Domains for Higher-Order Games

Matthew Hague and Roland Meyer and Sebastian Muskalla

Royal Holloway University of London and TU Braunschweig and TU Braunschweig

Abstract: We study two-player inclusion games played over word-generating higher-order recursion schemes. While inclusion checks are known to capture verification problems, two-player games generalize this relationship to program synthesis. In such games, non-terminals of the grammar are controlled by opposing players. The goal of the existential player is to avoid producing a word that lies outside of a regular language of safe words.
We contribute a new domain that provides a representation of the winning region of such games. Our domain is based on (functions over) potentially infinite Boolean formulas with words as atomic propositions. We develop an abstract interpretation framework that we instantiate to abstract this domain into a domain where the propositions are replaced by states of a finite automaton. This second domain is therefore finite and we obtain, via standard fixed-point techniques, a direct algorithm for the analysis of two-player inclusion games. We show, via a second instantiation of the framework, that our finite domain can be optimized, leading to a (k+1)EXP algorithm for order-k recursion schemes. We give a matching lower bound, showing that our approach is optimal. Since our approach is based on standard Kleene iteration, existing techniques and tools for fixed-point computations can be applied.

1 Introduction

Inclusion checking has recently received considerable attention [55, 23, 1, 2, 37]. One of the reasons is a new verification loop, which invokes inclusion as a subroutine in an iterative fashion. The loop has been proposed by Podelski et al. for the safety verification of recursive programs [33], and then been generalized to parallel and parameterized programs [43, 21, 19] and to liveness [20]. The idea of Podelski’s loop is to iteratively approximate unsound data flow in the program of interest, and add the approximations to the specification. Consider a program with control-flow language CF that is supposed to satisfy a safety specification given by a regular language R. If the check CF⊆ R succeeds, then the program is correct as the data flow only restricts the set of computations. If a computation w∈ CF is found that lies outside R, then it depends on the data flow whether the program is correct. If data is handled correctly, w is a counterexample to R. Otherwise, w is generalized to a regular language S of infeasible computations. We set R = R ∪ S and repeat the procedure.

Podelski’s loop has also been generalized to synthesis [36, 45]. In that setting, the program is assumed to have two kinds of non-determinism. Some of the non-deterministic transitions are understood to be controlled by the environment. They provide inputs that the system has to react to, and are also referred to as demonic non-determinism. In contrast, the so-called angelic non-determinism are the alternatives of the system to react to an input. The synthesis problem is to devise a controller that resolves the angelic non-determinism in a way that a given safety specification is met. Technically, the synthesis problem corresponds to a two-player perfect information game, and the controller implements a winning strategy for the system player. When generalizing Podelski’s loop to the synthesis problem, the inclusion check thus amounts to solving a strategy-synthesis problem.

Our motivation is to synthesize functional programs with Podelski’s loop. We assume the program to be given as a non-deterministic higher-order recursion scheme where the non-terminals are assigned to two players. One player is the system player who tries to enforce the derivation of words that belong to a given regular language. The other player is the environment, trying to derive a word outside the language. The use of the corresponding strategy-synthesis algorithm in Podelski’s loop comes with three characteristics: (1) The algorithm is invoked iteratively, (2) the program is large and the specification is small, and (3) the specification is non-deterministic. The first point means that the strategy synthesis should not rely on costly precomputation. Moreover, it should have the chance to terminate early. The second says that the cost of the computation should depend on the size of the specification, not on the size of the program. Computations on the program, in particular iterative ones, should be avoided. Together with the third characteristic, these two consequences rule out reductions to reachability games. The required determinization would mean a costly precomputation, and the reduction to reachability would mean a product with the program. This discussion in particular forbids a reduction of the strategy-synthesis problem to higher-order model checking [47], which indeed can be achieved (see the full version [29] for a comparison to intersection types [42]). Instead, we need a strategy synthesis that can directly deal with non-deterministic specifications.

We show that the winning region of a higher-order inclusion game w.r.t. a non-deterministic right-hand side can be computed with a standard fixed-point iteration. Our contribution is a domain suitable for this computation. The key idea is to use Boolean formulas whose atomic propositions are the states of the targeted finite automaton. While a formula-based domain has recently been proposed for context-free inclusion games [36] (and generalized to infinite words [45]), the generalization to higher-order is new. Consider a non-terminal that is ground and for which we have computed a formula. The Boolean structure reflects the alternation among the players in the plays that start from this non-terminal. The words generated along the plays are abstracted to sets of states from which these words can be accepted. Determining the winner of the game is done by evaluating the formula when sets of states containing the initial state are assigned the value true. To our surprise, the above domain did not give the optimal complexity. Instead, it was possible to further optimize it by resolving the determinization information. Intuitively, the existential player can also resolve the non-determinism captured by a set. Crucially, our approach handles the non-determinism of the specification inside the analysis, without preprocessing.

Besides offering the characteristics that are needed for Podelski’s loop, our development also contributes to the research program of effective denotational semantics, as recently proposed by Salvati and Walukiewicz [53] as well as Grellois and Melliès [25, 25], with [5, 50] being early works in this field. The idea is to solve verification problems by computing the semantics of a program in a suitable domain. Salvati and Walukiewicz studied the expressiveness of greatest fixed-point semantics and their correspondence to automata [53], and constructions of enriched Scott models for parity conditions [52, 51]. A similar line of investigation has been followed in recent work by Grellois and Melliès [26, 27]. Hofmann and Chen considered the verification of more restricted ω-path properties with a focus on the domain [34]. They show that explicit automata constructions can be avoided and give a domain that directly captures subsets (so-called patches) of the ω-language. The work has been generalized to higher order [35]. Our contribution is related in that we focus on the domain (suitable for capturing plays).

Besides the domain, the correctness proof may be of interest. We employ an exact fixed-point transfer result as known from abstract interpretation. First, we give a semantic characterization showing that the winning region can be captured by an infinite model (a greatest fixed point). This domain has as elements (potentially infinite) sets of (finite) Boolean formulas. The formulas capture plays (up to a certain depth) and the atomic propositions are terminal words. The infinite set structure is to avoid infinite syntax. Then we employ the exact fixed-point transfer result to replace the terminals by states and get rid of the sets. The final step is another exact fixed-point transfer that justifies the optimization. We give a matching lower bound. The problem is (k+1)EXP-complete for order-k schemes.

Related Work.

The relationship between recursion schemes and extensions of pushdown automata has been well studied [16, 17, 38, 30]. This means algorithms for recursion schemes can be transferred to extensions of pushdown automata and vice versa. In the sequel, we will use pushdown automata to refer to pushdown automata and their family of extensions.

The decidability of Monadic Second Order Logic (MSO) over trees generated by recursion schemes was first settled in the restricted case of safe schemes by Knapik et al. [38] and independently by Caucal [14]. This result was generalized to all schemes by Ong [47]. Both of these results consider deterministic schemes only.

Related results have also been obtained in the consideration of games played over the configuration graphs of pushdown automata [54, 13, 39, 30]. Of particular interest are saturation methods for pushdown games [7, 22, 12, 8, 31, 32, 9]. In these works, automata representing sets of winning configurations are constructed using fixed-point computations.

A related approach pioneered by Kobayashi et al. operating directly on schemes is that of intersection types [41, 42], where types embedding a property automaton are assigned to terms of a scheme. Recently, saturation techniques were transferred to intersection types by Broadbent and Kobayashi [10]. The typing algorithm is then a least fixed-point computation analogous to an optimized version of our Kleene iteration, restricted to deterministic schemes. This has led to one of the most competitive model-checking tools for schemes [40].

One may reduce our language inclusion problems to many of the above works. E.g. from an inclusion game for schemes, we may build a game over an equivalent kind of pushdown automaton and take the product with a determinization of the NFA. This obtains a reachability game over a pushdown automaton that can be solved by any of the above methods. However, such constructions are undesirable for iterative invocations as in Podelski’s loop.

We already discussed the relationship to model-theoretic verification algorithms. Abstract interpretation has also been used by Ramsay [49], Salvati and Walukiewicz [52, 51], and Grellois and Melliès [25, 24] for verification. The former used a Galois connection between safety properties (concrete) and equivalence classes of intersection types (abstract) to recreate decidability results known in the literature. The latter two strands gives a semantics capable of computing properties expressed in MSO. Indeed, abstract interpretation has long been used for static analysis of higher-order programs [4].

2 Preliminaries

Complete Partial Orders.

Let (D, ≤) be a partial order with set D and (partial) ordering ≤ on D. We call (D, ≤) pointed if there is a greatest element, called the top element and denoted by ⊤ ∈ D. A descending chain in D is a sequence (d_i)_{i ∈ N} of elements in D with d_i ≥ d_i+1. We call (D, ≤) ω-complete if every descending chain has a greatest lower bound, called the meet or the infimum, and denoted by ⊓_{i ∈ N} d_i. If (D, ≤) is pointed and ω-complete, we call it a pointed ω-complete partial order (cppo). In the following, we will only consider partial orders that are cppos. Note, cppo is usually used to refer to the dual concept, i.e. partial orders with a least element and least upper bounds for ascending chains.

A function f : D → D is ⊓-continuous if for all descending chains (d_i)_{i ∈ N} we have f(⊓_{i ∈ N} d_i) = ⊓_{i ∈ N} f(d_i). We call a function f : D → D monotonic if for all d, d′ ∈ D, d ≤ d′ implies f(d) ≤ f(d′). Any function that is ⊓-continuous is also monotonic. For a monotonic function, ⊤ ≥ f(⊤) ≥ f² (⊤) = f(f(⊤)) ≥ f³ (⊤) ≥ … is a descending chain. If the function is ⊓-continuous, then ⊓_{i ∈ N} fⁱ (⊤) is by Kleene’s theorem the greatest fixed point of f, i.e. f(⊓_{i ∈ N} fⁱ (⊤)) = ⊓_{i ∈ N} fⁱ (⊤) and ⊓_{i ∈ N} fⁱ (⊤) is larger than any other element d with f(d) = d. We also say ⊓_{i ∈ N} fⁱ (⊤) is the greatest solution to the equation x = f(x).

A lattice satisfies the descending chain condition (DCC) if every descending chain has to be stationary at some point. In this case ⊓_{i ∈ N} fⁱ (⊤) = ⊓_{i = 0}^i₀ fⁱ (⊤) for some index i₀ in N. With this, we can compute the greatest fixed point: Starting with ⊤, we iteratively apply f until the result does not change. This process is called Kleene iteration. Note that finite cppos, i.e. with finitely many elements in D, trivially satisfy the descending chain condition.

Finite Automata.

A non-deterministic finite automaton (NFA) is a tuple A = (Q_NFA, Γ, δ, q₀, Q_f) where Q_NFA is a finite set of states, Γ is a finite alphabet, δ ⊆ Q_NFA × Γ × Q_NFA is a (non-deterministic) transition relation, q₀ ∈ Q_NFA is the initial state, and Q_f ⊆ Q_NFA is a set of final states. We write q –[a]→ q′ to denote (q, a, q′) ∈ δ. Moreover, given a word w = a₁⋯ a_ℓ, we write q –[w]→ q′ whenever there is a sequence of transitions, also called run, q₁ –[a₁]→ q₂ –[a₂]→ ⋯ –[a_ℓ]→ q_ℓ+1 with q₁ = q and q_ℓ+1 = q′. The run is accepting if q = q₀ and q′ ∈ Q_f. The language of A is L(A) = {w | q₀ –[w]→ q ∈ Q_f} .

3 Higher-Order Recursion Schemes

We introduce higher-order recursion schemes, schemes for short, following the presentation in [28]. Schemes can be understood as grammars generating the computation trees of programs in a functional language. As is common in functional languages, we need a typing discipline. To avoid confusion with type-based approaches to higher-order model checking [41, 48, 42], we refer to types as kinds. Kinds define the functionality of terms, without specifying the data domain. Technically, the only data domain is the ground kind o, from which (potentially higher-order) function kinds are derived by composition:

κ ::= o ∣ ( κ₁ → κ₂ ) .

We usually omit the brackets and assume that the arrow associates to the right. The number of arguments to a kind is called the arity. The order defines the functionality of the arguments: A first-order kind defines functions that act on values, a second-order kind functions that expect functions as parameters. Formally, we have

arity

⎛
⎝

⎞
⎠

= 0,

order

⎛
⎝

⎞
⎠

= 0,

arity

⎛
⎝

κ₁ → κ₂

⎞
⎠

= arity

⎛
⎝

κ₂

⎞
⎠

+1,

order

⎛
⎝

κ₁ → κ₂

⎞
⎠

= max(order

⎛
⎝

κ₁

⎞
⎠

+1, order

⎛
⎝

κ₂

⎞
⎠

) .

Let Κ be the set of all kinds. Higher-order recursion schemes assign kinds to symbols from different alphabets, namely non-terminals, terminals, and variables. Let Γ be a set of such kinded symbols. For each kind κ, we denote by Γ^κ the restriction of Γ to the symbols with kind κ. The terms T^κ(Γ) of kind κ over Γ are defined by simultaneous induction over all kinds. They form the smallest set satisfying

Γ^κ⊆ T^κ(Γ),
∪_κ₁ {t v | t ∈ T^{κ₁ → κ₂}(Γ), v ∈ T^κ₁ (Γ)} ⊆ T^κ₂ (Γ), and
{λ x.t | x∈ T^κ₁(Γ), t∈ T^κ₂(Γ)}⊆ T^{κ₁ → κ₂}(Γ).

If term t is of kind κ, we also write t ∶ κ. We use T(Γ) for the set of all terms over Γ. We say a term is λ-free if it contains no sub-term of the form λ x . t. A term is variable-closed if all occurring variables are bound by a preceding λ-expression.

Definition 1 A higher-order recursion scheme, (scheme for short), is a tuple G = (V, N, T, R, S), where V is a finite set of kinded symbols called variables, T is a finite set of kinded symbols called terminals, and N is a finite set of kinded symbols called non-terminals with S ∈ N the initial symbol. The sets V, T, and N are pairwise disjoint. The finite set R consists of rewriting rules of the form F = λ x₁ … λ x_n.e, where F ∈ N is a non-terminal of kind κ₁ → … κ_n → o, x₁, …, x_n ∈ V are variables of the required kinds, and e is a λ-free, variable-closed term of ground kind from T^o(T ⨃ N ⨃ { x₁ ∶ κ₁, …, x_n ∶ κ_n} ).

