General Decidability Results for Asynchronous Shared-Memory Programs: Higher-Order and Beyond
aa r X i v : . [ c s . F L ] J a n General Decidability Results forAsynchronous Shared-Memory Programs:Higher-Order and Beyond
RUPAK MAJUMDAR,
Max Planck Institute for Software Systems (MPI-SWS), Germany
RAMANATHAN S. THINNIYAM,
Max Planck Institute for Software Systems (MPI-SWS), Germany
GEORG ZETZSCHE,
Max Planck Institute for Software Systems (MPI-SWS), GermanyThe model of asynchronous programming arises in many contexts, from low-level systems software to high-level web programming. We take a language-theoretic perspective and show general decidability and undecid-ability results for asynchronous programs that capture all known results as well as show decidability of newand important classes. As a main consequence, we show decidability of safety, termination and boundednessverification for higher-order asynchronous programs—such as OCaml programs using Lwt—and undecidabil-ity of liveness verification already for order-2 asynchronous programs. We show that under mild assumptions,surprisingly, safety and termination verification of asynchronous programs with handlers from a languageclass are decidable iff emptiness is decidable for the underlying language class. Moreover, we show that con-figuration reachability and liveness (fair termination) verification are equivalent, and decidability of theseproblems implies decidability of the well-known “equal-letters” problem on languages. Our results close thedecidability frontier for asynchronous programs.
Asynchronous programming is a common way to manage concurrent requests in a system. In thisstyle of programming, rather than waiting for a time-consuming operation to complete, the pro-grammer can make asynchronous procedure calls which are stored in a task buffer pending laterexecution. Each asynchronous procedure, or handler , is a sequential program. When run, it canchange the global shared state of the program, make internal synchronous procedure calls, and postfurther instances of handlers to the task buffer. A scheduler repeatedly and non-deterministicallypicks pending handler instances from the task buffer and executes their code atomically to comple-tion. Asynchronous programs appear in many domains, such as operating system kernel code, webprogramming, or user applications on mobile platforms. This style of programming is supportednatively or through libraries for most programming environments. The interleaving of differenthandlers hides latencies of long-running operations: the program can process a different handlerwhile waiting for an external operation to finish. However, asynchronous scheduling of tasks in-troduces non-determinism in the system, making it difficult to reason about correctness.An asynchronous program is finite-data if all program variables range over finite domains.Finite-data programs are still infinite state transition systems: the task buffer can contain an un-bounded number of pending instances and the sequential machine implementing an individualhandler can have unboundedly large state (e.g., if the handler is given as a recursive program,the stack can grow unboundedly). Nevertheless, verification problems for finite-data programshave been shown to be decidable for several kinds of handlers [Chadha and Viswanathan 2007;
Authors’ addresses: Rupak Majumdar, Max Planck Institute for Software Systems (MPI-SWS), Paul-Ehrlich-Straße, BuildingG26, Kaiserslautern, 67663, Germany, [email protected]; Ramanathan S. Thinniyam, Max Planck Institute for SoftwareSystems (MPI-SWS), Paul-Ehrlich-Straße, Building G26, Kaiserslautern, 67663, Germany, [email protected]; GeorgZetzsche, Max Planck Institute for Software Systems (MPI-SWS), Paul-Ehrlich-Straße, Building G26, Kaiserslautern, 67663,Germany, [email protected]. XXXX-XXXX/2021/1-ART $15.00https://doi.org/10.1145/nnnnnnn.nnnnnnn , Vol. 1, No. 1, Article . Publication date: January 2021.
Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche
Ganty and Majumdar 2012; Jhala and Majumdar 2007; Sen and Viswanathan 2006]. Several algo-rithmic approaches have been studied, which tailor to (i) the kinds of permitted handler programsand (ii) the properties that are checked.
State of the art
We briefly survey the existing approaches and what is known about the decid-ability frontier. The
Parikh approach applies to (first-order) recursive handler programs. Here, thedecision problems for asynchronous programs are reduced to decision problems over Petri nets[Ganty and Majumdar 2012]. The key insight is that since handlers are executed atomically, theorder in which a handler posts tasks to the buffer is irrelevant. Therefore, instead of consider-ing the sequential order of posted tasks along an execution, one can equivalently consider itsParikh image. Thus, when handlers are given pushdown systems, the behaviors of an asynchro-nous program can be represented by a (polynomial sized) Petri net. Using the Parikh approach,safety (formulated as reachability of a global state), termination (whether all executions terminate),and boundedness (whether there is an a priori upper bound on the task buffer) are all decidable forasynchronous programs with recursive handlers, by reduction to corresponding problems on Petrinets [Ganty and Majumdar 2012; Sen and Viswanathan 2006]. Configuration reachability (reacha-bility of a specific global state and task buffer configuration), fair termination (termination under afair scheduler), and fair non-starvation (every pending handler instance is eventually executed) arealso decidable, by separate ad hoc reductions to Petri net reachability [Ganty and Majumdar 2012].A “reverse reduction” shows that Petri nets can be simulated by polynomial-sized asynchronousprograms (already with finite-data handlers).In the downclosure approach , one replaces each handler with a finite-data program that is equiv-alent up to “losing” handlers in the task buffer. Of course, this requires that one can computeequivalent finite-data programs for given handler programs. This has been applied to checkingsafety for recursive handler programs [Atig et al. 2009]. Finally, a bespoke rank-based approach has been applied to checking safety when handlers can perform restricted higher-order recur-sion [Chadha and Viswanathan 2007].
Contribution
Instead of studying individual kinds of handler programs, we consider asynchro-nous programs in a general language-theoretic framework. The class of handler programs is givenas a language class C : An asynchronous program over a language class C is one where each han-dler defines a language from C over the alphabet of handler names, as well as a transformer overthe global state. This view leads to general results: we can obtain simple characterizations of whichclasses of handler programs permit decidability. For example, we do not need the technical assump-tions of computability of equivalent finite-data programs from the Parikh and the downclosureapproach.Our first result shows that, under a mild language-theoretic assumption, safety and terminationare decidable if and only if the underlying language class C has decidable emptiness problem. Similarly, we show that boundedness is decidable iff finiteness is decidable for the language class C . These results are the best possible: decidability of emptiness (resp., finiteness) is a require-ment for safety and termination verification already for verifying the safety or termination (resp.,boundedness) of one sequential handler call. As corollaries, we get new decidability results for allthese problems for asynchronous programs over higher-order recursion schemes , which form thelanguage-theoretic basis for programming in higher-order functional languages such as OCaml[Kobayashi 2009; Ong 2015], as well as other language classes (lossy channel languages, Petri netlanguages, etc.). The “mild language-theoretic assumption” is that the class of languages forms an effective full trio: it is closed underintersections with regular languages, homomorphisms, and inverse homomorphisms. Many language classes studied informal language theory and verification satisfy these conditions., Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 3
Second, we show that configuration reachability, fair termination, and fair starvation are mu-tually reducible; thus, decidability of any one of them implies decidability of all of them. We alsoshow decidability of these problems implies the decidability of a well-known combinatorial prob-lem on languages: given a language over the alphabet { a , b } , decide if it contains a word with anequal number of a s and b s. Viewed contrapositively, we conclude that all these decision problemsare undecidable already for asynchronous programs over order-2 pushdown languages, since theequal-letters problem is undecidable for this class.Together, our results “close” the decidability frontier for asynchronous programs, by demon-strating reducibilities between decision problems heretofore studied separately and connectingdecision problems on asynchronous programs with decision problems on the underlying languageclasses of their handlers.While our algorithms do not assume that downclosures are effectively computable, we use down-closures to prove their correctness. We show that safety, termination, and boundedness problemsare invariant under taking downclosures of runs; this corresponds to taking downclosures of thelanguages of handlers.The observation that safety, termination, and boundedness depend only on the downclosuresuggests a possible route to implementation. If there is an effective procedure to compute thedownclosure for class C , then a direct verification algorithm would replace all handlers by their(regular) downclosures, and invoke existing decision procedures for this case. Thus, we get a di-rect algorithm based on downclosure constructions for higher order recursion schemes, usingthe string of celebrated recent results on effectively computing the downclosure of word schemes [Clemente et al. 2016; Hague et al. 2016; Zetzsche 2015].We find our general decidability result for asynchronous programs to be surprising. Alreadyfor regular languages, the complexity of safety verification jumps from NL (NFA emptiness) to EXPSPACE (Petri net coverability): asynchronous programs are far more expressive than individ-ual handler languages. It is therefore surprising that safety and termination verification remainsdecidable whenever it is decidable for individual handler languages.
Basic Definitions.
