Unboundedness and Downward Closures of Higher-Order Pushdown Automata

Matthew Hague
Royal Holloway, University of London

Jonathan Kochems
Department of Computer Science, Oxford University

C.-H. Luke Ong
Department of Computer Science, Oxford University

Abstract: We show the diagonal problem for higher-order pushdown automata (HOPDA), and hence the simultaneous unboundedness problem, is decidable. From recent work by Zetzsche this means that we can construct the downward closure of the set of words accepted by a given HOPDA. This also means we can construct the downward closure of the Parikh image of a HOPDA. Both of these consequences play an important rôle in verifying concurrent higher-order programs expressed as HOPDA or safe higher-order recursion schemes.

1  Introduction

Recent work by Zetzsche [40] has given a new technique for computing the downward closure of classes of languages. The downward closure ↓(L) of a language L is the set of all subwords of words in L (e.g. a a is a subword of b a b a b). It is well known that the downward closure is regular for any language [19]. However, there are only a few classes of languages for which it is known how to compute this closure. In general it is not possible to compute the downward closure since it would easily lead to a solution to the halting problem for Turing machines.

However, once a regular representation of the downward closure has been obtained, it can be used in all kinds of analysis, since regular languages are well behaved under all kinds of transformations. For example, consider a system that waits for messages from a complex environment. This complex environment can be abstracted by the downward closure of the messages it sends or processes it spawns. This corresponds to a lossy system where some messages may be ignored (or go missing), or some processes may simply not contribute to the remainder of the execution. In many settings – e.g. the analysis of safety properties of certain kinds of systems – unread messages or unscheduled processes do not effect the precision of the analysis. Since many types of system permit synchronisation with a regular language, this environment abstraction can often be built into the system being analysed.

Many popular languages such as JavaScript, Python, Ruby, and even C++, include higher-order features – which are increasingly important given the popularity of event-based programs and asynchronous programs based on a continuation or callback style of programming. Hence, the modelling of higher-order function calls is becoming key to analysing modern day programs.

A popular approach to verifying higher-order programs is that of recursion schemes and several tools and practical techniques have been developed [23, 38, 26, 24, 30, 5, 6, 34]. Recursion schemes have an automaton model in the form of collapsible pushdown automata (CPDA) [18] which generalises an order-2 model called 2-PDA with links [1] or, equivalently, panic automata [22]. When these recursion schemes satisfy a syntactical condition called safety, a restriction of CPDA called higher-order pushdown automata (HOPDA or n-PDA for order-n HOPDA) is sufficient [29, 21]. HOPDA can be considered an extension of pushdown automata to a “stack of stacks” structure. It remains open as to whether CPDA are strictly more expressive than nondeterministic HOPDA when generating languages of words. It is known that, at order 2, nondeterministic HOPDA and CPDA generate the same word languages [1]. However, there exists a language generated by a deterministic order-2 CPDA that cannot be generated by a deterministic HOPDA of any order [31].

It is well known that concurrency and first-order recursion very quickly leads to undecidability (e.g. [33]). Hence, much recent research has focussed on decidable abstractions and restrictions (e.g. [14, 4, 20, 27, 13, 37, 28, 10, 16]). Recently, these results have been extended to concurrent versions of CPDA and recursion schemes (e.g. [35, 25, 15, 32]). Many approaches rely on combining representations of the Parikh image of individual automata (e.g. [13, 17, 16]). However, combining Parikh images of HOPDA quickly leads to undecidability (e.g. [17]). In many cases, the downward closure of the Parikh image is an adequate abstraction.

Computing downward closures appears to be a hard problem. Recently Zetzsche introduced a new general technique for classes of automata effectively closed under rational transductions – also referred to as a full trio. For these automata the downward closure is computable iff the simultaneous unboundedness problem (SUP) is decidable.

Definition 1 (SUP [40])   Given a language La1aα does ↓(L) = a1aα?
Theorem 1   [40, Theorem 1] Let C be class of languages that is a full trio. Then downward closures are computable for C if and only if the SUP is decidable for C.

Zetzsche used this result to obtain the downward closure of languages definable by 2-PDA, or equivalently, languages definable by indexed grammars [2]. Moreover, for classes of languages closed under rational transductions, Zetzsche shows that the simultaneous unboundedness problem is decidable iff the diagonal problem is decidable. The diagonal problem was introduced by Czerwiński and Martens [11]. Intuitively, it is a relaxation of the SUP that is insensitive to the order the characters are output. For a word w, let |w|a be the number of occurrences of a in w.

Definition 2 (Diagonal Problem [11])   Given language L we define
        Diagonala1, …, aα
L
= ∀ m . ∃ w ∈ L . ∀ 1 ≤ i ≤ α .
w
ai ≥ m  .
The diagonal problem asks if Diagonala1, …, aα(L) holds of L.
Corollary 1 (Diagonal Problem and Downward Closures)   Let C be class of languages that is a full trio. Then downward closures are computable for C if and only if the diagonal problem is decidable for C.

Proof. The only-if direction follows from Theorem 1 since given a language La1aα the diagonal problem is immediately equivalent to the SUP. In the if direction, the result follows since L satisfies the diagonal problem iff ↓(L) also satisfies the diagonal problem. Since the diagonal problem is decidable for regular languages and ↓(L) is regular, we have the result.


In this work, we generalise Zetzsche’s result for 2-PDA to the general case of n-PDA. We show that the diagonal problem is decidable. Since HOPDA are closed under rational transductions, we obtain decidability of the simultaneous unboundedness problem, and hence a method for constructing the downward closure of a language defined by a HOPDA.

Corollary 2 (Downward Closures)   Let P be an n-PDA. The downward closure ↓(L(P)) is computable.

Proof. From Theorem 3 (proved in the sequel), we know that the diagonal problem for HOPDA is decidable. Thus, using Corollary 1, we can construct the downward closure of P.


This result provides an abstraction upon which new results may be based. It also has several immediate consequences:

  1. decidability of separability by piecewise testable languages, which follows from from Czerwiński and Martens [11],
  2. decidability of reachability for parameterised concurrent systems of HOPDA communicating asynchronously via a shared global register, from La Torre et al. [36],
  3. decidability of finiteness of a language defined by a HOPDA, and
  4. computability of the downward closure of the Parikh image of a HOPDA.

We present our decidability proof in two stages. First we show how to decide Diagonala(P) for a single character and HOPDA P in Sections 3 and 4. In Sections 5, 6, and 7 we generalise our techniques to the full diagonal problem.

In Section 3.1 we give an outline of the proof techniques for deciding Diagonala(P). In short, the outermost stacks of an n-PDA are created and destroyed using pushn and popn operations. These pushn and popn operations along a run of an n-PDA are “well-bracketed” (each pushn has a matching popn and these matchings don’t overlap). The essence of the idea is to take a standard tree decomposition of these well-bracketed runs and observe that each branch of such a tree can be executed by an (n−1)-PDA. We augment this (n−1)-PDA with “regular tests” that allow it to know if, each time a branch is chosen, the alternative branch could have output some a characters. If this is true, then the (n−1)-PDA outputs a single a to account for these missed characters. We prove that, although the (n−1)-PDA outputs far fewer characters, it can still output an unbounded number iff the n-PDA could. Hence, by repeating this reduction, we obtain a 1-PDA, for which the diagonal problem is decidable since it is known how to compute their downward closures [39, 9].

In Section 6.1 we outline the generalisation of the proof to the full problem Diagonala1, …, aα(P). The key difficulty is that it is no longer enough for the (n−1)-PDA to follow only a single branch of the tree decomposition: it may need up to one branch for each of the a1, …, aα. Hence, we define HOPDA that can output trees with a bounded number (α) of branches. We then show that our reduction can generalise to HOPDA outputting trees (relying essentially on the fact that the number of branches is bounded).

2  Preliminaries

2.1  Downward Closures

Given two words w = γ1 … γm∈ Σ and w′ = σ1 … σl∈ Σ for some alphabet Σ, we write ww′ iff there exist i1 < … < im such that for all 1 ≤ jm we have γj= σij. Given a set of words L ⊆ Σ, we denote its downward closure ↓(L) = {w | ww′ ∈ L}.

2.2  Trees

A Σ-labelled finite tree is a tuple T = (D, λ) where Σ is a set of node labels, and D ⊂ ℕ is a finite set of nodes that is prefix-closed, that is, η   δ ∈ D implies η ∈ D, and λ : D → Σ is a function labelling the nodes of the tree.

We write ε to denote the root of a tree (the empty sequence). We also write

    a
T1, …, Tm

to denote the tree whose root node is labelled a and has children T1, …, Tm. That is, we define a[T1, …, Tm] = (D′, λ′) when for each δ we have Tδ= (Dδ, λδ) and D′ = {δη | η ∈ Dδ} ∪ {ε} and

    λ′
η
=




        a        η = ε
λδ
η′
        η = δη′
 .

