Coverability in 1-VASS with Disequality Tests

by   Shaull Almagor, et al.

We show that the control-state reachability problem for one-dimensional vector addition systems with disequality tests is solvable in polynomial time. For the test-free case we moreover show that control-state reachability is in NC, i.e., solvable in polylogarithmic parallel time.



page 1

page 2

page 3

page 4


Reachability in Two-Dimensional Vector Addition Systems with States: One Test is for Free

Vector addition system with states is an ubiquitous model of computation...

Reachability for Branching Concurrent Stochastic Games

We give polynomial time algorithms for deciding almost-sure and limit-su...

Alleviating State-space Explosion in Component-based Systems with Distributed, Parallel Reachability Analysis Algorithm

In this work, we alleviate the well-known State-Space Explosion (SSE) pr...

Reachability in High Treewidth Graphs

Reachability is the problem of deciding whether there is a path from one...

Minkowski Sum of Polytopes Defined by Their Vertices

Minkowski sums are of theoretical interest and have applications in fiel...

On the Decidability of Reachability in Linear Time-Invariant Systems

We consider the decidability of state-to-state reachability in linear ti...

VASS reachability in three steps

This note is a product of digestion of the famous proof of decidability ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Algorithmic properties of one-counter automata, including reachability, model checking, and equivalence, have been studied by many authors over several decades [2, 3, 4, 5, 6, 7, 8, 10]. The above references are a small subset of the extensive literature on one-counter automata, but they well illustrate that there are many variations on the basic model and that these variations can lead to the model having substantially different algorithmic properties. Particular features mentioned in the references above, driven by applications to automated verification and program analysis, include equality tests, disequality tests, inequality tests, parametric tests, binary updates, polynomial updates, and parametric updates.

Analysing the complexity of reachability in the presence of the features listed above leads to a rich complexity landscape. It is shown in [10] that control-state reachability is decidable in for a “plain vanilla” model of one-counter machine—namely with a counter taking values in the nonnegative integers with operations increment, decrement, and zero testing. Thinking of one-counter automata as one-dimensional vector addition systems with states (1-VASS), it is natural to allow the counter to be updated by adding integer constants in binary. In this case, still with equality tests, control-state reachability becomes -complete [8]. The upper bound here is non-trivial since, due to the binary encoding of integers, a computation that reaches the goal state may have length exponential in the size of the machine. If one enriches the model further by introducing inequality tests (comparing the counter with an integer constant) then control-state reachability becomes -complete [5]. A model of intermediate complexity is one with equality and disequality tests (introduced in [4], with applications to temporal-logic model checking). In this case the complexity of control-state reachability is open (between and ).

In this paper we consider 1-VASS with disequality tests, but no equality tests. Our main result is that the control-state reachability problem in this setting is solvable in polynomial time. This result confirms the intuition that disequality tests are weaker than equality tests. The main technical challenge to obtaining a polynomial-time bound is that a run witnessing that a given control state is reachable may have length exponential in the description of the counter automaton. A standard way to overcome this obstacle in related settings is to show that one may restrict attention to computations that fit a regular pattern (usually in terms of iterating a “small” number of cycles). Here the presence of disequality tests proves to be surprisingly disruptive: it destroys the monotonicity of the transition relation and prevents from freely iterating positive-weight cycles. (For example, the failure of monotonicity means that it is hard to determine whether all configurations in a given initial location are unbounded—see Figure 1—whereas the same problem for 1-VASS without tests is easily seen to be decidable in polynomial time.) Resolving the complexity of reachability for 1-VASS with both equality and disequality tests remains open. We hope that the techniques developed here can help solve this challenging problem.

To complement our main result we show that for 1-VASS without tests, control-state reachability (and hence also boundedness) is decidable in , i.e., the subclass of ¶ consisting of problems solvable in polylogarithmic parallel time. Problems in are in particular solvable in polylogarithmic space. Related to this Rosier and Yen [11] have shown that boundedness for VASS is -complete in case there are absolute bounds on the dimension and bit-size of integer vectors.

Due to constraints on space, most proofs appear in the appendix.