We assume familiarity with basic definitions of automata theory (see, e.g.,[Hopcroft et al. 2007; Sipser 1997]). The projection of word 𝑤 onto some alphabet Σ ′ , writtenProj Σ ′ ( 𝑤 ) , is the word obtained by erasing from 𝑤 each symbol which does not belong to Σ ′ . Fora language 𝐿 , define Proj Σ ′ ( 𝐿 ) = { Proj Σ ′ ( 𝑤 ) | 𝑤 ∈ 𝐿 } . The subword order ⊑ on Σ ∗ is defined as 𝑤 ⊑ 𝑤 ′ for 𝑤, 𝑤 ′ ∈ Σ ∗ if 𝑤 can be obtained from 𝑤 ′ by deleting some letters from 𝑤 ′ . For example, 𝑎𝑏𝑏𝑎 ⊑ 𝑏𝑎𝑏𝑎𝑏𝑎 but 𝑎𝑏𝑏𝑎 𝑏𝑎𝑎𝑏𝑎 . The downclosure ↓ 𝑤 with respect to the subword order of aword 𝑤 ∈ Σ ∗ is defined as ↓ 𝑤 : = { 𝑤 ′ ∈ Σ ∗ | 𝑤 ′ ⊑ 𝑤 } . The downclosure ↓ 𝐿 of a language 𝐿 ⊆ Σ ∗ isgiven by ↓ 𝐿 : = { 𝑤 ′ ∈ Σ ∗ | ∃ 𝑤 ∈ 𝐿 : 𝑤 ′ ⊑ 𝑤 } . Recall that the downclosure ↓ 𝐿 of any language 𝐿 isa regular language [Haines 1969].A multiset m : Σ → N over Σ maps each symbol of Σ to a natural number. Let M [ Σ ] be the setof all multisets over Σ . We treat sets as a special case of multisets where each element is mappedonto 0 or 1. As an example, we write m = J a , a , c K for the multiset m ∈ M [{ a , b , c , d }] such that m ( a ) = m ( b ) = m ( d ) =
0, and m ( c ) =
1. We also write | m | = Í 𝜎 ∈ Σ m ( 𝜎 ) .Given two multisets m , m ′ ∈ M [ Σ ] we define the multiset m ⊕ m ′ ∈ M [ Σ ] for which, for all a ∈ Σ , we have ( m ⊕ m ′ ) ( a ) = m ( a ) + m ′ ( a ) . We also define the natural order (cid:22) on M [ Σ ] asfollows: m (cid:22) m ′ iff there exists m Δ ∈ M [ Σ ] such that m ⊕ m Δ = m ′ . We also define m ′ ⊖ m for m (cid:22) m ′ analogously: for all a ∈ Σ , we have ( m ⊖ m ′ ) ( a ) = m ( a ) − m ′ ( a ) . For Σ ⊆ Σ ′ we regard m ∈ M [ Σ ] as a multiset of M [ Σ ′ ] where undefined values are sent to 0. , Vol. 1, No. 1, Article . Publication date: January 2021. Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche
Language Classes and Full Trios. A language class is a collection of languages, together withsome finite representation. Examples are the regular (e.g. represented by finite automata) or thecontext-free languages (e.g. represented by pushdown automata or PDA ). A relatively weak andreasonable assumption on a language class is that it is a full trio , that is, it is closed under eachof the following operations: taking intersection with a regular language, taking homomorphicimages, and taking inverse homomorphic images. Equivalently, a language class is a full trio iff itis closed under rational transductions [Berstel 1979].We assume that all full trios C considered in this paper are effective : Given a language 𝐿 from C ,a regular language 𝑅 , and a homomorphism ℎ , we can compute a representation of the languages 𝐿 ∩ 𝑅 , ℎ ( 𝐿 ) , and ℎ − ( 𝐿 ) in C .Many classes of languages studied in formal language theory form effective full trios. Exam-ples include the regular and the context-free languages [Hopcroft et al. 2007], the indexed lan-guages [Aho 1968; Damm and Goerdt 1986], the languages of higher-order pushdown automata[Maslov 1974], higher-order recursion schemes ( HORS ) [Damm 1982; Hague et al. 2008], Petrinets [Greibach 1978; Jantzen 1979], and lossy channel systems (see Section 4.1). (While
HORS areusually viewed as representing a tree or collection of trees, one can also view them as representinga word language, as we explain in Section 5.)Informally, a language class defined by non-deterministic devices with a finite-state control thatallows 𝜀 -transitions and imposes no restriction between input letter and performed configurationchanges (such as non-deterministic pushdown automata) is always a full trio: The three operationsabove can be realized by simple modifications of the finite-state control. The deterministic context-free languages are a class that is not a full trio.An asynchronous transducer T is a tuple T = ( 𝑄, Γ , Σ , 𝐸, 𝑞 , 𝐹 ) with a set of finite states 𝑄 , finiteoutput alphabet Γ , finite input alphabet Σ , a finite set of edges 𝐸 ⊆ 𝑄 × Γ ∗ × Σ ∗ × 𝑄 , initial state 𝑞 ∈ 𝑄 and set of final states 𝐹 ⊆ 𝑄 . We write 𝑝 𝑣 | 𝑢 −−→ 𝑞 if ( 𝑝, 𝑣, 𝑢, 𝑞 ) ∈ 𝐸 and the machine reads 𝑢 in state 𝑝 , outputs 𝑣 and moves to state 𝑞 . We also write 𝑝 𝑤 | 𝑤 ′ −−−−→ 𝑞 if there are states 𝑞 , 𝑞 , . . . , 𝑞 𝑛 and words 𝑢 , 𝑢 , . . . , 𝑢 𝑛 , 𝑣 , 𝑣 , . . . , 𝑣 𝑛 such that 𝑝 = 𝑞 , 𝑞 = 𝑞 𝑛 , 𝑤 ′ = 𝑢 𝑢 · · · 𝑢 𝑛 , 𝑤 = 𝑣 𝑣 · · · 𝑣 𝑛 and 𝑞 𝑖 𝑣 𝑖 | 𝑢 𝑖 −−−→ 𝑞 𝑖 + for all 0 ≤ 𝑖 ≤ 𝑛 .The transduction 𝑇 ⊆ Γ ∗ × Σ ∗ generated by the transducer T is the set of tuples ( 𝑣, 𝑢 ) ∈ Γ ∗ × Σ ∗ such that 𝑞 𝑣 | 𝑢 −−→ 𝑞 𝑓 for some 𝑞 𝑓 ∈ 𝐹 . Given a language 𝐿 ⊆ Σ ∗ , we define 𝑇 𝐿 : = { 𝑣 ∈ Γ ∗ | ∃ 𝑢 ∈ 𝐿 ( 𝑣, 𝑢 ) ∈ 𝑇 } . A transduction 𝑇 ⊆ Γ ∗ × Σ ∗ is rational if it is generated by some asynchronoustransducer.A language class which is closed under rational transductions is called a full trio .The following equivalent characterization of full trios is well known. Theorem 2.1 (Berstel [Berstel 1979]).
A language class C is a full trio if and only if it is closedunder each of the following operations: • intersection with a regular language, • taking homomorphic images, and • taking inverse homomorphic images.Asynchronous Programs: A Language-Theoretic View. We use a language-theoretic model forasynchronous shared-memory programs.
Definition 2.2.
Let C be an (effective) full trio. An asynchronous program ( AP ) over C is a tuple 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) , where 𝐷 is a finite set of global states , Σ is an alphabet of handler names , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ is a family of languages from C , one for each 𝑐 ∈ ℭ where ℭ = 𝐷 × Σ × 𝐷 is the set of contexts , 𝑑 ∈ 𝐷 is the initial state , and m ∈ M [ Σ ] is a multiset of initial pending handler instances . , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 5 global var turn = ref 0 and x = ref 0; let rec s1 () = if * then begin post a; s1(); post b end let rec s2 () = if * then begin post a; s2(); post b end else post b let a () = if !turn = 0 then begin turn := 1; x := !x + 1 end else post a let b () = if !turn = 1 then begin turn := 0; x := !x - 1 end else post b let s3 () = post s3; post s3 global var t = ref 0; let c () = if !t = 0 then t := 1 else post c let d () = if !t = 1 then t := 2 else post d let f () = if !t = 2 then t := 0 else post f let cc x = post c; x let dd x = post d; x let ff x = post f; x let id x = x let h g y = cc (g (dd y)) let rec produce g x = if * then produce (h g) (ff x) else g x let s4 () = produce id () Fig. 1. Examples of asynchronous programs A configuration ( 𝑑, m ) ∈ 𝐷 × M [ Σ ] of 𝔓 consists of a global state 𝑑 and a multiset m of pendinghandler instances. For a configuration 𝑐 , we write 𝑐.𝑑 and 𝑐. m for the global state and the multiset inthe configuration respectively. The initial configuration 𝑐 of 𝔓 is given by 𝑐 .𝑑 = 𝑑 and 𝑐 . m = m .The semantics of 𝔓 is given as a labeled transition system over the set of configurations, with thetransition relation 𝜎 −→⊆ ( 𝐷 × M [ Σ ]) × ( 𝐷 × M [ Σ ]) given by ( 𝑑, m ⊕ J 𝜎 K ) 𝜎 −→ ( 𝑑 ′ , m ⊕ m ′ ) iff ∃ 𝑤 ∈ 𝐿 𝑑𝜎𝑑 ′ : Parikh ( 𝑤 ) = m ′ We use → ∗ for the reflexive transitive closure of the transition relation. A configuration 𝑐 is saidto be reachable in 𝔓 if ( 𝑑 , m ) → ∗ 𝑐 .Intuitively, the set Σ of handler names specifies a finite set of procedures that can be invokedasynchronously. The shared state takes values in 𝐷 . When a handler is called asynchronously, itgets added to a bag of pending handler calls (the multiset m in a configuration). The language 𝐿 𝑑𝜎𝑑 ′ captures the effect of executing an instance of 𝜎 starting from the global state 𝑑 , such that ontermination, the global state is 𝑑 ′ . Each word 𝑤 ∈ 𝐿 𝑑𝜎𝑑 ′ captures a possible sequence of handlersposted during the execution.Suppose the current configuration is ( 𝑑, m ) . A non-deterministic scheduler picks one of the out-standing handlers 𝜎 ∈ m and executes it. Executing 𝜎 corresponds to picking one of the languages 𝐿 𝑑𝜎𝑑 ′ and some word 𝑤 ∈ 𝐿 𝑑𝜎𝑑 ′ . Upon execution of 𝜎 , the new configuration has global state 𝑑 ′ and the new bag of pending calls is obtained by taking m , removing an instance of 𝜎 from it, andadding the Parikh image of 𝑤 to it. This reflects the current set of pending handler calls—the oldones (minus an instance of 𝜎 ) together with the new ones added by executing 𝜎 . Note that a han-dler is executed atomically; thus, we atomically update the global state and the effect of executingthe handler.Let us see some examples of asynchronous programs. It is convenient to present these examplesin a programming language syntax, and to allow each handler to have internal actions that performlocal tests and updates to the global state. As we describe informally below, and formally in the fullversion, when C is a full trio, internal actions can be “compiled away” by taking an intersectionwith a regular language of internal actions and projecting the internal actions away. Thus, we useour simpler model throughout. , Vol. 1, No. 1, Article . Publication date: January 2021. Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche
Examples.