Also, let T[a] denote the tree ({ε}, λ) where λ(ε) = a. A branch in T = (D, λ) is a sequence of nodes of T, η1 ⋯ ηn, such that η1 = є, ηn = δ1   δ2 ⋯ δn−1 is maximal in D, and ηj+1 = ηj   δj for each 1 ≤ jn−1.

2.3  HOPDA

HOPDA are a generalisation of pushdown systems to a stack-of-stacks structure. An order-n stack is a stack of order-(n−1) stacks. An order-n push operation pushes a new order-(n−1) stack onto the stack that is a copy of the existing topmost order-(n−1) stack. Rewrite operations update the character that is at the top of the topmost stacks.

Definition 1 (Order-n Stacks)   The set of order-n stacks SnΓ over a given stack alphabet Γ is defined inductively as follows.
        
S0Γ =Γ 
Sk+1Γ =


 
s1 … sm
k+1 
 
  ∀ i . si∈ SkΓ 

 . 
 

Stacks are written with the top part of the stack to the left. We define several operations.

    
topk

s1 … sm
k

=s1 
topk

s1 … sm
n

=
topk
s1
n > k 
 
rewγ

γ1 … γm
1

=

γ   γ2 … γm
1 
rewγ   

s1 … sm
n

=

rewγ
s1
  s2 … sm

 

n
 
n > 1 
 
pushk

s1 … sm
k

=

s1   s1 … sm
k 
pushk

s1 … sm
n

=

pushk
s1
    s2, …, sm

 

n
 
n > k 
 
popk

s1 … sm
k

=

s2 … sm
k 
popk

s1 … sm
n

=

popk
  s1
  s2, …, sm

 

n
 
n > k 
 

and set

    Opsn =

rewγ 
 γ ∈ Γ



pushk, popk 
 1 ≤ k ≤ n

to be the set of order-n stack operations.

For example

    
push2



 
 
γ   σ
1 

 

2
 




=

 
γ   σ
1 
γ   σ
1 

 

2
 
rewσ



 
 
γ   σ
1 
γ   σ
1 

 

2
 




=

 
σ   σ
1 
γ   σ
1 

 

2
  . 
 
Definition 2 (HOPDA or n-PDA)   An order-n higher order pushdown automaton (HOPDA or n-PDA) is given by a tuple (P, Σ, Γ, R, F, pin, γin) where P is a finite set of control states, Σ is a finite output alphabet (that contains the empty word character є), Γ is a finite stack alphabet, RP × Γ × Σ × Opsn × P is a set of transition rules, F is a set of accepting control states, pinP is the initial control state, and γin ∈ Γ is the initial stack character.

We write (p, γ) —a→ (p′, o) for a rule (p, γ, a, o, p′) ∈ R.

A configuration of an n-PDA is a tuple ⟨ p, s ⟩ where pP and s is an order-n stack over Γ. We have a transition ⟨ p, s ⟩ —a→ ⟨ p′, s′ ⟩ whenever we have (p, γ) —a→ (p′, o), top1(s) = γ, and s′ = o(s).

A run over a word w ∈ Σ is a sequence of configurations c0a1→ ⋯ —amcm such that the word a1am is w. It is an accepting run if c0 = ⟨ pin, [[ γin ]] ⟩ — where we write [[ γ ]] for [⋯[γ]1⋯]n — and where cm= ⟨ p, s ⟩ with pF. Furthermore, for a set of configurations C, we define

    PreP
C

to be the set of configurations c such that there is a run over some word from c to c′ ∈ C. When C is defined as the language of some automaton A accepting configurations, we abuse notation and write PreP(A) instead of PreP(L(A)).

For convenience, we sometimes allow a set of characters to be output instead of only one. This is to be interpreted as outputing each of the characters in the set once (in some arbitrary order). We also allow sequences of operations o1; …; om in the rules instead of single operations. When using sequences we allow a test operation γ? that only allows the sequence to proceed if the top1 character of the stack is γ. All of these extensions can be encoded by introducing intermediate control states.

2.3.1  Regular Sets of Stacks

We will need to represent sets of stacks. To do this we will use automata to recognise stacks. We define the stack automaton model of Broadbent et al. [8] restricted to HOPDA rather than CPDA. We will sometimes call these bottom-up stack automata or simply automata. The automata operate over stacks interpreted as words, hence the opening and closing braces of the stacks appear as part of the input. We annotate these braces with the order of the stack the braces belong to. Let Γ[] = {[n−1,…,[1, ]1,…,]n−1} ⊎ Γ. Note, we don’t include [n, ]n since these appear exclusively at the start and end of the stack.

Definition 3 (Bottom-up Stack Automata)   A tuple A is a bottom-up stack automaton when A is (Q, Γ, qin, QF, Δ) where Q is a finite set of states, Γ is a finite input alphabet, qinQ is the initial state and Δ : (Q × Γ) → Q is a deterministic transition function.

Representing higher order stacks as a linear word graph, where the start of an order-k stack is an edge labelled [k and the end of an order-k stack is an edge labelled ]k, a run of a bottom-up stack automaton is a labelling of the nodes of the graph with states in Q such that

  1. the rightmost (final) node is labelled by qin, and
  2. whenever we have for any γ ∈ Γ[], and pair of labelled nodes with an edge qγq′ then q = Δ(q′, γ).

The run is accepting if the leftmost (initial) node is labelled by qQF. An example run over the word graph representation of [ [ [γ   σ]1[σ]1 ]2 [ [σ]1 ]2 ]3 is given in Figure 1.

Let L(A) be the set of stacks with accepting runs of A. Sometimes, for convenience, if we have a configuration c = ⟨ p, s ⟩ of a HOPDA, we will write cL(A) when sL(A).

Figure 1: A run over [ [ [γ   σ]1[σ]1 ]2 [ [σ]1 ]2 ]3

3  The Single Character Case

We assume Σ = {a, ε} and use b to range over Σ. This can be obtained by simply replacing all other characters with ε. We also assume that all rules of the form (p, γ) —b→ (p′, o) with o = pushn or o = popn have b = ε. We can enforce this using intermediate control states to first apply o in one step, and then in another output b (the stack operation on the second step will be rewγ where γ is the current top character). We start with an outline of the proof, and then explain each step in detail.

For convenience, we assume acceptance is by reaching a unique control state in F with an empty stack (i.e. the lowermost stack was removed with a popn and F = {pf}). This can easily be obtained by adding a rule to a new accepting state whenever we have a rule leading to a control state in F. From this new state we can loop and perform popn operations until the stack is empty.

3.1  Outline of Proof

The approach is to take an n-PDA P and produce an (n−1)-PDA P−1 that satisfies the diagonal problem iff P does. The idea behind this reduction is that an (accepting) run of P can be decomposed into a tree with out-degree at most 2: each pushn has a matching popn that brings the stack back to be the same as it was before the pushn; we cut the run at the popn and hang the tail next to the pushn and repeat this to form a tree from a run. This is illustrated in Figure 2 where nodes are labelled by their configurations, and the pushn and popn points are marked. The dotted arcs connect nodes matched by their pushes and pops – these nodes have the same stacks. Notice that at each branching point, the left and right subtrees start with the same order-(n−1) stacks on top. Notice also that for each branch, none of its transitions remove the topmost order-(n−1) stack. Hence, we can produce an (n−1)-PDA that picks a branch of this tree decomposition to execute and only needs to keep track of the topmost order-(n−1) stack of the n-PDA. When picking a branch to execute, the (n−1)-PDA outputs a single a if the branch not chosen could have output some a characters. We prove that this is enough to maintain unboundedness.

Figure 2: Tree decompositions of runs.

In more detail, we perform the following steps.

  1. Instrument P to record whether an a character has been output. Then, using known reachability results, obtain regular sets of configurations from which the current topn stack can be popped, and moreover, we can know whether an a is output on the way. These tests can be seen as a generalisation of pushdown systems with regular tests introduced by Esparza et al. [12].
  2. From an n-PDA P, we define an (n−1)-PDA with tests P−1 and then an (n−1)-PDA P′ such that
                Diagonala
    		P
    		 ⇐⇒ Diagonala
    		P
    		  .
    The tests will be used to check the branches of the tree decomposition not explored by P−1.
  3. By repeated applications of the above reduction, we obtain an 1-PDA P for which Diagonala(P) is decidable since the downward closure of a context-free grammar (equivalent to 1-PDA) is computable [39, 9] and this is equivalent to the diagonal problem.

The (n−1)-PDA with tests P−1 will simulate the n-PDA P in the following way.

Although P−1 will output far fewer a characters than P (since it does not execute the full run), we show that it still outputs enough as for the language to remain unbounded.

We thus have the following theorem.

Theorem 1 (Decidability of the Diagonal Problem)   Given an n-PDA P and output character a, whether Diagonala(P) holds is decidable.

Proof. We construct via Lemma 2 an (n−1)-PDA P′ such that Diagonala(P) iff Diagonala(P′). We repeat this step until we have a 1-PDA. It is known that Diagonala(P) for an 1-PDA is decidable since it is possible to compute the downward closure [39, 9].


