reynolds parametricity ( (Reynolds, 1983); see also (Wadler, 1989) for numerous examples of this form of reasoning). The equivalence reduces to the following property fst ? p 1]( x.x) = fst ? p Z]( y.hfst y; (sndy) + 1i) for a polymorphic function p: 8 .( . This is what we mean when we say that reasoning about local variables often amounts to proving properties of polymorphic functions. Of course, it is fairly signi cant that the polymorphism that we are concerned with is predicative in nature; but the point remains that the reasoning method we employ is exactly as in (Reynolds, 1983;Wadler, 1989). These methods will be seen below to lead to remarkably straightforward validations of previously troublesome equivalences.
Before continuing, it is worth pausing to explain why typical counterexamples to this equivalence, which exist in previous models, are not present here. Let W = ftrue, falseg.
One counterexample is essentially a family of functions The equality test on states is the culprit in the de nition of p: any two states hw; zi and hw; z 0 i are \indistinguishable" from the point of view of the second domain of the relation R Z , so branching on the equality test violates parametricity.
Our second example demonstrates that the invariant-preserving properties of the models described in (Meyer and Sieber, 1988;O'Hearn and Tennent, 1993b) are encompassed by parametricity. If Z is the set of nonnegative integers, we again get skip comm] ]R Z inc. The property ( ) now ensures that z is non-negative when p Z](inc)hw; 0i = hw 0 ; zi. This can be used to verify that the value of local variable z is still nonnegative on termination of the procedure call in begin integer z; z := 0; P(z := z + 1); end Our last example using relations of the form R E is begin integer z; where P: exp int] ! comm; we have left the de-referencing coercion (deref) from var int] to exp int] implicit in the argument of the call. The intuition here is that the value of z will be 0 each time it is used during execution of the call P(z), because P cannot write to z. Therefore, this should be equivalent to simply supplying 0 as an argument instead of z.
To validate this we can use R f0g . The denotation of 0 is the constantly 0 function in exp] ](W Z), and the denotation of z, as an expression, is the projection W Z ! Z. These denotations are then related by exp] ]R f0g ; i.e., because if argument states are related, the Z-valued component is always 0. We can then use the parametricity of P; as in the other examples, to conclude that (the denotations of) the calls P(0) and P(z) are comm] ]R f0g -related, and the equivalence follows from the valuation for variable declarations.
Next we consider a relation that does not t into the R E pattern: the relation W R, where R: Z $ Z is de ned by z 0 R]z 1 () ?z 1 = z 0 0 . This can be used to validate the equivalence between blocks that use non-negative and nonpositive implementations of a counter in exactly the manner discussed in the Introduction.
The representations of the procedures inc and val are directly related by W R, and we can use the parametricity property of procedures to conclude that the calls to non-local procedure P are related. This implies the desired equivalence because the semantics of new disposes of the Z-valued component of W Z on termination, and we are left with W -related results.
We should mention that this last equivalence is in fact valid in the models of (Oles, 1982;Tennent, 1990). These models can typically handle representation independence when the di erent representations being considered are isomorphic. Our nal example shows how non-isomorphic representations can be dealt with.
The example involves a simple abstract \switch." A switch will have two associated operations.
ick: turns the switch on; and on: a predicate that tests whether the switch has been icked on. The switch is initially o , but remains on after it has been icked for the rst time.
One representation of the switch will be the evident one using a boolean variable. In the other, 0 will correspond to the switch being o , and the on position will be represented by any positive integer. These representations are given in the following two blocks, where P is of type (comm; exp bool]) ! comm. begin boolean z; procedure ick; z := true; boolean procedure on; on := z; z := false; P( ick; on) end begin integer z; procedure ick; z := z + 1; boolean procedure on; on := z 1; z := 0; P( ick; on) end A typical counterexample, which exists (in one form or another) in the models of (Oles, 1982;Meyer and Sieber, 1988;O'Hearn and Tennent, 1992), is p such that 6 Algebraic Aspects of First-Order Types A standard test for the parametricity of models of polymorphism involves connections between free algebras and the denotations of certain lower-order polymorphic types (Reynolds, 1983).
For example, in a model that is \su ciently parametric," the type 8 .( ! ) ! ( ! ) of Church numerals will (in the absence of recursion) in fact denote a natural numbers object, and the type 8 .( ! ) ! will be isomorphic to the type list ] of nite lists over . These representations supply a very clear picture of low-order polymorphic types, and are an indication of the constraining e ect of the parametricity conditions under consideration. Our purpose in this section is to describe how our parametric semantics yields similar representations of rst-order Algol types.
To begin, we consider comm ! comm] ]1. We can use an argument of Plotkin (1980) to characterize precisely the elements in this set. If p 2 comm ! comm] ]1 then there is a number n such that p N] (id f g succ) h ; 0i = h ; ni, where N is the set of natural numbers and succ is the successor function. Then for any X, c: X ! X and x 2 X, we can set up a relation R: N $ X where 0 R]x and m R]x 0 ) m + 1 R]c(x 0 ). The functions succ and c are then related by R ! R and we can use parametricity to conclude that p N] (id f g succ) h ; 0i and p X] (id f g c) h ; xi are R-related and, in particular, the latter is h ; c n (x)i, where c 0 = skip and c n+1 = c ; c n . Thus, p is the n-th Church numeral.
In an Algol-like language, the n-th Church numeral is de ned by c: comm.c n . From this we can immediately see two interesting facts. First, every element of comm ! comm] ]1 is de nable by a closed term. Second, up to semantic equivalence, the local-variable declarator new does not gure into closed terms of this type at all, for any closed term of this type will be equivalent to one that doesn't use new. One has to go up to closed terms of second-order type, or to open terms of rst-order, for new to make a di erence.
What we have done here is to follow the analogy between type variables and store shapes. comm ! comm] ]1 corresponds to 8 .(1 ! 1 ) ! (1 ! 1 ), and, as 1 = , this should in turn be the Church numerals. The reader familiar with (Reynolds, 1983) will then be able to see how similar representations can be obtained for other rst-order Algol types. We collect a few examples into the following proposition.