Figure 1 shows some simple examples of asynchronous programs in an OCaml-likesyntax. Consider first the asynchronous program in lines 1–5. The alphabet of handlers is s1 , s2 , a , and b . The global states correspond to possible valuations to the global variables turn and x ;assuming turn is a Boolean and x takes values in N , we have that 𝐷 = { , } × { , , 𝜔 } , where 𝜔 abstracts all values other than { , } . Since s1 and s2 do not touch any variables, for 𝑑, 𝑑 ′ ∈ 𝐷 , wehave 𝐿 𝑑, s1 ,𝑑 = { a 𝑛 b 𝑛 | 𝑛 ≥ } , 𝐿 𝑑, s2 ,𝑑 = { a 𝑛 b 𝑛 + | 𝑛 ≥ } , and 𝐿 𝑑, s1 ,𝑑 ′ = 𝐿 𝑑, s2 ,𝑑 ′ = ∅ if 𝑑 ′ ≠ 𝑑 .For the languages corresponding to a and b , we use syntactic sugar in the form of internal actions ;these are local tests and updates to the global state. For our example, we have, e.g., 𝐿 ( , ) , a , ( , ) = { 𝜀 } , 𝐿 ( ,𝑥 ) , a , ( ,𝑥 ) = { a } for all values of 𝑥 , and similarly for b . The meaning is that, starting from a globalstate ( , ) , executing the handler will lead to the global state ( , ) and no handlers will be posted,whereas starting from a global state in which turn is 1, executing the handler will keep the globalstate unchanged but post an instance of a . Note that all the languages are context-free.Consider an execution of the program from the initial configuration (( , ) , J s1 K ) . The executionof s1 puts 𝑛 a s and 𝑛 b s into the bag, for some 𝑛 ≥
0. The global variable turn is used to ensure thatthe handlers a and b alternately update x . When turn is 0, the handler for a increments x and sets turn to 1, otherwise it re-posts itself for a future execution. Likewise, when turn is 1, the handlerfor b decrements x and sets turn back to 0, otherwise it re-posts itself for a future execution. Asa result, the variable x never grows beyond 1. Thus, the program satisfies the safety property thatno execution sets x to 𝜔 .It is possible that the execution goes on forever: for example, if s1 posts an a and a b , andthereafter only b is chosen by the scheduler. This is not an “interesting” infinite execution as itis not fair to the pending a . In the case of a fair scheduler, which eventually always picks aninstance of every pending task, the program terminates: eventually all the a s and b s are consumedwhen they are scheduled in alternation. However, if instead we started with J s2 K , the program willnot terminate even under a fair scheduler: the last remaining b will not be paired and will keepexecuting and re-posting itself forever.Now consider the execution of s3 . It has an infinite fair run, where the scheduler picks aninstance of s3 at each step. However, the number of pending instances grows without bound. Weshall study the boundedness problem , which checks if the bag can become unbounded along somerun. We also study a stronger notion of fair termination, called fair non-starvation , which asksthat every instance of a posted handler is executed under any fair scheduler. The execution of s3 is indeed fair, but there can be a specific instance of s3 that is never picked: we say s3 can starve an instance.The program in lines 9–20 is higher-order ( produce and h take functions as arguments). Thelanguage of s4 is the set { c 𝑛 d 𝑛 f 𝑛 | 𝑛 ≥ } , that is, it posts an equal number of c s, d s, and f s. It isan indexed language; we shall see (Section 5) how this and other higher-order programs can berepresented using higher-order recursion schemes ( HORS ). Note the OCaml types of produce : ( o → o ) → o → o and h : ( o → o ) → o → o are higher-order.The program is similar to the first: the handlers c , d , and f execute in “round robin” fashionusing the global state t to find their turns. Again, we use internal actions to update the globalstate for readability. We ask the same decision questions as before: does the program ever reach aspecific global state and does the program have an infinite (fair) run? We shall see later that safetyand termination questions remain decidable, whereas fair termination does not. We now describe decision problems on runs of asynchronous programs. , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 7
Runs, preruns, and downclosures. A prerun of an AP 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) is a finite orinfinite sequence 𝜌 = ( 𝑒 , n ) , 𝜎 , ( 𝑒 , n ) , 𝜎 , . . . of alternating elements of tuples ( 𝑒 𝑖 , n 𝑖 ) ∈ 𝐷 × M [ Σ ] and symbols 𝜎 𝑖 ∈ Σ . The set of preruns of 𝔓 will be denoted Preruns ( 𝔓 ) . Note that if twoasynchronous programs 𝔓 and 𝔓 ′ have the same 𝐷 and Σ , then Preruns ( 𝔓 ) = Preruns ( 𝔓 ′ ) . The length , denoted | 𝜌 | , of a finite prerun 𝜌 is the number of configurations in 𝜌 . The 𝑖 𝑡ℎ configurationof a prerun 𝜌 will be denoted 𝜌 ( 𝑖 ) .We define an order E on preruns as follows: For preruns 𝜌 = ( 𝑒 , n ) , 𝜎 , ( 𝑒 , n ) , 𝜎 , . . . and 𝜌 ′ = ( 𝑒 ′ , n ′ ) , 𝜎 ′ , ( 𝑒 ′ , n ′ ) , 𝜎 ′ , . . . , we define 𝜌 E 𝜌 ′ if | 𝜌 | = | 𝜌 ′ | and 𝑒 𝑖 = 𝑒 ′ 𝑖 , 𝜎 𝑖 = 𝜎 ′ 𝑖 and n 𝑖 (cid:22) n ′ 𝑖 foreach 𝑖 ≥
0. The downclosure ↓ 𝑅 of a set 𝑅 of preruns of 𝔓 is defined as ↓ 𝑅 = { 𝜌 ∈ Preruns ( 𝔓 ) |∃ 𝜌 ′ ∈ 𝑅. 𝜌 E 𝜌 ′ } .A run of an AP 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) is a prerun 𝜌 = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ) , 𝜎 , . . . startingwith the initial configuration ( 𝑑 , m ) , where for each 𝑖 ≥
0, we have ( 𝑑 𝑖 , m 𝑖 ) 𝜎 𝑖 + −−−→ ( 𝑑 𝑖 + , m 𝑖 + ) .The set of runs of 𝔓 is denoted Runs ( 𝔓 ) and ↓ Runs ( 𝔓 ) is its downclosure with respect to E .An infinite run 𝑐 𝜎 −→ 𝑐 𝜎 −→ . . . is fair if for all 𝑖 ≥
0, if 𝜎 ∈ 𝑐 𝑖 . m then there is some 𝑗 ≥ 𝑖 suchthat 𝑐 𝑗 𝜎 −→ 𝑐 𝑗 + . That is, whenever an instance of a handler is posted, some instance of the handleris executed later. Fairness does not preclude that a specific instance of a handler is never executed.An infinite fair run starves handler 𝜎 if there exists an index 𝐽 ≥ 𝑗 ≥ 𝐽 , wehave (i) 𝑐 𝑗 . m ( 𝜎 ) ≥ 𝑐 𝑗 𝜎 −→ 𝑐 𝑗 + , we have 𝑐 𝑗 . m ( 𝜎 ) ≥
2. In this case, even if therun is fair, a specific instance of 𝜎 may never be executed.Now we give the definitions of the various decision problems. Definition 3.1 (Properties of finite runs).
The
Safety (Global state reachability) problem asks,given an asynchronous program 𝔓 and a global state 𝑑 𝑓 ∈ 𝐷 , is there a reachable configuration 𝑐 such that 𝑐.𝑑 = 𝑑 𝑓 ? If so, 𝑑 𝑓 is said to be reachable (in 𝔓 ) and unreachable otherwise. The Bound-edness (of the task buffer) problem asks, given an asynchronous program 𝔓 , is there an 𝑁 ∈ N such that for every reachable configuration 𝑐 , we have | 𝑐. m | ≤ 𝑁 ? If so, the asynchronous program 𝔓 is bounded ; otherwise it is unbounded . The Configuration reachability problem asks, givenan asynchronous program 𝔓 and a configuration 𝑐 , is 𝑐 reachable? Definition 3.2 (Properties of infinite runs).
All the following problems take as input an asyn-chronous program 𝔓 . The Termination problem asks if all runs of 𝔓 are finite. The Fair Non-termination problem asks if 𝔓 has some fair infinite run. The Fair Starvation problem asks if 𝔓 has some fair run that starves some handler.Our main result in this section shows that many properties of an asynchronous program 𝔓 only depend on the downclosure ↓ Runs ( 𝔓 ) of the set Runs ( 𝔓 ) of runs of the program 𝔓 . Theproof is by induction on the length of runs. Please see Appendix B for details. For any AP 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) , we define the AP ↓ 𝔓 = ( 𝐷, Σ , (↓ 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) , where ↓ 𝐿 𝑐 is the down-closure of the language 𝐿 𝑐 under the subword order. Proposition 3.3.
Let
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) be an asynchronous program. Then ↓ Runs (↓ 𝔓 ) = ↓ Runs ( 𝔓 ) . In particular, the following holds. (1) For every 𝑑 ∈ 𝐷 , 𝔓 can reach 𝑑 if and only if ↓ 𝔓 can reach 𝑑 . (2) 𝔓 is terminating if and only if ↓ 𝔓 is terminating. (3) 𝔓 is boundedif and only if ↓ 𝔓 is bounded. Intuitively, safety, termination, and boundedness is preserved when the multiset of pendinghandler instances is “lossy”: posted handlers can get lost. This corresponds to these handlers neverbeing scheduled by the scheduler. However, if a run demonstrates reachability of a global state, ornon-termination, or unboundedness, in the lossy version, it corresponds also to a run in the originalproblem (and conversely). , Vol. 1, No. 1, Article . Publication date: January 2021.
Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche
In contrast, simple examples show that configuration reachability, fair termination, and fairnon-starvation properties are not preserved under downclosures.
In this section, we characterize those full trios C for which particular problems for asynchronousprograms over C are decidable. Our decision procedures will use the following theorem, summa-rizing the results from [Ganty and Majumdar 2012], as a subprocedure. Theorem 4.1 ([Ganty and Majumdar 2012]).
Safety, boundedness, configuration reachability,termination, fair non-termination, and fair non-starvation are decidable for asynchronous programsover regular languages.
Our first main result concerns the problems of safety and termination.
Theorem 4.2.