3.2  HOPDA with Tests

When executing a branch of the tree decomposition, to be able to ensure the branch is correct and whether we should output an extra a we need to know how the system could have behaved on the skipped branch. To do this we add tests to the HOPDA that allow it to know if the current stack belongs to a given regular set. We show in the following sections that the properties required for our reduction can be represented as regular sets of stacks. Although we take Broadbent et al.’s logical reflection as the basis of our proof, HOPDA with tests can be seen as a generalisation of pushdown systems with regular valuations due to Esparza et al. [12].

Definition 1 (n-PDA with Tests)   Given a sequence of automata A1, …, Am recognising regular sets of stacks, an n-PDA with tests is a tuple P = (P, Σ, Γ, R, F, pin, γin) where P, Σ, Γ, F, pin, and γin are as in HOPDA, and
        R ⊆ P × Γ ×

A1, …, Am

× Σ × Opsn × P
is a set of transition rules.

We write (p, γ, Ai) —b→ (p′, o) for (p, γ, Ai, b, o, p′) ∈ R. We have a transition ⟨ p, s ⟩ —b→ ⟨ p′, s′ ⟩ whenever (p, γ, Ai) —b→ (p′, o) ∈ R and top1(s) = γ, sL(Ai), and s′ = o(s).

We know from Broadbent et al. that these tests do not add any extra power to HOPDA. Intuitively, we can embed runs of the automata into the stack during runs of the HOPDA.

Theorem 2 (Removing Tests)   [8, Theorem 3 (adapted)] For every n-PDA with tests P, we can compute an n-PDA P with L(P) = L(P′).

Proof. This is a straightforward adaptation of Broadbent et al. [8]. A more general theorem is proved in Theorem 1.


3.2.1  Marking Outputs

When the HOPDA is in a configuration of the form ⟨ p, [s]n ⟩ – i.e. the outermost stack contains only a single order-(n−1) stack – we require the HOPDA to be able to know whether,

Given P, we first augment P to record whether an a has been produced. This can be done simply by recording in the control state whether a has been output.

Definition 2 (Pa)   Given P = (P, Σ, Γ, R, F, pin, γin) we define
        Pa =
P ⋃ Pa, Σ, Γ, R ⋃ Ra, F ⋃ Fa, pin, γin
where
        
            Pa=
            

pa 
 p ∈ P

Ra=
            


pa, γ
b→ 
pao
 
 

p, γ
b→ 
p′, o
∈ R


 ⋃
  
            


p, γ
a→ 
pao
 
 

p, γ
a→ 
p′, o
∈ R


Fa=
            

pa 
 p ∈ F

It is easy to see that P and Pa accept the same languages, and that Pa is only in a control state pa if an a has been output.

3.2.2  Building the Automata

Fix some P = (P, Σ, Γ, R, F) and Pa = (Pa, Σ, Γ, Ra, Fa). To obtain a HOPDA with tests, we need, for each p1, p2P the following automata. Note, we define these automata to accept order-(n−1) stacks since they will be used in an (n−1)-PDA with tests.

  1. Ap1, p2 accepting all stacks s such that there is a run of P from ⟨ p1, [s]n ⟩ to ⟨ p2, []n ⟩,
  2. Ap1, p2a accepting all stacks s such that there is a run of P from ⟨ p1, [s]n ⟩ to ⟨ p2, []n ⟩ that outputs at least one a.

To do this we will use a reachability result due to Broadbent et al. that appeared in ICALP 2012 [7]. This result uses an automata representation of sets of configurations. However, these automata are slightly different in that they read full configurations “top down”, whereas the automata of Theorem 2 (Removing Tests) read only stacks “bottom up”.

It is known that these two representations are effectively equivalent, and that both form an effective boolean algebra [8, 7]. In particular, for a top-down automaton A and a control state p we can build a bottom-up stack automaton B such that ⟨ p, s ⟩ ∈ L(A) iff sL(B) and vice versa. We recall the reachability result.

Theorem 3   [7, Theorem 1 (specialised)] Given an HOPDA P and a top-down automaton A, we can construct an automaton A accepting PreP(A).

Let Ap, γ be a top-down automaton accepting configurations of the form ⟨ p, [s]n ⟩ where top1(s) = γ. Next, let

    Ap =
 

p′, γ
ε→ 
p, popn
∈ R
Ap′, γ

and

    Apa=
 

p′, γ
ε→ 
p, popn
∈ R
Apa, γ

I.e. Ap and Apa accept configurations of Pa from which it is possible to perform a popn operation to p and reach the empty stack.

Definition 3 (Ap1, p2 and Ap1, p2a)   Using the preceding notation, given p1 and p2 we define bottom-up automata

It is easy to see both Ap1, p2 and Ap1, p2a are regular and representable by bottom-up automata since both

    PreP
Ap2
     and     PrePa
Ap2a

are regular from Theorem 3, and bottom-up and top-down automata are effectively equivalent. To enforce only stacks of the form [s]n we intersect with an automaton A1 accepting all stacks containing a single order-(n−1) stack (this is clearly regular).

3.3  Reduction to Lower Orders

We are now ready to complete the reduction. Correctness is shown in Section 4. Let Att be the automaton accepting all stacks. In the following definition, a control state (p1, p2) means that we are currently in control state p1 and are aiming to empty the stack on reaching p2, and the rules Rsim simulate all operations apart from pushn and popn directly, Rfin detect when the run is accepting, Rpush follow the push branch of the tree decomposition, using tests to ensure the existence of the pop branch, and Rpop follow the pop branch of the tree decomposition, also using tests to check the existence of the push branch.

Definition 4 (P−1)   Given an n-PDA P described by the tuple (P, Σ, Γ, R, {pf}, pin, γin) as well as families of automata (Ap1, p2)p1, p2P and (Ap1, p2a)p1, p2P we define an (n−1)-PDA with tests
        P−1 = 
P−1, Σ, Γ, R−1, F−1,
pinpf
, γin

where
        
            P−1=
            


p1p2
 
  p1p2 ∈ P



f

R−1=            Rsim ⋃ Rfin ⋃ Rpush ⋃ Rpop
F−1=
            

f

and we define

In the next section, we show the reduction is correct.

Lemma 1 (Correctness of P−1)  
            Diagonala
P
 ⇐⇒ Diagonala
P−1

To complete the reduction, we convert the HOPDA with tests into a HOPDA without tests.

Lemma 2 (Reduction to Lower Orders)   For every n-PDA P we can construct an (n−1)-PDA P such that
        Diagonala
P
 ⇐⇒ Diagonala
P
 .

Proof. From Definition 4 (P−1) and Lemma 1 (Correctness of P−1), we obtain from P an (n−1)-PDA with tests P−1 satisfying the conditions of the lemma. To complete the proof, we invoke Theorem 2 (Removing Tests) to find P′ as required.


4  Correctness of Reduction

This section is dedicated to the proof of Lemma 1 (Correctness of P−1).

The idea of the proof is that each run of P can be decomposed into a tree: each pushn operation creates a node whose left child is the run up to the matching popn, and whose right child is the run after the matching popn. All other operations create a node with a single child which is the successor configuration.

Each branch of such a tree corresponds to a run of P−1. To prove that P−1 can output an unbounded number of as we prove that any tree containing m edges outputting a must have a branch along which P−1 would output log(m) a characters. Thus, if P can output an unbounded number of a characters, so can P−1.

4.1  Tree Decomposition of Runs

Given a run

    ρ = c0 —b1c1 —b2→ ⋯ —bm→ cm

of P where each pushn operation has a matching popn, we can construct a tree representation of ρ inductively. That is, we define Tree(c) = T[ε] for the single-configuration run c, and, when

    ρ = c —b→ ρ′

where the first rule applied does not contain a pushn operation, we have

    Tree
ρ
b
Tree
ρ′

and, when

    ρ = c0 —ε→ ρ1 —ε→ ρ2

with c1 being the first configuration of ρ2 and where the first rule applied in ρ contains a pushn operation, c0 = ⟨ p, s ⟩ and c1 = ⟨ p′, s ⟩ for some p, p′, s and there is no configuration in ρ1 of the form ⟨ p″, s ⟩, then

    Tree
ρ
= ε
Tree
ρ1
, Tree
ρ2

  .

An accepting run of P has the form ρ —εc where ρ has the property that all pushn operations have a matching popn and the final transition is a popn operation to c = ⟨ p, []n ⟩ for some pF. Hence, we define the tree decomposition of an accepting run to be

    Tree
ρ —ε→ c
= ε
Tree
ρ
, T
ε

 .

4.2  Scoring Trees

In the above tree decomposition of runs, the tree branches at each instance of a pushn operation. This mimics the behaviour of P−1, which performs such branching non-deterministically. Hence, given a run ρ of P, each branch of Tree(ρ) corresponds to a run of P−1.

We formalise this intuition in the following section. In this section, we assign scores to each subtree T of Tree(ρ). These scores correspond directly to the largest number of a characters that P−1 can output while simulating a branch of T.