The semantics of G is defined by rewriting subterms according to the rules in R. A context is a term C[•] ∈ T (Γ ⨃ { • ∶ o }) in which • occurs exactly once. Given a context C[•] and a term t:o, we obtain C[t] by replacing the unique occurrence of • in C[•] by t. With this, t ⇒_G t′ if there is a context C[•], a rule F = λ x₁ … λ x_n.e, and a term F t₁ … t_n:o such that t = C[F t₁ … t_n] and t′ = C[e[x₁ ↦ t₁, …, x_n ↦ t_n]]. In other words, we replace one occurrence of F in t by a right-hand side of a rewriting rule, while properly instantiating the variables. We call such a replaceable F t₁ … t_n a reducible expression (redex). The rewriting step is outermost to innermost (OI) if there is no redex that contains the rewritten one as a proper subterm. The OI-language L(G) of G is the set of all (finite, ranked, labeled) trees T over the terminal symbols that can be created from the initial symbol S via OI-rewriting steps. We will restrict the rewriting relation to OI-rewritings in the rest of this paper. Note, all words derivable by IO-rewriting are also derivable with OI-rewriting.

Word-Generating Schemes.

We consider word-generating schemes, i.e. schemes with terminals T⨃ {$:o} where exactly one terminal symbol $ has kind o and all others are of kind o→ o. The generated trees have the shape a₁ (a₂ (⋯ (a_k $))), which we understand as the finite word a₁ a₂ … a_k ∈ T^*. We also see L(G) as a language of finite words.

Determinism.

The above schemes are non-deterministic in that several rules may rewrite a non-terminal. We associate with a non-deterministic scheme G=(V, N, T, R, S) a deterministic scheme G^det with exactly one rule per non-terminal. Intuitively, G^det makes the non-determinism explicit with new terminal symbols.

Formally, let F:κ be a non-terminal with rules F= t₁ to F= t_ℓ. We may assume each t_i = λ x₁ … λ x_k. e_i, where e_i is λ-free. We introduce a new terminal symbol op_F: o → o → … → o of arity ℓ. Let the set of all these terminals be T^det={op_F | F∈ N}. The set of rules R^det now consists of a single rule for each non-terminal, namely F= λ x₁ … λ x_k. op_F e₁ ⋯ e_ℓ. The original rules in R are removed. This yields G^det=(V, N, T⨃ T^det, R^det, S). The advantage of resolving the non-determinism explicitly is that we can give a semantics to non-deterministic choices that depends on the non-terminal instead of having to treat non-determinism uniformly.

Semantics.

Let G=(V, N, T, R, S) be a deterministic scheme. A model of G is a pair M=(D, I), where D is a family of domains (D(κ))_κ∈Κ that satisfies the following: D(o) is a cppo and D(κ₁→ κ₂)=Cont(D(κ₁), D(κ₂)). Here, Cont(A, B) is the set of all ⊓-continuous functions from domain A to B. We comment on this cppo in a moment. The interpretation I: T→ D assigns to each terminal s:κ an element I(s)∈D(κ).

The ordering on functions is defined component-wise, f ≤_{κ₁ → κ₂} g if (f x) ≤_κ₂ (g x) for all x∈D(κ₁). For each κ, we denote the top element of D(κ) by ⊤_κ. For the ground kind, ⊤_o exists since D(κ) is a cppo, and ⊤_{κ₁ → κ₂} is the function that maps every argument to ⊤_κ₂. The meet of a descending chain of functions (f_i)_{i ∈ N} is the function defined by (⊓_{κ₁ → κ₂} (f_i)_{i ∈ N}) x = ⊓_κ₂ (f_i x)_{i ∈ N}. Note that the sequence on the right-hand side is a descending chain. The semantics of terms defined by a model is a function

M〚−〛:T→ (N⨃ V↛ D)→D .

that assigns to each term built over the non-terminals and terminals again a function. This function expects a valuation ν:N⨃ V↛ D and returns an element from the domain. A valuation is a partial function that is defined on all non-terminals and the free variables. We lift ⊓ to descending chains of valuations with (⊓_{i ∈ N} ν_i)(y) = ⊓_{i ∈ N} (ν_i(y)) for y ∈ N ⨃ V. We obtain that the set of such valuations is a cppo where the greatest elements are those valuations which assign the greatest elements of the appropriate domain to all arguments.

Since the right-hand sides of the rules in the scheme are variable-closed, we do not need a variable valuation for them. We need the variable valuation, however, whenever we proceed by induction on the structure of terms. The semantics is defined by such an induction:

M〚s〛 ν	=	I(s)
M〚F〛 ν	=	ν(F)
M〚t₁ t₂〛 ν	=	(M〚t₁〛 ν) (M〚t₂〛 ν)
M〚x〛 ν	=	ν(x)
M〚λ x:κ.t₁〛 ν	=	d∈ D(κ) ↦ M〚t₁〛 ν[x↦ d] .

We show that M〚t〛 is ⊓-continuous for all terms t. This follows from continuity of the functions in the domain, but requires some care when handling application.

Proposition 1 For all t, M〚t〛 is ⊓-continuous (in ν) over the respective lattice.

Given M, the rules F₁=t₁,…, F_k=t_k of the (deterministic) scheme give a function

rhs_M : (N → D) → (N → D) , where rhs_M(ν)(F_j) = M〚t_j〛 ν .

Since the right-hand sides are variable-closed, the M〚t_j〛 are functions in the non-terminals. Provided M〚t₁〛 to M〚t_k〛 are ⊓-continuous (in the valuation of the non-terminals), the function rhs_M will be ⊓-continuous. This allows us to apply Kleene iteration as follows. The initial value is the greatest element σ_M⁰ where σ_M⁰(F_j) = ⊤_j with ⊤_j the top element of D(κ_j). The (i+1)^th approximant is computed by evaluating the right-hand side at the i^th solution, σ_Mⁱ⁺¹ = rhs_M(σ_Mⁱ). The greatest fixed point is the tuple σ_M defined below. It can be understood as the greatest solution to the equation ν = rhs_M(ν). We call this greatest solution σ_M the semantics of the scheme in the model.

σ_M = ⊓_i ∈ N σ_Mⁱ = ⊓_i ∈ N rhs_Mⁱ (σ_M⁰)

4 Higher-Order Inclusion Games

Our goal is to solve higher-order games, whose arena is defined by a scheme. We assume that the derivation process is controlled by two players. To this end, we divide the non-terminals of a word-generating scheme into those owned by the existential player ◇ and those owned by the universal player □. Whenever a non-terminal is to be replaced during the derivation, it is the owner who chooses which rule to apply. The winning condition is given by an automaton A, Player ◇ attempts to produce a word that is in L(A), while Player □ attempts to produce a word outside of L(A).

Definition 2 A higher-order game is a triple G = (G, A, O) where G is a word-generating scheme, A is an NFA, O : N → {◇, □} is a partitioning of the non-terminals of G.

A play of the game is a sequence of OI-rewriting steps. Since terms generate words, it is unambiguous which term forms the next redex to be rewritten. In particular, all terms are of the form a₁ ( a₂ ( ⋯ (a_k (t) ) ) ), where t is either $ or a redex F t₁ ⋯ t_m. If O(F) = ◇ then Player ◇ chooses a rule F = λ x₁ … λ x_m . e to apply, else Player □ chooses the rule. This moves the play to a₁ (a₂ (⋯ (a_k e[x₁ ↦ t₁, …, x_m ↦ t_m]))).

Each play begins at the initial non-terminal S, and continues either ad infinitum or until a term a₁ (a₂ (⋯ (a_k $))), understood as the word w=a₁… a_k, is produced. Infinite plays do not produce a word and are won by Player ◇. Finite maximal plays produce such a word w. Player ◇ wins whenever w ∈ L(A), Player □ wins if w ∈ L(A). Since the winning condition is Borel, either Player ◇ or Player □ has a winning strategy [44].

Problem 1 The Winner of a Higher-Order Game (HOG)
Input: A higher-order game G.
Question: Does Player ◇ win G? If so, effectively represent Player ◇’s strategy.

Our contribution is a fixed-point algorithm to decide HOG. We derive it in three steps. First, we develop a concrete model for higher-order games whose semantics captures the above winning condition. Second, we introduce a framework that for two models and a mapping between them guarantees that the mapping of the greatest fixed point with respect to the one model is the greatest fixed point with respect to the other model. Finally, we introduce an abstract model that uses a finite ground domain. The solution of HOG can be read off from the semantics in the abstract model, which in turn can be computed via Kleene iteration. Moreover, this semantics can be used to define Player ◇’s winning strategy. We instantiate the framework for the concrete and abstract model to prove the soundness of the algorithm.

Concrete Semantics

Consider a HOG instance G = (G, A, O). Let G^det be the determinized version of G. Our goal is to define a model M^C = (D^C, I^C) such that the semantics of G^det in this model allows us to decide HOG. Recall that we only have to define the ground domain. For composed kinds, we use the functional lifting discussed in Section 3.

Our idea is to associate to kind o the set of positive Boolean formulas where the atomic propositions are words in T^∗. To be able to reuse the definition, we define formula domains in more generality as follows.

Domains of Boolean Formulas

Given a (potentially infinite) set P of atomic propositions, the positive Boolean formulas PBool(P) over P are defined to contain true, every p from P, and compositions of formulas via conjunction and disjunction. We work up to logical equivalence, which means we treat φ₁ and φ₂ as equal as long as they are logically equivalent.

Unfortunately, if the set P is infinite, PBool(P) is not a cppo, because the meet of a descending chain of formulas might not be a finite formula. The idea of our domain is to have conjunctions of infinitely many formulas. As is common in logic, we represent them as infinite sets. Therefore, we consider the set of all sets of (finite) positive Boolean formulas P(PBool(T^*))∖{∅} factorized modulo logical equivalence, denoted (P(PBool(T^*))∖{∅}) /_⇔. To be precise, the sets may be finite or infinite, but they must be non-empty.

To define the factorization, let an assignment to the atomic propositions be given by a subset of P′ ⊆ P. The atomic proposition p is true if p ∈ P′. An assignment satisfies a Boolean formula, if the formula evaluates to true in that assignment. It satisfies a set of Boolean formulas, if it satisfies all elements. Given two sets of formulas Φ₁ and Φ₂, we write Φ₁⇒ Φ₂, if every assignment that satisfies Φ₁ also satisfies Φ₂. Two sets of formulas are equivalent, denoted Φ₁⇔ Φ₂, if Φ₁⇒ Φ₂ and Φ₂⇒ Φ₁ holds. The ordering on these factorized sets is implication (which by transitivity is independent of the representative). The top element is the set {true}, which is implied by every set. The conjunction of two sets is union. Note that it forms the meet in the partial order, and moreover note that meets over arbitrary sets exist, in particular the domain is a cppo. We will also need an operation of disjunction, which is defined by Φ₁∨ Φ₂ = {φ₁∨ φ₂ | φ₁∈ Φ₁, φ₂∈ Φ₂}. We will also use disjunctions of higher (but finite) arity where convenient. Note that the disjunction on finite formulas is guaranteed to result in a finite formula. Therefore, the above is well-defined.

In our case, the assignment P′ ⊆ T^* of interest is the language of the automaton A. Player ◇ will win the game iff the concrete semantics assigns a set of formulas to S that is satisfied by L(A).

The Concrete Domains and Interpretation of Terminals.

From a ground domain, higher-order domains are defined as continuous functions as in Section 3. Thus we only need

D^C(o) =

⎛
⎜
⎝

P(PBool

⎛
⎝

T^*

⎞
⎠

)∖

⎧
⎨
⎩

∅

⎫
⎬
⎭

⎞
⎟
⎠

/_⇔ .

The endmarker $ yields the set of formulas {ε}, i.e. I^C($)={ε}. A terminal a:o→ o prepends a to a given word w. That is I^C(a) = prepend_a, where prepend_a distributes over conjunction and disjunction:

prepend_a(φ) =

⎧
⎪
⎪
⎨
⎪
⎪
⎩

φ = w ,

prepend_a(φ₁) op prepend_a(φ₂)

φ = φ₁opφ₂ and op∈

⎧
⎨
⎩

∧,∨

⎫
⎬
⎭

φ = true .

We apply prepend_a to sets of formulas by applying it to every element. Finally, I^C(op_F) where op_F has arity ℓ is an ℓ-ary conjunction (resp. disjunction) if Player □ (resp. ◇) owns F.

For M^C = (D^C, I^C) to be a model, we need our interpretation of terminals to be ⊓-continuous. This follows largely by the distributivity of our definitions.

Lemma 1 For all non-ground terminals s, I^C(s) is ⊓-continuous.

Example 1 Consider the higher-order game defined by the scheme S=H a $ | b $ and H=λ f.λ x.f (f x) | λ f.λ x.H (H f) x. Assume S is owned by Player ◇ and H is owned by Player □. Let the automaton accept the language {b}. Player ◇ can choose to rewrite S to b $ and therefore has a strategy to produce a word in the language. To derive this information from the concrete semantics, we compute σ_M^C(H). It is the function mapping f∈ Cont(D^C(o), D^C(o)) and d∈ D^C(o) to ∪_k>0f^2k(d). Note that the union is the conjunction of sets of formulas, which is the interpretation of op_H for the universal player. Moreover, note that due to non-determinism we obtain all even numbers of applications of f, not only the powers of 2. With this, the semantics of the initial symbol is

σ_M^C(S) =

∪

k>0

prepend_a^2k(

⎧
⎨
⎩

⎫
⎬
⎭

) ∨ prepend_b(

⎧
⎨
⎩

⎫
⎬
⎭

⎧
⎨
⎩

a^2k∨ b | k>0

⎫
⎬
⎭

The assignment {b} given by the language of the NFA satisfies {a^2k∨ b | k>0}. Indeed, since b evaluates to true, every formula in the set evaluates to true.

Correctness of Semantics and Winning Strategies.

We need to show that the concrete semantics matches the original semantics of the game.

Theorem 1 σ_M^C(S) is satisfied by L(A) iff there is a winning strategy for Player ◇.

When σ_M^C(S) is satisfied by L(A) the concrete semantics gives a winning strategy for ◇: From a term t such that M^C〚t〛 σ_M^C is satisfied by L(A), Player ◇, when able to choose, picks a rewrite rule that transforms t to t′, where M^C〚t′〛 σ_M^C remains satisfied. The proof of Theorem 1 shows this is always possible, and, moreover, Player □ is unable to reach a term for which satisfaction does not hold. This does not yet give an effective strategy since we cannot compute M^C〚t〛 σ_M^C. However, the abstract semantics will be computable, and can be used in place of the concrete semantics by Player ◇ to implement the winning strategy.