Let C be a full trio. The following are equivalent:(i) Safety is decidable for asynchronous programs over C .(ii) Termination is decidable for asynchronous programs over C .(iii) Emptiness is decidable for C . We begin with “(i) ⇒ (iii)”. Let 𝐾 ⊆ Σ ∗ be given. We construct 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) suchthat m = J 𝜎 K , 𝐷 = { 𝑑 , 𝑑 } , 𝐿 𝑑 ,𝜎,𝑑 = 𝐾 and 𝐿 𝑐 = ∅ for 𝑐 ≠ ( 𝑑 , 𝜎, 𝑑 ) . We see that 𝔓 can reach 𝑑 iff 𝐾 is non-empty. Next we show “(ii) ⇒ (iii)”. Consider the alphabet Γ = ( Σ ∪ { 𝜀 }) × { , } and thehomomorphisms 𝑔 : Γ ∗ → Σ ∗ and ℎ : Γ ∗ → { 𝜎 } ∗ , where for 𝑥 ∈ Σ ∪ { 𝜀 } , we have 𝑔 (( 𝑥, 𝑖 )) = 𝑥 for 𝑖 ∈ { , } , ℎ (( 𝑥, )) = 𝜎 , and ℎ (( 𝑥, )) = 𝜀 . If 𝑅 ⊆ Γ ∗ is the regular set of words in which exactlyone position belongs to the subalphabet ( Σ ∪ { 𝜀 }) × { } , then the language 𝐾 ′ : = ℎ ( 𝑔 − ( 𝐾 ) ∩ 𝑅 ) belongs to C . Note that 𝐾 ′ is ∅ or { 𝜎 } , depending on whether 𝐾 is empty or not. We construct 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) with 𝐷 = { 𝑑 } , m = J 𝜎 K , 𝐿 𝑑 ,𝜎,𝑑 = 𝐾 ′ and all languages 𝐿 𝑐 = ∅ for 𝑐 ≠ ( 𝑑 , 𝜎, 𝑑 ) . Then 𝔓 is terminating iff 𝐾 is empty.To prove “(iii) ⇒ (i)”, we design an algorithm deciding safety assuming decidability of emptiness.Given asynchronous program 𝔓 and state 𝑑 as input, the algorithm consists of two semi-decisionprocedures: one which searches for a run of 𝔓 reaching the state 𝑑 , and the second which enumer-ates regular overapproximations 𝔓 ′ of 𝔓 and checks the safety of 𝔓 ′ using Theorem 4.1. Each 𝔓 ′ consists of a regular language 𝐴 𝑐 overapproximating 𝐿 𝑐 for each context 𝑐 of 𝔓 . We use decidabilityof emptiness to check that 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 𝑐 ) = ∅ to ensure that 𝔓 ′ is indeed an overapproximation.Algorithm 1 clearly gives a correct answer if it terminates. Hence, we only have to argue that italways does terminate. Of course, if 𝑑 is reachable, the first semi-decision procedure will terminate.In the other case, termination is due to the regularity of downclosures: if 𝑑 is not reachable in 𝔓 ,then Proposition 3.3 tells us that ↓ 𝔓 cannot reach 𝑑 either. But ↓ 𝔓 is an asynchronous programover regular languages; this means there exists a safe regular overapproximation and the secondsemi-decision procedure terminates.To prove “(iii) ⇒ (ii)”, we adopt a similar method as for safety. Algorithm 2 for termination con-sists of two semi-decision procedures. By standard well-quasi-ordering arguments, an infinite runof an asynchronous program 𝔓 is witnessed by a finite self-covering run. The first semi-decisionprocedure enumerates finite self-covering runs (trying to show non-termination). The second pro-cedure enumerates regular asynchronous programs 𝔓 ′ that overapproximate 𝔓 . As before, tocheck termination of 𝔓 ′ , it applies the procedure from Theorem 4.1. Clearly, the algorithm’s an-swer is always correct. Moreover, it gives an answer for every input. If 𝔓 does not terminate, itwill find a self-covering sequence. If 𝔓 does terminate, then Proposition 3.3 tells us that ↓ 𝔓 is a , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 9 Algorithm 1:
Checking Safety
Input:
Asynchronous program
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C , state 𝑑 ∈ 𝐷 run concurrentlybegin /* find a safe overapproximation */ foreach tuple ( 𝐴 𝑐 ) 𝑐 ∈ ℭ of regular languages 𝐴 𝑐 ⊆ Σ ∗ doif 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 𝑐 ) = ∅ for each 𝑐 ∈ ℭ thenif 𝔓 ′ = ( 𝐷, Σ , ( 𝐴 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) does not reach 𝑑 thenreturn 𝑑 is not reachable. begin /* find a run reaching 𝑑 */ foreach prerun 𝜌 of 𝔓 doif 𝜌 is a run that reaches 𝑑 thenreturn 𝑑 reachable. Algorithm 2:
Checking Termination
Input:
Asynchronous program
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C run concurrentlybegin /* find a terminating overapproximation */ foreach tuple ( 𝐴 𝑐 ) 𝑐 ∈ ℭ of regular languages 𝐴 𝑐 ⊆ Σ ∗ doif 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 𝑐 ) = ∅ for each 𝑐 ∈ ℭ thenif 𝔓 ′ = ( 𝐷, Σ , ( 𝐴 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) terminates thenreturn 𝔓 terminates. begin /* find a self-covering run */ foreach prerun 𝜌 of 𝔓 doif 𝜌 is a self-covering run thenreturn 𝔓 does not terminate. terminating finite-state overapproximation. This implies that the second procedure will terminatein that case.Let us point out a particular example. The class L of languages of lossy channel systems isdefined like the class of languages of WSTS with upward-closed sets of accepting configurationsas in [Geeraerts et al. 2007], except that we only consider lossy channel systems [Abdulla et al.1998] instead of arbitrary Well-Structured Transition Systems (WSTS). Then L forms a full triowith decidable emptiness. Although downclosures of lossy channel languages are not effectivelycomputable (an easy consequence of [Mayr 2003]), our algorithm employs Theorem 4.2 to decidesafety and termination. Theorem 4.3.
Let C be a full trio. The following are equivalent:(i) Boundedness is decidable for asynchronous programs over C .(ii) Finiteness is decidable for C . Clearly, the construction for “(i) ⇒ (iii)” of Theorem 4.2 also works for “(i) ⇒ (ii)”: 𝔓 is unboundediff 𝐾 is infinite. , Vol. 1, No. 1, Article . Publication date: January 2021. Algorithm 3:
Checking Boundedness
Input:
Asynchronous program
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C 𝐹 ← ∅ , 𝐼 ← ∅ ; foreach context 𝑐 = ( 𝑑, 𝜎, 𝑑 ′ ) ∈ ℭ doif 𝐿 𝑐 is infinite thenif 𝑐 is reachable in 𝔓 then /* using algorithm for safety */ return 𝔓 is unbounded. 𝐼 ← 𝐼 ∪ { 𝑐 } else 𝐹 ← 𝐹 ∪ { 𝑐 } foreach context 𝑐 ∈ 𝐹 doforeach finite set 𝐴 ⊆ Σ ∗ do /* find a finite 𝐴 with 𝐿 𝑐 = 𝐴 */ if 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 ) = ∅ and 𝐿 𝑐 ∩ { 𝑤 } ≠ ∅ for each 𝑤 ∈ 𝐴 then 𝐴 𝑐 ← 𝐴 ; break ; /* end inner foreach */ foreach context 𝑐 ∈ 𝐼 do 𝐴 𝑐 ← ∅ if 𝔓 ′ = ( 𝐷, Σ , ( 𝐴 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) is bounded thenreturn 𝔓 is bounded. elsereturn 𝔓 is unbounded. For the converse, we first note that if finiteness is decidable for C then so is emptiness. Given 𝐿 ⊆ Σ ∗ from C , consider the homomorphism ℎ : ( Σ ∪ { 𝜆 }) ∗ → Σ ∗ with ℎ ( a ) = a for every a ∈ Σ and ℎ ( 𝜆 ) = 𝜀 . Then ℎ − ( 𝐿 ) belongs to C and ℎ − ( 𝐿 ) is finite if and only if 𝐿 is empty: in the inversehomomorphism, 𝜆 can be arbitrarily inserted in any word. By Theorem 4.2, this implies that wecan also decide safety. As a consequence of considering only full trios, it is easy to see that theproblem of context reachability reduces to safety: a context ˆ 𝑐 = ( ˆ 𝑑, ˆ 𝜎, ˆ 𝑑 ′ ) ∈ ℭ is reachable in 𝔓 ifthere is a reachable configuration ( ˆ 𝑑, m ) in 𝔓 with m ( ˆ 𝜎 ) ≥ 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) . For every context 𝑐 , we first check if 𝐿 𝑐 is infinite (feasible by assumption).This paritions the set of contexts of 𝔓 into sets 𝐼 and 𝐹 which are the contexts for which thecorresponding language 𝐿 𝑐 is infinite and finite respectively. If any context in 𝐼 is reachable, then 𝔓 is unbounded. Otherwise, all the reachable contexts have a finite language. For every finitelanguage 𝐿 𝑐 for some 𝑐 ∈ 𝐹 , we explicitly find all the members of 𝐿 𝑐 . This is possible becauseany finite set 𝐴 can be checked with 𝐿 𝑐 for equality. 𝐿 𝑐 ⊆ 𝐴 can be checked by testing whether 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 ) = ∅ and 𝐿 𝑐 ∩ ( Σ ∗ \ 𝐴 ) effectively belongs to C . On the other hand, checking 𝐴 ⊆ 𝐿 𝑐 just means checking whether 𝐿 𝑐 ∩ { 𝑤 } ≠ ∅ for each 𝑤 ∈ 𝐴 , which can be done the same way. Wecan now construct asynchronous program 𝔓 ′ which replaces all languages for contexts in 𝐼 by ∅ and replaces those corresponding to 𝐹 by the explicit description. Clearly 𝔓 ′ is bounded iff 𝔓 isbounded (since no contexts from 𝐼 are reachable) and the former can be decided by Theorem 4.1.We observe that boundedness is strictly harder than safety or termination: There are full trios forwhich emptiness is decidable, but finiteness is undecidable, such as the languages of reset vectoraddition systems [Dufourd et al. 1998] (see [Thinniyam and Zetzsche 2019] for a definition of thelanguage class) and languages of lossy channel systems. , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 11 Theorems 4.2 and 4.3 completely characterize for which full trios safety, termination, and bound-edness are decidable. We turn to configuration reachability, fair termination, and fair starvation.We suspect that it is unlikely that there is a simple characterization of those language classes forwhich the latter problems are decidable. However, we show that they are decidable for a limitedrange of infinite-state systems. To this end, we prove that decidability of any of these problems im-plies decidability of the others as well, and also implies the decidability of a simple combinatorialproblem that is known to be undecidable for many expressive classes of languages.Let 𝑍 ⊆ { a , b } ∗ be the language 𝑍 = { 𝑤 ∈ { a , b } ∗ | | 𝑤 | a = | 𝑤 | b } . The 𝑍 -intersection problem fora language class C asks, given a language 𝐾 ⊆ { a , b } ∗ from C , whether 𝐾 ∩ 𝑍 ≠ ∅ . Informally, 𝑍 isthe language of all words with an equal number of a s and b s and the 𝑍 -intersection problem asksif there is a word in 𝐾 with an equal number of a s and b s. Theorem 4.4.