Note, in the following definition, we exploit the fact that only nodes with exactly one child may have a label other than ε. We also give a general definition applicable to trees with out-degree larger than 2. This is needed in the simultaneous unboundedness section. For the moment, we only have trees with out-degree at most 2.

Let

    
b
 =


0b = ε 
1b = a 
    and    
m
 =


0m = 0 
1m > 0 
 .

Then,

     Score
T
=












T = T
ε
Score
T1
b
 
T = b
T1
 
max
1 ≤ i ≤ m





 Score
Ti
 
 
j ≠ i
 Score
Tj
 





T = ε
T1, …, Tm

We then have the following lemma for trees with out-degree 2.

Lemma 1 (Minimum Scores)   Given a tree T containing m nodes labelled a, we have
        Score
T
≥ log
m

Proof. The proof is by induction over m. In the base case m = 1 and there is a single node η in T labelled a. By definition, the subtree T′ rooted at η has Score(T′) = 1. Since the score of a tree is bounded from below by the score of any of its subtrees, we have Score(T) ≥ log(1) as required.

Now, assume m > 1. Find the smallest subtree T′ of T containing m nodes labelled a. We necessarily have either

  1. T′ = a[T1], or
  2. T′ = ε[T1, T2] where T1 and T2 each have at least one node each labelled a.

In case (1) we have by induction

        Score
T
= 1 + log
m − 1
≥ log
m

In case (2) we have

        Score
T
= max







Score
T1
Score
T2
Score
T2
Score
T1
 
 








 .

We pick whichever of T1 and T2 has the most nodes labelled a. This tree has at least ⌈m / 2⌉ nodes labelled a. Note, since both trees contain nodes labelled a, the right-hand side of the addition is always 1. Hence, we need to show

        log
m / 2

+ 1 ≥ log
m

which follows from

        
log
m
− log
m / 2

= log


m
m / 2



≤ 
log


m
m / 2



= log
2
= 1  . 
 

By our choice of T′ we thus have Score(T) = Score(T′) ≥ log(m) as required.


4.3  From Branches to Runs

Lemma 2 (Scores to Runs)   Given an accepting run ρ of P, if Score(Tree(ρ)) = m then amL(P−1).

Proof. Let pf be the final (accepting) control state of P and let T = Tree(ρ). We begin at the root node of T, which corresponds to the initial configuration of ρ. Let ⟨ p, [s]n ⟩ be this initial configuration and let ⟨ (p, pf), s ⟩ be the initial configuration of P−1.

Thus, assume we have a node η of T, with a corresponding configuration c = ⟨ p, s ⟩ of P and configuration c−1 = ⟨ (p, ppop), topn(s) ⟩ of P−1 and a run ρ−1 of P−1 ending in c−1 and outputting (m − Score(T′)) a characters where T′ is the subtree of T rooted at η. The subtree T′ corresponds to a sub-run ρ′ of ρ where the transition immediately following ρ′ is a popn transition to a control state ppop.

There are two cases when we are dealing with internal nodes.

Finally, we reach a leaf node η with a run outputting the required number of as. We need to show that the run constructed is accepting. Let η′ be the first ancestor of η that contains η in its leftmost subtree. Let T′ be the subtree rooted at η′. This tree corresponds to a sub-run ρ′ of ρ that is followed immediately by a popn rule (p, γ) —ε→ (ppop, popn). Moreover, we have ((p, ppop), γ, Att) —ε→ (f, rewγ) with which we can complete the run of P−1 as required.


4.4  The Other Direction

Finally, we need to show that each accepting run of P−1 gives rise to an accepting run of P containing at least as many as.

Lemma 3 (P−1 to P)   We have Diagonala(P−1) implies Diagonala(P).

Proof. Let pf be the unique accepting conrol state of P. Take an accepting run ρ−1 of P−1. We show that there exists a corresponding run ρ of P outputting at least as many as.

Let

    c0 —b→ ⋯ —b→ cmε→ ⟨ fs ⟩

for some s be the accepting run of P−1. We define inductively for each 0 ≤ im a pair of runs ρ1i, ρ2i of P such that

  1. ρ2i ends in a configuration ⟨ pf, []n ⟩ (i.e. is accepting), and
  2. if ci= ⟨ (p, ppop), s ⟩ then
    1. the final configuration of ρ1i is ⟨ p, [s s1sl]n ⟩, for some s1, …, sl, and
    2. the first configuration of ρ2i is ⟨ ppop, [s1sl]n ⟩, and
  3. the sum of the number of a characters output by ρ1i and ρ2i is at least the number of a characters output by c0b1→ ⋯ —bici.

Initially we have c0 = ⟨ (pin, pf), s ⟩ and s = [[ γin ]]. We define ρ10 = ⟨ pin, [s]n ⟩ and ρ20 = ⟨ pf, []n ⟩ which immediately satisfy the required conditions.

Assume we have ρ1i and ρ2i as required. We show how to obtain ρ1i+1 and ρ2i+1. There are several cases depending on the rule used on the transition cibi+1ci+1. Let ci= ⟨ (p, ppop), s ⟩, the final configuration of ρ1i be ⟨ p, [s s1sl]n ⟩ and the first configuration of ρ2i be ⟨ ppop, [s1sl]n ⟩.

Finally, when we reach i = m we have from the final transition of the run of P−1 that there is a rule (p, γ) —ε→ (ppop, popn). We combine ρ1m and ρ2m with this pop transition, resulting in an accepting run of P that outputs at least as many a characters as the run of P−1.


5  Multiple Characters

We generalise the previous result to the full diagonal problem. Naïvely, the previous approach cannot work. Consider the HOPDA executing

    push1m; pushn; pop1m; popn; pop1m

where the first sequence of pop1 operations output a1 and the second sequence output a2.

The corresponding run trees are of the form given in Figure 3. In particular, P−1 can only choose one branch, hence all runs of P−1 produce a bounded number of a1s or a bounded number of a2s. They cannot be simultaneously unbounded.

Figure 3: An example showing that following a single branch does not work for simultaneous unboundedness.

For P−1 to be able to output both an unbounded number of a1 and a2 characters, it must be able to output two branches of the tree. To this end, we define a notion of α-branch HOPDA, which output trees with up to α branches. We then show that the reduction from n-PDA to (n−1)-PDA can be generalised to α-branch HOPDA.

5.1  Branching HOPDA

We define n-PDA outputting trees with at most α branches, denoted (n, α)-PDA. Note, an n-PDA that outputs a word is an (n, 1)-PDA. Indeed, any (n, α)-PDA is also an (n, α′)-PDA whenever α ≤ α′.

Definition 1 ((n, α)-PDA)   We define an order-n α-branch pushdown automaton ((n, α)-PDA) to be given by a tuple P = (P, Σ, Γ, R, F, pin, γin, θ) where P, Σ, Γ, F, pin, and γin are as in HOPDA. The set of rules R ⊆ ∪1 ≤ m ≤ α P × Γ × Σ × Opsn × Pm together with a mapping θ : P → {1, …, α} such that for all (p, γ, b, o, p1, …, pm) ∈ R we have θ(p) ≥ θ(p1) + ⋯ + θ(pm).

We use the notation (p, γ) —b→ (p1, …, pm, o) to denote a rule (p, γ, b, o, p1, …, pm) ∈ R. Intuitively, such a rule generates a node of a tree with m children. The purpose of the mapping θ is to bound the number of branches that this tree may have. Hence, at each branching rule, the quota of branches is split between the different subtrees. The existence of such a mapping implies this information is implicit in the control states and an (n, α)-PDA can only output trees with at most α branches.

From the initial configuration c0 = ⟨ pin, [[ γin ]] ⟩ a run of an (n, α)-PDA is a tree T = (D, λ) whose nodes are labelled with n-PDA configurations, and generates an output tree T′ = (D, λ′) whose nodes are labelled with symbols from the output alphabet. Precisely

The run is accepting if for all leaf nodes η we have λ(η) = ⟨ p, []n ⟩ and pF. Let L(P) be the set of output trees of P.

Given an output tree T we write |T|a to denote the number of nodes labelled a in T. For an (n, α)-PDA P, we define

Diagonala1, …, aα
P
=
∀ m . ∃ T ∈ L
P
. ∀ 1 ≤ i ≤ α .
T
ai ≥ m  .

6  Reduction For Simultaneous Unboundedness

Given an (n, α)-PDA P we construct an (n−1, α)-PDA P−1 such that

    Diagonala1, …, aα
P
  ⇐⇒ Diagonala1, …, aα
P−1
 .

Moreover, we show Diagonala1, …, aα(P) is decidable for a (0, α)-PDA (i.e. a regular automaton outputting an α-branch tree) P.

For simplicity, we assume for all rules (p, γ) —b→ (p1, …, pm, o) if m > 1 then o = rewγ (i.e. the stack is unchanged). Additionally we have b = ε.