Proposition 6 (Reynolds) We have the following isomorphisms, where is a store shape. Proof: These isomorphisms are based on observations in (Reynolds, 1983). We will outline the proof of the last isomorphism to indicate that these arguments do go through for our semantics of Algol types.
Any c: Z ! Z, for some store shape Z, can be decomposed into two functions c 1 : Z ! and c 2 : Z ! Z. For  (This principle was at work in the example from the previous section involving P(0) and P(z)). Of course, not all elements of these types will be de nable; for example, de nability of all elements of exp int] ! exp int] is not possible for computability reasons.
For the types with comm in a contravariant position, changes to a local variable by a command argument are mirrored by cons: a list of 's records non-local states when a command argument is executed. The representation of comm ! exp ] illustrates the non-single-threaded nature of the semantics. In a semantics that captured single-threading properly we expect that the occurrences of list ] would disappear, because single-threading should mandate that commands cannot be executed within expressions.
These representations are limited to rst-order types: we do not know of characterizations of level-two types such as, for example, (comm ! comm) ! comm. A similar phenomenon occurs in models of polymorphism: much is known about level-two polymorphic types, but considerably less for level three. (Here our understanding breaks down at level two because these types correspond semantically to level-three functional types.) The situation in the presence of recursion is more complex due to lifting, and we do not have a clear general picture, given by a clean scheme like the one in (Reynolds, 1983), of the denotations of all rst-order types in the presence of recursion. Characterizations of certain speci c types have been obtained, however; we illustrate with comm ! comm] ]1.
Let Vnat be the vertical natural numbers, i.e., the natural numbers with the usual \less than" order, and with an extra top element 1. Vnat op is the vertical naturals with the ordering reversed. Then comm ! comm] ]1 = N ? Vnat op where is the smash product.
An outline of the proof of this isomorphism is as follows. Using the isomorphism 1 = , a meaning in comm ! comm] ]1 will be a family of continuous functions p ]: ( ! ? ) ! ( ! ? ) satisfying the parametricity condition. If p N] succ 0 = ? then p corresponds to h?; 1i. If p N] succ 0 = n then there will be a smallest m such that p N] (succ n + m]) 0 = n, where (succ k]) a = a + 1 if a < k and ? otherwise. In this case p corresponds to hn; mi. The desired isomorphism can then be shown using parametricity with an argument similar to the one used by Plotkin for the Church numerals: we de ne an appropriate relation that relates an argument in ! ? to a succ k].
As before, every element of this domain can be de ned by a closed term, with the appropriate boolean tests and a term diverge: comm that denotes the constantly-? function. Speci cally, h?; 1i is de ned by diverge, and hn; mi is de ned by c: comm.if (do c n+m result 1) = 1 thenc n elseskip The test (do c n+m result 1) = 1 will converge, and return true, i c n+m converges. The skip branch never gets executed.
It is now possible to appreciate the role of Vnat op . It concerns \lookahead," in the sense that we look to see if n + m executions of c will converge and, if so, we execute c n times.

Relations and Re exive Graphs
The category-free presentation, though quite elementary, is also rather ad hoc in some respects. In the next few sections we will endeavour to place the model into a categorical context, providing some justi cation for the de nitions.
A rst attempt would be to say that the model lives in a category of \relators" (Mitchell and Scedrov, 1993;Ma and Reynolds, 1992;Abramsky and Jensen, 1991). The objects map store shapes and relations between them to sets and relations between them in a way that preserves identity relations, and the morphisms are families of functions, indexed by store shapes, satisfying a parametricity constraint. While it is true that each type in our model determines a relator, the relator viewpoint is not quite satisfactory. The appropriate notion of exponentiation for relators is pointwise: (A ! B)(X) = A(X) ! B(X) for X a store shape or relation. A better categorical explanation of the model would connect our interpretation of procedure types with exponentiation, and our interpretation is not pointwise. This is the point at which we must bring out the functor-category structure, which shows up in the category-free presentation in the use of expansion functions. It will be seen that each type determines a functor from the category of store shapes (from (Oles, 1982)) to the category of sets. The interpretation of procedure types then has some of the avour of a functor-category exponential, but with additional parametricity constraints. A suitable category will be obtained by considering both the relator and functor aspects of types, along with naturality and parametricity conditions on morphisms.
The reader might have noticed that naturality properties were never used in proving any of our results in previous sections, or in reasoning about example equivalences. The place where naturality does come in is in trying to prove the validity of the laws of the typed -calculus. It would have to be accounted for if we were to validate these laws directly in the category-free semantics; in the categorical semantics it will be crucial to get a Cartesian closed category.
In the following, we will need functor-like maps that preserve a certain kind of relational structure. There is a fundamental di culty, however. We do not want to insist on relations being composable, and so the structure that must be preserved is not really \categorical." One reason for not requiring composability is that, as is well known, composition is not preserved by logical relations at higher types. Another is that we want to be able to generalize to n-ary relations for n > 2, and then there is no evident notion of composition.
We propose that the appropriate way to describe the relational structure that is needed is to use the notion of a re exive graph. A re exive graph is conventionally a set of vertices with (oriented) edges between them; furthermore, for any vertex v, there is a distinguished edge from v to itself, the identity on v. Notice that a re exive graph is more structured than a set (because there are edges as well as vertices), but less structured than most categories (because edges need not be composable).
We will actually consider a generalization, familiar to category theorists, where categories of vertices and edges are allowed (Barr and Wells, 1990;Lawvere, 1989;Johnstone, 1989); the conventional notion of re exive graph becomes the special case in which the vertex and edge categories are small and discrete. In some examples, the edge objects will be relations over pairs of vertex objects, and the edge morphisms will be relation-preserving pairs of vertex morphisms; however, in general, edges are not required to be any of the usual categorical forms of relation (Ma and Reynolds, 1992;Mitchell and Scedrov, 1993).