Let C be a full trio. The following statements are equivalent:(i) Configuration reachability is decidable for asynchronous programs over C .(ii) Fair termination is decidable for asynchronous programs over C .(iii) Fair starvation is decidable for asynchronous programs over C .Moreover, if decidability holds, then 𝑍 -intersection is decidable for C . We prove Theorem 4.4 by providing reductions among the three problems and showing that 𝑍 -intersection reduces to configuration reachability. We use diagrams similar to automata to describeasynchronous programs. Here, circles represent global states of the program and we draw an edge 𝑑 𝑑 ′ 𝜎 | 𝐿 in case we have 𝐿 𝑑,𝜎,𝑑 ′ = 𝐿 in our asynchronous program 𝔓 . Furthermore, we have 𝐿 𝑑,𝜎,𝑑 ′ = ∅ whenever there is no edge that specifies otherwise. To simplify notation, we draw anedge 𝑑 𝑤 | 𝐿 −−−→ 𝑑 ′ in an asynchronous program for a word 𝑤 ∈ Σ ∗ , 𝑤 = 𝜎 . . . 𝜎 𝑛 with 𝜎 , . . . , 𝜎 𝑛 ∈ Σ ,to symbolize a sequence of states 𝑑 · · · 𝑛 𝑑 ′ 𝜎 |{ 𝜀 } 𝜎 |{ 𝜀 } 𝜎 𝑛 − |{ 𝜀 } 𝜎 𝑛 | 𝐿 which removes J 𝜎 , . . . , 𝜎 𝑛 K from the task buffer and posts a multiset of handlers specified by 𝐿 . Proof of “(ii) ⇒ (i)” Given an asynchronous program
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) and a configuration ( 𝑑 𝑓 , m 𝑓 ) ∈ 𝐷 × M [ Σ ] , we construct asynchronous program 𝔓 ′ as follows. Let z be a fresh letter andlet m 𝑓 = J 𝜎 , . . . , 𝜎 𝑛 K . We obtain 𝔓 ′ from 𝔓 by adding a new state 𝑑 ′ 𝑓 and including the followingedges: 𝑑 𝑓 𝑑 ′ 𝑓 z 𝜎 · · · 𝜎 𝑛 |{ z } z |{ z } Starting from ( 𝑑 , m ⊕ J z K ) , the program 𝔓 ′ has a fair infinite run iff ( 𝑑 𝑓 , m 𝑓 ) is reachable in 𝔓 .The ‘if’ direction is obvious. Conversely, z has to be executed in any fair run 𝜌 of 𝔓 ′ which impliesthat 𝑑 ′ 𝑓 is reached by 𝔓 ′ in 𝜌 . Since only z can be executed at 𝑑 ′ 𝑓 in 𝜌 , this means that the multisetis exactly m 𝑓 when 𝑑 𝑓 is reached during 𝜌 . Clearly this initial segment of 𝜌 corresponds to a runof 𝔓 which reaches the target configuration. Proof of “(iii) ⇒ (ii)” We construct 𝔓 ′ = ( 𝐷, Σ ′ , ( 𝐿 ′ 𝑐 ) 𝑐 ∈ ℭ ′ , 𝑑 , m ′ ) given 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C as follows. Let Σ ′ = Σ ∪ { s } , where s is a fresh handler. Replace each edge 𝑑 𝑑 ′ 𝜎 | 𝐿 by 𝑑 𝑑 ′ 𝜎 | 𝐿 ∪ 𝐿 s s | 𝜀 at every state 𝑑 ∈ 𝐷 . Moreover, we set m ′ = m ⊕ J s , s K . Then 𝔓 ′ has an infinite fair run thatstarves some handler if and only if 𝔓 has an infinite fair run. From an infinite fair run 𝜌 of 𝔓 , we , Vol. 1, No. 1, Article . Publication date: January 2021. obtain an infinite fair run of 𝔓 ′ which starves s , by producing s while simulating 𝜌 and consumingit in the loop. Conversely, from an infinite fair run 𝜌 ′ of 𝔓 ′ which starves some 𝜏 , we obtain aninfinite fair run 𝜌 of 𝔓 by omitting all productions and consumptions of s and removing two extrainstances of s from all configurations. Proof of “(i) ⇒ (iii)” From
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C , for each subset Γ ⊆ Σ and 𝜏 ∈ Σ , weconstruct an asynchronous program 𝔓 Γ ,𝜏 = ( 𝐷 ′ , Σ ′ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ ′ , 𝑑 ′ , m ′ ) over C such that a particularconfiguration is reachable in 𝔓 Γ ,𝜏 if and only if 𝔓 has a fair infinite run 𝜌 Γ ,𝜏 , where Γ is the setof handlers that is executed infinitely often in 𝜌 Γ ,𝜏 and 𝜌 Γ ,𝜏 starves 𝜏 . Since there are only finitelymany choices for Γ and 𝜏 , decidability of configuration reachability implies decidability of fairstarvation. The idea is that run 𝜌 Γ ,𝜏 exists if and only if there exists a run ( 𝑑 , m ) 𝜎 −→ · · · 𝜎 𝑛 −−→ ( 𝑑 𝑛 , m 𝑛 ) = ( 𝑒 , n ) 𝛾 −→ ( 𝑒 , n ) 𝛾 −→ · · · 𝛾 𝑘 −−→ ( 𝑒 𝑘 , n 𝑘 ) , (1)where Ð 𝑘𝑖 = { 𝛾 𝑖 } = Γ , for each 1 ≤ 𝑖 ≤ 𝑘 n 𝑖 ∈ M [ Γ ] , m 𝑛 (cid:22) n 𝑘 , and for each 𝑖 ∈ { , . . . , 𝑘 } with 𝛾 𝑖 = 𝜏 , we have n 𝑖 − ( 𝜏 ) ≥
2. In such a run, we call ( 𝑑 , m ) 𝜎 −→ · · · 𝜎 𝑛 −−→ ( 𝑑 𝑛 , m 𝑛 ) its first phase and ( 𝑒 , n ) 𝛾 −→ · · · 𝛾 𝑘 −−→ ( 𝑒 𝑘 , n 𝑘 ) its second phase .Let us explain how 𝔓 Γ ,𝜏 reflects the existence of a run as in Eq. (1). The set Σ ′ of handlers of 𝔓 Γ ,𝜏 includes Σ , ¯ Σ and ˆ Σ , where ¯ Σ = { ¯ 𝜎 | 𝜎 ∈ Σ } and ˆ Σ = { ˆ 𝜎 | 𝜎 ∈ Σ } are disjoint copies of Σ . Thismeans, a multiset M [ Σ ′ ] contains multisets m ′ = m ⊕ ¯ m ⊕ ˆ m with m ∈ M [ Σ ] , ¯ m ∈ M [ ¯ Σ ] , and ˆ m ∈ M [ ˆ Σ ] . A run of 𝔓 Γ ,𝜏 simulates the two phases of 𝜌 . While simulating the first phase, 𝔓 Γ ,𝜏 keepstwo copies of the task buffer, m and ¯ m . The copying is easily accomplished by a homomorphismwith 𝜎 ↦→ 𝜎 ¯ 𝜎 for each 𝜎 ∈ Σ . At some point, 𝔓 Γ ,𝜏 switches into simulating the second phase. There, ¯ m remains unchanged, so that it stores the value of m 𝑛 in Eq. (1) and can be used in the end tomake sure that m 𝑛 (cid:22) n 𝑘 .Hence, in the second phase, 𝔓 Γ ,𝜏 works, like 𝔓 , only with Σ . However, whenever a handler 𝜎 ∈ Σ is executed, it also produces a task ˆ 𝜎 . These handlers are used at the end to make sure that every 𝛾 ∈ Γ has been executed at least once in the second phase. Also, whenever 𝜏 is executed, 𝔓 Γ ,𝜏 checks that at least two instances of 𝜏 are present in the task buffer, thereby ensuring that 𝜏 isstarved.In the end, a distinguished final state allows 𝔓 Γ ,𝜏 to execute handlers in Γ and ¯ Γ simultaneouslyto make sure that m 𝑛 (cid:22) n 𝑘 . In its final state, 𝔓 Γ ,𝜏 can execute handlers ˆ 𝛾 ∈ ˆ Γ and 𝛾 ∈ Γ (withoutcreating new handlers). In the final configuration, there can be no ˆ 𝜎 with 𝜎 ∈ Σ \ Γ , and therehas to be exactly one ˆ 𝛾 for each 𝛾 ∈ Γ . This guarantees that (i) each handler in Γ is executed atleast once during the second phase, (ii) every handler executed in the second phase is from Γ , and(iii) m 𝑛 contains only handlers from Γ (because handlers from ¯ Σ cannot be executed in the secondphase).Let us now describe 𝔓 Γ ,𝜏 in detail. We have Σ ′ = Σ ∪ ¯ Σ ∪ ˆ Γ ∪ { z } , where z is a fresh letter. Theset of states is 𝐷 ′ = 𝐷 ∪ ˜ 𝐷 ∪ { 𝑑 𝑓 } , where ˜ 𝐷 = { ˜ 𝑑 | 𝑑 ∈ 𝐷 } is a disjoint copy of 𝐷 for simulating thesecond phase, and 𝑑 𝑓 is a fresh state. Moreover, we change the languages 𝐿 𝑐 in the following way: 𝑑 𝑑 ′ 𝜎 | 𝐿 ❀ 𝑑 𝑑 ′ 𝜎 ¯ 𝜎 | ℎ ± ( 𝐿 ) where ℎ ± : Σ ∗ → ( Σ ∪ ¯ Σ ) ∗ is the homomorphism with 𝜎 ↦→ 𝜎 ¯ 𝜎 for every 𝜎 ∈ Σ . This means,for every context 𝑐 = ( 𝑑, 𝜎, 𝑑 ′ ) , we have 𝑑 𝜎 ¯ 𝜎 | ℎ ± ( 𝐿 ) −−−−−−−→ 𝑑 ′ in 𝔓 Γ ,𝜏 . Note that since C is a full trio,it is in particular closed under homomorphisms. Hence, ℎ ± ( 𝐿 ) belongs to C . Moreover, 𝔓 Γ ,𝜏 can , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 13 spontaneously switch to simulating the second phase: For each 𝑑 ∈ 𝐷 , we have 𝑑 ˜ 𝑑 z |{ z } Here, the handler z merely allows us to move to state ˜ 𝑑 without interfering with the other handlers.In the second phase, 𝔓 Γ ,𝜏 simulates 𝔓 slightly differently. We perform the following replacement: 𝑑 𝑑 ′ 𝜎 | 𝐿 ❀ ˜ 𝑑 ˜ 𝑑 ′ 𝜎 | 𝐿 ˆ 𝜎 if 𝜎 ≠ 𝜏 ˜ 𝑑 ˜ 𝑑 ′ 𝜏𝜏 | 𝐿𝜏 ˆ 𝜏 if 𝜎 = 𝜏 (2)Note that since C is a full trio, the languages 𝐿𝑣 = { 𝑢𝑣 | 𝑢 ∈ 𝐿 } belong to C for every word 𝑣 . Finally, 𝔓 Γ ,𝜏 can spontaneously switch to its distinguished state 𝑑 𝑓 , so that we have for every ˜ 𝑑 ∈ ˜ 𝐷 and every 𝛾 ∈ Γ : ˜ 𝑑 𝑑 𝑓 z |{ 𝜀 } 𝛾 ¯ 𝛾 |{ 𝜀 } 𝛾 |{ 𝜀 } ˆ 𝛾 |{ 𝜀 } (3)The initial configuration of 𝔓 Γ ,𝜏 is ( 𝑑 , m ′ ) , where m ′ = m ⊕ ¯ m ⊕ J z K , where ¯ m is obtainedfrom m by replacing every occurrence of 𝜎 ∈ Σ in m with ¯ 𝜎 . The final configuration is ( 𝑑 𝑓 , m 𝑓 ) ,where m 𝑓 ∈ M [ ˆ Γ ] is the multiset with m 𝑓 ( ˆ 𝛾 ) = for every 