The proof that σ_M^C(S) being unsatisfied implies a winning strategy for Player □ is more involved and requires the definition of a correctness relation between semantics and terms that is lifted to the level of functions, and shown to hold inductively.

5 Framework for Exact Fixed-Point Transfer

The concrete model M^C does not lead to an algorithm for solving HOG since its domains are infinite. Here, we consider an abstract model M^A with finite domains. The soundness of the resulting Kleene iteration relies on the two semantics being related by a precise abstraction α. Since both semantics are defined by fixed points, this requires us to prove α (σ_M^C) = σ_M^A. In this section, we provide a general framework to this end.

Consider the deterministic scheme G together with two models (left and right) M_l = (D_l, I_l) and M_r = (D_r, I_r). Our goal is to relate the semantics in these models in the sense that σ_{M_r}=α(σ_{M_l}). Such exact fixed-point transfer results are well-known in abstract interpretation. To generalize them to higher-order we give easy to instantiate conditions on α, M_l, and M_r that yield the above equality. Interestingly, exact fixed-point transfer results seem to be rare for higher-order (e.g. [48]). Our development is inspired by Abramsky’s lifting of abstraction functions to logical relations [3], which generalizes [11, 4]. These works focus on approximation and the compatibility we need for exactness is missing. Our framework is easier to apply than [15, 6], which are again concerned with approximation and do not offer (but may lead to) exact fixed-point transfer results.

For the terminology, an abstraction is a function α:D_l(o)→ D_r(o). To lift the abstraction to function domains, we define the notion of being compatible with α. Compatibility intuitively states that the function on the concrete domain is not more precise than what the abstraction function distinguishes. This allows us to define the abstraction of a function by applying the function and abstracting the result, α(f) α(v_l)=α(f v_l). Compatibility ensures the independence of the choice of v_l.

By definition, all ground elements v_l∈D_l(o) are compatible with α. For function domains, compatibility and the abstraction are defined as follows.

Definition 3 Assume α and the notion of compatibility are defined on D_l(κ₁) and D_l(κ₂). Let ⊤_κ^l (resp. ⊤_κ^r) be the greatest element of D_l(κ) (resp. D_r(κ)) for each κ.

Function f∈ D_l(κ₁→ κ₂) is compatible with α, if
1. for all compatible v_l, v_l′∈ D_l(κ₁) with α(v_l)=α(v_l′) we have α(f v_l)=α(f v_l′), and
2. for all compatible v_l ∈ D_l(κ₁) we have that f v_l is compatible.
We define α(f) ∈ D_r(κ₁→ κ₂) as follows.
1. If f is compatible, we set α(f) v_r= α(f v_l), provided there is a compatible v_l∈ D_l(κ₁) with v_r=α(v_l), and α(f) v_r=⊤_κ₂^r otherwise.
2. If f is not compatible, α(f)=⊤_{κ₁→ κ₂}^r.

We lift α to valuations ν : N ⨃ V ↛ D_l by α(ν)(F) = α(ν(F)) and similar for x. We also lift compatibility to valuations ν:N⨃ V↛ D_l by requiring ν(F) to be compatible for all F∈ N and similar for x∈ V.

The conditions needed for the exact fixed-point transfer are the following.

Definition 4 Function α is precise for M_l and M_r, if

(P1) α(D_l(o))=D_r(o),
(P2) α:D_l(o)→ D_r(o) is ⊓-continuous,
(P3) α(⊤_o^l)=⊤_o^r,
(P4) α(I_l(s))= I_r(s) for all terminals s∶o, and similarly α(I_l(s) v_l)= I_r(s) α(v_l) for all terminals s:κ₁ → κ₂ and all compatible v_l∈D_l(κ₁),
(P5) I_l(s) v_l is compatible for all terminals s:κ₁ → κ₂, and all compatible v_l∈D_l(κ₁).

(P1) is surjectivity of α. (P2) states that α is well-behaved wrt. ⊓. (P3) says that the greatest element is mapped as expected. Note that (P1)-(P3) are only posed for the ground domain. One can prove that they generalize to function domains by the definition of function abstraction. (P4) is that the interpretations of terminals in M^C and M^A are suitably related. Finally (P5) is compatibility. (P4) and (P5) are generalized to terms in Lemma 2.

To prove α(σ_{M_l})=σ_{M_r}, we need that rhs_{M_r} is an exact abstract transformer of rhs_{M_l}. The following lemma states this for all terms t, in particular those that occur in the equations. The generalization to product domains is immediate. Note that the result is limited to compatible valuations, but this will be sufficient for our purposes. The proof proceeds by induction on the structure of terms, while simultaneously proving M_l〚t〛 compatible with α. With this result, we obtain the required exact fixed-point transfer for precise abstractions.

Lemma 2 Assume (P1), (P4), and (P5) hold. For all terms t and all compatible ν, we have M_l〚t〛 ν compatible and α(M_l〚t〛 ν)=M_r〚t〛 α(ν).

Theorem 2 (Exact Fixed-Point Transfer) Let G be a scheme with models M_l and M_r. Let σ_l and σ_r be the corresponding semantics. If α: D_l → D_r is precise, we have σ_r=α(σ_l).

6 Domains for Higher-Order Games

We propose two domains, abstract and optimized, that allow us to solve HOG. The computation is a standard fixed-point iteration, and, in the optimized domain, this iteration has optimal complexity. Correctness follows by instantiating the previous framework.

Abstract Semantics.

Our goal is to define an abstract model for games that (1) suitably relates to the concrete model from Section 4 and (2) is computable. By a suitable relation, we mean the two models should relate via an abstraction function. Provided the conditions on precision hold, correctness of the abstraction then follows from Theorem 2. Combined with Theorem 1, this will allow us to solve HOG. Computable in particular means the domain should be finite and the operations should be efficiently computable.

We define the M^A = (D^A, I^A) as follows. Again, we resolve the non-determinism into Boolean formulas. But rather than tracking the precise words generated by the scheme, we only track the current set of states of the automaton. To achieve the surjectivity required by precision, we restrict the powerset to those sets of states from which a word is accepted. Let acc(w) = { q | q –[w]→ q_f ∈ Q_f }. For a language L we have acc(L) = { acc(w) | w ∈ L }. The abstract domain for terms of ground kind is D^A(o) = PBool(acc(T^*)). The lifting to functions is as explained in Section 3. Satisfaction is now defined relative to a set Ω of elements of P(Q_NFA) (cf. Section 4). With finitely many atomic propositions, there are only finitely many formulas (up to logical equivalence). This means we no longer need sets of formulas to represent infinite conjunctions, but can work with plain formulas. The ordering is thus the ordinary implication with the meet being conjunction and top being true.

The interpretation of ground terms is I^A($) = Q_f and I^A(a)= pre_a. Here pre_a is the predecessor computation under label a, pre_a(Q)={q′∈ Q_NFA | q′–[a]→ q ∈ Q}. It is lifted to formulas by distributing it over conjunction and disjunction. The composition operators are again interpreted as conjunctions and disjunctions, depending on the owner of the non-terminal. Since we restrict the atomic propositions to acc(T^*), we have to show that the interpretations use only this restricted set. Proving I^A(s) is ⊓-continuous is standard.

Lemma 3 The interpretations are defined on the abstract domain.

Lemma 4 For all terminals s, I^A(s) is ⊓-continuous over the respective lattices.

Recall our concrete model is M^C=(D^C, I^C), where D^C=P(PBool(T^*)). To relate this model to M^A, we define the abstraction function α:D^C(o)→D^A(o). It leaves the Boolean structure of a formula unchanged but maps every word (which is an atomic proposition) to the set of states from which this word is accepted. For a set of formulas, we take the conjunction of the abstraction of the elements. This conjunction is finite as we work over a finite domain, so there is no need to worry about infinite syntax. Technically, we define α on PBool(T^*) by α(Φ)=∧_φ∈Φα(φ) for a set of formulas Φ∈P(PBool(T^*)), and

α(φ) =

⎧
⎪
⎪
⎪
⎨
⎪
⎪
⎪
⎩

acc

⎛
⎝

⎞
⎠

if φ = w,

α(φ₁)opα(φ₂)

if φ = φ₁opφ₂ and op∈

⎧
⎨
⎩

∧,∨

⎫
⎬
⎭

if φ = true .

This definition is suitable in that α(σ_M^C)=σ_M^A entails the following.

Theorem 3 σ_M^A(S) is satisfied by {Q ∈ acc(T^*) | q₀ ∈ Q} iff Player ◇ wins G.

To see that the theorem is a consequence of the exact fixed-point transfer, observe that {Q ∈ acc(T^*) | q₀ ∈ Q} = acc(L(A)). Then, by σ_M^A=α(σ_M^C) we have acc(L(A)) satisfies σ_M^A(S) iff it also satisfies α(σ_M^C(S)). This holds iff L(A) satisfies σ_M^C(S) (a simple induction over formulas). By Theorem 1, this occurs iff Player ◇ wins the game.

It remains to establish α(σ_M^C)=σ_M^A. With the framework, the exact fixed-point transfer follows from precision, Theorem 2. The proof of the following is routine.

Proposition 2 α is precise. Hence, α(σ_M^C)=σ_M^A.

Optimized Semantics.

The above model yields a decision procedure for HOG via Kleene iteration. Unfortunately, the complexity is one exponential too high: The height of the domain for a symbol of order k in the abstract model is (k+2)-times exponential, where the height is the length of the longest strictly descending chain in the domain. This gives the maximum number of steps of Kleene iteration needed to reach the fixed point.

We present an optimized version of our model that is able to close the gap: In this model, the domain for an order-k symbol is only (k+1)-times exponentially high. The idea is to resolve the atomic propositions in M^A, which are sets of states, into disjunctions among the states. The reader familiar with inclusion algorithms will find this decomposition surprising.

We first define α:PBool(acc(T^*))→ PBool(Q_NFA). The optimized domain will then be based on the image of α. This guarantees surjectivity. For a set of states Q, we define α(Q)=∨Q= ∨_{q∈ Q} q. For a formula, the abstraction function is defined to distribute over conjunction and disjunction. The optimized model is M^O = (D^O, I^O) with ground domain α(PBool(acc(T^*))). The interpretation is I^O($)=∨Q_f. For a, we resolve the set of predecessors into a disjunction, I^O(a) q = ∨pre_a({q}). The function distributes over conjunction and disjunction. Finally, I^O(op_F) is conjunction or disjunction of formulas, depending on the owner of the non-terminal. Since we use a restricted domain, we have to argue that the operations do not leave the domain. It is also straightforward to prove our interpretation is ⊓-continuous as required.

Lemma 5 The interpretations are defined on the optimized domain.

Lemma 6 For all terminals s, I^O(s) is ⊓-continuous over the respective lattices.

We again show precision, enabling the required exact fixed-point transfer.

Proposition 3 α is precise. Hence, α(σ_M^A)=σ_M^O.

Theorem 4 σ_M^O(S) is satisfied by {q₀} iff Player ◇ wins G.

It is sufficient to show σ_M^A(S) is satisfied by {Q ∈ acc(T^*) | q₀ ∈ Q} iff σ_M^O(S) is satisfied by {q₀}. Theorem 3 then yields the statement. Propositions Q in σ_M^A(S) are resolved into disjunctions ∨Q in σ_M^O(S). For such a proposition, we have Q∈ {Q ∈ acc(T^*) | q₀ ∈ Q} iff ∨Q is satisfied by {q₀}. This equivalence propagates to the formulas σ_M^A(S) and σ_M^O(S) as the Boolean structure coincides. The latter follows from α(σ_M^A(S))=σ_M^O(S).

Complexity.

To solve HOG, we compute the semantics σ_M^O and then evaluate σ_M^O(S) at the assignment {q₀}. For the complexity, assume that the highest order of any non-terminal in G is k. We show the number of iterations needed to compute the greatest fixed point is at most (k+1)-times exponential. We do this via a suitable upper bound on the length of strictly descending chains in the domains assigned by D^O.

Proposition 4 The semantics σ_M^O can be computed in (k+1)EXP, where k is the highest order of any non-terminal in the input scheme.

The lower bound is via a reduction from the word membership problem for alternating k-iterated pushdown automata with polynomially-bounded auxiliary work-tape. This problem was shown by Engelfriet to be (k+1)EXP-hard. We can reduce this problem to HOG via well-known translations between iterated stack automata and recursion schemes, using the regular language specifying the winning condition to help simulate the work-tape.

Proposition 5 Determining whether Player ◇ wins G is (k+1)EXP-hard for k > 0.

Together, these results show the following corollary and final result.

Corollary 1 HOG is (k+1)EXP-complete for order-k schemes and k > 0.

Acknowledgments. This work was supported by the Engineering and Physical Sciences Research Council [EP/K009907/1]. The work instigated while some of the authors were visiting the Institute for Mathematical Sciences, National University of Singapore in 2016. The visit was partially supported by the Institute.