Here is a precise de nition: a re exive graph G consists of two categories, G v (vertices) and G e (edges), and three functors between them as follows: ? G 1 6 such that G I ; G i = 1 Gv for i = 0; 1, where ; denotes composition in diagrammatic order and 1 Gv is the identity functor on G v . Intuitively, G i speci es the i'th domain for each edge and edge morphism, and G I speci es the identity edge for each vertex and vertex morphism.
An equivalent and more elegant presentation is as follows: a re exive graph is a functor G: G ! CAT, where CAT is the meta-category of all categories and functors between them (Mac Lane, 1971), and G is the two-object category whose (non-identity) morphisms are as follows: v e -I 0 ? 1 6 with I; i = id v for i = 0; 1, where id v is the identity morphism on v. (More generally, re exive graphs with n-ary edges would be generated by the two-object category having non-identity morphisms I: v ! e and i : e ! v for i = 0; 1; : : :; n ? 1, with a similar commutativity requirement.) As our rst example, we de ne a re exive graph S (sets) as follows.
The \vertex" category, S v , is the usual category of sets and functions. The \edge" category, S e , has binary relations on sets as objects and relation-preserving pairs of functions as morphisms; i.e., a morphism with domain R: W 0 $ W 1 and codomain S: X 0 $ X 1 is a quadruple (R; f 0 ; f 1 ; S) such that f 0 R ! S]f 1 . We will use the relational-parametricity diagram Category S e is the category of relations over sets presented in (Ma and Reynolds, 1992). Furthermore, the S i are similar to the forgetful functor U used there in a categorical treatment of the ( rst-order) \abstraction theorem," and S I is similar to the functor J used there in a categorical treatment of the \identity extension lemma." Hence, some of the key entities introduced in (Ma and Reynolds, 1992) are incorporated in the re exive graph S.
As our second example, we de ne a re exive graph D (domains) as follows. D v is the category of directed-complete partially-ordered sets and continuous functions. D e has complete binary relations as objects, and relation-preserving pairs of continuous functions as morphisms. Composites and identities are evident.
The functors D i : D e ! D v for i = 0; 1 and D I : D v ! D e are de ned exactly as for S.
Finally, we de ne a re exive graph W (worlds) having the small category of \state shapes" described in (Oles, 1982) as its vertex category W v . The category is as follows.
The objects are (certain) sets, including desired data types, such as ftrue; falseg and f?2; ?1; 0; 1; 2; : : :g, and all nite (set) products of these. The morphisms from W to X are all pairs ; such that { is a function from X to W; { is a function from W X to X, where the here (and throughout this example) is the set-theoretic Cartesian product; { for all x 2 X, h (x); xi = x ; { for all x 2 X and w 2 W, ( hw; xi) = w ; { for all x 2 X and w; w 0 2 W, w; hw 0 ; xi = hw; xi : For example, there is an \expansion" morphism ( ; ): W ! X such that X = W Y for some data type Y with hw; yi = w and w; hw; yi = hw; yi; i.e., \projects" a large stack into the small stack it contains, and \replaces" the small stack contained in a large stack by a new small stack, leaving unchanged local variables on the large stack.
In fact, Oles shows that any ( ; ): W ! X induces a set isomorphism X = W Y for some non-empty set Y ; that is, up to isomorphism, every morphism is an expansion.
The identity morphism on W is ( ; ) such that (w) = w and (w; w 0 ) = w. A category W e of relations over can be de ned as follows.
The objects are relations R: W $ X, where W and X are -objects. A morphism with domain R: W 0 $ W 1 and co-domain S: X 0 $ X 1 is a quadruple ? R; ( 0 ; 0 ); ( 1 ; 1 ); S such that 0 S ! R] 1 and 0 R S ! S] 1 . Again, we use diagrams of the form ? S 6 to depict morphisms in W e .
Composition and identities are de ned straightforwardly in terms of those in .
We can now complete the de nition of W by using diagonal relations for the identities, and de ning the domain functors in the evident fashion.
The de nition of \related" -morphisms above is particularly noteworthy: are morphisms in S e . This de nition ensures that appropriate relations will be preserved by variable de-allocation (using the \projections" i ) and by state changes in larger worlds induced by changes at smaller ones (using the \replacements" i ). Notice that W e is not a category of relations over in the sense of (Ma and Reynolds, 1992); in fact, does not even have a terminal object.

Parametric Functors and Natural Transformations
Next we describe a category of \parametric" functors and natural transformations. The description will be highly tailored to the speci c de nitions of W and S, but at the end of the section we sketch a more general setting for the de nitions.
The rst three conditions say that F 0 and F 1 constitute a conventional functor from W v to S v ; the next two conditions say that F 0 and F 2 constitute a \relator" (Mitchell and Scedrov, 1993;Abramsky and Jensen, 1991); and the last condition is a parametricity constraint. This last condition is closely related to the Expansion Parametricity Lemma and is crucial for function types to behave properly, e.g. for currying to satisfy relevant parametricity conditions. We will adopt the usual notational abuse of using a single symbol such as F to denote all three mappings.
If F and G are parametric functors from W to S, is a parametric natural transformation from F to G if it maps W v -objects to S v -morphisms such that for every W v -object w, (w): F(w) ! G(w); for every W v -morphism f: w ! x, ? G(f) commutes; and for every R: w 0 $ w 1 in W e , The rst two conditions say that is a conventional natural transformation from F to G, and the last condition is a parametricity constraint.
Parametric natural transformations compose in the obvious point-wise way (like \vertical" composition of natural transformations). The category having all parametric functors from W to S as objects and all parametric natural transformations of these as morphisms will be denoted S W . Theorem 7 S W is cartesian closed. Proof: Products can be de ned pointwise: with the obvious (parametric) projections. A terminal object 1 has 1(X) = f g, 1( ; ) = id f g and 1(R) = f g For exponentiation, we rst de ne the analogue of \representable" functors (Mac Lane, 1971;Lambek and Scott, 1986). If X and Y are store shapes then h X (Y ) = Hom Wv (X; Y ), and for f and g maps in , h f (g) = Hom Wv (f; g), so that h f g (h) = f; h; g. If R: X 0 $ X 1 and S: Y 0 $ Y 1 , then h R S: h X0 Y 0 ! h X1 Y 1 is such that We write h X ({) for the parametric functor that sends Y to h X Y , f to h idX f and R to h X (R).