We also make analogous assumptions to the single character case. That is, we assume Σ = {a1, …, aα, ε} and use b to range over Σ. Moreover, all rules of the form (p, γ) —b→ (p′, o) with o = pushn or o = popn have b = ε. Finally, we assume acceptance is by reaching a unique control state in F with an empty stack.

6.1  Some Intuition

We briefly sketch the intuition behind the algorithm. We illustrate the reduction from (n, α)-PDA to (n−1, α)-PDA in Figure 4.

Figure 4: Illustrating the reduction steps.

6.2  Branching HOPDA with Regular Tests

As before, we instrument our HOPDA with tests. Removing these tests requires a simple adaptation of Broadbent et al. [8].

Definition 1 ((n, α)-PDA with Tests)   Given a sequence of automata A1, …, Am, an (n, α)-PDA with tests is given by a tuple P = (P, Σ, Γ, R, F, pin, γin, θ) where P, Σ, Γ, F, pin, γin are as in HOPDA. The set of rules R ⊆ ∪1 ≤ m ≤ α P × Γ × {A1, …, Am} × Σ × Opsn × Pm together with a mapping θ : P → {1, …, α} such that for all (p, γ, A, b, o, p1, …, pm) ∈ R we have θ(p) ≥ θ(p1) + ⋯ + θ(pm).

We use the notation (p, γ, A) —b→ (p1, …, pm, o) to denote a rule (p, γ, A, b, o, p1, …, pm) ∈ R.

From the initial configuration c0 = ⟨ pin, [[ γin ]] ⟩ a run of an (n, α)-PDA with tests is a tree T = (D, λ) and generates an output tree ρ = (D, λ′) where

The run is accepting if for all leaf nodes η we have λ(η) = ⟨ p, []n ⟩ and pF. Let L(P) be the set of output trees of P.

Theorem 1 (Removing Tests)   [8, Theorem 3 (adapted)] For every (n, α)-PDA with tests P, we can compute an (n, α)-PDA P with L(P) = L(P′).

Proof. This is a straightforward adaptation of Broadbent et al. [8]. Let the (n, α)-PDA with tests be P = (P, Σ, Γ, R, F, pin, γin, θ) with test automata A1, …, Am. We build an (n, α)-PDA that mimics P almost directly. The only difference is that each character γ appearing in the stack is replaced by

    

γ, 
τ
1, …, 
τ
m


 .

For each test A we have a vector of functions

    
τ
= 
τ1, …, τn
 .

The function τk : QQ intuitively describes runs of A from the bottom of topk+1(s) to the top of popk(topk+1(s)). Thus, we can reconstruct an entire run over pop1(s) from initial state q as

    q′ = τ1
⋯τn
q

and then we can consult Δ to complete the run by adding the effect of reading top1(s).

Thus, let Ai= (Qi, Γ[], qini, Δi, QFi). We define

    PT =
P, Σ, ΓT, RT, F, pin, γinT, θ

where

    ΓT =



γ, 
τ
1, …, 
τ
m


 

 
γ ∈ Γ ∧ ∀ i .
τ
i ∈
QiQi
n


and RT is the smallest set of rules of the form

    
p, γT
b→ 
p1, …, pl
Update
o, γT

where γT = (γ, τ1, …, τm) and (p, γ, Ai) —b→ (p1, …, pl, o) ∈ R and Accepts(γ, τi, Δi, qini, QFi) and we define

    
        Accepts
γ, τ1, …, τn, Δ, qin, QF
         ⇐⇒ 
        q = τ1
⋯ τn
 qin

∧ Δ
q, [n ⋯ [1 γ
∈ QF

where Δ(q, [n ⋯ [1 γ) is shorthand for the repeated application of Δ on γ then [1, back to [n, and we define Update(o, γT) = oT following the cases below. Let γT = (γ, τ1, …, τm).

Finally, we set γinT = (γin, τ1, …, τm) where for each i we have τi = (τ1, …, τn) such that for each k we have τk(q) = Δ(q, ]k ⋯ ]n).


6.3  Building The Automata

Previously we built automata Ap1, p2 to indicate that from p1, the current top stack could be removed, arriving at p2. This is fine for words, however, we now have α-branch trees. It is no longer enough to specify a single control state: the top stack may be popped once on each branch of the tree, hence for a control state p we need to recognise configurations with control state p from which there is a run tree where the leaves of the trees are labelled with configurations with control states p1, …, pm and empty stacks. Moreover we need to recognise the set O of characters output by the run tree. More precisely, for these automata we write

    Ap,p1,…,pmO

where θ(p) ≥ θ(p1) + ⋯ + θ(pm) and O ⊆ {a1, …, aα}. We have sL(Ap,p1,…,pmO) iff there is a run tree T with the root labelled ⟨ p, [s]n ⟩ and m leaf nodes labelled ⟨ p1, []n ⟩, …, ⟨ pm, []n ⟩ respectively. Moreover, we have aO iff the corresponding output tree T′ has |T′|a > 0.

6.3.1  Alternating HOPDA

To construct the required stack automata, we need to do reachability analysis of (n, α)-PDA. We show that such analyses can be rephrased in terms of alternating higher-order pushdown systems (HOPDS), for which the required algorithms are already known [7]. Note, we refer to these machines as “systems” rather than “automata” because they do not output a language.

Definition 2 (Alternating HOPDS)   An alternating order-n pushdown system is a tuple P = (P, Γ, R) where P is a finite set of control states, Γ is a finite stack alphabet, and
            R ⊆
P × Γ × Opsn × P

P × Γ × 2P
is a set of transition rules.

We write (p, γ) → (p, o) to denote (p, γ, o, p) ∈ R and (p, γ) → p1, …, pm to denote (p, γ, {p1, …, pm}) ∈ R.

An run of an alternating HOPDS may split into several configurations, each of which must reach a target state. Hence, the branching of the alternating HOPDS mimics the branching of the (n, α)-PDA. Given a set C of configurations, we define PreP(C) to be the smallest set C′ such that

    
C′ =C  ⋃ 
  






 ⟨ ps ⟩  





 
 

p, γ
→ 
p′, o
∈ R  ∧ 
top1
s
= γ  ∧ 
⟨ p′, 
o
s
 ⟩ ∈ C′ 
 






 ⋃ 
  






 ⟨ ps ⟩  




 
 

p, γ
→ p1, …, pm ∈ R  ∧ 
top1
s
= γ  ∧ 
∀ i . ⟨ pis ⟩ ∈ C′ 
 






 . 
 

6.3.2  Constructing the Tests

In order to use standard results to obtain Ap,p1,…,pmO we construct an alternating HOPDS P and automaton A such that checking c ∈ PreP(A) for a suitably constructed c allows us to check whether sL(Ap,p1,…,pmO).

The alternating HOPDS P will mimic the branching of P with alternating transitions1 (p, γ) → p1, …, pm of P. It will maintain in its control states information about which characters have been output, as well as which control states should appear on the leaves of the branches. This final piece of information prevents all copies of the alternating HOPDS from verifying the same branch of P.

Definition 3 (P)   Given an (n, α)-PDA P described by the tuple (P, Σ, Γ, R, F, pin, γin), of P, we define
        P =
P, Γ, R
where
        P =






p, O, p1, …, pm
 




 
1 ≤ m ≤ α ∧ 
O ⊆ 

a1, …, aα

 ∧ 
p1, …, pm∈ P 






and R is the set of rules containing, for each
        
p, γ
b→ 
p′, o
∈ R
all rules
        

p, O, p1, …, pi
, γ

→ 



p1, O ∖ 

b

, p1, …, pi


o


and for each
        
p, γ
ε→ 
p1, …, pm, rewγ
∈ R
with m > 1 all alternating rules
            

p, O, p1, …, pi
, γ

→ 

p1, O1, p11, …, pi11
, …
pm, Om, p1m, …, pimm
where p1, …, pi is a permutation of p11, …, pi11, … p1m, …, pimm and O = O1 ∪ ⋯ ∪ Om.

In the above definition, the permutation condition ensures that the target control states are properly distributed amongst the newly created branches.

Lemma 1   We have sL(Ap,p1,…,pmO) iff
        ⟨ 

p, O, p1, …, pm

s
n
 ⟩ ∈ PreP
A
where A is such that
        L
A
=

⟨ 

p, ∅, p


n
 ⟩
 

 
p ∈ 

p1, …, pm



 .

Proof. First take sL(Ap,p1,…,pmO) and the run tree witnessing this membership. We can move down the tree, maintaining a frontier c1, …, cl and building a tree witnessing that ⟨ (p, O, p1, …, pm), [s]n ⟩ ∈ PreP(A). Initially we have the frontier ⟨ p, [s]n ⟩ and the initial configuration ⟨ (p, O, p1, …, pm), [s]n ⟩.

Hence, take a configuration c = ⟨ p′, s′ ⟩ from the frontier and corresponding configuration c′ = ⟨ (p′, O′, p1, …, pi), s′ ⟩. If the rule applied to c is not a branching rule, we simply take the matching rule of P and apply it to c′. Note, that if the rule output b we remove b from O′. Hence, O′ contains only characters that have not been output on the path from the initial configuration.