Figure 1: A 1-VASS with disequality tests, derived from a 3-CNF formula having propositional variables and clauses . Let be the first primes and write for their product. Define by if and only if . We have states —one state for each clause—and an initial state . Suppose that state corresponds to a clause that mentions variables . Then we place a self-loop on with increment and define the domain of allowable counter values in state to exclude all values such that satisfies the clause . Given , the configuration is bounded iff satisfies . Hence is unbounded for all iff is unsatisfiable (see Appendix A for a complete proof).

2 Definitions

We write to denote the set of all nonnegative integers In presenting our results we assume familiarity of the reader with basic graph theory and computational complexity.

One-Dimensional Vector Addition Systems with States and Tests.

A 1-VASS with disequality tests is a tuple , where is a set of states, is a collection of cofinite subsets , is a set of transitions, and is a function that assigns an integer weight to each transition. In the special case that each equals , we simply call  a 1-VASS (and we omit the collection ).

A configuration of is a pair comprising a state  and a nonnegative integer  referred to as the counter value. We write for the set of all configurations. We define a partial order on by if and only if and . A configuration is valid if .

A path in is a sequence of states such that for all . We sometimes refer to such a path as a - path. Let be another path such that , we define . Given states , a set of - paths, and a set of - paths, we define . The weight of is defined to be . A (possibly empty) prefix of  is said to be minimal if it has minimal weight among all prefixes of . Define to be the weight of a minimal prefix of .

A run is a sequence of configurations of such that there is a path with for . We write to denote such a run. Observe that runs are not allowed to reach negative counter values. A valid run is a run whose configurations are all valid. Intuitively, a valid run through can proceed if and only if the current counter value is in .

In computational problems all numbers in the description of  are given in binary. Given a state  we represent the cofinite set  as the complement of an explicitly given subset of . Given this convention, we can assume without loss of generality that for all states  the set  is either  or for some ; see Appendix B. For states  with , we refer to the single missing value  in the domain as the disequality guard on .

The Coverability and Unboundedness Problems.

Let be a 1-VASS with disequality tests, and let and be two distinguished states of . The Coverability Problem asks whether there exists a valid run in from to for some  (in which case we say that can cover ). The Unboundedness Problem asks whether the set of configurations reachable from is infinite (in which case we say that is unbounded).

The Coverability problem reduces to the Unboundedness problem by, intuitively, forcing  to be unbounded using a positive cycle, and removing all states that cannot reach  in the underlying graph of . In fact, the following holds.

There is an -computable many-one reduction from the Coverability Problem to the Unboundedness Problem for 1-VASS with disequality tests.

Henceforth, we focus on the complexity of deciding the Unboundedness Problem. In Section 3 we prove that the Unboundedness Problem for 1-VASS with disequality tests is decidable in polynomial time. Since , by Lemma 2 we also have that the Coverability Problem in this setting is decidable in polynomial time. In Section 4 we prove that the Unboundedness Problem for 1-VASS (without disequality tests) is in , and we deduce that the Coverability Problem for 1-VASS is decidable in .

3 Unboundedness for 1-VASS with Disequality Tests

Fix a -VASS with disequality tests and a distinguished state . We are interested in determining whether the configuration is unbounded.

For a (possibly infinite) path , denote by the set of such that does not lift to a valid run from the configuration , i.e., the unique induced run either contains a negative counter value or violates a disequality guard.

Example. In Figure 2, since  is the guard on  the run is not valid and . Observe that and .

Recall that for a path , is the weight of a minimum-weight prefix of . Let be the set of states such that there is a positive-weight simple cycle on in the underlying graph of . For we pick a simple cycle such that for any other positive-weight simple cycle  on ; write for . Define .

Figure 2: A 1-VASS with disequality tests. Disequality guards are denoted by . For example, in state  the set is , and no run goes through  if its current counter value is .

Define a path to be primitive if no proper infix is a positive cycle (note though that a primitive path may itself be a positive cycle). We say that a run is primitive if the underlying path is primitive. Observe that if is a valid run, none of whose internal configurations lies in , then is primitive.

Example. In Figure 2, for we pick the simple cycle with . Since , we have that . Moreover, the path is primitive, but is not primitive.

A configuration  is unbounded if, and only if, can reach an unbounded configuration in .