Exponentiation is then de ned on store shapes as follows: (G F f p) Z]hg; ai = p Z] hf ; g; ai ; and on relations, p G F R]q i 8S: It is not di cult to show that G F satis es the functor and relator requirements, and the condition that a parametric functor send related W v -morphisms to related S v -morphisms.
The application and currying maps are exactly as in presheaf categories. The application map app: F G F . ! G is app W] ha; pi = p W]hid W ; ai: Naturality follows as usual. To see that it is parametric, assume p 0 (G F )R]p 1 and a 0 F(R)]a 1 .
? R 6 , we have that hid W0 ; a 0 i h R R F(R)]hid W1 ; a 1 i, and the de nition of G F (R) implies (p 0 W 0 ]hid; a 0 i) G(R) (p 1 W 1 ]hid; a 1 i). The Currying map curry: Hom(F G; H) ?! Hom(F; H G ) is curry m W a hf; bi = m X hF(f)a; bi where f: W ! X in W v . The naturality of curry m is shown as usual, and parametricity is proved using the condition that F send related W v -morphisms to related S v -morphisms.
That curry and app have the required properties of exponentiation is straightforward; this is where the naturality requirements are crucial.
We now show how to interpret types as parametric functors from W to S. We use the angled brackets hh i i to distinguish the parametric-functor semantics from ] ]. For the morphism part what we do is execute c on the small part of the stack, i.e. c( (x)), and then use to replace the small part of x with the resulting nal state.
The parametricity conditions on these functors are easily veri ed. It is noteworthy that these pointwise de nitions are actually isomorphic to what is obtained by introducing the obvious contravariant \states" functor S and de ning h hexp ]i i = S ! ] ] h hcommi i = S ! S using a parametric version of \contra-exponentiation" (O'Hearn and Tennent, 1992), where D is the constant functor whose object, morphism, and relation parts always yield D, id D , and D , respectively. This is an indication of the e ectiveness of the parametricity constraints.
For The interpretations of terms can be given exactly as in (Oles, 1982). We have already seen the application and currying maps in the proof of Proposition 7, and these are exactly as in functor categories. We will de ne Notice that a morphism of re exive graphs is nothing other than a natural transformation between graphs viewed as functors. Furthermore, what we called a \parametric" natural transformation above is an instance of the concept of modi cation (Kelly and Street, 1974).
(More precisely, the category S W is equivalent to the category having natural transformations between the graphs W and S (viewed as functors) as objects and modi cations as morphisms.) This gives some assurance of the appropriateness of the various conditions in the de nition S W , which uses simpli cations that depend on speci c structure in W and S.
Another perspective on our model can be given in terms of internal categories. As is well known, re exive graphs in CAT can be equivalently viewed as internal categories in a category of (large enough) re exive graphs. Parametric functors then correspond to internal functors between internal categories, and parametric natural transformations to internal natural transformations. We gave the \re exive graphs in CAT" presentation here because we felt that it might be (slightly) more accessible.
However, the internal category viewpoint perhaps shows more directly the connection to (Reynolds, 1981b;Oles, 1982): our semantics could be considered as essentially that of (Oles, 1982), but re-cast in a context where terms like \functor" must be understood as pertaining to categories that live in another category. This is the reason why the de nitions of currying, application, new, etc., for (the categorical presentation of) our model are just like those given by Oles. Of course, the interest in our model derives more from the semantics of types than of valuations. The uniformity conditions arising from relational parametricity give us stronger reasoning principles than in a standard functor-category framework.

When Parametricity Implies Naturality
We now undertake to explain the connection between the category-free and parametricfunctor presentations of our semantics, and also to uncover why an \uncurried" treatment of types is used in the category-free version.
First, we need a result from (Oles, 1982) about morphisms in the category W v of store shapes.

Lemma 8 (Expansion Factorization (Oles))
Every W v -morphism W ! X can be factored into an expansion followed by an isomorphism: Recall that the Isomorphism Functoriality Lemma played an important role in the categoryfree semantics. A condition analogous to it was not needed in the de nition of re exive graph because of the following result which, it should be noted, applies to any parametric functor (and not just de nable ones).

Lemma 9 (Isomorphism Correspondence)
For every parametric functor A, if ( ; ): W ! X is an isomorphism then the function A( ; ) and relation A(R) have the same graph, where R: W $ X is the relation having the same graph as ?1 .
Proof: Let f = ( ; If a 2 A(W) then the left-hand diagram implies that a A(R)]A(f)a, using the fact that A preserves diagonal relations and identity morphisms. Conversely, if a A(R)]b then the righthand diagram implies that A(f)a = b, and the graphs of A(f) and A(R) are therefore equal.
We are now in a position to give (su cient) conditions under which the naturality requirements are super uous.
Theorem 10 (Naturality) Suppose A: W ! S is a parametric functor and p {]: A({) ! h h i i({) is a family of functions satisfying the following parametricity condition: for all R: X 0 $ X 1 , ? h h i i(R) 6 : Then p is automatically natural: for all g: ? h h i i(g): Proof: Consider any g. By the Expansion Factorization Lemma it can be factored into a composite e ; i, where e: X ! X W is an expansion and i: X W ! Y is an isomorphism.
The result will follow if we can show commutativity of The commutativity of the bottom part follows immediately from the Isomorphism Correspondence Lemma and the parametricity property for p. We will show the commutativity of the top part for = comm; the other base types are treated similarly.
Consider any w 2 W. De ne R w : X $ X W by x R w ](x 0 ; w 0 ) i x = x 0 and w = w 0 .
Clearly we have X X X X W ? X 6 id X e ? R 6 . Thus, as A is a parametric functor, for any a 2 A(X) we have that a A(R w )]A(e)(a), and so, using the parametricity of p, we get p X] a x R w p X W](A(e)a) hx; wi for any x 2 X. From the de nition of R w , and of h hcommii on morphisms, this implies that h hcommii(e) (p X] a) hx;wi = p X W](A(e)a) hx; wi: As this argument works for any w 2 W, the commutativity of the top part of the diagram follows.
