1 Introduction
Algorithmic properties of one-counter automata, including reachability, model checking, and equivalence, have been studied by many authors over several decades [2, 3, 4, 5, 6, 7, 8, 10]. The above references are a small subset of the extensive literature on one-counter automata, but they well illustrate that there are many variations on the basic model and that these variations can lead to the model having substantially different algorithmic properties. Particular features mentioned in the references above, driven by applications to automated verification and program analysis, include equality tests, disequality tests, inequality tests, parametric tests, binary updates, polynomial updates, and parametric updates.
Analysing the complexity of reachability in the presence of the features listed above leads to a rich complexity landscape. It is shown in [10] that control-state reachability is decidable in for a “plain vanilla” model of one-counter machine—namely with a counter taking values in the nonnegative integers with operations increment, decrement, and zero testing. Thinking of one-counter automata as one-dimensional vector addition systems with states (1-VASS), it is natural to allow the counter to be updated by adding integer constants in binary. In this case, still with equality tests, control-state reachability becomes -complete [8]. The upper bound here is non-trivial since, due to the binary encoding of integers, a computation that reaches the goal state may have length exponential in the size of the machine. If one enriches the model further by introducing inequality tests (comparing the counter with an integer constant) then control-state reachability becomes -complete [5]. A model of intermediate complexity is one with equality and disequality tests (introduced in [4], with applications to temporal-logic model checking). In this case the complexity of control-state reachability is open (between and ).
In this paper we consider 1-VASS with disequality tests, but no equality tests. Our main result is that the control-state reachability problem in this setting is solvable in polynomial time. This result confirms the intuition that disequality tests are weaker than equality tests. The main technical challenge to obtaining a polynomial-time bound is that a run witnessing that a given control state is reachable may have length exponential in the description of the counter automaton. A standard way to overcome this obstacle in related settings is to show that one may restrict attention to computations that fit a regular pattern (usually in terms of iterating a “small” number of cycles). Here the presence of disequality tests proves to be surprisingly disruptive: it destroys the monotonicity of the transition relation and prevents one from freely iterating positive-weight cycles. (For example, the failure of monotonicity means that it is hard to determine whether all configurations in a given initial location are unbounded—see Figure 1—whereas the same problem for 1-VASS without tests is easily seen to be decidable in polynomial time.) Resolving the complexity of reachability for 1-VASS with both equality and disequality tests remains open. We hope that the techniques developed here can help solve this challenging problem.
To complement our main result we show that for 1-VASS without tests, control-state reachability (and hence also boundedness) is decidable in , i.e., the subclass of P consisting of problems solvable in polylogarithmic parallel time. Problems in are in particular solvable in polylogarithmic space. Related to this, Rosier and Yen [11] have shown that boundedness for VASS is -complete in case there are absolute bounds on the dimension and bit-size of integer vectors.
Due to constraints on space, most proofs appear in the appendix.
2 Definitions
We write to denote the set of all nonnegative integers. In presenting our results we assume that the reader is familiar with basic graph theory and computational complexity.
One-Dimensional Vector Addition Systems with States and Tests.
A 1-VASS with disequality tests is a tuple , where is a set of states, is a collection of cofinite subsets , is a set of transitions, and is a function that assigns an integer weight to each transition. In the special case that each equals , we simply call a 1-VASS (and we omit the collection ).
A configuration of is a pair comprising a state and a nonnegative integer referred to as the counter value. We write for the set of all configurations. We define a partial order on by if and only if and . A configuration is valid if .
A path in is a sequence of states such that for all . We sometimes refer to such a path as a - path. Let be another path such that ; we define . Given states , a set of - paths, and a set of - paths, we define . The weight of is defined to be . A (possibly empty) prefix of is said to be minimal if it has minimal weight among all prefixes of . Define to be the weight of a minimal prefix of .
A run is a sequence of configurations of such that there is a path with for . We write to denote such a run. Observe that runs are not allowed to reach negative counter values. A valid run is a run whose configurations are all valid. Intuitively, a valid run through can proceed if and only if the current counter value is in .
In computational problems all numbers in the description of are given in binary. Given a state we represent the cofinite set as the complement of an explicitly given subset of . Given this convention, we can assume without loss of generality that for all states the set is either or for some ; see Appendix B. For states with , we refer to the single missing value in the domain as the disequality guard on .
The Coverability and Unboundedness Problems.
Let be a 1-VASS with disequality tests, and let and be two distinguished states of . The Coverability Problem asks whether there exists a valid run in from to for some (in which case we say that can cover ). The Unboundedness Problem asks whether the set of configurations reachable from is infinite (in which case we say that is unbounded).
The Coverability Problem reduces to the Unboundedness Problem by, intuitively, forcing to be unbounded using a positive cycle, and removing all states that cannot reach in the underlying graph of . In fact, the following holds.
There is an -computable many-one reduction from the Coverability Problem to the Unboundedness Problem for 1-VASS with disequality tests.
Henceforth, we focus on the complexity of deciding the Unboundedness Problem. In Section 3 we prove that the Unboundedness Problem for 1-VASS with disequality tests is decidable in polynomial time. Since , by Lemma 2 we also have that the Coverability Problem in this setting is decidable in polynomial time. In Section 4 we prove that the Unboundedness Problem for 1-VASS (without disequality tests) is in , and we deduce that the Coverability Problem for 1-VASS is decidable in .
3 Unboundedness for 1-VASS with Disequality Tests
Fix a 1-VASS with disequality tests and a distinguished state . We are interested in determining whether the configuration is unbounded.
For a (possibly infinite) path , denote by the set of such that does not lift to a valid run from the configuration , i.e., the unique induced run either contains a negative counter value or violates a disequality guard.
Example. In Figure 2, since is the guard on the run is not valid and . Observe that and .
Recall that for a path , is the weight of a minimum-weight prefix of . Let be the set of states such that there is a positive-weight simple cycle on in the underlying graph of . For we pick a simple cycle such that for any other positive-weight simple cycle on ; write for . Define .
Define a path to be primitive if no proper infix is a positive cycle (note though that a primitive path may itself be a positive cycle). We say that a run is primitive if the underlying path is primitive. Observe that if is a valid run, none of whose internal configurations lies in , then is primitive.
Example. In Figure 2, for we pick the simple cycle with . Since , we have that . Moreover, the path is primitive, but is not primitive.
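As an added illustration of the definitions of runs, of the blocked set B(π) and of primitive paths above (this code is not part of the paper), the following Python model takes a 1-VASS with disequality tests in the normal form of Section 2 (at most one forbidden counter value per state), lifts a path to its induced run, computes B(π) in closed form together with the minimal prefix weight, and checks primitivity. The instance, its state names, transition weights and guard are constructed for this example and are not the paper's running example from Figure 2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class OneVASS:
    """1-VASS with disequality tests, in the normal form of Section 2:
    integer-weighted transitions and at most one forbidden value per state."""
    weights: Dict[Tuple[str, str], int]          # (source, target) -> weight
    guards: Dict[str, int] = field(default_factory=dict)  # state -> forbidden value

    def prefix_weights(self, path: List[str]) -> List[int]:
        # Weight of every prefix of the path; the empty prefix has weight 0.
        out = [0]
        for a, b in zip(path, path[1:]):
            out.append(out[-1] + self.weights[(a, b)])   # KeyError if no such transition
        return out

    def minimal_prefix_weight(self, path: List[str]) -> int:
        return min(self.prefix_weights(path))

    def lift(self, path: List[str], counter: int) -> Optional[List[Tuple[str, int]]]:
        """Run induced by the path from (path[0], counter), or None if it is not valid,
        i.e. the counter goes negative or equals the guard of the state it is in."""
        run = []
        for state, pw in zip(path, self.prefix_weights(path)):
            value = counter + pw
            if value < 0 or self.guards.get(state) == value:
                return None
            run.append((state, value))
        return run

    def bad_set(self, path: List[str]) -> Set[int]:
        """B(path): initial counters from which the path does not lift to a valid run.
        Closed form: counters too small to stay nonnegative, plus the finitely many
        counters that land exactly on a guard at some position of the path."""
        bad = set(range(max(0, -self.minimal_prefix_weight(path))))
        for state, pw in zip(path, self.prefix_weights(path)):
            if state in self.guards and self.guards[state] - pw >= 0:
                bad.add(self.guards[state] - pw)
        return bad

    def is_primitive(self, path: List[str]) -> bool:
        """No proper infix is a positive-weight cycle (the whole path may be one)."""
        pw = self.prefix_weights(path)
        last = len(path) - 1
        return not any(
            path[i] == path[j] and pw[j] - pw[i] > 0 and (i, j) != (0, last)
            for i in range(last) for j in range(i + 1, last + 1)
        )

# Constructed toy instance (not the paper's running example from Figure 2).
VASS = OneVASS(
    weights={("p", "q"): 3, ("q", "p"): -1, ("q", "r"): -2, ("r", "r"): 1},
    guards={"q": 5},   # the counter must differ from 5 whenever the run is in q
)
```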
A configuration is unbounded if, and only if, can reach an unbounded configuration in .
In order to decide whether is unbounded, by Proposition 3, it suffices to compute the set of unbounded configurations in and determine whether can reach this set. Define to be the set of all unbounded configurations in . Observe that every configuration with can take the cycle arbitrarily many times and is thus included in . However, even if , it may still be the case that is unbounded, by traversing more complicated paths.
Example. In Figure 2, all configurations with in are trivially unbounded and thus included in . It will transpire that even though .
In order to reason about the aforementioned complicated paths, we proceed as follows. In Section 3.1 we introduce residue classes and chains, which form a partition of , and are the building blocks of our analysis. In Section 3.2 we characterize as the limit of an inductive construction. This enables us to reason about the structure of in Section 3.3. Finally, in Section 3.4 we show how to compute and decide unboundedness.
3.1 Residue Classes and Chains
Given and , we call the set of configurations a -residue class. We simply speak of a residue class if we do not want to specify the state . Given a -residue class , a set is called a -chain if it is a maximal subset of with the property that every pair of configurations with are connected by a valid run obtained by iterating the cycle . Again, we speak of a chain if we do not want to specify the state .
We draw a distinction between bounded chains and unbounded chains, where a chain is bounded if and only if the associated set of counter values is bounded. An unbounded -chain is contained in since the cycle can be taken arbitrarily many times from any configuration in to yield a valid run.
For each -residue class , each guard value induces at most two bounded chains, namely configurations below , and the singleton (which is vacuously a chain). Since there are at most guards, each residue class decomposes as a disjoint union of at most bounded chains and a single unbounded chain. Intuitively, within each bounded chain we can iterate the cycle until hitting a guard. We call a residue class trivial if it consists solely of a single unbounded chain. Note that the union of all bounded -chains is equal to .
Example. As indicated in Figure 3 for the running example, the residue classes with are indeed trivial, while each residue class with consists of two bounded chains and , and a single unbounded chain .
One of the main ideas in this section is to show that a configuration is unbounded if and only if it can reach an unbounded chain via a valid run whose underlying path has the form
where are primitive paths and are non-negative integers. Moreover, we give a polynomial bound on the length of the and the magnitude of in terms of the size of the underlying 1-VASS (in general, the exponents may be exponential in the size of the 1-VASS). We also show how to detect the existence of such a path in polynomial time.
Recall the structure of as a partially ordered set. We will use standard order-theoretic terminology and notation to refer to sets of configurations: in particular given sets of configurations , we say that is downward closed in if for all and with , we have .
3.2 Inductive Characterization of
We now give an inductive backward-reachability construction of the set of all configurations in that can reach an unbounded chain. Since unbounded configurations can, in particular, reach unbounded chains, this set is exactly .
In order for our inductive construction to converge in a polynomial number of steps, we essentially consider meta-transitions of the form for a simple cycle, , and a primitive path. Formally, we define an increasing sequence of subsets of such that . Define to be the union of the collection of unbounded chains. Given we inductively construct as follows. First, define as the set of configurations whose distance to is minimal among all configurations in (here the distance of a configuration to is the length of the shortest valid run from to ). Now define to be the smallest set such that and is downward closed in every chain . Then is the set of configurations in that can reach an unbounded chain which, as noted above, is equal to .
By definition, a shortest run from a configuration to has no internal configurations in , and is therefore primitive.
Example. Figure 3 indicates the set for the running example. Note that contains all trivial residue classes. Observe that ; see Figure 3(a). These two configurations belong to two distinct chains. The downward closure of in its chain is , and the downward closure of in its chain is . We have that . The second iteration to compute only adds the configuration to ; see Figure 3(b). The sequence stabilizes in this iteration.
3.3 The Structure of
In this section we analyze the structure of , based on its inductive characterization. This analysis will be key in obtaining a polynomial-time algorithm to compute .
The guiding intuition is that for all the set is almost upward closed in each residue class . By this we mean that if is the least configuration in , then all but polynomially many configurations of above are also in . More specifically, we show that for any bounded chain in that lies above , although the number of configurations in may be exponential in , the size of is bounded by a polynomial in . (Note here that the unique unbounded chain in is contained in and hence is contained in for all .) Using this observation, we provide a polynomial bound on the number of iterations until the inductive construction converges. Indeed, in every iteration, unless a fixed point has been reached, there must exist some bounded chain such that the size of strictly decreases. After showing that is of polynomial size, we obtain a polynomial bound on the number of iterations until convergence by Remark 3.1.
We start by characterizing the paths between chains. Let and let be a (not necessarily valid) run such that is a primitive path. Then there exists a run of length at most such that , , and the -residue class of is either trivial or identical to that of .
Given a -residue class , in general is not an upward closed subset of . The following definitions are intended to measure the defect of in this regard.
We say that a bounded chain that is contained in a residue class is -active if there exists a configuration in that lies below some configuration in . Let be an -active chain. Recall that is downward closed in and hence is upward closed in . Suppose that is non-empty, write and , and define . Thus contains all configurations in , as well as all configurations “between” elements of , apart from those that are themselves in . If then we define . Finally for a residue class we write
(1)
For the least element in we have that .
Example. In Figure 3(a) consider the -active chain . Since we have that .
For all and every chain we have that .
We now come to the central technical part of the paper, controlling the growth of as a function of :
There exists a polynomial such that for each residue class and all we have if contains a chain that is -active but not -active.
Before proceeding to prove Lemma 3.3, we demonstrate the underlying intuition. Consider a configuration that has a primitive path to a configuration . To prove Lemma 3.3, we argue that lifts to a valid run from a “dense” subset of configurations in . There are two main cases in this argument based on whether one of the larger configurations in the chain induces a valid run ending in a trivial residue class.
Example. The first case occurs in obtaining from in the running example; see Figure 3(a). Consider the -chain . The primitive path from the largest configuration in leads to a non-trivial -residue class (out of ). However, one among the -next largest configurations in , for , lifts to a valid run to a trivial -residue class. In the example, this is the case for . The second case occurs in obtaining from in the running example; see Figure 3(b). Consider the -chain . From no configuration in this chain does the primitive path end in a trivial -residue class. However, we provide a subtle argument to bound with .
Proof of Lemma 3.3.
Pick the minimal element . Moreover, let and be such that is a shortest run from to . By Remark 3.2, is a primitive path. By Proposition 3.3 there is a run , for some , such that has length at most , and the residue class of is either trivial or the same as the residue class of . (Note that we do not claim that , nor that lifts to a valid run.) We now identify two cases according to the order of in the group of integers modulo , which is . Recall that this quantity is the smallest such that .
Case (i): . We first show that for every -active chain in .
Let be an -active chain of and suppose for a contradiction that . Since is -active, for every configuration we have . Further, since , can only be blocked on a configuration due to a violation of a disequality guard. Since the length of is at most , it follows that at most elements of lie in .
Recall that is upward closed in , so by the assumption that , there exists a set of “consecutive” elements of , for some , such that no element of lies in . Then lifts to a valid run from each element of . Moreover, since the order of in is assumed to be greater than , the images of the elements of , after following , lie in pairwise distinct -residue classes. But the number of non-trivial -residue classes is at most and hence some configuration in has a run over to a trivial -residue class and hence to . But then such a configuration lies in , which is a contradiction.
We conclude that for every -active chain in . But then by Lemma 3.3. Finally, since comprises at most bounded chains by Remark 3.1, we have that .
Case (ii): . For the residue classes and as above, define an injective partial mapping by if and only if and