In order to decide whether  is unbounded, by Proposition 3, it suffices to compute the set of unbounded configurations in and determine whether can reach this set. Define to be the set of all unbounded configurations in . Observe that every configuration  with can take the cycle arbitrarily many times and is thus included in . However, even if , it may still be the case that is unbounded, by traversing more complicated paths.

Example. In Figure 2, all configurations  with in are trivially unbounded and thus included in . It will transpire that even though .

In order to reason about the aforementioned complicated paths, we proceed as follows. In Section 3.1 we introduce residue classes and chains, which form a partition of , and are the building blocks of our analysis. In Section 3.2 we characterize as the limit of an inductive construction. This enables us to reason about the structure of in Section 3.3. Finally, in Section 3.4 we show how to compute and decide unboundedness.

3.1 Residue Classes and Chains

Given and , we call the set of configurations a -residue class. We simply speak of a residue class if we do not want to specify the state . Given a -residue class , a set is called a -chain if it is a maximal subset of with the property that every pair of configurations with are connected by a valid run obtained by iterating the cycle . Again, we speak of a chain if we do not want to specify the state .






















Figure 3: We focus on states , , and in the 1-VASS in Figure 2, each of which lies on a simple positive cycle. We also indicate which counter values prevent taking the associated positive cycle. For example, state  has the simple cycle  with and taking from  is not allowed due to disequality guards along . The columns underneath each state represent residue classes of that state in . We colour all unbounded chains in blue and all bounded chains in pink; thus all blue configurations form the set .

We draw a distinction between bounded chains and unbounded chains, where a chain is bounded if and only if the associated set of counter values is bounded. An unbounded -chain is contained in since the cycle can be taken arbitrarily many times from any configuration in to yield a valid run.

For each -residue class , each guard value induces at most two bounded chains, namely configurations below , and the singleton (which is vacuously a chain). Since there are at most guards, each residue class decomposes as a disjoint union of at most  bounded chains and a single unbounded chain. Intuitively, within each bounded chain we can iterate the cycle until hitting a guard. We call a residue class trivial if it consists solely of a single unbounded chain. Note that the union of all bounded -chains is equal to .

Example. As indicated in Figure 3 for the running example, the residue classes with are indeed trivial, while each residue class with consists of two bounded chains and , and a single unbounded chain .

One of the main ideas in this section is to show that a configuration is unbounded if and only if it can reach an unbounded chain via a valid run whose underlying path has the form

where are primitive paths and are non-negative integers. Moreover, we give a polynomial bound on the length of the  and the magnitude of in terms of the size of the underlying 1-VASS (in general, the exponents may be exponential in the size of the 1-VASS). We also show how to detect the existence of such a path in polynomial time.

Recall the structure of as a partially ordered set. We will use standard order-theoretic terminology and notation to refer to sets of configurations: in particular given sets of configurations , we say that is downward closed in if for all and with , we have .

3.2 Inductive Characterization of

We now give an inductive backward-reachability construction of the set of all configurations in that can reach an unbounded chain. Since unbounded configurations can, in particular, reach unbounded chains, this set is exactly .

In order for our inductive construction to converge in a polynomial number of steps, we essentially consider meta-transitions of the form for a simple cycle, , and  a primitive path. Formally, we define an increasing sequence of subsets of such that . Define to be the union of the collection of unbounded chains. Given we inductively construct as follows. First, define as the set of configurations whose distance to is minimal among all configurations in (here the distance of a configuration to is the length of the shortest valid run from to ). Now define to be the smallest set such that and is downward closed in every chain . Then is the set of configurations in that can reach an unbounded chain which, as noted above, is equal to .

By definition, a shortest run from a configuration to has no internal configurations in , and is therefore primitive.

blocked at

blocked at

blocked at

bounded -chains(excluding guards)





relevant sectionof -chains



(a) The set  is obtained from  in Figure 3.

the bounded-chain









relevant sectionof -chains





(b) The set .
Figure 4: The sets and of the running example. The blue configurations are in ; green ones are in ; yellow one is in . The pink configurations are in  and , respectively. While computing , the green configurations  and take the primitive path to . In all other pink configurations in -chains, although enabled, the path  either hits a guard or ends in .