References

[1]: P. A. Abdulla, Y. Chen, L. Clemente, L. Holík, C.-D. Hong, R. Mayr, and T. Vojnar. Simulation subsumption in Ramsey-based Büchi automata universality and inclusion testing. In CAV, volume 6174 of LNCS, pages 132–147. Springer, 2010.
[2]: P. A. Abdulla, Y. Chen, L. Clemente, L. Holík, C.-D. Hong, R. Mayr, and T. Vojnar. Advanced Ramsey-based Büchi automata inclusion testing. In CONCUR, volume 6901 of LNCS, pages 187–202. Springer, 2011.
[3]: S. Abramsky. Abstract interpretation, logical relations and Kan extensions. J. Log. Comp., 1(1):5–40, 1990.
[4]: S. Abramsky and C. Hankin. An introduction to abstract interpretation. In Abstract Interpretation of declarative languages, volume 1, pages 63–102. Ellis Horwood, 1987.
[5]: K. Aehlig. A finite semantics of simply-typed lambda terms for infinite runs of automata. LMCS, 3(3):1–23, 2007.
[6]: K. Backhouse and R. C. Backhouse. Safety of abstract interpretations for free, via logical relations and Galois connections. Sci. Comp. Prog., 51(1-2):153–196, 2004.
[7]: A. Bouajjani, J. Esparza, and O. Maler. Reachability analysis of pushdown automata: Application to model-checking. In CONCUR, volume 1243 of LNCS, pages 135–150. Springer, 1997.
[8]: A. Bouajjani and A. Meyer. Symbolic reachability analysis of higher-order context-free processes. In FSTTCS, volume 3328 of LNCS, pages 135–147. Springer, 2004.
[9]: C. Broadbent, A. Carayol, M. Hague, and O. Serre. A saturation method for collapsible pushdown systems. In ICALP, volume 7392 of LNCS, pages 165–176. Springer, 2012.
[10]: C. Broadbent and N. Kobayashi. Saturation-based model checking of higher-order recursion schemes. In CSL, volume 23 of LIPIcs, pages 129–148. Dagstuhl, 2013.
[11]: G. L. Burn, C. Hankin, and S. Abramsky. Strictness analysis for higher-order functions. Sci. Comp. Prog., 7(3):249–278, 1986.
[12]: T. Cachat. Symbolic strategy synthesis for games on pushdown graphs. In ICALP, volume 2380 of LNCS, pages 704–715. Springer, 2002.
[13]: T. Cachat. Higher order pushdown automata, the Caucal hierarchy of graphs and parity games. In ICALP, volume 2719 of LNCS, pages 556–569. Springer, 2003.
[14]: D. Caucal. On infinite terms having a decidable monadic theory. In MFCS, volume 2420 of LNCS, pages 165–176. Springer, 2002.
[15]: P. Cousot and R. Cousot. Higher order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection, and PER analysis. In ICCL, pages 95–112. IEEE, 1994.
[16]: W. Damm. The IO- and OI-hierarchies. Theor. Comp. Sci., 20:95–207, 1982.
[17]: W. Damm and A. Goerdt. An automata-theoretical characterization of the OI-hierarchy. Inf. Comp., 71:1–32, 1986.
[18]: J. Engelfriet. Iterated stack automata and complexity classes. Inf. Comput., 95(1):21–75, 1991.
[19]: A. Farzan, Z. Kincaid, and A. Podelski. Proof spaces for unbounded parallelism. In POPL, pages 407–420. ACM, 2015.
[20]: A. Farzan, Z. Kincaid, and A. Podelski. Proving liveness of parameterized programs. In LICS, pages 185–196. IEEE, 2016.
[21]: Azadeh Farzan, Zachary Kincaid, and Andreas Podelski. Proofs that count. In POPL, pages 151–164. ACM, 2014.
[22]: A. Finkel, B. Willems, and P. Wolper. A direct symbolic approach to model checking pushdown systems. ENTCS, 9:27–37, 1997.
[23]: S. Fogarty and M. Y. Vardi. Efficient Büchi universality checking. In TACAS, volume 6015 of LNCS, pages 205–220. Springer, 2010.
[24]: C. Grellois. Semantics of linear logic and higher-order model-checking. PhD thesis, Université Paris Diderot (Paris 7), 2016.
[25]: C. Grellois and P.-A. Melliès. Finitary semantics of linear logic and higher-order model-checking. In MFCS, volume 9234 of LNCS, pages 256–268. Springer, 2015.
[26]: C. Grellois and P.-A. Melliès. An infinitary model of linear logic. In FoSSaCS, volume 9034 of LNCS, pages 41–55. Springer, 2015.
[27]: C. Grellois and P.-A. Melliès. Relational semantics of linear logic and higher-order model checking. In CSL, volume 41 of LIPIcs, pages 260–276. Dagstuhl, 2015.
[28]: A. Haddad. IO vs OI in higher-order recursion schemes. In FICS, volume 77 of EPTCS, pages 23–30, 2012.
[29]: M. Hague, R. Meyer, and S. Muskalla. Domains for higher-order games. CoRR, abs/1705.00355, 2017. URL: .
[30]: M. Hague, A. S. Murawski, C.-H. L. Ong, and O. Serre. Collapsible pushdown automata and recursion schemes. In LICS, pages 452–461. IEEE, 2008.
[31]: M. Hague and C.-H. L. Ong. Symbolic backwards-reachability analysis for higher-order pushdown systems. In FoSSaCS, volume 4423 of LNCS, pages 213–227. Springer, 2007.
[32]: M. Hague and C.-H. L. Ong. Winning regions of pushdown parity games: A saturation method. In CONCUR, volume 5710 of LNCS, pages 384–398. Springer, 2009.
[33]: M. Heizmann, J. Hoenicke, and A. Podelski. Nested interpolants. In POPL, pages 471–482. ACM, 2010.
[34]: M. Hofmann and W. Chen. Abstract interpretation from Büchi automata. In CSL-LICS, pages 51:1–51:10, 2014.
[35]: M. Hofmann and J. Ledent. A cartesian-closed category for higher-order model checking. In LICS. IEEE, 2017. To appear.
[36]: L. Holík, R. Meyer, and S. Muskalla. Summaries for context-free games. In FSTTCS, volume 65 of LIPIcs, pages 41:1–41:16. Dagstuhl, 2016.
[37]: Lukás Holík and Roland Meyer. Antichains for the verification of recursive programs. In NETYS, volume 9466 of LNCS, pages 322–336. Springer, 2015.
[38]: T. Knapik, D. Niwinski, and P. Urzyczyn. Higher-order pushdown trees are easy. In FoSSaCS, volume 2303 of LNCS, pages 205–222. Springer, 2002.
[39]: T. Knapik, D. Niwiński, P. Urzyczyn, and I. Walukiewicz. Unsafe grammars and panic automata. In ICALP, volume 3580 of LNCS, pages 1450–1461. Springer, 2005.
[40]: N. Kobayashi. HorSat2: A model checker for HORS based on SATuration. A tool available at .
[41]: N. Kobayashi. Types and higher-order recursion schemes for verification of higher-order programs. In POPL, pages 416–428. ACM, 2009.
[42]: N. Kobayashi and C.-H. L. Ong. A type system equivalent to the modal mu-calculus model checking of higher-order recursion schemes. In LICS, pages 179–188. IEEE, 2009.
[43]: Z. Long, G. Calin, R. Majumdar, and R. Meyer. Language-theoretic abstraction refinement. In FASE, volume 7212 of LNCS, pages 362–376. Springer, 2012.
[44]: D. A. Martin. Borel determinacy. Annals of Mathematics, 102(2):363–371, 1975. URL: .
[45]: R. Meyer, S. Muskalla, and E. Neumann. Liveness verification and synthesis: New algorithms for recursive programs. .
[46]: Robin P. Neatherway, Steven J. Ramsay, and C.-H. Luke Ong. A traversal-based algorithm for higher-order model checking. In ACM SIGPLAN International Conference on Functional Programming, ICFP’12, Copenhagen, Denmark, September 9-15, 2012, pages 353–364, 2012. URL: , http://dx.doi.org/10.1145/2364527.2364578.
[47]: C.-H. L. Ong. On model-checking trees generated by higher-order recursion schemes. In LICS, pages 81–90. IEEE, 2006.
[48]: S. J. Ramsay. Intersection-Types and Higher-Order Model Checking. PhD thesis, Oxford University, 2013.
[49]: S. J. Ramsay. Exact intersection type abstractions for safety checking of recursion schemes. In PPDP, pages 175–186. ACM, 2014.
[50]: S. Salvati. Recognizability in the simply typed lambda-calculus. In WoLLIC, volume 5514 of LNCS, pages 48–60. Springer, 2009.
[51]: S. Salvati and I. Walukiewicz. A model for behavioural properties of higher-order programs. In CSL, volume 41 of LIPIcs, pages 229–243. Dagstuhl, 2015.
[52]: S. Salvati and I. Walukiewicz. Typing weak MSOL properties. In FoSSaCS, volume 9034 of LNCS, pages 343–357. Springer, 2015.
[53]: S. Salvati and I. Walukiewicz. Using models to model-check recursive schemes. LMCS, 11(2):1–23, 2015.
[54]: I. Walukiewicz. Pushdown processes: Games and model-checking. Inf. Comp., 164(2):234–263, 2001.
[55]: M. Wulf, L. Doyen, T. A. Henzinger, and J.-F. Raskin. Antichains: A new algorithm for checking universality of finite automata. In CAV, volume 4144 of LNCS, pages 17–30. Springer, 2006.

A Relation to Higher-Order Model Checing

We elaborate on the relation of our work to the influential line of research on intersection types as pioneered by [42]. With intersection types, it is usually proven that there is a word or tree derivable by a HORS that is accepted by an automaton, i.e. a well-typed type environment can be certificate for the non-emptiness of the intersection L(scheme) ∩ L(Automaton) ≠ ∅. If the HORS is deterministic, L(scheme) consists of a single tree, so this is also decides the inclusion L(scheme) ⊆ L(Automaton). If we naively extend intersection types to non-deterministic schemes, this is not true anymore. To prove the inclusion in this case, we will need to complement the automaton and prove the emptiness of the intersection, i.e. L(scheme) ∩ L(Automaton) = ∅. Note that a well-typing (a well-typed type environment) cannot prove the emptiness by itself: If the type for the initial symbol does not contain a transition from a final to an initial state, that can either stem from the non-existence of a such a transition sequence, or from the typing not being strong enough. For example, the empty typing that does not assign any type to any symbol (or the empty intersection, if you want), is a well-typing and does not prove anything. Therefore, an algorithm that decides the non-emptiness of the intersection by using intersection-types has to guarantee that it constructs a well-typing strong enough to prove the existence of an accepting transition sequence if such a sequence exists. Note that algorithms that compute intersection types usually allow alternating automata as the specification. It is conceptually easier to complement an alternating automaton than it is to complement a non-deterministic automaton: The transition for each origin and label is given as a Boolean formula, and we can get the complement automaton by considering the dual formula (i.e. the formula in which conjunctions and disjunctions are swapped). Note that usually, the transition formulas are normalized to disjunctive normal form (DNF), so computing the dual formula (which will then be in CNF) and re-normalizing it to DNF can lead to an exponential blowup.

Work by Neatherway et al. [46] and Ramsay [48] considers schemes with non-determinism in the form of case statements. To handle this non-determinism they introduce union types as a ground type. Neatherway et al. give an optimised algorithm for checking such schemes against deterministic trivial automata (where all infinite runs are accepting – i.e. a Büchi condition where all states are accepting). In his thesis, Ramsay extends this to checking non-deterministic schemes against non-deterministic trivial automata using abstract interpretation from schemes to types. In our work, we generalise non-determinism to games (played over word-generating schemes), with a non-deterministic target language.

B Proofs for Section 3

B.1 Proof of Proposition 1

Let (ν_i)_{i ∈ N} be a descending chain of evaluations, i.e. ν_i ≥ ν_i+1 for all i ∈ N. It is to show that for all t, M〚t〛 is ⊓-continuous (in the argument ν) over the respective lattice, i.e.

M〚t〛

⎛
⎝

⊓_i ∈ N ν_i

⎞
⎠

= ⊓_i ∈ N (M〚F〛 ν_i) .

We proceed by induction over t.

Case t = F or t = x.
Both of these cases are identical, hence we only show the former. We have
M〚F〛 (⊓_i ∈ N ν_i) = (⊓_i ∈ N ν_i)(F) = ⊓_i ∈ N (ν_i(F)) = ⊓_i ∈ N (M〚F〛 ν_i)

where the first and final equalities are by definition of the concrete semantics, and the second is by definition of ⊓ over valuations ν_i.
Case t = s for some terminal s.
Similar to the previous case, we have
M〚s〛 (⊓_i ∈ N ν_i) = I(s) = ⊓_i ∈ N (M〚s〛 ν_i)

by definition.

Case t = t₁ t₂.
We have

	M〚t₁ t₂〛 (⊓_i ∈ N ν_i)
(Definition of semantics) =	(M〚t₁〛 (⊓_i ∈ N ν_i)) (M〚t₂〛 (⊓_i ∈ N ν_i))
(Induction hypothesis) =	(⊓_i ∈ N (M〚t₁〛 ν_i)) (⊓_i ∈ N (M〚t₂〛 ν_i))
(Definition of ⊓ for functions) =	⊓_i ∈ N ( (M〚t₁〛 ν_i) (⊓_i ∈ N (M〚t₂〛 ν_i)) )
(Continuity of M〚t₁〛 ν_i ∈ D) =	⊓_i ∈ N ⊓_j ∈ N ( (M〚t₁〛 ν_i) (M〚t₂〛 ν_j)) )
(Argued below) =	⊓_i ∈ N ( (M〚t₁〛 ν_i) (M〚t₂〛 ν_i)) )
(Definition of semantics) =	⊓_i ∈ N (M〚t₁ t₂〛 ν_i) .

We have to argue the step indicated above. That is,

⊓_i ∈ N ⊓_j ∈ N ( (M〚t₁〛 ν_i) (M〚t₂〛 ν_j)) ) = ⊓_i ∈ N ( (M〚t₁〛 ν_i) (M〚t₂〛 ν_i)) ) .

The right-hand side is greater than the left-hand side, because terms of the form ((M〚t₁〛 ν_i) (M〚t₂〛 ν_j)) where ν_i ≠ ν_j are missing in the RHS. To see that it is in fact equal, note that for two indices i,j ∈ N, we have either ν_i ≤ ν_j or ν_j ≤ ν_i, since the valuations form a descending chain. Let m = min{i,j}. We now use that ⊓-continuity implies monotonicity, and thus we have

((M〚t₁〛 ν_m) (M〚t₂〛 ν_m)) ≤ ((M〚t₁〛 ν_i) (M〚t₂〛 ν_j)) .

Hence, for any expression ((M〚t₁〛 ν_i) (M〚t₂〛 ν_j)) that is missing in the meet in the RHS, the meet in the RHS contains an expression that is smaller, hence, they are equal.

Case t = λ x . t′.
We have

	M〚λ x . t′〛 (⊓_i ∈ N ν_i)
(Definition of semantics) =	v ↦ (M〚t′〛 (⊓_i ∈ N ν_i)[x ↦ v])
(Induction hypothesis) =	v ↦ (⊓_i ∈ N (M〚t′〛 ν_i[x ↦ v]))
(Definition of ⊓ for functions) =	⊓_i ∈ N ( (v ↦ M〚t₁〛 ν_i[x ↦ v]) )
(Definition of semantics) =	⊓_i ∈ N (M〚λ x . t′〛 ν_i) .

▫

B.2 Substitution Lemma

Since we have not syntactically defined the evaluation of a λ-term, our development will need a simple substitution lemma.

Lemma 7 For all ν : N⨃ V↛ D, we have M〚(λ x . t) t′〛 ν = M〚t[x ↦ t′]〛 ν .