Note that the naturality constraints in h h~ ! i iX are also super uous by this result, taking A = h X h h~ ii.
We are nally in a position to see where the category-free semantics of types given earlier comes from. First, in a type~ ! we can do away with all naturality constraints, as these are implied by parametricity. Second, by the Expansion Factorization Lemma any W v -morphism factors into a \true expansion" followed by an isomorphism. Further, by the Isomorphism Correspondence Lemma the action of a procedure meaning on the isomorphism part of such a factor is completely determined by the action of parametric functors on relations. Thus, when de ning a procedure meaning p at store shape W we do not need to consider all W v -morphisms out of W, but only the \true expansions" of the form W ! W X. ( Proof: Let D denote the collection of p's satisfying parametricity. We will set up an isomorphism f: h h ii A W ?! D with inverse g. First we have f m X] = m W X]he; i, where e: W ! W X is the expansion. Conversely, if we have a map ( ; ): W ! Z then this factors into an expansion followed by an isomorphism W e ! W Y i ! Z. Then we set g p Z] h( ; ); ai = h h ii(i) (p Y ](A(i ?1 )a)), where i ?1 is the inverse of the iso i. (In this de nition of g, the factors e and i are not uniquely determined; however, it is easy to show, using parametricity on isomorphisms, that hh ii(i) ( where the second-last step uses naturality of m and the fact that i and i ?1 are inverse isos. Conversely, the de nitions of f and g give us f (g p) X] a = g p W X] h(e: W ! W X); ai = hh ii i (p X]a) and in the factorization of e (in the last step) we can take i as the identity (because e;id = e), so f (g p) X]a = p X]a.
Thus we see that the calculation of (the object part of) function types in the category-free semantics is isomorphic to what is obtained from exponentiation in the parametric-functor semantics. It is also not di cult to see that the relation parts of the two semantics are isomorphic, and that the expand maps correspond to the morphism parts of parametric functors. Furthermore, the semantics of -abstraction and application that were given are precisely those obtained (after suitable uncurrying) from the Cartesian closed structure of S W . The details of these aspects of the correspondence should be abundantly clear to a reader who has followed so far, and are su ciently routine to warrant omission.
There is one nal matter that we must clear up. We have thus far steadfastly adhered to an \uncurried" presentation of the semantics of types, whereas in the ccc S W this is of course not necessary. The uncurried presentation is needed, however, for the category-free semantics to work properly. The reason is that parametricity does not imply naturality in general, but only for parametric functors of a speci c form. It will be simpler if we discuss this relationship between parametricity and naturality rst in the context of the category-free semantics, and then translate to the categorical one.  ? hhcomm ! commi ie fails, for e an expansion, using essentially the same counterexample as above. That is, for e 0 : X Y ! (X Y ) Z the state m X]( ) (X Y ) Z]h(e ; e 0 ); ci hhx;yi;zi will not necessarily be equal to the state m X Y ]( ) (X Y ) Z]he 0 ; ci hhx;yi;zi.
From this we see a curious property. While parametricity implies naturality for all families of maps in the correct position to qualify as a transformation from h hcommii to h hcommii, the analogous property does not hold for maps from 1 to h hcomm ! commi i. Thus, we see the reason for the uncurried presentation of types that we gave in the category-free semantics: the property that relational parametricity implies naturality is not stable under currying and uncurrying isomorphisms.
At this point it is worth mentioning that these observations are not at all at odds with the result of (Plotkin and Abadi, 1993) that relational parametricity implies (di)naturality. This result applies under assumptions that are not met here. (For instance, in (Plotkin and Abadi, 1993) the source and target categories are the same, while here the source W v is di erent from the target S v .)

The PER Model
In presenting a model based on partial equivalence relations we are taking the opposite tack to the one taken with the relational model. We begin with a presentation based on functors and natural transformations, and work our way back towards a functor-free description.
Once the decision has been made to re-cast the ideas of (Reynolds, 1981b;Oles, 1982) in a realizability setting, the de nition of the model falls out almost immediately. We work with a category of \realizable" functors PER , where PER is the usual category of partial equivalence relations and is a suitable version of Oles's category of store shapes. As most of the de nitions are essentially as in (Oles, 1982), we will move fairly quickly over the material in this section. The point of the development is to show how this simple re-casting of the Reynolds{Oles ideas gives us good uniformity conditions for reasoning about local variables.
We will be working with categories equipped with a notion of realizability. These structures can be viewed elegantly as internal categories in the e ective topos, or in the category of !-sets (see (Hyland, 1988;Hyland et al., 1989;Longo and Moggi, 1991)). To simplify the presentation we will keep internal-category aspects of the model in the background (though this viewpoint certainly guides the de nitions).
We use m n to denote Kleene application on !, the natural numbers (i.e., the application of the m'th partial recursive function to n). h{; {i is a recursive bijection from ! ! to !, and fst and snd are numbers such that fst hm; ni = m and snd hm; ni = n. We let pid denote a code for the identity function on !, and pcomp a realizer for composition in diagrammatic order, so pcomp m n a = n (m a). ( Again we will ignore recursion in this semantics. It could be incorporated using one of the PER categories that possess domain-theoretic structure (Amadio, 1989;Freyd et al., 1990;Phoa, 1990).

Store Shapes
Oles's construction of the category of store shapes can be carried out starting from any category C with nite products, by expressing the equational constraints on morphisms as commutative diagrams. The resulting category (C) is as follows. (The proof that this is indeed a category follows routinely as in (Oles, 1982).) Objects. The objects are those of C.
Morphisms. A (C)-morphism from W to X is a pair of maps : X ! W and : W X ! X in C such that the following three diagrams commute: X X -?
Identities. The identity on X is (id X ; fst), where fst is the rst projection.