𝛾 ∈ Γ . It is now straightforward tocheck that ( 𝑑 𝑓 , m 𝑓 ) is reachable in 𝔓 Γ ,𝜏 if and only if 𝔓 has an infinite fair run that starves 𝜏 . Decidability of 𝑍 -intersection To complete the proof of Theorem 4.4, we reduce 𝑍 -intersection toconfiguration reachability. Given 𝐾 ⊆ { a , b } ∗ from C , we construct the asynchronous program 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) over C where 𝐷 = { 𝑑 , , } , Σ = { a , b , c } , by including the followingedges: 𝑑 c | 𝐾 a |{ 𝜀 } b |{ 𝜀 } The initial task buffer is m = J c K . Then clearly, the configuration ( , JK ) is reachable in 𝔓 if andonly if 𝐾 ∩ 𝑍 ≠ ∅ .If the construction seems abstract, recall the example from Section 2: the procedure s1 playsthe role of 𝐾 and generates strings from its language in { 𝑎, 𝑏 } ∗ , procedures a and b take turns toensure there is an equal number of them; the states and are values of turn .Theorem 4.4 is useful in the contrapositive to show undecidability. For example, one can showundecidability of 𝑍 -intersection for languages of lossy channel systems (see Section 4.1): One ex-presses reachability in a non-lossy FIFO system by making sure that the numbers of enqueue-and dequeue-operations match. Thus, for asynchronous programs over lossy channel systems, theproblems of Theorem 4.4 are undecidable. We also use Theorem 4.4 in Section 5 to conclude unde-cidability for higher-order asynchronous programs, already at order . We apply our general decidability results to asynchronous programs over (deterministic) higher-order recursion schemes (
HORS ). Kobayashi [Kobayashi 2009] has shown how higher-order func-tional programs can be modeled using
HORS . In his setting, a program contains instructions thataccess certain resources. The path language of the
HORS produced by Kobayashi is the set of , Vol. 1, No. 1, Article . Publication date: January 2021. possible sequences of instructions. For us, the input program contains post instructions and wetranslate higher-order programs with post instructions into a
HORS whose path language is usedas the language of handlers.We recall some definitions from [Kobayashi 2009]. The set of types is defined by the grammar 𝐴 : = o | 𝐴 → 𝐴 . The order ord ( 𝐴 ) of a type 𝐴 is inductively defined as ord ( o ) = ( 𝐴 → 𝐵 ) : = max ( ord ( 𝐴 ) + , ord ( 𝐵 )) . The arity of a type is inductively defined by arity ( o ) = ( 𝐴 → 𝐵 ) = arity ( 𝐵 ) +
1. We assume a countably infinite set Var of typed variables 𝑥 : 𝐴 . For aset Θ of typed symbols, the set ˜ Θ of terms generated from Θ is the least set which contains Θ suchthat whenever 𝑠 : 𝐴 → 𝐵 and 𝑡 : 𝐴 belong to ˜ Θ , then also 𝑠 𝑡 : 𝐵 belongs to ˜ Θ . By convention thetype o → . . . ( o → ( o → o )) is written o → . . . → o → o and the term (( 𝑡 𝑡 ) 𝑡 · · · ) 𝑡 𝑛 is written 𝑡 𝑡 · · · 𝑡 𝑛 . We write ¯ 𝑥 for a sequence ( 𝑥 , 𝑥 , . . . , 𝑥 𝑛 ) of variables.A higher-order recursion scheme ( HORS ) is a tuple S = ( Σ , N , R , 𝑆 ) where Σ is a set of typed terminal symbols of types of order 0 or 1, N is a set of typed non-terminal symbols (disjointfrom terminal symbols), 𝑆 : o is the start non-terminal symbol and R is a set of rewrite rules 𝐹𝑥 𝑥 · · · 𝑥 𝑛 ։ 𝑡 where 𝐹 : 𝐴 → · · · → 𝐴 𝑛 → o is a non-terminal in N , 𝑥 𝑖 : 𝐴 𝑖 for all 𝑖 arevariables and 𝑡 : o is a term generated from Σ ∪ N ∪ V ar. The order of a HORS is the maximumorder of a non-terminal symbol. We define a rewrite relation ։ on terms over Σ ∪ N as follows: 𝐹 ¯ 𝑎 ։ 𝑡 [ ¯ 𝑥 / ¯ 𝑎 ] if 𝐹 ¯ 𝑥 ։ 𝑡 ∈ R , and if 𝑡 ։ 𝑡 ′ then 𝑡𝑠 ։ 𝑡 ′ 𝑠 and 𝑠𝑡 ։ 𝑠𝑡 ′ . The reflexive, transitiveclosure of ։ is denoted ։ ∗ . A sentential form 𝑡 of S is a term over Σ ∪ N such that 𝑆 ։ ∗ 𝑡 .If 𝑁 is the maximum arity of a symbol in Σ , then a (possibly infinite) tree over Σ is a partialfunction 𝑡𝑟 from { , , . . . , 𝑁 − } ∗ to Σ that fulfills the following conditions: 𝜀 ∈ dom ( 𝑡𝑟 ) , dom ( 𝑡𝑟 ) isclosed under prefixes, and if 𝑡𝑟 ( 𝑤 ) = 𝑎 and arity ( 𝑎 ) = 𝑘 then { 𝑗 | 𝑤 𝑗 ∈ dom ( 𝑡𝑟 )} = { , , . . . , 𝑘 − } .A deterministic HORS is one where there is exactly one rule of the form 𝐹𝑥 𝑥 · · · 𝑥 𝑛 → 𝑡 for ev-ery non-terminal 𝐹 . Following [Kobayashi 2009], we show how a deterministic HORS can be usedto represent a higher-order pushdown language arising from a higher-order functional program.Sentential forms can be seen as ranked trees over Σ ∪N ∪ Var. A sequence Π over { , , . . . , 𝑛 − } is a path of 𝑡𝑟 if every finite prefix of Π ∈ dom ( 𝑡𝑟 ) . The set of paths in a tree 𝑡𝑟 will be denoted Paths ( 𝑡𝑟 ) . Note that we are only interested in finite paths in our context. Associated with any path Π = 𝑛 , 𝑛 , . . . , 𝑛 𝑘 is the word 𝑤 Π = 𝑡𝑟 ( 𝑛 ) 𝑡𝑟 ( 𝑛 𝑛 ) · · · 𝑡𝑟 ( 𝑛 𝑛 · · · 𝑛 𝑘 ) .We associate a value tree T S associated with a deterministic HORS S in the following way. Fora sentential form 𝑡 define the finite tree 𝑡 ⊥ by case analysis: 𝑡 ⊥ = 𝑓 if 𝑓 is a terminal symbol and 𝑡 ⊥ = 𝑡 ⊥ 𝑡 ⊥ if 𝑡 = 𝑡 𝑡 and 𝑡 ⊥ ≠ ⊥ , and 𝑡 ⊥ = ⊥ otherwise.Intuitively, the tree 𝑡 ⊥ is obtained by replacing any subterm whose root is a non-terminal by thenullary symbol ⊥ . We define the partial order ≤ 𝑡 on dom ( Σ ) ∪ {⊥} by ⊥ ≤ 𝑡 𝑎 for all 𝑎 ∈ dom ( Σ ) ,which is extended to trees by 𝑡 ≤ 𝑡 𝑠 ⇐⇒ ∀ ¯ 𝑛 ∈ dom ( 𝑡 ) : ¯ 𝑛 ∈ dom ( 𝑠 ) ∧ 𝑡 ( ¯ 𝑛 ) ≤ 𝑡 𝑠 ( ¯ 𝑛 ) The value tree generated by a
HORS S is denoted T S and is obtained by repeated applicationof the rewrite rules to the start symbol 𝑆 . To make this formal, we write lub ( 𝑇 ) for the least upperbound of a collection 𝑇 of trees with respect to the order ≤ 𝑡 . Then we set T S : = lub ({ 𝑡 ⊥ | 𝑆 → ∗ 𝑡 }) .Any HORS for which the value tree T S is well-defined is called productive . All HORS dealt within this paper are assumed to be productive. Checking if a given
HORS is productive is decidable,see, e.g., [Grellois 2016].Let Σ : = { 𝑎 ∈ Σ | arity ( 𝑎 ) = } . The path language L p ( S ) of a deterministic HORS S isdefined as { Proj Σ ( 𝑤 Π ) | Π ∈ Paths (T S )} . The tree language L t ( S ) associated with a HORS isthe set of finite trees over Σ generated by S . , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 15 The deterministic
HORS corresponding to the higher-order function s3 from Figure 1 is givenby S = ( Σ , N , R , 𝑆 ) , where Σ = { br : o → o → o , c , d , f : o → o , e : o }N = { 𝑆 : o , 𝐹 : ( o → o ) → o → o , 𝐻 : ( o → o ) → o → o , 𝐼 : o → o }R = { 𝑆 ։ 𝐹 𝐼 e , 𝐼 𝑥 ։ 𝑥, 𝐹 𝐺 𝑥 ։ br ( 𝐹 ( 𝐻 𝐺 ) ( f 𝑥 )) ( 𝐺 𝑥 ) , 𝐻 𝐺 𝑥 ։ c ( 𝐺 ( d 𝑥 ))} The path language L p ( S ) = { c 𝑛 d 𝑛 f 𝑛 | 𝑛 ≥ } . To see this, apply the reduction rules to get thevalue tree T S shown on the right: 𝑆 ։ 𝐹 𝐼 e ։ br ( 𝐹 ( 𝐻𝐼 ) ( fe )) ( 𝐼 e ) ։ br ( 𝐹 ( 𝐻𝐼 ) ( fe )) e ։ br ( br ( 𝐹 ( 𝐻 𝐼 ) ( f 𝑒 )) ( 𝐻𝐼 )( fe )) e ։ br ( br ( 𝐹 ( 𝐻 𝐼 ) ( f e )) c ( 𝐼 ( dfe )) e ։ br ( br ( 𝐹 ( 𝐻 𝐼 ) ( f e )) cdfe ) e ։ · · · bre brc brdfe .. .. A HORS S is called a word scheme if it has exactly one nullary terminal symbol e and allother terminal symbols ˜ Σ are of arity one. The word language L w ( S ) ⊆ ˜ Σ ∗ defined by S is L w ( S ) = { 𝑎 𝑎 · · · 𝑎 𝑛 | ( 𝑎 ( 𝑎 · · · ( 𝑎 𝑛 ( e )) · · · )) ∈ L t ( S )} . We denote by H the class of languages L w ( S ) that occur as the word language of a higher-order recursion scheme S . Note that pathlanguages and languages of word schemes are both word languages over the set ˜ Σ of unary symbolsconsidered as letters. They are connected by the following proposition, a proof of which is givenin Appendix C. Proposition 5.1.