We show that for all ν : N⨃ V↛ D and all suitable terms t, t′, we have

M〚(λ x . t) t′〛 ν = M〚t[x ↦ t′]〛 ν .

We have by definition

M〚(λ x . t) t′〛 ν = (M〚(λ x . t)〛 ν) (M〚t′〛 ν) = M〚t〛 (ν[x ↦ M〚t′〛 ν])

and show by induction over t that

M〚t〛 ν[x ↦ M〚t′〛 ν] = M〚t[x ↦ t′]〛 ν .

In the base cases we have

M〚F〛 ν[x ↦ M〚t′〛 ν] = ( ν[x ↦ M〚t′〛 ν] ) (F) = ν (F) = M〚F〛 ν = M〚F[x ↦ t′]〛 ν ,
M〚s〛 ν[x ↦ M〚t′〛 ν] = I (s) = M〚s〛 ν = M〚s[x ↦ t′]〛 ν ,
M〚x〛 ν[x ↦ M〚t′〛 ν] = M〚t′〛 ν = M〚x[x ↦ t′]〛 ν , and
M〚y〛 ν[x ↦ M〚t′〛 ν] = ( ν[x ↦ M〚t′〛 ν] ) (y) = ν (y) = M〚y〛 ν = M〚y[x ↦ t′]〛 ν , for variable y ≠ x.

Then, for the induction step, we first consider application. That is

M〚t₁ t₂〛 ν[x ↦ M〚t′〛 ν] =

⎛
⎝

M〚t₁〛 ν[x ↦ M〚t′〛 ν]

⎞
⎠

⎛
⎝

M〚t₂〛 ν[x ↦ M〚t′〛 ν]

⎞
⎠

which is equal to, by induction,

⎛
⎝

M〚t₁[x ↦ t′]〛 ν

⎞
⎠

⎛
⎝

M〚t₂[x ↦ t′]〛 ν

⎞
⎠

= M〚t₁[x ↦ t′] t₂[x ↦ t′]〛 ν = M〚(t₁ t₂)[x ↦ t′]〛 ν .

Finally, for abstraction, we can assume by α-conversion that y ≠ x, and we have

M〚λ y . t₁〛 ν[x ↦ M〚t′〛 ν] = v ↦ M〚t₁〛 ν[x ↦ M〚t′〛 ν, y ↦ v]

which is by induction equal to the function

v ↦ M〚t₁[x ↦ t′]〛 ν[y ↦ v] = M〚λ y . t₁[x ↦ t′]〛 ν = M〚(λ y . t₁)[x ↦ t′]〛 ν .

Thus, by induction, we have the lemma as required. ▫

C Proofs for Section 4

C.1 Proof of Lemma 1

We show that for all non-ground terminals s, I^C(s) is ⊓-continuous. We need to treat the terminals a ∶ o → o of the original scheme and the terminals op_F that were introduced for the determinisation separately. In each case, assume a descending chain of arguments (x_i)_{i ∈ N}.

Case s = a.
Since I^C(a) = prepend_a and we have
prepend_a (⊓_i ∈ N x_i) = ⊓_i ∈ N(prepend_a x_i)

by definition of prepend_a, we have the property as required.

Case s = op_F.
We show the property when op_F is owned by ◇, and thus interpreted as ℓ-fold disjunction, conjunction is similar. We proceed by induction on the arity ℓ. In the base case ℓ = 1, I^C(op_F) is the identity function that is ⊓-continuous

Now assume op_F has arity ℓ+1, and I^C(op_F) = ∨_ℓ+1 is an ℓ+1-fold disjunction. We have

	∨_ℓ+1 (⊓_i ∈ N x_i)
(Definition of ∨_ℓ+1) =	y₁, …, y_ℓ ↦ (⊓_i ∈ N x_i) ∨ ∨_ℓ y₁ ⋯ y_ℓ
(Distributivity (see below)) =	y₁, …, y_ℓ ↦ ⊓_i ∈ N (x_i ∨ ∨_ℓ y₁ ⋯ y_ℓ)
(Definition of ⊓ for functions) =	⊓_i ∈ N (y₁, …, y_ℓ ↦ x_i ∨ ∨_ℓ y₁ ⋯ y_ℓ)
(Definition of ∨_ℓ+1) =	⊓_i ∈ N ∨_ℓ+1 x_i

In the above we required ∨ to distribute over ⊓, which can be seen by induction over types. In the base case, that ∨ distributes over ⊓ = ∧ is standard. For the step case, we have for all f_i, g, and v

⎛
⎝

(⊓_i ∈ N f_i) ∨ g

⎞
⎠

(Definition of ∨ and ⊓) =

⎛
⎝

⊓_i ∈ N (f_i v)

⎞
⎠

∨ (g v)

(Induction) =

⊓_i ∈ N

⎛
⎝

(f_i v) ∨ (g v)

⎞
⎠

(Definition of ∨ and ⊓) =

⎛
⎝

⊓_i ∈ N(f_i ∨ g)

⎞
⎠

v .

▫

C.2 Proof of Theorem 1

We are required to show σ_M^C(S) is satisfied by L(A) iff there is a winning strategy foryer Player ◇. The theorem is shown in the following two lemmas.

First, we introduce some notation. We write prepend_w for w=a₁… a_n to abbreviate prepend_a₁ ∘ ⋯ ∘ prepend_{a_n}.

Lemma 8 (Player ◇) If σ_M^C(S) is satisfied by L(A) there is a winning strategy for ◇.

In what follows, whenever we refer to a term t, we mean a term built over N⨃ T, but not over T^det. The terminals op_F are excluded because they do not occur in the game, they are only introduced in the determinized scheme.

We will demonstrate a strategy for ◇ that maintains the invariant that the current (variable-free) term t reached is such that M^C〚t〛 σ_M^C is satisfied by L(A). All plays are infinite or generate a word w. Since we maintain M^C〚t〛 σ_M^C is satisfied by L(A), if t represents a word w, we know w is accepted by A and Player ◇ wins the game.

Initially, we have M^C〚S〛 σ_M^C = σ_M^C(S) which is satisfied by L(A) by assumption. Thus, suppose play reaches a term t such that M^C〚t〛 σ_M^C is satisfied by L(A). There are two cases.

In the first case t = a₁ (⋯ (a_n $)) and let w = a₁ … a_n. Since

M^C〚a₁(⋯(a_n($)))〛 σ_M^C = prepend_{a₁… a_n}(ε) = w

and w is satisfied by L(A), we know w ∈ L(A) and Player ◇ has won the game.

In the second case, we have t = a₁(⋯(a_n(F t₁ ⋯ t_m))). By assumption, we know

M^C〚a₁(⋯(a_n(F t₁ ⋯ t_m)))〛 σ_M^C =

prepend_{a₁ … a_n}( (M^C〚F〛 σ_M^C) (M^C〚t₁〛 σ_M^C) ⋯ (M^C〚t_m〛 σ_M^C) )

is satisfied by L(A). Let F = e₁, …, F = e_ℓ be the rewrite rules for F. There are two subcases.

If F is owned by ◇, then since M^C〚F〛 = M^C〚e₁〛 ∨ ⋯ ∨ M^C〚e_ℓ〛 there must exist some i such that

prepend_{a₁ … a_n}( (M^C〚e_i〛 σ_M^C) (M^C〚t₁〛 σ_M^C) ⋯ (M^C〚t_m〛 σ_M^C) )

is satisfied by L(A). The strategy of Player ◇ is to choose the i^th rewrite rule.

We need to show the invariant is maintained. Let e_i = λ x₁, …, x_m . e. We have (using the substitution lemma, Lemma 7),

	prepend_{a₁ … a_n}( (M^C〚λ x₁, …, x_m . e〛 σ_M^C) (M^C〚t₁〛 σ_M^C) ⋯ (M^C〚t_m〛 σ_M^C) )
=	prepend_{a₁ … a_n}( M^C〚(λ x₁, …, x_m . e) t₁ … t_m〛 σ_M^C )
=	prepend_{a₁ … a_n}( M^C〚e[x₁ ↦ t₁, …, x_m ↦ t_m]〛 σ_M^C )
=	M^C〚a₁(⋯(a_n(e[x₁ ↦ t₁, …, x_m ↦ t_m])))〛 σ_M^C .

Note that the term a₁(⋯(a_n(e[x₁ ↦ t₁, …, x_m ↦ t_m]))) is the result of Player ◇ rewriting F via F = e_i. Since the satisfaction by L(A) passes through the equalities, Player ◇’s move maintains the invariant as required.

If F is owned by □ the argument proceeds as in the previous case. The key difference is that we have to show satisfaction is maintained no matter which move □ chooses. However, since in this case M^C〚F〛 = M^C〚e₁〛 ∧ ⋯ ∧ M^C〚e_ℓ〛 then for all i we have
prepend_{a₁ … a_n}( (M^C〚e_i〛 σ_M^C) (M^C〚t₁〛 σ_M^C) ⋯ (M^C〚t_m〛 σ_M^C) )

is satisfied by L(A). The remainder of the argument is identical.

▫

Lemma 9 (Player □) If σ_M^C(S) is not satisfied by L(A) there is a winning strategy for □.

For φ ∈ D^C(o) and a variable-closed term t of kind o, we define φ to be sound for t, denoted φ ⊢ t, if for all w∈ T^* such that prepend_w(φ) is not satisfied by L(A), Player □ has a winning strategy from term w(t). For w=ε, we set prepend_ε(φ)=φ and let ε(t)=t. We can now restate the lemma as

σ_M^C(S) ⊢ S .

In particular, since σ_M^C(S) is not satisfied by L(A) it is the case that prepend_ε(σ_M^C(S)) is not satisfied. This means Player □ has a winning strategy from ε(S) = S.

In general, for Ξ ∈ D^C(κ₁ → κ₂), we will also define Ξ ⊢ t for terms of kind κ₁ → κ₂. That is, for a variable-closed term t of kind κ₁ → κ₂ and a function Ξ ∈ D^C(κ₁ → κ₂), we define Ξ ⊢ t to hold whenever for all variable-closed terms t′ of kind κ₁ and Ξ′ ∈ D^C(κ₁) such that Ξ′ ⊢ t′ we have Ξ Ξ′ ⊢ t t′:

Ξ ⊢ t, if ∀ Ξ′, t′ such that Ξ′ ⊢ t′, we have Ξ Ξ′ ⊢ t t′ .

Similarly, we need to extend ⊢ to terms t with free variables x=x₁ … x_m. Here, we make the free variables explicit and write t (x). We define for Ξ : (V↛ D^C) → D^C that Ξ ⊢ t(x) by requiring that for any variable-closed terms t₁, …, t_m and any Ξ₁, …, Ξ_m ∈ D^C with Ξ_j ⊢ t_j for all 1≤ j≤ m, we have Ξ ν ⊢ t [∀ j ∶ x_j ↦ t_j], where ν maps x_j to Ξ_j.

We now show the following. For every number of iterations i in the fixed-point calculation, we have M^C〚t〛 σ_M^Cⁱ ⊢ t, for all terms t built over the terminals and non-terminals in the scheme of interest. After the induction, we will show that the result holds for the greatest fixed point. Note that we have a nested induction: the outer induction is along i, the inner is along the structure of terms.

Since we are inducting over non-closed terms, we will have to extend σ_M^Cⁱ to assign valuations to free-variables. Thus we will write νⁱ to denote a valuation such that νⁱ(F) = σ_M^Cⁱ(F) for any non-terminal F.

Base case i.
In the base case, we have i=0 and νⁱ=⊤ for all non-terminals. We proceed by induction on the structure of terms. We will emphasize if an argumentation is independent of the iteration count. This is the case for all terms except non-terminals.

Base case t.
The base cases of the inner induction that are independent of the iteration count are the following.

Case t = $.
For all i, we have M^C〚$〛 νⁱ = ε. Take any word w such that prepend_w(ε) is not satisfied by L(A). No moves can be made from w(ε) and Player □ has won the game.
Case t = a.
We again reason over all i and show that
M^C〚a〛 νⁱ Ξ = prepend_a(Ξ) ⊢ a(t)

for any variable-closed term t : o and any Ξ so that Ξ ⊢ t. Take any word w such that prepend_w(prepend_a(Ξ)) is not satisfied by L(A). It follows that prepend_wa(Ξ) is also not satisfied by L(A). From Ξ ⊢ t, Player □ has a winning strategy from wa(t). Since wa(t) = w(a(t)) we are done.
Case t = x.
For all i and all extensions νⁱ of σ_M^Cⁱ, we have
M^C〚x〛 νⁱ = νⁱ(x).

Take any νⁱ(x)=Ξ and any variable-closed term t′ with Ξ ⊢ t′. Then νⁱ(x) ⊢ x[x ↦ t′] is immediate.

The only base case of the inner induction that depends on the iteration count is t=F. Let F take m arguments and consider variable-closed terms t₁, …, t_m with corresponding Ξ_j such that Ξ_j ⊢ t_j. We have

M^C〚F〛 ν⁰ Ξ₁ … Ξ_m = σ_M^C(F)⁰ Ξ₁ … Ξ_m = true.

Thus, trivially M^C〚F〛 ν⁰ ⊢ F since true is never unsatisfied.
Step case t.
In both cases, the argumentation is independent of the actual iteration count. Therefore, we give it for a general i rather than for 0.

Case t = t′ t″.
Assume we already know that

M^C〚t′〛 νⁱ ⊢ t′ and M^C〚t″〛 νⁱ ⊢ t″ .

Our task is to show that

M^C〚t′ t″〛 νⁱ = (M^C〚t′〛 νⁱ) (M^C〚t″〛 νⁱ) ⊢ t′ t″ .

Let the free variables be x₁, …, x_n and consider Ξ₁ ⊢ t₁ to Ξ_n⊢ t_n. Let νⁱ map x_j to Ξ_j for all 1≤ j≤ n. By the definition of ⊢ for terms with free variables, we have M^C〚t′〛 νⁱ ⊢ t′ [∀ j: x_j ↦ t_j] and M^C〚t″〛 νⁱ ⊢ t″ [∀ j: x_j ↦ t_j]. Then, by the definition of ⊢ for functions, we obtain

M^C〚t′ t″〛 νⁱ =	(M^C〚t′〛 νⁱ) (M^C〚t″〛 νⁱ)
⊢	(t′[∀ j: x_j ↦ t_j]) (t″[∀ j: x_j ↦ t_j]) = (t′ t″)[∀ j: x_j ↦ t_j] .