Composition. If ; : X ! Y and 0 ; 0 : Y ! Z, their composite is 00 ; 00 where 00 = 0 ; and 00 is h((id 0 ) ; ); sndi ; 0 : (Here h ; i is the pairing associated with the Cartesian structure in C, not the recursive pairing bijection on !.) For example, (C) is Oles's category of store shapes for a suitable small cartesian subcategory C of the category of sets. More interestingly (as pointed out by A. Pitts), the category W e of relations between store shapes from Section 7 is also a category of the form (C), for C a suitable (small) subcategory of the category S e of binary relations and relation-preserving pairs of functions. This is further justi cation for the de nition of related W v -morphisms.
We are going to work with (PER) as our category of store shapes; in this section, we simply call this . As with PER, there will be no realizability relation for objects.
For morphisms, if ( ; ): W ! X in then hm; ni j = ( ; ) i m j = : X ! W and n j = : W X ! W as PER maps. Note that here hm; ni is not a pair, but a number produced by the pairing bijection. We again use the notation jmj: X ! Y for a morphism in realized by m. (The ambiguity in the notations j = and j j, which are used both for PER and , is always resolved by the context.) The expansion maps X ! X V are realized by expand = hfst; overwritei where overwrite hx 0 ; hx; vii = hx 0 ; vi: We will often rely on equations such as the one for overwrite to de ne a realizer implicitly. This will be more readable than using and projections everywhere, as in overwrite = y. hsnd y; snd (fst y)i : The identity on a -object X is given by the realizer wid = hpid; fst i. For composition, suppose jhf; gij: X ! Y and jhf 0 ; g 0 ij: Y ! Z. A realizer hr; qi for their composite is as follows: r is pcomp f 0 f, and q hz; xi = g 0 hz; g hf 0 z; xii From this de nition it is clear that there is a number wcomp such that wcomp h i realizes the composite jhj ; jij in . Notice that expansions, composition and identities are given uniformly, by a single realizer for each.

Realizable Functors and Natural Transformations
A functor F from to PER is realizable i there is a number n such that 8h 2 Mor( ) 8m.if m j = h then n m j = F(h).
We say that n realizes F. There is no condition on how F acts on objects. As F is a functor it preserves identities and composites. Notice, however, that the explicitly-speci ed realizers for identities and composites need not be preserved. For example, m wid = pid need not hold; m wid must simply be a realizer for the identity on F(A), for each PER A. Suppose F and G are realizable functors from to PER. A natural transformation : F : ! G is realizable i for some n, 8X 2 Ob( ).n j = X.
For a natural transformation to be realizable all of its components must be given by the same code. Realizable natural transformations compose in the usual componentwise (vertical) fashion. We let PER denote this category of realizable functors and realizable natural transformations.
Proof: and PER, together with their notions of realizability, can be viewed as internal categories in the category of !-sets, or the ::-separated presheaves in the e ective topos.
As such a category, PER is \complete" and Cartesian closed (see (Robinson, 1989) for a discussion of various notions of completeness). By the result of (Freyd et al., 1992b)  These de nitions of types are almost exactly as in (Oles, 1982). The semantics of terms is also essentially similar. We illustrate by de ning the semantics of new. First we de ne the standard local variable locvar.
We need a realizer acc for the acceptor part of a local variable. It is given by acc n hs; mi = hs; ni The number hs; mi is thought of as a state, where s is the non-local part of the stack.
The expression part of a local variable should map hs; mi to m, so it is simply snd. We then de ne locvar = hacc; snd i: Notice that locvar 2 dom( var] ]X Y ), for any -objects X and Y . The standard local variable is \uniformly given" for all worlds.
For new , we need a realizable natural transformation var ] ! comm] ] .
Its realizer new is as follows: new p s = fst (p hexpand; locvari hs; i) Once again, is a standard initial value for variables of type . We could, of course, do away with this standard value by accepting the initialization as an argument to a new block. Then the realizer for new would be independent of altogether.

Naturality and the Groupoid Interpretation
Our aim is to obtain results analogous to the Naturality Theorem and Representation Theorem, but using uniform realizability in PERs in place of Reynolds parametricity. This will be done in the context of the groupoid interpretation of polymorphism from (Freyd et al., 1992b;Phoa, 1991).
In the usual Moggi-Hyland interpretation of polymorphism, a type with, say, one free type variable is interpreted as (internally) a function F: Ob(C) ! Ob(C) where C is an internal category and the 8 quanti er is interpreted as an internal product. In the case that C is PER, the product 8F is the intersection T X2Ob(PER) F(X). The groupoid interpretation modi es this by interpreting a type as a functor F: C iso ! C, where C is the groupoid of isomorphisms in C. Then 8F is taken to be a limit of the functor F. In the case of PER, the groupoid interpretation of 8F can be calculated as follows: m 8F]n i m T X F(X)]n and (f i m) F(Y )](f j n) whenever jij = jjj: X ! Y is an isomorphism and f is a realizer for F.
We will continue to work externally. One point that should be noted, however, is that by PER iso we actually mean the category of isomorphism pairs from PER. This is needed to allow e ective computation of inverses.

Lemma 13 (Expansion Factorization for PER)
Every -morphism ( ; ): W ! X can be factored into an expansion followed by an isomorphism W e ! W Y i ! X. Furthermore, Y can always be taken to be a super-per of X, and realizers for i and its inverse can be e ectively calculated from a realizer for ( ; ).
Proof: Suppose jhf; gij: W ! X. De ne the PER Y by y 1 Y ]y 2 i w 1 W]w 2 implies (g hw 1 ; y 1 i) X](g hw 2 ; y 2 i) Notice that X is a sub-per of Y . The isomorphism i is coded by hf 0 ; g 0 i where f 0 = x. hf x; xi g 0 = pcomp g fst Clearly, f 0 and g 0 are obtained e ectively from f and g and the inverse of jhf 0 ; g 0 ij is hg; pcomp f 0 fsti That these maps have the required properties can be shown straightforwardly using the de nition of Y and the diagrammatic conditions on maps in .
We can then show that, for transformations into a base type, naturality on all maps is assured if we assume naturality with respect to isomorphisms only. We will give the proof for = comm.