If the rule applied is branching, that is (p′, γ) —ε→ (p1, …, pj, rewγ) then we apply the rule

    

p′, O, p1, …, pi
, γ

→ 

p1, O1, p11, …, pi11
, …
pj, Oj, p1j, …, pijj

where p1, …, pi is a permutation of p11, …, pi11, … p1j, …, pijm and O = O1 ∪ ⋯ ∪ Om. These partitions are made in accordance with the distribution of the leaves and outputs of the run tree of P. I.e. if a control state p″ appears on the i′th subtree, then it should appear in the i′th target state of P. Similarly, if the i′th subtree outputs an bO, then b should be placed in Oi. Applying this alternating transition creates a matching configuration for each new branch in the frontier.

We continue in this way until we reach the leaf nodes of the frontier. Each leaf ⟨ p′, s ⟩ has a matching ⟨ (p′, ∅, p′), s ⟩ and hence is in L(A). Thus, we have witnessed ⟨ (p, O, p1, …, pm), [s]n ⟩ ∈ PreP(A) as required.

To prove the other direction, we mirror the previous argument, showing that the witnessing tree for P can be used to build a run tree of P.


It is known that PreP(A) is computable for alternating HOPDS.

Theorem 2   [7, Theorem 1 (specialised)] Given an alternating HOPDS P and a top-down automaton A, we can construct an automaton A accepting PreP(A).

Hence, we can now build Ap,p1,…,pmO from the control state p and top-down automaton representation of PreP(A) since we can effectively translate from top-down to bottom-up stack automata.

6.4  Reduction to Lower Orders

We generalise our reduction to (n, α)-PDA. Let Att be the automata accepting all configurations. Note, in the following definition we allow all transitions (including branching) to be labelled by sets of output characters. To maintain our assumed normal form we have to replace these transitions using intermediate control states to ensure all branching transitions are labelled by ε and all transitions labelled O are replaced by a sequence of transitions outputting a single instance of each character in O.

The construction follows the intuition of the single character case, but with a lot more bookkeeping. Given an (n, α)-PDA P we define an (n−1, α)-PDA with tests P−1 such that P satisfies the diagonal problem iff P−1 also satisfies the diagonal problem. The main control states of P−1 take the form

        
pp1, …, pmOB

where p, p1, …, pm are control states of P and both O and B are sets of output characters. We explain the purpose of each of these components.

We will define P−1 to generate up to m branches of the tree decomposition of a run of P. In particular, for each of the characters a ∈ {a1, …, aα} there will be a branch of the run of P−1 responsible for outputting “enough” of the character a to satisfy the diagonal problem. Note that two characters a and a′ may share the same branch. When a control state of the above form appears on a node of the run tree, the final component B makes explicit which characters the subtree rooted at that node is responsible for generating in large numbers. Thus, the initial control state will have B = {a1, …, aα} since all characters must be generated from this node. However, when the output tree branches – i.e. a node has more than one child – the contents of B will be partitioned amongst the children. That is, the responsibility of the parent to output enough of the characters in B is divided amongst its children.

The remaining components play the role of a test Ap,p1,…,pmO. That is, the current node is simulating the control state p of P, and is required to produce m branches, where the stack is emptied on each leaf and the control states appearing on these leaves are p1, …, pm. Moreover, the tree should output at least one of each character in O.

Note, P−1 also has (external) tests of the form Ap,p1,…,pmO that it can use to make decisions, just like in the single character case. However, it also performs tests “online” in its control states. This is necessary because the tests were used to check what could have happened on branches not followed by P−1. In the single character case, there was only one branch, hence P−1 would uses tests to check all the branches not followed, and then continue down a single branch of the tree. In the multi-character case the situation is different. Suppose a subtree rooted at a given node was responsible for outputting enough of both a1 and a2. Amongst the possible children of this node we may select two children: one for outputting enough a1 characters, and one for outputting enough a2 characters. The alternatives not taken will be checked using tests as before. However, the child responsible for outputting a1 may have also wanted to run a test on the child responsible for outputting a2. Thus, as well as having to output enough a2 characters, this latter child will also have to run the test required by the former. Thus, we have to build these tests into the control state. As a sanity condition we enforce OB = ∅ since a branch outputting a should never ask itself if it is able to produce at least one a.

We explain the rules of P−1 intuitively. It will be beneficial to refer to the formal definition (below) while reading the explanations. The case for Rpush is illustrated in Figure 5 since it covers most of the situations appearing in the other rules as well.

Figure 5: Illustrating the rules in Rpush.

Before giving the formal definition, we summarise the discussion above by recalling the meaning of the various components. A control state (p, p1, …, pm, O, B) means we’re currently simulating a node at control state p that is required to produce m branches terminating in control states p1, …, pm respectively, that the produced tree should output at least one of each character in O and the entire subtree should output enough of each character in B to satisfy the diagonal problem. In the definition below, the set O′ is the set of new single character output obligations produced when the automaton decides which branches to follow faithfully and which to test (for the output of at least one of each character). The sets X1, …, Xi and Y1, …, Yj represent the partitioning of the single character output obligations amongst the tests and new branches.

The correctness of the reduction is stated after the definition. A discussion of the proof appears in Section 7.

Definition 4 (P−1)   Given an (n, α)-PDA P described by (P, Σ, Γ, R, {pf}, pin, γin, θ) and automata Ap,p1,…,pmO for all 1 ≤ m ≤ α, p, p1, …, pmP, and O ⊆ {a1, …, aα} we define an (n−1, α)-PDA with tests
        P−1 = 
 P−1, Σ, Γ, R−1, F−1, pin−1, γin, θ−1
where P−1 is the set
        






 
pp1, …, pmOB
 





 
 
1 ≤ m ≤ α  ∧ 
pp1, …, pm∈ P  ∧ 
OB ⊆ 

a1, …, aα

 ∧ 
O ⋂ B = ∅ 
 






 ⊎ 


pin−1f

 
and
R−1 =Rinit ⋃ Rsim ⋃ Rbr ⋃ Rfin ⋃ Rpush ⋃ Rpop 
F−1 =


f

 
and θ−1((p, p1, …, pm, O, B)) = |B| and is 1 for all other control states. We define the sets of rules, where in all cases, p1, …, pmP and O, O′, B ⊆ {a1, …, aα}, to be as follows:

In Section 7 we show that the reduction is correct.

Lemma 2 (Correctness of P−1)  
            Diagonala1, …, aα
P
  ⇐⇒ Diagonala1, …, aα
P−1

To complete the reduction, we convert the (n, α)-PDA with tests into a (n, α)-PDA without tests.

Lemma 3 (Reduction to Lower Orders)   For every (n, α)-PDA P we can build an order-(n−1) α-branch HOPDA P such that
        Diagonala1, …, aα
P
  ⇐⇒ Diagonala1, …, aα
P
 .

Proof. From Definition 4 (P−1) and Lemma 2 (Correctness of P−1), we obtain from P an (n−1, α)-PDA with tests P−1 satisfying the conditions of the lemma. To complete the proof, we invoke Theorem 1 (Removing Tests) to find P′ as required.


We show correctness of the reduction in Section 7. First we show that we have decidability once we have reduced to order-0.

6.5  Decidability at Order-0

We show that the problem becomes decidable for a 0-PDA P. This is essentially a finite state machine and we can linearise the trees generated by saving the list of states that have been branched to in the control state. After one branch has completed, we run the next in the list, until all branches have completed. Hence, a tree of P becomes a run of the linearised 0-PDA, and vice-versa. Since each output tree has a bounded number of branches, the list length is bounded. Thus, we convert P into a finite state word automaton, for which the diagonal problem is decidable. Note, this result can also be obtained from the decidability of the diagonal problem for pushdown automata.

Definition 5 (P)   Given an (0, α)-PDA P described by the tuple (P, Σ, Γ, R, F, pin, γin, θ) we define a 0-PDA
        
P
 =

P
, Σ, Γ,
R
, F, pin, γin


such that
        P =




pp1, γ1, … pm, γm
 


 
pp1, …, pm∈ P  ∧ 
γ1, …, γm∈ Γ  ∧ 
0 ≤ m ≤ α 
 






f

and R is the set containing all rules of the form
        

pp1, γ1, …, pm, γm
, γ

b→ 



p1
p1, γ1, …, pm, γm
p2, σ, …, pl, σ 


, rewσ


for each
        
p, γ
b→ 
p1, …, pl, rewσ
 ∈ R
and all rules
        

pp1, γ1, …, pm, γm
, γ

ε→ 

p1p2, γ2, …, pm, γm
, rewγ1

whenever pF.
Lemma 4 (Decidability at Order-0)   We have
        Diagonala1, …, aα
P
  ⇐⇒ Diagonala1, …, aα

P


and hence Diagonala1, …, aα(P) is decidable.