This means M^C〚t′ t″〛 νⁱ ⊢ t′ t″ as required.

Case t = λ x.e.
Let the free variables of e be x, x₁,…, x_n. For M^C〚λ x.e〛 νⁱ⊢ λ x.e, we have to argue that for any Ξ₁⊢ t₁ to Ξ_n⊢ t_n with νⁱ mapping x_i to Ξ_i for all 1≤ i≤ n, we get
            M^C〚λ x.e〛 νⁱ ⊢ (λ x.e)[∀ j: x_j↦ t_j]  .

This in turn means that for any Ξ⊢ t, we have to show
            (M^C〚λ x.e〛 νⁱ) Ξ⊢ ((λ x.e)[∀ j: x_j↦ t_j]) t  .

By the definition of the semantics, we have
            (M^C〚λ x.e〛 νⁱ) Ξ = M^C〚e〛 νⁱ[x↦ Ξ]  .

Moreover, since the t_j are variable-closed, they in particular are not affected by replacing x and we get
        ((λ x.e)[∀ j: x_j↦ t_j]) t = (λ x.(e[∀ j: x_j↦ t_j])) t.

In the game, λ-redexes of the form (λ x.e) t do not occur at all: When a non-terminal F is rewritten to its right-hand side λ x.e, this yields e[x↦ t] within a single step. This means the game equates (λ x.(e[∀ j: x_j↦ t_j])) t with e[x↦ t, ∀ j: x_j↦ t_j]. Hence, all that remains to be shown is
            M^C〚e〛 νⁱ[x↦ Ξ] ⊢ e[x↦ t, ∀ j: x_j↦ t_j]  .

This holds by the hypothesis of the inner induction, showing M^C〚e〛 νⁱ⊢ e.

Step case i.
We again do an induction along the structure of terms. The only case that has not been treated in full generality is F. We now show that M^C〚F〛 νⁱ⁺¹⊢ F. Let F take m arguments and consider Ξ₁⊢ t₁ to Ξ_m⊢ t_m. The task is to prove M^C〚F〛 νⁱ⁺¹ Ξ₁ … Ξ_m⊢ F t₁ … t_m. To ease the notation, assume there are two right hand sides e₁′, e₂ for F, i.e. we have the rules F = λ x₁ … λ x_m.e₁ and F = λ x₁ … λ x_m.e₂. This means the right-hand side in the determinised scheme is F = λ x₁ … λ x_m . (op_F e₁ e₂). Then,

M^C〚F〛 νⁱ⁺¹

= νⁱ⁺¹(F)

= M^C〚 λ x₁ … λ x_m . (op_F e₁ e₂) 〛 νⁱ

= v₁, …, v_m ↦ M^C〚(op_F e₁ e₂)[x₁ ↦ v₁, …, x_m ↦ v_m]〛 νⁱ

= v₁, …, v_m ↦ M^C〚(op_F e₁[

↦

] e₂[

↦

])〛 νⁱ

= v₁, …, v_m ↦ I^C(op_F)

⎛
⎜
⎝

M^C〚e₁[

↦

]〛 νⁱ

⎞
⎟
⎠

⎛
⎜
⎝

M^C〚e₂[

↦

])〛 νⁱ

⎞
⎟
⎠

Here, I^C(op_F) is a conjunction or disjunction, depending on the owner of F. Recall that the conjunction and disjunction of functions are defined by evaluating the argument functions separately and combining the results. This means

M^C〚F〛 νⁱ⁺¹

= v₁, …, v_m ↦ I^C(op_F)

⎛
⎜
⎝

M^C〚e₁[

↦

]〛 νⁱ

⎞
⎟
⎠

⎛
⎜
⎝

M^C〚e₂[

↦

])〛 νⁱ

⎞
⎟
⎠

= v₁, …, v_m ↦

⎛
⎜
⎝

M^C〚e₁[

↦

]〛 νⁱ

⎞
⎟
⎠

(∨/∧)

⎛
⎜
⎝

M^C〚e₂[

↦

])〛 νⁱ

⎞
⎟
⎠

⎛
⎜
⎝

v₁, …, v_m ↦ M^C〚e₁[

↦

]〛 νⁱ

⎞
⎟
⎠

(∨/∧)

⎛
⎜
⎝

v₁, …, v_m ↦ M^C〚e₂[

↦

])〛 νⁱ

⎞
⎟
⎠

⎛
⎝

M^C〚λ x₁ … λ x_m . e₁〛 νⁱ

⎞
⎠

(∨/∧)

⎛
⎝

M^C〚λ x₁ … λ x_m . e₂〛 νⁱ

⎞
⎠

⎛
⎝

M^C〚e₁′〛 νⁱ

⎞
⎠

(∨/∧)

⎛
⎝

M^C〚e₂′〛 νⁱ

⎞
⎠

With the same reasoning, we obtain

	M^C〚F〛 νⁱ⁺¹ Ξ₁ … Ξ_m
	= (M^C〚e₁′〛 νⁱ Ξ₁ … Ξ_m) (∨/∧) (M^C〚e₂′〛 νⁱ Ξ₁ … Ξ_m).

We have to prove that for any w∈ T^*, if L(A) does not satisfy the formula

	prepend_w((M^C〚e₁′〛 νⁱ Ξ₁ … Ξ_m) (∨/∧) (M^C〚e₂′〛 νⁱ Ξ₁ … Ξ_m))
=	prepend_w(M^C〚e₁′〛 νⁱ Ξ₁ … Ξ_m) (∨/∧) prepend_w(M^C〚e₂′〛 νⁱ Ξ₁ … Ξ_m),

then Player □ has a winning strategy from w(F t₁ … t_m).

Assume Player ◇ owns F and the formula is not satisfied. If Player □ owns F, the reasoning is similar. Since we have a disjunction for Player ◇, prepend_w(M^C〚e₁′〛 νⁱ Ξ₁ … Ξ_m) is not satisfied. By the hypothesis of the outer induction, we obtain M^C〚e₁′〛 νⁱ ⊢ e₁ and thus M^C〚e₁′〛 νⁱ Ξ₁ … Ξ_m ⊢ e₁′ t₁ … t_m. As in the case of λ-abstraction above, we use that the game identifies e₁′ t₁ … t_m and e₁ [x₁ ↦ t₁, … e_m ↦ t_m]. Hence, Player □ has a winning strategy from w(e₁ [x₁ ↦ t₁, … e_m ↦ t_m]). The same argumentation applies to prepend_w(M^C〚e₂〛 νⁱ Ξ₁ … Ξ_m). Consequently, whichever move Player ◇ makes at w(F t₁ … t_m), Player □ has a winning strategy.
This finishes the outer induction, proving that M^C〚t〛 σ_M^Cⁱ ⊢ t for all terms t and all i ∈ N. We would like to conclude M^C〚t〛 σ_M^C ⊢ t. Since the cppo under consideration is not finite, this needs to be proven separately.
Limit case.
We have shown M^C〚t〛 σ_M^Cⁱ ⊢ t for all i ∈ N; we now show M^C〚t〛 σ_M^C ⊢ t noting by Kleene that σ_M^C = ⊓_{i ∈ N} σ_M^Cⁱ. Once we have this we have σ_M^C(S) ⊢ S which proves the lemma.

We formulate a slightly more general induction hypothesis for induction over kinds: Given a descending sequence of Ξ_i for all i ∈ N such that each Ξ_i ⊢ t, we have ⊓_{i ∈ N} Ξ_i ⊢ t. In the base case we have t is of kind o and we assume Ξ_i ⊢ t. We now argue ⊓_{i ∈ N} Ξ_i ⊢ t.

Take any w and suppose prepend_w(⊓_{i ∈ N} Ξ_i) is not satisfied, then we need to show by the definition of ⊢ that Player □ has a winning strategy. Since ⊓ is conjunction, if

prepend_w(⊓_i ∈ N Ξ_i) = ⊓_i ∈ N prepend_w(Ξ_i)

is not satisfied, it must be the case that for some i we have prepend_w(Ξ_i) is not satisfied. In this case, we have Ξ_i ⊢ t by assumption and thus by the definition of ⊢ that Player □ has a winning strategy from w(t). This proves ⊓_{i ∈ N} Ξ_i ⊢ t.

If t is of kind κ₁ → κ₂ we need to show for all Ξ ⊢ t′ that (⊓_{i ∈ N} Ξ_i) Ξ ⊢ t t′. We have by the definition of ⊓ over functions

(⊓_i ∈ N Ξ_i) Ξ = ⊓_i ∈ N (Ξ_i Ξ)

Since by assumption on Ξ_i and definition of ⊢ for function kinds, we have Ξ_i Ξ ⊢ t t′ for each i. By the induction on the kind, we obtain ⊓_{i ∈ N}(Ξ_i Ξ) ⊢ t t′ . Since (⊓_{i ∈ N} Ξ_i) σ = ⊓_{i ∈ N} (Ξ_i σ) we establish the desired statement that finishes the induction.

Finally, since M^C〚t〛 σ_M^Cⁱ satisfies the conditions of the above induction hypothesis and because we have already shown M^C〚t〛 σ_M^Cⁱ ⊢ t for all t, we obtain

⊓_i ∈ N (M^C〚t〛 σ_M^Cⁱ) ⊢ t .

Then, since using continuity of M^C〚t〛 we have

M^C〚t〛 σ_M^C = M^C〚t〛 (⊓_i ∈ N σ_M^Cⁱ) = ⊓_i ∈ N (M^C〚t〛 σ_M^Cⁱ)

we obtain the lemma as required. ▫

D Proofs for Section 5

D.1 Generalising Precision Properties to Functions

We show that several properties needed for precision can be lifted from the ground domain to function domains.

Lemma 10 If (P1) holds, then for every κ∈ Κ and every v_r∈D_r(κ) there is a compatible v_l∈D_l(κ) with α(v_l)=v_r.

We show that, if (P1) holds, then for every κ∈ Κ and every v_r∈D_r(κ) there is a compatible v_l∈D_l(κ) with α(v_l)=v_r. We proceed by induction on kinds. The base case is given by the assumption (P1) and the fact that every ground element is compatible. Assume we have the required surjectivity of α for κ₁ and κ₂ and consider f_r∈D_r(κ₁→ κ₂). The task is to find a compatible function f_l so that α(f_l)=f_r. Assume f_r v_r = v_r′. By surjectivity for κ₁, there are compatible elements in α⁻¹(v_r), and similar for v_r′. Let v_l′ be a compatible element that is mapped to v_r′ by α. We define f_l v_l = v_l′ for all compatible v_l ∈ α⁻¹(v_r). Since α is total on D(κ₁), this assigns a value to all compatible v_l. We do not impose any requirements on how to map elements that are not compatible.

We argue that f_l is compatible. To this end, consider compatible v_l¹ and v_l² with α(v_l¹)=α(v_l²). By definition, both are mapped identically by f_l, f_l v_l¹=f_l v_l². Hence, in particular the abstractions coincide. Moreover, given a compatible v_l, we defined f_l v_l = v_l′ to be a compatible element.

Concerning the equality of the functions, we have α(f_l) v_r = α(f_l v_l) = α(v_l′) = v_r′. The first equality is the definition of abstraction for functions and the fact that α⁻¹(v_r) contains compatible elements, one of them being v_l, the second is the fact that v_l is mapped to v_l′, and the last is by v_l′ ∈ α⁻¹(v_r′). ▫

Lemma 11 If (P1) and (P2) hold, then for all κ∈ Κ and all descending chains of compatible elements (f_i)_{i ∈ N} in D(κ), we have ⊓_i∈N f_i compatible and α(⊓_{i∈ N}f_i)=⊓_{i∈ N}α(f_i).

We proceed by induction on kinds to show that, if (P1) and (P2) hold, then for all kinds κ∈ Κ and for all descending chains of compatible values f₁, f₂, … ∈D(κ), we have ⊓_{i∈ N}f_i again compatible and α(⊓_{i∈ N}f_i)=⊓_{i∈ N}α(f_i). The base case is the assumption.

In the induction step, let κ=κ₁→ κ₂ and f₁, f₂,…∈D_l(κ) be a descending chain of compatible elements. Let v_l∈ D_l(κ₁) be compatible. The following equalities will be helpful:

α((⊓_i∈ N f_i) v_l)=α(⊓_i∈ N (f_i v_l))=⊓_i∈ N α(f_i v_l) = ⊓_i∈ N (α(f_i) α(v_l))=(⊓_i∈ N α(f_i)) α(v_l).

The first equality is the definition of ⊓ on functions, the second is the induction hypothesis for κ₂, the third is compatibility of the f_i and v_l, the last is again ⊓ on functions.

To show compatibility, note that the above implies α((⊓_{i∈ N} f_i) v_l)=α((⊓_{i∈ N} f_i) v_l′) as long as α(v_l)=α(v_l′), for all compatible v_l, v_l′∈D_l(κ₁). For compatibility of (⊓_{i∈ N} f_i) v_l with v_l∈D_l(κ₁) compatible, note that (⊓_{i∈ N} f_i) v_l=⊓_{i∈ N} (f_i v_l). The latter is the meet over a descending chain of compatible elements in κ₂. By the induction hypothesis on κ₂, it is again compatible.

For ⊓-continuity, consider a value v_r∈D_r(κ₁). By Lemma 10, there is a compatible v_l∈D_l(κ₁) with α(v_l)=v_r. We have

α(⊓_i∈ Nf_i) v_r =α((⊓_i∈ Nf_i) v_l)= (⊓_i∈ N α(f_i)) α(v_l)=(⊓_i∈ N α(f_i)) v_r.

The first equality is the definition of abstraction on functions. Note that we need here the fact that ⊓_{i∈ N}f_i is compatible by the induction hypothesis. The second equality is the auxiliary one from above. The last equality is by α(v_l)=v_r. ▫

Lemma 12 If (P3) holds, then α(⊤_κ^l)=⊤_κ^r for all κ∈ Κ.

We show that, if (P3) holds, then α(⊤_κ^l)=⊤_κ^r for all κ∈ Κ. We proceed by induction on kinds. The base case is given by the assumption (P3). Assume for κ₂, we have α(⊤_κ₂^l)=⊤_κ₂^r. Consider function ⊤_{κ₁→ κ₂}^l∈D_l(κ₁→κ₂). We have to show α(⊤_{κ₁→ κ₂}^l)=⊤_{κ₁→ κ₂}^r. If the given top element is not compatible, this holds. Assume it is. For v_r ∈ D_r(κ₁), there are two cases. If there is no compatible v_l∈ D_l(κ₁) with α(v_l)=v_r, we have

α(⊤_{κ₁→ κ₂}^l) v_r = ⊤_κ₂^r = ⊤_{κ₁→ κ₂}^r v_r.