Consider any x 2 dom(X), and let R x be the PER with domain fxg. Then jexpandj: W ! W R x is an isomorphism in , and the assumption of naturality on isomorphisms implies that (n (h expand a 1 ) hw 1 ; xi) W R x ]h(n a 2 w 2 ); xi when a 1 A(X)]a 2 and w 1 W]w 2 , where h is a realizer for A. If the PER X is non-empty, we have R x X and, since expand also realizes the expansion W ! W X, (n (p expand a 1 ) hw 1 ; xi) W X]h(n a 2 w 2 ); xi as required. If X is the empty PER, then commutativity is assured trivially.
We are now ready to relate suitably uncurried function types to the groupoid interpretation of polymorphism. First, note that there is an obvious embedding functor E: PER iso ! . It is the identity on objects, and on morphisms takes an isomorphism pair jhi; jij: X ! W in PER iso to the map jhj; (pcomp fst i)ij. The requirement that a morphism in PER iso consist of both an isomorphism and its inverse is important here for the functor E to be realizable.
Composing with E then takes a functor ! PER to PER iso ! PER.
For F: PER iso ! PER and X a PER, let F(X {) be the (realizable) functor that takes Y to F(X Y ) and an isomorphism i to F(X i). Recall from Lemma 13 that, given a realizer r for a map W ! X in , we can e ectively calculate a realizer r i for i in the factorization W e ! W Y i ! X together with a realizer r ?1 i for its inverse iso. (Recall also from the proof of 13 that the calculation of r i and r ?1 i is independent of W, X, and Y .) The isomorphism that we want is realized by j such that j m hr; ai = h r i ? m hexpand; (h A r ?1 i a)i Lemma 13 and Theorem 14 can then be used to show that j codes a well-de ned map and that it is an isomorphism whose inverse is realized by k where k p a = p hexpand; ai.
Using known facts about PER models ( (Hyland et al., 1989;Freyd et al., 1992a)) we immediately obtain that, for example, comm ! comm] ]1 is isomorphic to the PER N that relates each natural number to itself.
We do not know if this theorem goes through for the Moggi-Hyland interpretation of polymorphism with PERs. It does whenever A is a product of Algol base types, but what happens at higher-order Algol-de nable types is not clear to us. If we try to generalize the result by allowing ] ] to be an arbitrary realizable functor then we run into the same problem as in the relational model. Speci cally, if m n hhf; gi; ci s = g hf s; c si then jmj: 1({) ! comm ! comm] ]({) is natural on isomorphisms, but not on all maps.
It is interesting to compare this to the result of (Freyd et al., 1992a)

Conclusion
In this work we have argued that the phenomenon of local state is intimately linked to Strachey's notion of parametric polymorphism, and we have shown that reasoning about local variables often amounts to proving properties of polymorphic functions. The straightforward treatment of a number of test examples, and representations of rst-order types obtained from parametricity, lend a measure of support to our position. However, as is the case with models of polymorphism, little is known about the semantics at higher types, and we do not know if full abstraction can be achieved using our methods.
No previous model of local variables correctly handles all of the test equivalences that we have demonstrated here. However,  (building on the earlier paper (Meyer and Sieber, 1988)) has recently constructed a model which also treats all of them correctly. Sieber's model is similar in many respects to our relational-parametricity model: it also is based on functors and logical relations; however, the exact connection between the models is not clear to us. Firstly, Sieber's approach is tightly tied to locations. Our approach can also be applied with a location-oriented semantics (as we did in the preliminary version (O'Hearn and Tennent, 1993a)), but a location-free semantics is much cleaner, as predicted in (Reynolds, 1981b). A more substantive di erence has to do with identity relations. Sieber allows for non-identity relations on the set of natural numbers; this ties up with the treatment of sequentiality in (Sieber, 1992). And there is also some question concerning the respective roles of identities in treating function types.
Our identi cation of parametricity as the central notion connected to locality provides, in our opinion, a sounder conceptual basis for explaining why and how this form of uniformity arises in local-variable semantics. In the Sieber and Meyer-Sieber work, logical relations appear primarily as an ad hoc method of cutting down a model. The fact that many of the subtleties in local-variable semantics involve the form of data abstraction that can be achieved with procedures and local variables gives a fairly coherent explanation as to why parametricity and logical relations should be relevant. And, as we have seen, reasoning about local variables often amounts to proving properties of polymorphic functions. The PER model serves to further underscore our position.
But, independently of this, we would like to acknowledge the in uence of (Meyer and Sieber, 1988) on this work. For one, contemplation of their equivalences|which incidentally are primarily responsible for a wider understanding of the subtleties involved in local-variable semantics|played a part in leading us to propose parametricity as a central theme. For another, their use of functors and logical relations certainly had an in uence, albeit indirectly, on our development of the relational-parametricity model. Honsell, Smith, Mason and Talcott (1993) have developed a logic for reasoning about state based on operational, rather than denotational, semantics; see also the earlier paper (Mason and Talcott, 1992). Once again, we feel that the conceptual principles underlying their formal rules for reasoning about local state are not as clear as, and lack the coherence of, our parametricity{locality connection. Their logic appears to be quite powerful, however, and many of the subtle local-variable equivalences can be proven in the logic. It would be interesting to see if a suitable representation-independence property for local state could be derived in their logic, or if such a property could be formulated in a way that could be added to their reasoning framework.
We have used the framework of re exive graphs mainly to examine the speci c structure of our model, but it may have more general interest. Re exive graphs could conceivably be of use in studying the connection between relational parametricity and naturality in a more general context, or in clarifying the mathematical signi cance of using diagonal relations as \identities." It may be that our Cartesian closure result can be considered as an instance of a re exive-graph version of the usual result that the functor category C X is Cartesian closed whenever C is Cartesian closed and complete (the results of (Freyd et al., 1992b) could be relevant here). Similar kinds of structure have been used by Pitts (1993) in his study of relations and recursive domain equations, and by Pitts and Stark (19931, 1993b) in their study of dynamic allocation. Dynamic allocation poses challenging problems beyond those considered here, where we have considered variable declarations that obey a stack discipline.