Example. Figure 3 indicates the set  for the running example. Note that contains all trivial residue classes. Observe that ; see Figure 3(a). These two configurations belong to two distinct chains. The downward closure of  in its chain is , and the downward closure of  in its chain is . We have that . The second iteration to compute  only adds the configuration  to ; see Figure 3(b). The sequence stabilizes in this iteration.

3.3 The Structure of

In this section we analyze the structure of , based on its inductive characterization. This analysis will be key in obtaining a polynomial-time algorithm to compute .

The guiding intuition is that for all the set is almost upward closed in each residue class . By this we mean that if  is the least configuration in , then all but polynomially many configurations of  above  are also in . More specifically, we show that for any bounded chain in that lies above , although the number of configurations in may be exponential in , the size of is bounded by a polynomial in . (Note here that the unique unbounded chain in is contained in and hence is contained in for all .) Using this observation, we provide a polynomial bound on the number of iterations until the inductive construction converges. Indeed, in every iteration, unless a fixed point has been reached, there must exist some bounded chain such that the size of strictly decreases. After showing that is of polynomial size, we obtain a polynomial bound on the number of iterations until convergence by Remark 3.1.

We start by characterizing the paths between chains. Let and let be a (not necessarily valid) run such that is a primitive path. Then there exists a run of length at most such that , , and the -residue class of is either trivial or identical to that of .

Given a -residue class , in general is not an upward closed subset of . The following definitions are intended to measure the defect of in this regard.

We say that a bounded chain that is contained in a residue class is -active if there exists a configuration in that lies below some configuration in . Let be an -active chain. Recall that is downward closed in and hence is upward closed in . Suppose that is non-empty, write and , and define . Thus contains all configurations in , as well as all configurations “between” elements of , apart from those that are themselves in . If then we define . Finally for a residue class we write


For the least element in we have that .

Example. In Figure 3(a) consider the -active chain . Since we have that .

For all and every chain we have that .

We now come to the central technical part of the paper, controlling the growth of as a function of :

There exists a polynomial such that for each residue class and all we have if contains a chain that is -active but not -active.

Before proceeding to prove Lemma 3.3, we demonstrate the underlying intuition. Consider a configuration that has a primitive path to a configuration . To prove Lemma 3.3, we argue that lifts to a valid run from a “dense” subset of configurations in . There are two main cases in this argument based on whether one of the larger configurations in the chain induces a valid run ending in a trivial residue class.

Example. The first case occurs in obtaining  from  in the running example; see Figure 3(a). Consider the -chain . The primitive path  from the largest configuration  in  leads to a non-trivial -residue class (out of ). However, one among the -next largest configurations in , for , lifts to a valid run to a trivial -residue class. In the example, this is the case for . The second case occurs in obtaining  from  in the running example; see Figure 3(b). Consider the -chain . The primitive path , from none of the configurations in this chain, ends in a trivial -residue class. However, we provide a subtle argument to bound with .

Proof of Lemma 3.3.

Pick the minimal element . Moreover, let and be such that is a shortest run from to . By Remark 3.2, is a primitive path. By Proposition 3.3 there is a run , for some , such that has length at most , and the residue class of is either trivial or the same as the residue class of . (Note that we do not claim that , nor that lifts to a valid run.) We now identify two cases according to the order of in the group of integers modulo , which is . Recall that this quantity is the smallest such that .

Case (i): . We first show that for every -active chain in .

Let be an -active chain of and suppose for a contradiction that . Since is -active, for every configuration we have . Further, since , can only be blocked on a configuration due to a violation of a disequality guard. Since the length of is at most , it follows that at most elements of lie in .

Recall that is upward closed in , so by the assumption that , there exists a set of “consecutive” elements of , for some , such that no element of lies in . Then lifts to a valid run from each element of . Moreover, since the order of in is assumed to be greater than , the images of the elements of , after following , lie in pairwise distinct -residue classes. But the number of non-trivial -residue classes is at most and hence some configuration in has a run over to a trivial -residue class and hence to . But then such a configuration lies in , which is a contradiction.

We conclude that for every -active chain in . But then by Lemma 3.3. Finally, since comprises at most bounded chains by Remark 3.1, we have that .

Case (ii): . For the residue classes and as above, define an injective partial mapping by if and only if and