If there is such a v_l, we obtain

α(⊤_{κ₁→ κ₂}^l) v_r =α(⊤_{κ₁→ κ₂}^l v_l) = α(⊤_κ₂^l)=⊤_κ₂^r = ⊤_{κ₁→ κ₂}^r v_r.

The first equality is the definition of abstraction for functions, the next is the fact that ⊤_{κ₁→ κ₂}^l maps every element v_l ∈ D_l(κ₁) to ⊤_κ₂^l. The image of ⊤_κ₂^l is ⊤_κ₂^r by the induction hypothesis. The last equality is the definition of ⊤_{κ₁→ κ₂}^r. ▫

D.2 Proof of Lemma 2

Assume (P1), (P4), and (P5) hold. We show, for all terms t and all compatible ν, M_l〚t〛 ν is compatible and α(M_l〚t〛 ν)=M_r〚t〛 α(ν). We proceed by structural induction on t.

Case F, x.
By the assumption, M_l〚F〛 ν = ν(F) is compatible. Moreover,
α(M_l〚F〛 ν)=α(ν(F))=α(ν)(F)=M_r〚F〛 α(ν)

holds. For x∈ V, the reasoning is similar.
Case terminal s.
Note that M_l〚s〛 ν=I_l(s). If s is ground, the claim holds by (P4). Let s:κ₁→ κ₂. For compatibility, consider v_l, v_l′∈D(κ₁) compatible with α(v_l)=α(v_l′). Then
α(I_l(s) v_l)=I_r(s) α(v_l) = I_r(s) α(v_l′) = α(I_l(s) v_l′).

The first equality is (P4), the next is α(v_l)=α(v_l′), and the last is again (P4). The second requirement on compatibility is satisfied by (P5).
To show α(M_l〚s〛 ν) = M_r〚s〛 α(ν), consider a value v_r ∈D_r(κ₁). By Lemma 10, there is some compatible v_l∈D_l(κ₁) with α(v_l)=v_r. We have
α(I_l(s)) v_r = α(I_l(s) v_l)= I_r(s) α(v_l) =I_r(s) v_r.

The first equality is compatibility of I_l(s) and the definition of function abstraction. The next equality is (P4). The last is α(v_l)=v_r.

For the induction step, assume the claim holds for t₁ and t₂.

Case t₁ t₂.
For compatibility, observe that M_l〚t₁ t₂〛 ν=(M_l〚t₁〛 ν) (M_l〚t₂〛 ν). Moreover, M_l〚t₁〛 ν and M_l〚t₂〛 ν are both compatible by the induction hypothesis. By definition of compatibility, applying a compatible function to a compatible argument yields a compatible value. Hence, M_l〚t₁ t₂〛 ν is compatible.
For the equality, note that
M_r〚t₁ t₂〛 α(ν) = (M_r〚t₁〛 α(ν)) (M_r〚t₂〛 α(ν)) = α(M_l〚t₁〛 ν) α(M_l〚t₂〛 ν).

The first equality is by the definition of the semantics, the second is the induction hypothesis. Compatibility justifies the first of the following equalities. The second is again the definition of the semantics:
α(M_l〚t₁〛 ν) α(M_l〚t₂〛 ν) = α((M_l〚t₁〛 ν) (M_l〚t₂〛 ν)) = α(M_l〚t₁ t₂〛 ν).
Case λ x:κ.t₁.
We argue for compatibility. Consider compatible v_l and v_l′ with α(v_l)=α(v_l′). By definition of the semantics and the induction hypothesis, we have
                α((M_l〚λ x.t₁〛 ν) v_l) = α(M_l〚t₁〛 ν[x↦ v_l]) = M_r〚t₁〛 α(ν[x↦ v_l])  .

For v_l′, the reasoning is similar. Since α(v_l)=α(v_l′), we have α(ν[x↦ v_l])=α(ν[x↦ v_l′]). Hence, M_r〚t₁〛 α(ν[x↦ v_l])=M_r〚t₁〛 α(ν[x↦ v_l′]). We conclude the desired equality.
For the second requirement in compatibility, let v_l be compatible. By definition of the semantics, (M_l〚λ x.t₁〛 ν) v_l = M_l〚t₁〛 ν[x↦ v_l]. Since ν and v_l are compatible, ν[x↦ v_l] is compatible. Hence, M_l〚t₁〛 ν[x↦ v_l] is compatible by the induction hypothesis.
To prove M_r〚λ x.t₁〛 α(ν) = α(M_l〚λ x.t₁〛 ν), consider an arbitrary value v_r ∈ D_r(κ). Let v_l∈D_l(κ₁) be compatible with α(v_l)=v_r, which exists by Lemma 10. We have:
                (M_r〚λ x.t₁〛 α(ν)) v_r = M_r〚t₁〛 α(ν)[x ↦ v_r] = M_r〚t₁〛 α(ν[x↦ v_l])  .

We showed above that M_l〚λ x.t₁〛 ν is compatible. Using the definition of abstraction for functions and the definition of the semantics, the other function yields
                α(M_l〚λ x.t₁〛 ν) v_r = α((M_l〚λ x.t₁〛 ν) v_l)= α(M_l〚t₁〛 ν[x↦ v_l])  .

With the induction hypothesis, α(M_l〚t₁〛 ν[x↦ v_l])=M_r〚t₁〛 α(ν[x↦ v_l]).

▫

D.3 Proof of Theorem 2

Recall σ_l⁰ and σ_r⁰ are the greatest elements of the respective domains. We have

α(σ_l)=α(⊓_i∈ N rhs_{M_l}ⁱ(σ_l⁰))= ⊓_i∈N α(rhs_{M_l}ⁱ(σ_l⁰)) = ⊓_i∈N rhs_{M_r}ⁱ(σ_r⁰) = σ_r.

The first equality is Kleene’s theorem. The second equality uses the fact that each rhs_{M_l}ⁱ(σ_l⁰) is compatible and that they form a descending chain (both by induction on i), and then applies Lemma 11. The third equality also relies on compatibility of the rhs_{M_l}ⁱ(σ_l⁰) and invokes Lemma 2. Moreover, it needs α(σ_l⁰)=σ_r⁰ by Lemma 12. The last equality is again Kleene’s theorem. ▫

E Proofs for Section 6

E.1 Proof of Lemma 3

Observe I^A($) = Q_f = acc(ε). Given a formula φ∈ PBool(acc(T^*)), we have to show that pre_a(φ)∈ PBool(acc(T^*)). Since pre_a distributes over conjunction and disjunction, it is sufficient to show the requirement for atomic propositions. Consider Q=acc(w). We have I^A(a) acc(w) = pre_a(acc(w)) = acc(a.w). Finally, I^A(op_F) with F∈ N is conjunction or disjunction, and there is nothing to do as the formula structure is not modified. ▫

E.2 Proof of Lemma 4

We require, for all terminals s, I^A(s) is ⊓-continuous over the respective lattices. We remark that the case s = op_F is identical to Lemma 1. Hence, we show the case s = a ∈ Γ. Given a descending chain (x_i)_i∈N, we have to show I(a) (⊓_i∈N x_i) = ⊓_i∈N (I(a) x_i). Recall that the meet of formulas is conjunction, and that we are in a finite domain. The latter means that the infinite conjunction is really the conjunction of finitely many formulas. Now pre_a is defined to distribute over finite conjunctions. We have

I(a) (⊓_i∈N x_i) = pre_a

⎛
⎜
⎜
⎝

∧

i finite

x_i

⎞
⎟
⎟
⎠

∧

i finite

pre_a

⎛
⎝

x_i

⎞
⎠

= ⊓_i∈N (I(a) x_i)

as required. ▫

E.3 Proof of Proposition 2

To show α is precise, we have to show (P1) to (P5). For (P1), it is sufficient to argue that for every set of states Q∈ acc(T^*) there is a word that is mapped to it — which holds by definition. For formulas, note that α=acc distributes over conjunction and disjunction, which means we can take the same connectives in the concrete as in the abstract and replace the leaves appropriately. Note that we only need a set consisting of one formula.
(P2) is satisfied by the concrete meet being the union of sets of formulas and α being defined by an element-wise application.
For (P3), note that the greatest elements are {true} for D^C(o) and true for D^A(o). By definition, α({true})=α(true)=true.
For (P4), consider $. We have α(I^C($)) = α({ε})=acc(ε)=Q_f=I^A($). The first equality is by definition of the concrete interpretation, the second is the definition of α, the third uses the fact that ε is accepted precisely from the final states, and the last equality is the interpretation of the $ in the abstract domain.

For a letter a and a word w⊆ T^*, we have

α(I^C(a) w) = α(prepend_a(w))= α(a.w) = acc

⎛
⎝

a.w

⎞
⎠

=pre_a(acc

⎛
⎝

⎞
⎠

) = I^A(a) α(w).

The first equality is the interpretation of a in the concrete, the second is the definition of prepending a letter, the third is the definition of the abstraction, the next is how taking predecessors changes the set of states from which a word is accepted, and the last equality is the interpretation of a in the abstract domain and the definition of the abstraction function. The relation generalizes to formulas by noting that both the concrete interpretation and the abstract interpretation of a distribute over conjunction and disjunction. It also generalizes to sets of formulas by noting that prepend_a is applied to all elements in the set and, in the abstract domain, pre_a distributes over conjunction.

Let F be a non-terminal owned by □. To simplify the notation, let the associated operation be binary, op_F:o→ o → o. Let Φ₁,Φ₂∈D^C(o) be sets of formulas. We have

α(I^C(op_F) Φ₁ Φ₂) = α(Φ₁⋃ Φ₂)

∧

φ∈Φ₁⋃ Φ₂

α(φ)

∧

φ∈Φ₁

α(φ) ∧

∧

φ∈Φ₂

α(φ) = I^A(op_F)(α(Φ₁) α(Φ₂)).

The first equality is the concrete interpretation of op_F. The second is the definition of the abstraction function. The third equality holds as we work up to logical equivalence. The last is the abstract interpretation of op_F and again the definition of the abstraction.

Assume F is owned by ◇ and op_F is again binary. Consider Φ₁,Φ₂∈D^C(o). It will be convenient to denote {φ₁∨φ₂ | φ₁∈ Φ₁,φ₂∈ Φ₂} by Φ. We have

α(I^C(op_F) Φ₁ Φ₂) = α(Φ)

∧

φ₁∨φ₂∈ Φ

α(φ₁∨φ₂)

∧

φ₁∈ Φ₁, φ₂∈ Φ₂

(α(φ₁)∨α(φ₂))

= (

∧

φ₁∈Φ₁

α(φ₁))∨ (

∧

φ₂∈Φ₂

α(φ₂)) = I^A(op_F)(α(Φ₁) α(Φ₂)).

The first equality is the concrete interpretation of op_F, the second is the definition of α on sets of formulas. The third equality is the fact that α distributes over disjunctions and rewrites the iteration over the elements of Φ. The following equality is distributivity of conjunction over disjunction, and the fact that we work up to logical equivalence. The last is the abstract interpretation of op_F and the definition of the abstraction function.
It remains to show (P5). For I^C($) and I^C(a), there is nothing to do as all ground values are compatible. Assume F is owned by □ and op_F is binary. The proof for ◇ is similar. We show that, given a set of formulas Φ, the function Φ∪ − is compatible. An inspection of the proof of (P4) shows that for any set of formulas φ₁, we have

α(Φ⋃ Φ₁) = α(Φ)∧ α(Φ₁).

Hence, if α(Φ₁)=α(Φ₂), then α(Φ∪ Φ₁)= α(Φ∪ Φ₂). That Φ∪ Φ₁ is compatible holds as the element is ground. ▫

E.4 Proof of Lemma 5

v We have I^O($)=∨Q_f= α(Q_f)=α(acc(ε)). For I^O(a), we note that both the abstract and the optimized interpretation distribute over conjunctions and disjunctions. Hence, it remains to consider whether the application to leaves results in a disjunction that is the image of an abstract set. Let Q=acc(w). We have

I^O(a) α(acc

⎛
⎝

⎞
⎠

) = I^O(a) (∨Q)

∨

q∈ Q

I^O(a) q

∨

q∈ Q

∨pre_a(

⎧
⎨
⎩

⎫
⎬
⎭

)

=∨pre_a(Q)

=α(pre_a(Q)) =α(pre_a(acc

⎛
⎝

⎞
⎠

))=α(acc

⎛
⎝

a.w

⎞
⎠

The first equality is the definition of the abstraction function. Then we apply distributivity of the optimized interpretation of a over disjunctions. The following equality is the actual interpretation of a in the optimized model. The next equality uses pre_a(Q)=∪_{q∈ Q}pre_a(q). The following is again the definition of the abstraction function. Then we replace Q by its definition. Finally, we note the interplay between pre_a and acc(−).

For conjunction and disjunction, which are used as the interpretation of op_F depending on the player, we note that α distributes to the arguments. Hence, if the arguments are α(φ₁) and φ₂, we have α(φ₁)∧ α(φ₂)=α(φ₁∧ φ₂). ▫

E.5 Proof of Lemma 6

We need, for all terminals s, I^O(s) is ⊓-continuous over the respective lattices. We remark that the case s = op_F is identical to Lemma 1. The case s = a ∈ Γ follows from distributivity of I^O(a) as in the proof of Lemma 4. ▫

E.6 Proof of Proposition 3

We show the optimized abstraction is precise. Surjectivity in (P1) holds by definition as does (P3). Also ⊓-continuity in (P2) is by the fact that the meets over the concrete domain are finite, and hence the definition of α already yields continuity. We argue for (P4).
For $, Lemma 5 yields I^O($)=α(Q_f), which is α(I^A($)) as required. For a, the same lemma shows I^O(a) α(acc(w))=α(pre_a(acc(w))), which is α(I^A(a) acc(w)). The equality generalizes to formulas as both, the abstraction function and the interpretations distribute over conjunctions and disjunctions. For op_F, assume it is a binary conjunction. We have

I^O(op_F) α(φ₁) α(φ₂)= α(φ₁)∧ α(φ₂)=α(φ₁∧ φ₂)=α(I^A(op_F) φ₁ φ₂).