(Some examples from (Pitts and Stark, 1993b) suggest that parametricity, by itself, might not be su cient for understanding dynamic allocation.) The problem of single threading is deserving of further attention. It is interesting that most work on the semantics of state, including that of the authors, has concentrated on local variables. In our opinion, the single-threaded nature of state is at least as fundamental an issue as the nature of local variables. In this paper, the main aim was to examine the phenomenon of locality, and we feel that it is reasonable to study this in isolation from single threading. However, ideally a semantics of state should exclude the kind of state backtracking found in the block expression.
(A. Meyer has pointed out that the \single threading" terminology can be misleading. The issue does not concern single versus multiple threads of execution, but rather \backtracking within a single thread." Since the term \single threading" is now used extensively in the functional programming community, we continue to use it here to avoid needless terminological di erences. The reader should be warned, however, of the possible confusion that may arise if one thinks of the more common programming usage of the term \thread.") A simple equivalence which illustrates the problem is the following: if x = 0 then f(0) else 1 if x = 0 then f(x) else 1: This equivalence fails in our model because of the phenomenon of temporary side e ects; an f that distinguishes these terms is y: exp int].do int x := 3 result y.
This particular equivalence is given only to illustrate the problem, and is not itself a serious challenge for semantics: we have known for some time how this and similar examples of temporary side-e ect can be eliminated. One method is to use the state-set restrictions of (Tennent, 1990). Another, which is somewhat less \intensional," is to interpret a function type for expressions so that the state argument appears only at the outermost level; i.e., we would de ne exp ] ! exp 0 ]] ]W = W ! ( ]] ! 0 ]]) (this is as in (Goerdt, 1985)). But these must be regarded as limited partial solutions. What we do not have is a general semantic explanation of single threading that encompasses such special cases.
The rst thing that comes to mind when considering single threading is to try and apply ideas from linear logic; however, naive attempts we have made along these lines have failed. One di culty is that linearity captures only one aspect of state: that a state change destroys the old state. It does not capture the intuition that there may be multiple readers of a variable in a context where the variable is not assigned to. A more serious di culty is that an Algol program is single-threaded only in the state, not in phrase types, and it is not obvious how to reconcile this with the interpretation of procedure types. A more sophisticated use of linear logic, which involves non-trivial extensions to the basic framework, appears in preliminary work of Reddy (1993) . This model does appear to account for single-threading to some extent; it will be interesting to see precisely how complete the account is. Reddy's semantics also handles local variables well.
One of the problems we faced in this work was that parametricity is a concept whose rigourous formulation is still undergoing development, e.g. (Wadler, 1989;Ma and Reynolds, 1992;Freyd et al., 1992b;Plotkin and Abadi, 1993). We illustrated our ideas with two of the more appealing approaches, those based on PERs and logical relations, but it may be expected that our understanding of locality will improve with that of parametricity (or possibly vice versa).
An interesting possibility might be to bypass models altogether by examining a syntactic translation from (a recursion-free dialect of) Algol into the polymorphic -calculus. Such a translation is implicit in, or can easily be obtained from, the category-free presentation of our semantics (consider especially the PER model). One could ask which Poly-theory is generated by this translation, where we equate all Poly-terms that are the translations of observationally equivalent Algol terms (and close up under the equational rules of the polymorphic calculus). A related question is whether there is a Poly-theory for which this translation is fully abstract (in that equivalence is preserved and re ected); we conjecture that the maximum consistent Poly-theory of Moggi and Statman (Moggi, 1988) is one such example. One can also ask whether there is a unique such theory.
We do not know if there is there is any di erence between the equational theories generated by our PER and relational-parametricity models; this is of course related to outstanding questions about the PER model of the polymorphic -calculus. Nevertheless, there are advantages to each model.
In the case of PERs the model construction is smoother in some respects that the relational one: it is simply a re-casting of the ideas of (Reynolds, 1981b;Oles, 1982) in a realizability setting. Once the decision is made to work with PERs it is quite obvious how to proceed. We work with a category of \realizable" functors PER for a suitable version of Oles's category of store shapes. Certain properties, like Cartesian closure, are then immediate from known results (Freyd et al., 1992b). In contrast, a proper categorical understanding of the relational model required considerably more work, the framework itself (of re exive graphs) not being a priori obvious.
On the other hand, the PER model can be criticized for its reliance on an underlying model of the untyped -calculus; after all, there is nothing impredicative about Algol! In this respect, the relational model, which is completely predicative, is more satisfactory. Furthermore, the relational model provides a very direct codi cation of common informal techniques for reasoning about data abstraction in imperative languages.
Of course, the corresponding advantage of the PER-based model is that it extends to an interpretation of a polymorphic variant of Algol. A direction for future work would be to give a model for such a language in which data abstraction using local variables is combined with that obtained from user-de ned types. The design and semantics of such a language is not as straightforward as it may seem. There are subtleties in interpreting polymorphic conditionals, due to the state dependence of the boolean type; this is related to problems discussed in (Tennent, 1989). We expect that quanti ers would have to range over appropriate state-dependent objects. Also, as mentioned in (Reynolds, 1983), close attention should be paid to the distinction between data types and phrase types. For example, the assignment operation should be thought of as a parametric polymorphic function, for polymorphism over data types, while, e.g., a xed-point operator should be parametrically polymorphic over phrase types.
Addendum, January, 1995. Since the work described in the body of this paper was done, there have been several developments. First, Robinson and Rosolini (1994) have given an elegant construction of parametric models of second-order -calculus utilizing re exive graphs in the setting of internal-category models of polymorphism. Second, Sieber (1994) has used his methods to give a full abstraction result for closed terms of up to second-order type, in a language containing a snapback combinator. Third, Reddy's development has matured considerably, and accounts to a very good (but not completely understood) degree for both locality and single threading, in the context of syntactic control of interference (Reddy, 1994;Reddy, 1995). Finally, this \object-based" approach of Reddy has been merged with functor categories (O'Hearn and Reddy, 1994) to produce a model of a language without snapback combinators that is fully abstract for closed terms of up to second-order type. This nal direction appears to have important connections with the parametricity viewpoint expressed here; the details await further development.