Proof. Take an accepting run tree ρ of P. If this tree contains no branching, then it is straightforward to construct an accepting run of P. Hence, assume all trees with fewer than α branches have a corresponding run of P. At a subtree c[T1, …, Tm] we take the run trees ρ1, …, ρm corresponding to the subtrees. Let c = ⟨ p, γ ⟩ and c1 = ⟨ p1, γ ⟩, …, cm= ⟨ pm, γ ⟩ be the configurations at the roots of the subtrees. We build a run beginning at c and transitioning to ⟨ (p1, p2, γ, …, pm, γ), γ ⟩. The run then follows ρ1 with the extra information in its control state. After ρ1 accepts, we transition to ⟨ (p2, p3, γ, …, pm, γ), γ ⟩ and then replay ρ2. We repeat until all subtrees have been dispatched. This gives an accepting run of P outputting the same number of each a.

In the other direction, we replay the accepting run ρ of P until we reach a configuration ⟨ (p1, p2, γ, …, pm, γ), γ ⟩ via a rule

        
p, σ
ε→ 

p1p2, γ, …, pm, γ
, rewγ

At this point we apply

        
p, σ
ε→ 
p1, …, pm, rewγ

of P. We obtain runs for each of the new children as follows. We split the remainder of the run ρ′ into m parts ρ′1, …, ρ′m where the break points correspond to each application of a rule of the second kind. For each i we replay the transitions of ρ′1 from ⟨ pi, γ ⟩ to obtain a new run of P with fewer applications of the second rule. Inductively, we obtain an accepting run of P that we plug into the ith child. This gives us an accepting run of P outputting the same number of each a.


6.6  Decidability of The Diagonal Problem

We thus have the following theorem.

Theorem 3 (Decidability of the Diagonal Problem)   For an n-PDA P and output characters a1, …, aα, it is decidable whether Diagonala1, …, aα(P).

Proof. We first interpret P as an (n, α)-PDA and then construct via Lemma 3 (Reduction to Lower Orders) an (n−1, α)-PDA P′ such that Diagonala1, …, aα(P) iff Diagonala1, …, aα(P′). We repeat this step until we have an (0, α)-PDA. Then, from Lemma 4 (Decidability at Order-0) we obtain decidability as required.


7  Correctness for Simultaneous Unboundedness

In this section we prove Lemma 2 (Correctness of P−1). The proof follows the same outline as the single character case. To show there is a run with at least m of each character, we take via Lemma 1 (Section 7.2), m′ = (α+1)m, and a run of P outputting at least this many of each character. Then from Lemma 2 (Section 7.3) a run of P−1 outputting at least m of each character as required. The other direction is shown in Lemma 3 (Section 7.4).

We first generalise our tree decomposition and notion of scores. We then show that every α-branch subtree of a tree decomposition generates a run tree of P−1 matching the scores of the tree. Finally we prove the opposite direction.

7.1  Tree Decomposition of Output Trees

Given an output tree T of P where each pushn operation has a matching popn on all branches, we can construct a decomposed tree representation of the run inductively as follows. We define Tree(T[ε]) = T[ε] and, when

    T = b
T1, …, Tm

where the rule applied at the root does not contain a pushn operation, we have

    Tree
T
= b
Tree
T1
, …, Tree
Tm

 .

In the final case, let

    T = ε
T

where the rule applied at the root contains a pushn operation and the corresponding popn operations occur at nodes η1, …, ηm.

Note, if the output trees had an arbitrary number of branches, m may be unbounded. In our case, m ≤ α, without which our reduction would fail: P−1 would be unable to accurately count the number of popn nodes. In fact, our trees would have unbounded out degree and Lemma 1 (Minimum Scores) would not generalise.

Let T1, …, Tm be the output trees rooted at η1, …, ηm respectively and let T′ be T with these subtrees removed. Observe all branches of T are cut by this operation since the pushn must be matched on all branches. We define

    Tree
T
= ε
Tree
T
, Tree
T1
, …, Tree
Tm

 .

An accepting run of P has an extra popn operation at the end of each branch leading to the empty stack. Let T′ be the tree obtained by removing the final popn-induced edge leading to the leaves of each branch. The tree decomposition of an accepting run is

    Tree
T
= ε
Tree
T
, T
ε
, …, T
ε

where there are as many T[ε] as there are leaves of T.

Notice that our trees have out-degree at most (α + 1).

7.2  Scoring Trees

We score branches in the same way as the single character case. We simply define Scorea(ρ) to be Score(ρ) when a is considered as the only output character (all others are replaced with ε).

We have to slightly modify our minimum score lemma to accommodate the increased out-degree of the nodes in the trees.

Lemma 1 (Minimum Scores)   Given a tree T with maximum out-degree (α + 1), containing, for each a ∈ {a1, …, aα}, at least m nodes labelled a, for each a ∈ {a1, …, aα} we have
        Scorea
T
≥ log(α+1)
m

Proof. This is a simple extension of the proof of Lemma 1 (Minimum Scores). We simply replace the two-child case with a tree with up to (α+1) children. In this case, we have to use log(α+1) rather than log to maintain the lemma.


7.3  From Branches to Runs

Lemma 2 (Scores to Runs)   Given an accepting output tree ρ of P, if for all a ∈ {a1, …, aα} we have Scorea(Tree(ρ)) ≥ m, then TL(P−1) with |T|am for all a ∈ {a1, …, aα}.

Proof. We will construct a tree ρ−1 in L(P−1) top down. At each step we will maintain a “frontier” of ρ−1 and extend one leaf of this frontier until the whole tree is constructed. The frontier is of the form

    
c1, η1O1B1, …, cl, ηl, OlBl

which means that there are l nodes in the frontier. We have B1 ⊎ ⋯ ⊎ Bl= {a1, …, aα} and each Bi indicates that the ith branch, ending in configuration ci, is responsible for outputting enough of each of the characters in Bi. Each ηi is the corresponding node in Tree(ρ) that is being tracked by the ith branch of the output of P−1.

Let pf be the final (accepting) control state of P and let T = Tree(ρ). We begin at the root node of T, which corresponds to the initial configuration of ρ. Let ⟨ p, [s]n ⟩ be this initial configuration and let c = ⟨ (p, pf, …, pf, ∅, {a1, …, aα}), s ⟩ be the configuration of P−1 after an application of a rule from Rinit. The initial frontier is (c, ε, {a1, …, aα}).

Thus, assume we have a frontier

    
c1, η1O1B1, …, ch, ηh, Oh, Bh

and for each of the sequences c−1, η, O, B of the frontier we have

  1. T′ is the subtree of T rooted at η, and
  2. c = ⟨ p, s ⟩ labelling η, and
  3. c−1 = ⟨ (p, p1, …, pm, O, B), topn(s) ⟩, and
  4. the node of ρ corresponding to η has m locations where the topn stack is first popped via rules reaching p1, …, pm, moreover, these leaves have corresponding leaves in T′, and
  5. the branch from the root of the constructed run to the node labelled c−1 in the frontier outputs, for each aB, at least (m − Scorea(T′)) occurrences of a, and
  6. OB = ∅ and for each aO there is at least one node labelled by a in T′.

Pick such a sequence c−1, η, O, B. We replace this sequence using a transition of P−1 in a way that produces a new frontier with the above properties and moves us a step closer to reaching leaves of T. There are three cases when we are dealing with internal nodes.

Finally, we reach a leaf node η with a run outputting the required number of as. We need to show that the run constructed is accepting. From the tree decomposition, we know that the corresponding node of ρ is immediately followed by a popn. Thus, from our conditions on the frontier, we must have m = 1 and O = ∅. We also have a rule (p, γ) —ε→ (p1, popn) and therefore ((p, p1, ∅, B), γ, Att) —ε→ (f, rewγ) with which we can complete the run of P−1 as required.


7.4  The Other Direction

Finally, we need to show that each accepting run tree of P−1 gives rise to an accepting run tree of P containing at least as many of each output character a.

Lemma 3 (P−1 to P)   We have Diagonala1, …, aα(P−1) implies Diagonala1, …, aα(P).

Proof. Take an accepting run tree ρ−1 of P−1. We show that there exists a corresponding run tree ρ of P outputting at least as many as.

We maintain a frontier

    c1, …, ch

of ρ−1 and a run ρ of P “with holes” such that

Initially after a rule from Rinit we have the frontier c = ⟨ (p, pf, …, pf, ∅, {a1, …, aα}), s ⟩ with corresponding run ρ of P being

    
⟨ p

s
n
 ⟩

c
⟨ pf


n
 ⟩, …, ⟨ pf


n
 ⟩


 .

Pick a configuration c−1 = ⟨ (p, p1, …, pm, O, B), topn(s) ⟩ of the frontier that is not a leaf of ρ−1 and its corresponding node in ρ with parent labelled c = ⟨ p, s ⟩. Let ρ′−1 be the subtree of P−1 rooted at this configuration.

We show how to extend the frontier closer to the leaves of ρ−1. There are several cases depending on the transition of P−1 used to exit our chosen node.