The first equality is the definition of the interpretation in the optimized model, the next is distributivity of α over conjunction. Finally, we have the interpretation of op_F in the abstract model.
For (P5), there is nothing to do for I^C($) and I^C(a), as all ground values are compatible. We consider the conjunctions and disjunctions used to resolve the non-determinism. Consider a formula φ. The task is to show that the function φ∧ − is compatible. Consider φ₁ and φ₂ with α(φ₁)=α(φ₂). Then

α(φ∧ φ₁)=α(φ)∧α(φ₁)=α(φ)∧α(φ₂)=α(φ∧φ₂).

The first equality is distributivity of the abstraction function over conjunctions. The next is the assumed equality. The third is again distributivity. Compatibility of φ∧φ₁ holds as ground values are always compatible. ▫

E.7 Proof of Corollary 1

To show the complexity, we argue the upper and lower bounds separately.

[Proof of Proposition 4] We need to argue that σ_M^O can be computed in (k+1)-times exponential time. We have that σ_M^O = ⊓_{i ∈ N} rhs_M^Oⁱ(σ_l⁰). Since the domains D^O(κ) are finite for all kinds κ, there is an index i₀ ∈ N such that σ_M^O = ⊓_{i = 0}^i₀ rhs_M^Oⁱ(σ_l⁰) = rhs_M^O^i₀(σ_l⁰). In the following, we will see that the number of iterations, i.e. the index i₀ is at most (k+1)-times exponential, and that one iteration can be executed in (k+1)-times exponentially many steps.

First, we reason about the number of iterations. For a partial order D, we define its height h(D) as the length of the longest strictly descending chain, i.e. the height is m if the longest such chain is of the shape

x₀ > x₁ > … > x_k .

The height of the domain is an upper bound for i₀ by its definition: If for some index i₁ we have rhs_M^O^i₁(σ_l⁰) = rhs_M^O^{i₁ + 1}(σ_l⁰), we know ⊓_{i = 0}^i₀ rhs_M^Oⁱ(σ_l⁰) = rhs_M^O^i₀1(σ_l⁰) and thus i₁ = i₀. Such an index i₁ has to exist and has to be smaller than the height of the domain, otherwise the sequence of the rhs_M^Oⁱ(σ_l⁰) would form a chain that is strictly longer than the height, a contradiction to the definition.

It remains to see what the height of our optimized domain is. Recall that rhs_M^O has the type signature (N → D^O) → (N → D^O). Our goal in the following is to determine h(N → D^O ). We can identify N → D^O with D^O(F₁) × … × D^O(F_ℓ), where F₁, …, F_ℓ are the non-terminals of the scheme. The height of this product domain is the sum of its height. We are done if we show that even the domain D^O(F) with the maximal height is (k+1)-times exponentially high, since the number of non-terminals is polynomial in the input scheme.

In the following we prove: If kind κ is of order k′, then D^O(κ) has (k′+1)-times exponential height. For the induction step, we also need to consider the cardinality of D^O(κ), therefore, we strengthen the statement and also prove that the cardinality |D^O(κ)| is (k′+2)-times exponential.

We proceed by induction on k′.

In the base case k′ = 0, we necessarily have κ = o, and indeed the domain α(PBool(acc(T^*))) ⊆ PBool(Q_NFA) is singly exponentially high. To see that this is the case, consider a strictly decreasing chain (φ_j)_{j ∈ N} of positive boolean formulas over Q_NFA, i.e. a chain where each formula is strictly implied by the next. To each formula, φ_j, we assign the set Q_j = {Q ⊆ Q_NFA | Q satisfies φ_j} of assignments under which φ_j evaluates to true. That φ_j is strictly implied by φ_j+1 translates to the fact that Q_j is a strict subset of Q_j+1. This gives us that the sets Q_j themselves form a strictly ascending chain in P(P(Q_NFA)), and it is easy to see that such a chain has length at most | P(Q_NFA) | = 2^|Q_NFA|.

Furthermore, we can represent each equivalence class of formulas in PBool(Q_NFA) by a representative in conjunctive normal form, i.e. by an element of P(P(Q_NFA)). This shows that the cardinality of the domain is indeed bounded by | P(P(Q_NFA)) | = 2^|P(Q_NFA)| = 2^{2^|Q_NFA|}.

Now assume the statement holds for k′, and consider κ of order k′+1. We need an inner induction on the arity m of κ.

Since o is the only kind of arity 0, and does not have order k′+1 for any k′, there is nothing to do in the base case.

Now assume that κ = κ₁ → κ₂. By the definitions of arity and order, we know that κ₁ is of order at most k′, therefore we now by the outer induction that the height of D^O(κ₁) is at most (k′+1)-times exponential. The order of κ₂ is at most (k′+1), but the arity of κ₂ is strictly less than the arity of κ, thus we get by the inner induction that the height of D^O(κ₂) is at most (k′+2)-times exponential.

The domain D^O(κ₁ → κ₂) = Cont(D^O(κ₁), D^O(κ₂)) is a subset of all functions from D^O(κ₁) to D^O(κ₂). Let us reason about the height of this more general function domain. We know that its height is the height of the target times the size of the source, i.e. h(D^O(κ₂)) · | D^O(κ₁) |. The induction completes the proof, as both h(D^O(κ₂)) and | D^O(κ₁) | are at most (k′+2)-times exponential.

It remains to argue that each iteration can be implemented in at most (k+1)-times exponentially many steps. To this end, we argue that each element of D^O(κ) can be represented by an object of size (k′+1)-times exponential, where k′ is the order of κ. It is easy to see that all operations that need to be executed on these objects, namely evaluation, conjunction, disjunction, and predecessor computation can be implemented in polynomial time in the size of the objects.

Let k′ = 0, i.e. κ = o. We again represent each element of D^O(o) by a formula over Q_NFA in conjunctive normal form, i.e. as an element of P( P( Q_NFA)). In the worst case, one single formula φ contains everyone of the 2^Q_NFA many clauses, each clause having size at most |Q_NFA|. This means that one formula needs at most singly exponential space.

For the induction step, consider κ of order k+1. As above, we need an inner induction on the arity of κ, for which the base case is trivial.

Let κ = κ₁ → κ₂. An element of D^O(κ) is a function that assigns to each of the |D^O(κ₁)|-many elements of D^O(κ₁) an element of D^O(κ₂). In the previous part of the proof, we have argued, that |D^O(κ₁)| is at most (k+1) times exponential. By the induction on the arity, we know that each object in D^O(κ₂) can be represented in at most (k+2)-times exponential space. This shows that objects of D^O(κ) can be represented using (k+2)-times exponential space, and finishes the proof. ▫

We show that determining the winner in a higher-order word game is (k+1)EXP-hard for an order-k recursion scheme.

[Proof of Proposition 5] We begin with a result due to Engelfriet [18] that shows alternating k-iterated pushdown automata with a polynomially bounded auxiliary work-tape (k-PDA⁺) characterize the (k+1)EXP word languages. We fix any (k+1)EXP-hard language and its corresponding alternating k-PDA B. Let L(B) be the set of words accepted by B. Deciding if a given word w is in the language defined by B is (k+1)EXP-hard in the size of w (recall B is fixed). We show that this problem can be reduced in polynomial time to an inclusion problem L(B′) ⊆ L(A) for some k-iterated pushdown automaton (without work-tape) (k-PDA) B′ and NFA A of size polynomial in the length of w. From B′, we can construct in polynomial time an equivalent game over a scheme G. This will show the game language inclusion problem for order-k schemes is (k+1)EXP-hard.

In an alternating k-PDA⁺, there are two Players ◇ and □. When decided whether a word w is in the language of a k-PDA⁺, ◇ will attempt to prove the word is in the language, while □ will try to refute it.

We first describe how to obtain B′ from B. Since the word w is fixed, we can force B to output the word w by forming a product of w with the states of B. Call this automaton B × w. This reduces the word membership problem to the problem of determining whether B × w can reach an accepting state. Next, to remove the worktape from B × w (and form B′) we replace the output of B × w (which will always be w or empty) with a series of guesses of the worktape. That is, a transition of B × w will be simulated by B′ by first making a transition as expected, and then outputting a guess (consistent with the transition) of what the worktape of B × w should be. The automaton A will accept a guessed sequence of worktapes iff it is able to find an error in the sequence. The word w will be in the language of B if B′ is able to reach a final state and produce a word w′ that is correct; that is, w′ is not in the language of A.

Note, here, the reversal of the roles of the Players. In B, control states are owned by ◇ or □. When determining if w ∈ L(B) for some w, the first Player ◇ tries to show the word is accepted, while the second Player □ tries to force a non-accepting run. In B′, however, w is accepted iff the output of B′ is not included in the language of A. Thus, □ will effectively be aiming to prove that w ∈ L(B).

In more detail, we take any (k+1)EXP-hard language and its equivalent (fixed) alternating k-PDA⁺. Given a word w, deciding w ∈ L(B) is (k+1)EXP-hard. We define B′ directly from B rather than going through the intermediate B × w.

A transition (p, a, o, σ, p′) of B means the following. From control state p, upon reading a character a from w, apply operation o to the work-tape (which may become stuck if not applicable) and operation σ to the stack (which may also become stuck if not applicable). Next, move to control state p′, from which the remainder of w is to be read.

Let m be the polynomial bound on the size of the work-tape of A given the input word w. Let Σ be the alphabet of the work-tape. Let the set of work-tape operations O = {o₁, …, o_n} and work-tape positions P = [1..m] be disjoint from Σ. Also, let ∘ ∈ Σ be the initial symbol appearing in each cell of the initial work-tape. We will construct A′ such that

⎛
⎝

A′

⎞
⎠

⊆ ∘^m

⎛
⎝

P O Σ^m

⎞
⎠

^∗ .

That is, A′ outputs a sequence of work-tape configurations separated by positions in P and operations in O. That is, A′ will simulate a run of A over w.

For every control state p of A, we will have control states (p, w′) of A′, where w′ is a suffix of w. We will also have (p, w′, o) where o is a work-tape operation to be applied. Then for each transition (p, a, o, σ, p′) of B we have a transition ((p, aw′), ε, σ, (p′, w′, o)) of B × w. From (p′, w′, o) the automaton B′ will output some character from P (a guess at the work-tape head position), followed by o (to indicate the operation applied). It will then be able to output any word from Σ^m (a guess of the work-tape contents) before moving to (p′, w′) and continuing the simulation. Initially, B′ will simply output ∘^m and move to control state (p, w) where p is the initial control state of B.

The final step in defining B′ is to assign ownership of the control states. Recall, we needed to switch the roles of the Players. Thus, we define O((p, w)) = ◇ whenever p belongs to □ in B. All other control states of B′ are owned by □. We define the accepting control states to be those of the form (p, ε) where p is accepting in B. Observe these have no outgoing transitions.

Next we define the regular automaton A which detects mistakes in the work-tape. Such an error is either due to a poorly updated cell, or due to a poorly updated head position. The set of work-tape operations O is such that there is a mapping

π : (P × O → P) ⋃ (P × Σ × P × O → Σ ⋃ {⊥})

where ⊥ ∉ Σ and

π(i, o) = j means if the head is at position i, it is at position j after operation o, and
π(i, α, j, o) = β means, if the head is at position i, α is the contents of the cell at position j, and operation o is applied, then β is the contents of the cell after applying o. If β = ⊥ then o could not be applied to this work-tape and became stuck. (E.g. if i = j and the operation required the head to read a character other than α.)

Thus, we require the following regular language, for which a polynomially-sized regular automaton is straightforward to construct. Let Γ = Σ ∪ P ∪ O.

⎛
⎝

⎞
⎠

⎛
⎜
⎜
⎝

Γ^∗

⎛
⎜
⎜
⎝

∪

π(i, o) ≠ j

i o Σ^m j

⎞
⎟
⎟
⎠

Γ^∗

⎞
⎟
⎟
⎠

⋃

⎛
⎜
⎜
⎝

Γ^∗

⎛
⎜
⎜
⎝

∪

π(i, α, j, o) ≠ β

i o Σ^j α Γ^m+2 β

⎞
⎟
⎟
⎠

Γ^∗

⎞
⎟
⎟
⎠

We have thus defined a k-PDA B′ that produces some word w′ not accepted by A iff w is accepted by B.

The final step is to produce a game over a scheme G that is equivalent to the game problem for k-iterated pushdown automata. This is in fact a straightforward adaptation of the techniques introduced by Knapik et al. [38]. However, we choose to complete the sketch using definitions from Hague et al. [30] as we believe these provide a clearer reference. In particular, we adapt their Definition 4.3.

The key to the reduction is a tight correspondence (given in op. cit.) between configurations (q, s) of a k-iterated pushdown automaton, and terms of the form¹ F_q^a Ψ_k−1 ⋯ Ψ₀. That is, every configuration is represented (in a precise sense) by such a term and every term of such a form represents a configuration. Moreover, for every transition (q, a, o, σ, q′) of the pushdown automaton, when o ≠ ε we can associate a rewrite rule of the scheme

F_q^a = λ

. o(e_(q′, σ))

such that the term obtained by applying the rewrite rule to F_q^a Ψ_k−1 ⋯ Ψ₀ is a term o(F_q′^b Ψ′_k−1 ⋯ Ψ′₀) where F_q′^b Ψ′_k−1 ⋯ Ψ′₀ represents the configuration reached by the transition. That is, (q′, σ(s)). When o = ε we simply omit o, that is

F_q^a = λ

. e_(q′, σ) .

To each non-terminal, we assign O(F_q^a) = ◇ whenever q is a ◇ control state. Otherwise, O(F_q^a) = □. For every accepting control state q we introduce the additional rule

F_q^a = λ

. $ .

Finally, we have an initial rule

S = t

where t is the term representing the initial configuration.

Given the tight correspondence between configurations and transitions of the k-PDA and terms and rewrite steps of G, alongside the direct correspondence between the owner of a control state q and the owner of a non-terminal of G, it is straightforward to see, via induction over the length of an accepting run in one direction, or derivation sequence in the other, that B′ is able to produce a word not in A iff a word not in A is derivable from S. Thus, we have reduced the word acceptance problem for some alternating k-PDA⁺ to the game problem for language inclusion of a scheme. This shows the problem is (k+1)EXP-hard. ▫

1: In fact, in op. cit. non-terminals had the form F_q^{a, e} Ψ Ψ_k−1 ⋯ Ψ₀. where e and Ψ are used to handle collapse links, which we do not need here.

This document was translated from L^AT_EX by H^EV^EA.