Thus, the frontier moves towards the leaves of the tree and finally is empty. At this point we have an accepting run of P as required. To see that the run outputs enough of each character, one needs to observe that at each stage the tests and O component of the control state ensured at least one character output for each that appeared in some O′ labelling a transition. Then, for characters output along branches followed were reproduced faithfully.


8  Conclusions

We have shown, using a recent result by Zetzsche, that the downward closures of languages defined by HOPDA are computable. We believe this to be a useful foundational result upon which new analyses may be based. Our result already has several immediate consequences, including separation by piecewise testability and asynchronous parameterised systems.

Regarding the complexity of the approach. We are unaware of any complexity bounds implied by Zetzsche’s techniques. Due to the complexity of the reachability problem for HOPDA, the test automata may be a tower of exponentials of height n for HOPDA of order n. These test automata are built into the system before proceeding to reduce to order (n−1). Thus, we may reach a tower of exponentials of height O(n2).

A natural next step is to consider collapsible pushdown systems, which are equivalent to recursion schemes (without the safety constraint). However, it is not currently clear how to generalise our techniques due to the non-local behaviour introduced by collapse. We may also try to adapt our techniques to a higher-order version of BS-automata [3], which may be used, e.g., to check boundedness of resource usage for higher-order programs.

Acknowledgements

We thank Georg Zetzsche for keeping us up to date with his work, Jason Crampton for knowing about logarithms when they were most required, and Chris Broadbent for discussions. This work was supported by the Engineering and Physical Sciences Research Council [EP/K009907/1 and EP/M023974/1].

References

[1]
K. Aehlig, J. G. de Miranda, and C.-H. L. Ong. Safety is not a restriction at level 2 for string languages. In Foundations of Software Science and Computational Structures, 8th International Conference, FOSSACS 2005, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2005, Edinburgh, UK, April 4-8, 2005, Proceedings, pages 490–504, 2005.
[2]
A. V. Aho. Indexed grammars - an extension of context-free grammars. J. ACM, 15(4):647–671, 1968.
[3]
Mikolaj Bojanczyk. Beyond omega-regular languages. In 27th International Symposium on Theoretical Aspects of Computer Science, STACS 2010, March 4-6, 2010, Nancy, France, pages 11–16, 2010.
[4]
Ahmed Bouajjani, Markus Müller-Olm, and Tayssir Touili. Regular symbolic analysis of dynamic networks of pushdown systems. In CONCUR, pages 473–487, 2005.
[5]
C. H. Broadbent, A. Carayol, M. Hague, and O. Serre. C-shore: a collapsible approach to higher-order verification. In ICFP, pages 13–24, 2013.
[6]
C. H. Broadbent and N. Kobayashi. Saturation-based model checking of higher-order recursion schemes. In CSL, pages 129–148, 2013.
[7]
Christopher H. Broadbent, Arnaud Carayol, Matthew Hague, and Olivier Serre. A saturation method for collapsible pushdown systems. In Automata, Languages, and Programming - 39th International Colloquium, ICALP 2012, Warwick, UK, July 9-13, 2012, Proceedings, Part II, pages 165–176, 2012.
[8]
Christopher H. Broadbent, Arnaud Carayol, C.-H. Luke Ong, and Olivier Serre. Recursion schemes and logical reflection. In Proceedings of the 25th Annual IEEE Symposium on Logic in Computer Science, LICS 2010, 11-14 July 2010, Edinburgh, United Kingdom, pages 120–129, 2010.
[9]
B. Courcelle. On constructing obstruction sets of words. Bulletin of the EATCS, 44:178–186, 1991.
[10]
A. Cyriac, P. Gastin, and K. N. Kumar. MSO decidability of multi-pushdown systems via split-width. In CONCUR, pages 547–561, 2012.
[11]
W. Czerwiński and W. Martens. A note on decidable separability by piecewise testable languages. CoRR, abs/1410.1042, 2014.
[12]
J. Esparza, A. Kucera, and S. Schwoon. Model checking LTL with regular valuations for pushdown systems. Inf. Comput., 186(2):355–376, 2003.
[13]
Javier Esparza and Pierre Ganty. Complexity of pattern-based verification for multithreaded programs. In POPL, pages 499–510, 2011.
[14]
Javier Esparza and Andreas Podelski. Efficient algorithms for pre* and post* on interprocedural parallel flow graphs. In POPL, pages 1–11, 2000.
[15]
M. Hague. Saturation of concurrent collapsible pushdown systems. In FSTTCS, pages 313–325, 2013.
[16]
M. Hague. Senescent ground tree rewrite systems. In Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS ’14, Vienna, Austria, July 14 - 18, 2014, pages 48:1–48:10, 2014.
[17]
M. Hague and A. W. Lin. Synchronisation- and reversal-bounded analysis of multithreaded programs with counters. In Computer Aided Verification - 24th International Conference, CAV 2012, Berkeley, CA, USA, July 7-13, 2012 Proceedings, pages 260–276, 2012.
[18]
M. Hague, A. S. Murawski, C.-H. Luke Ong, and O. Serre. Collapsible pushdown automata and recursion schemes. In LICS, pages 452–461, 2008.
[19]
L.H. Haines. On free monoids partially ordered by embedding. J. Combinatorial Theory, 6:94–98, 1969.
[20]
Vineet Kahlon. Boundedness vs. unboundedness of lock chains: Characterizing decidability of pairwise CFL-reachability for threads communicating via locks. In LICS, pages 27–36, 2009.
[21]
T. Knapik, D. Niwinski, and P. Urzyczyn. Higher-order pushdown trees are easy. In FoSSaCS ’02: Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures, pages 205–222, London, UK, 2002. Springer-Verlag.
[22]
T. Knapik, D. Niwinski, P. Urzyczyn, and I. Walukiewicz. Unsafe grammars and panic automata. In ICALP, pages 1450–1461, 2005.
[23]
N. Kobayashi. Model-checking higher-order functions. In PPDP, pages 25–36, 2009.
[24]
N. Kobayashi. GTRecS2: A model checker for recursion schemes based on games and types. A tool available at http://www-kb.is.s.u-tokyo.ac.jp/~koba/gtrecs2/, 2012.
[25]
N. Kobayashi and A. Igarashi. Model-checking higher-order programs with recursive types. In ESOP, pages 431–450, 2013.
[26]
N. Kobayashi, R. Sato, and H. Unno. Predicate abstraction and cegar for higher-order model checking. In PLDI, pages 222–233, 2011.
[27]
Akash Lal and Thomas W. Reps. Reducing concurrent analysis under a context bound to sequential analysis. Formal Methods in System Design, 35(1):73–97, 2009.
[28]
P. Madhusudan and G. Parlato. The tree width of auxiliary storage. In POPL, pages 283–294, 2011.
[29]
A. N. Maslov. Multilevel stack automata. Problems of Information Transmission, 15:1170–1174, 1976.
[30]
R. P. Neatherway, S. J. Ramsay, and C.-H. L. Ong. A traversal-based algorithm for higher-order model checking. In ICFP, pages 353–364, 2012.
[31]
P. Parys. On the significance of the collapse operation. In Proceedings of the 27th Annual IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25-28, 2012, pages 521–530, 2012.
[32]
V. Penelle. Rewriting higher-order stack trees. In Computer Science - Theory and Applications - 10th International Computer Science Symposium in Russia, CSR 2015, Listvyanka, Russia, July 13-17, 2015, Proceedings, pages 364–397, 2015.
[33]
G. Ramalingam. Context-sensitive synchronization-sensitive analysis is undecidable. ACM Trans. Program. Lang. Syst., 22(2):416–430, 2000.
[34]
S. J. Ramsay, R. P. Neatherway, and C.-H. L. Ong. A type-directed abstraction refinement approach to higher-order model checking. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014, pages 61–72, 2014.
[35]
A. Seth. Games on higher order multi-stack pushdown systems. In RP, pages 203–216, 2009.
[36]
S. La Torre, A. Muscholl, and I. Walukiewicz. Safety of parametrized asynchronous shared-memory systems is almost always decidable. In CONCUR, 2015. To appear.
[37]
Salvatore La Torre and Margherita Napoli. Reachability of multistack pushdown systems with scope-bounded matching relations. In CONCUR, pages 203–218, 2011.
[38]
H. Unno, N. Tabuchi, and N. Kobayashi. Verification of tree-processing programs via higher-order model checking. In APLAS, 2010.
[39]
J. van Leeuwen. Effective constructions in well-partially-ordered free monoids. Discrete Mathematics, 21(3):237–252, 1978.
[40]
Georg Zetzsche. An approach to computing downward closures. In Automata, Languages, and Programming - 42nd International Colloquium, ICALP 2015, Kyoto, Japan, July 6-10, 2015, Proceedings, Part II, pages 440–451, 2015.
1
We slightly alter the alternation rule from ICALP 2012 [7] by matching the top stack character as well as the control state. This is a benign alteration since it one can track the top of stack character in the control state.
This document was translated from LATEX by HEVEA.