For every order- 𝑛 HORS S = ( Σ , N , 𝑆, R) there exists an order- 𝑛 word scheme S ′ = ( Σ ′ , N ′ , 𝑆 ′ , R ′ ) such that L p ( S ) = L w ( S ′ ) . A consequence of [Kobayashi 2009] and Prop. 5.1 is that the “post” language of higher-orderfunctional programs can be modeled as the language of a word scheme. Hence, we define an asyn-chronous program over
HORS as an asynchronous program over the language class H and we canuse the following results on word schemes. Theorem 5.2.
HORS and word schemes form effective full trios [Clemente et al. 2016]. Emptiness[Kobayashi and Ong 2011] and finiteness [Parys 2018] of order- 𝑛 word schemes are ( 𝑛 − ) - EXPTIME -complete.
Now Theorems 4.2 and 4.3, together with Proposition 5.1 imply the decidability results inCorollary 5.3. The undecidability result is a consequence of Theorem 4.4 and the undecidabil-ity of the 𝑍 -intersection problem for indexed languages or equivalently, order-2 pushdown au-tomata as shown in [Zetzsche 2015]. Order-2 pushdown automata can be effectively turned intoorder-2 OI grammars [Damm and Goerdt 1986], which in turn can be translated into order-2 wordschemes [Damm 1982]. See also [Kobayashi 2019, Theorem 4]. Corollary 5.3.
For asynchronous programs over
HORS : (1) Safety, termination, and boundednessare decidable. (2) Configuration reachability, fair termination, and fair starvation are undecidablealready at order-2. The models of
HORS (used in model checking higher order programs [Kobayashi 2009]) and word schemes (used inlanguage-theoretic exploration of downclosures [Clemente et al. 2016; Hague et al. 2016]) are somewhat different. Thus,we show an explicit reduction between the two formalisms. , Vol. 1, No. 1, Article . Publication date: January 2021.
We say that downclosures are computable for a language class C if for a given description of alanguage 𝐿 in C , one can compute an automaton for the regular language ↓ 𝐿 . A consequenceof Proposition 3.3 and Theorem 4.1 is that if one can compute downclosures for some languageclass, then one can avoid the enumerative approaches of Section 4 and get a “direct algorithm.” Thedirect algorithm replaces each handler by its downclosure and then invokes the decision proceduresummarized in Theorem 4.1. The direct algorithm for asynchronous programs over
HORS relies on the recent breakthroughresults on computing downclosures.
Theorem 6.1 ([Clemente et al. 2016; Hague et al. 2016; Zetzsche 2015]).
Downclosures areeffectively computable for H . Unfortunately, current techniques do not yet provide a complexity upper bound based on theabove theorem. To understand why, we describe the current algorithm for computing downclo-sures. In [Zetzsche 2015], it was shown that in a full trio, downclosures are computable if and onlyif the diagonal problem for C is decidable. The latter asks, given a language 𝐿 ⊆ Σ ∗ , whether forevery 𝑘 ∈ N , there is a word 𝑤 ∈ 𝐿 with | 𝑤 | 𝜎 ≥ 𝑘 for every 𝜎 ∈ Σ . The diagonal problem wasthen shown to be decidable for higher-order pushdown automata [Hague et al. 2016] and then forword schemes [Clemente et al. 2016]. Unfortunately, the algorithm from [Zetzsche 2015] to com-pute downclosures using an oracle for the diagonal problem employs enumeration to compute adownclosure automaton, thus we have hidden the enumeration into the downclosure computation.We conjecture that downclosures can in fact be computed in elementary time (for word schemesof fixed order). This would imply an elementary time procedure for asynchronous programs over HORS as well.
For handlers over context-free languages, given e.g., as pushdown automata, Ganty and Majum-dar show an
EXPSPACE upper bound. Precisely, the algorithm of [Ganty and Majumdar 2012]constructs for each handler a polynomial-size Petri net with certain guarantees (forming so-called adequate family of Petri nets ) that accepts a Parikh equivalent language. These Petri nets are thenused to construct a larger Petri net, polynomial in the size of the asynchronous program and theadequate family of Petri nets, in which the respective property (safety, boundedness, or termina-tion) can be phrased as a query decidable in
EXPSPACE . A natural question is whether there is adownclosure-based algorithm with the same asymptotic complexity.Our goal is to replace the Parikh-equivalent Petri nets with Petri nets recognizing the downclo-sure of a language. It is an easy consequence of Proposition 3.3 that the resulting Petri nets can beused in place of the adequate families of Petri nets in the procedures for safety, termination, andboundedness of [Ganty and Majumdar 2012]. Thus, if we can ensure these Petri nets are polyno-mial in the size of the handler, we get an
EXPSPACE upper bound. Unfortunately, a finite automa-ton for ↓ 𝐿 may require exponentially many states in the pushdown automaton [Bachmeier et al.2015]. Thus a naive approach gives a upper bound.We show here that that for each context-free language 𝐿 , one can construct in polynomial timea 1-bounded Petri net accepting ↓ 𝐿 . (Recall that a 1-bounded Petri net if every reachable markinghas at most one token in each place.) This is a language theoretic result of independent interest.When used in the construction of [Ganty and Majumdar 2012], this matches the EXPSPACE upperbound. , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 17
As a byproduct, our translation yields a simple direct construction of a finite automaton for ↓ 𝐿 when 𝐿 is given as a pushdown automaton. This is of independent interest because earlierconstructions of ↓ 𝐿 always start from a context-free grammar and produce (of necessity!) expo-nentially large NFAs [Bachmeier et al. 2015; Courcelle 1991; van Leeuwen 1978].We begin with some preliminary definitions. Pushdown automata. If Γ is an alphabet, we write ¯ Γ = { ¯ 𝛾 | 𝛾 ∈ Γ } . Moreover, if 𝑥 = ¯ 𝛾 , thenwe define ¯ 𝑥 = 𝛾 . For a word 𝑣 ∈ ( Γ ∪ ¯ Γ ) ∗ , 𝑣 = 𝑣 · · · 𝑣 𝑛 , 𝑣 , . . . , 𝑣 𝑛 ∈ Γ ∪ ¯ Γ , we set ¯ 𝑣 = ¯ 𝑣 𝑛 · · · ¯ 𝑣 . A pushdown automaton is a tuple A = ( 𝑄, Σ , Γ , 𝐸, 𝑞 , 𝑞 𝑓 ) , where 𝑄 is a finite set of states , Σ is its inputalphabet , Γ is its stack alphabet , 𝐸 is a finite set of edges , 𝑞 ∈ 𝑄 is its initial state , and 𝐹 ⊆ 𝑄 is itsset of final states . An edge is a four-tuple ( 𝑝, 𝑅, 𝑣, 𝑞 ) , where 𝑝, 𝑞 ∈ 𝑄 , 𝑅 ⊆ Σ ∗ is a regular language,and 𝑣 ∈ Γ ∪ ¯ Γ ∪ { 𝜀 } . A configuration of A is a pair ( 𝑞, 𝑤 ) with 𝑞 ∈ 𝑄 and 𝑤 ∈ Γ ∗ . For configurations ( 𝑞, 𝑤 ) and ( 𝑞 ′ , 𝑤 ′ ) , we write ( 𝑞, 𝑤 ) 𝑢 −→ ( 𝑞 ′ , 𝑤 ′ ) if there is an edge ( 𝑞, 𝑅, 𝑣, 𝑞 ′ ) in A such that 𝑢 ∈ 𝑅 and (i) if 𝑣 = 𝜀 , then 𝑤 ′ = 𝑤 , (ii) if 𝑣 ∈ Γ , then 𝑤 ′ = 𝑤𝑣 and (iii) if 𝑣 = ¯ 𝛾 for 𝛾 ∈ Γ , then 𝑤 = 𝑤 ′ 𝛾 .A run in A is a sequence ( 𝑞 , 𝑤 ) , . . . , ( 𝑞 𝑛 , 𝑤 𝑛 ) of configurations and words 𝑢 , . . . , 𝑢 𝑛 ∈ Σ ∗ suchthat ( 𝑞 𝑖 − , 𝑤 𝑖 − ) 𝑢 𝑖 −→ ( 𝑞 𝑖 , 𝑤 𝑖 ) for ≤ 𝑖 ≤ 𝑛 . Its length is 𝑛 and its initial and final configuration are ( 𝑞 , 𝑤 ) and ( 𝑞 𝑛 , 𝑤 𝑛 ) , respectively. The run is said to read the word 𝑢 · · · 𝑢 𝑛 . The stack height ofthe run is defined as max {| 𝑤 𝑖 | | ≤ 𝑖 ≤ 𝑛 } . We call the run positive (resp. negative ) if | 𝑤 𝑖 | ≥ | 𝑤 | (resp. | 𝑤 𝑖 | < | 𝑤 | ) for every 1 ≤ 𝑖 ≤ 𝑛 , i.e. if the stack never drops below its initial height (resp. isalways below its initial height).We write ( 𝑞, 𝑤 ) 𝑢 = ⇒ ( 𝑞 ′ , 𝑤 ′ ) for configurations ( 𝑞, 𝑤 ) , ( 𝑞 ′ , 𝑤 ′ ) if there is a run with initial config-uration ( 𝑞, 𝑤 ) and final configuration ( 𝑞 ′ , 𝑤 ′ ) that reads 𝑢 . If there is such a run with stack height ≤ ℎ , then we write ( 𝑞, 𝑤 ) 𝑢 = ⇒ ℎ ( 𝑞 ′ , 𝑤 ′ ) . The language accepted by A is L (A) = { 𝑢 ∈ Σ ∗ | ∃( 𝑞 , 𝜀 ) 𝑢 = ⇒ ( 𝑞 𝑓 , 𝜀 )} . There is also a language accepted with bounded stack height. For ℎ ∈ N , we define L ℎ (A) = { 𝑢 ∈ Σ ∗ | ( 𝑞 , 𝜀 ) 𝑢 = ⇒ ℎ ( 𝑞 𝑓 , 𝜀 )} . In order to exploit the symmetry between forward and backward computations in pushdown au-tomata, we will consider dual pushdown automata. The dual automaton of A , denoted ¯ A , is ob-tained from A by changing each edge 𝑝 𝑅 | 𝑣 −−→ 𝑞 into 𝑞 𝑅 rev | ¯ 𝑣 −−−−→ 𝑝 . Then L ( ¯ A) = L (A) rev . We willsometimes argue by duality , which is the principle that every statement that is true for any A isalso true for any ¯ A . Petri nets. A (labeled) Petri net is a tuple 𝑁 = ( Σ , 𝑆,𝑇 , 𝜕 , 𝜕 , 𝜆, m , m 𝑓 ) where Σ is its input alpha-bet , 𝑆 is a finite set of places , 𝑇 is a finite set of transitions , 𝜕 , 𝜕 : 𝑇 → M [ 𝑆 ] are maps that specifyan input marking 𝜕 ( 𝑡 ) and an output marking 𝜕 ( 𝑡 ) for each transition 𝑡 ∈ 𝑇 , 𝜆 : 𝑇 → Σ ∪ { 𝜀 } assigns labels to transitions, and m , m 𝑓 are its initial and final marking . More generally, multisets m ∈ M [ 𝑆 ] are called markings of 𝑁 .For markings m , m ∈ M [ 𝑆 ] and 𝑎 ∈ Σ ∪ { 𝜀 } , we write m 𝑎 −→ m if there is a transition 𝑡 ∈ 𝑇 with 𝜆 ( 𝑡 ) = 𝑎 , m ≥ 𝜕 ( 𝑡 ) , and m = m ⊖ 𝜕 ( 𝑡 ) ⊕ 𝜕 ( 𝑡 ) . Moreover, we write m 𝑤 == ⇒ m if there are 𝑛 ∈ N , 𝑎 , . . . , 𝑎 𝑛 ∈ Σ ∪ { 𝜀 } , and markings m ′ , . . . , m ′ 𝑛 such that 𝑤 = 𝑎 · · · 𝑎 𝑛 and m = m ′ 𝑎 −→ m ′ 𝑎 −→ · · · 𝑎 𝑛 −−→ m ′ 𝑛 = m . Furthermore, we write m = ⇒ m if there exists a 𝑤 ∈ Σ ∗ with m 𝑤 == ⇒ m . The language accepted by 𝑁 is L ( 𝑁 ) = { 𝑤 ∈ Σ ∗ | m 𝑤 == ⇒ m 𝑓 } . , Vol. 1, No. 1, Article . Publication date: January 2021. For 𝑘 ∈ N , a Petri net 𝑁 is 𝑘 -bounded if for every marking m ∈ M [ 𝑆 ] with m = ⇒ m , we have | m | ≤ 𝑘 .Our main results are as follows. Theorem 6.2 (Succinct Downclosures for PDAs).
Given a pushdown automaton A , one canconstruct in polynomial time a pushdown automaton ˆ A so that ↓ L ( ˆ A) = ↓ L (A) . Moreover, if ℎ is abound on the stack height and denoting by L ℎ (A) the language of words accepted by A using a runbounded by ℎ , L ( ˆ A) = L ℎ ( ˆ A) where ℎ is polynomial in the size of A . As a pushdown automaton with bounded stack can be simulated by a 1-bounded Petri net (es-sentially, by keeping places for each position in the stack), we get the following corollary and alsothe promised
EXPSPACE upper bound.
Corollary 6.3.
Given a pushdown automaton A , one can construct in polynomial time a -bounded Petri net 𝑁 with L ( 𝑁 ) = ↓ L (A) . The augmented automaton ˆ A = ( 𝑄, Σ , ˆ Γ , ˆ 𝐸, 𝑞 , 𝑞 𝑓 ) is defined as follows. We first compute the set Δ 𝑝,𝑞 (A) = { 𝑎 ∈ Σ | ∃ 𝑢 ∈ 𝑀 𝑝,𝑞 (A) , | 𝑢 | 𝑎 ≥ } , where 𝑀 𝑝,𝑞 (A) = { 𝑢 ∈ Σ ∗ | ∃ 𝑣 ∈ Γ ∗ : ( 𝑝, 𝜀 ) 𝑢 = ⇒ ( 𝑝, 𝑣 ) , ( 𝑞, 𝑣 ) = ⇒ ( 𝑞, 𝜀 )} . Note that it is easy toconstruct in polynomial time a pushdown automaton A 𝑝,𝑞 for the language 𝑀 𝑝,𝑞 (A) : A 𝑝,𝑞 has a set 𝑄 ∪ 𝑄 𝑝 ∪ 𝑄 𝑞 of states consisting of three disjoint copies of the states of A . Thetransitions between two states in 𝑄 𝑝 is inherited from A while for two states in 𝑄 𝑞 we replace theinput on any transition by 𝜖 but retain the stack operations from A . The start state is 𝑝 ∈ 𝑄 𝑝 andthe final state is 𝑞 ∈ 𝑄 𝑞 .There is an epsilon transition from 𝑝 ∈ 𝑄 𝑝 to the corresponding copy 𝑝 ∈ 𝑄 which places a newsymbol (i.e. ∉ Γ ) on the stack. Similarly, there is an 𝜖 transition from 𝑞 ∈ 𝑄 to 𝑞 ∈ 𝑄 𝑞 whichpops . The new symbol is used to ensure that the stack contents when leaving 𝑝 ∈ 𝑄 𝑝 is thesame as that when entering 𝑞 ∈ 𝑄 𝑞 . This concludes the construction of A 𝑝,𝑞 .Since 𝑎 ∈ Δ 𝑝,𝑞 (A) iff 𝑀 𝑝,𝑞 (A) ∩ Σ ∗ 𝑎 Σ ∗ ≠ ∅ , we can decide in polynomial time whether a given 𝑎 ∈ Σ belongs to Δ 𝑝,𝑞 (A) by checking the PDA for 𝑀 𝑝,𝑞 (A) ∩ Σ ∗ 𝑎 Σ ∗ ≠ ∅ obtained by productconstruction for emptiness. Thus, we can compute Δ 𝑝,𝑞 (A) in polynomial time. We construct ˆ A as follows. For any 𝑝, 𝑞 ∈ 𝑄 , we introduce a fresh stack symbol [ 𝑝, 𝑞 ] and then we add edges 𝑝 Δ 𝑝,𝑞 (A) ∗ |[ 𝑝,𝑞 ] −−−−−−−−−−−−→ 𝑝, 𝑞 Δ 𝑞,𝑝 ( ¯ A) ∗ |[ 𝑝,𝑞 ] −−−−−−−−−−−−→ 𝑞. (4)The following lemma tells us that L ( ˆ A) has the same downward closure as A . Lemma 6.4. L (A) ⊆ L ( ˆ A) ⊆ ↓ L (A) . Since the inclusion L (A) ⊆ L ( ˆ A) is obvious, we prove L ( ˆ A) ⊆ ↓ L (A) . We proceed by induc-tion on the number 𝑚 of executions of new edges (i.e. those from Eq. (4)).More specifically, we show that if 𝑢 ∈ L ( ˆ A) is accepted using 𝑚 executions of new edges, thenthere is a 𝑢 ′ ∈ L ( ˆ A) that is accepted using 𝑚 ′ < 𝑚 executions of new edges and we have 𝑢 ⊑ 𝑢 ′ .Suppose 𝑢 is accepted using a run 𝜌 with 𝑚 > executions of new edges. Then 𝜌 must applyone edge 𝑝 Δ 𝑝,𝑞 (A) |[ 𝑝,𝑞 ] −−−−−−−−−−−→ 𝑝 and thus also the edge 𝑞 Δ 𝑞,𝑝 ( ¯ A) |[ 𝑝,𝑞 ] −−−−−−−−−−−→ 𝑞 to remove the letter [ 𝑝, 𝑞 ] fromthe stack. Thus, 𝜌 can be decomposed as 𝜌 = 𝜌 𝜌 𝜌 𝜌 𝜌 , where 𝜌 and 𝜌 are the executions ofthe new edges. Let 𝑢 = 𝑢 𝑢 𝑢 𝑢 𝑢 be the corresponding decomposition of 𝑢 .The run 𝜌 must end in state 𝑝 and with some stack content 𝑤 ∈ Γ ∗ . Then, 𝜌 is a run from ( 𝑝, 𝑤 [ 𝑝, 𝑞 ]) to ( 𝑞, 𝑤 [ 𝑝, 𝑞 ]) and 𝜌 is a run from ( 𝑞, 𝑤 ) to ( 𝑞 𝑓 , 𝜀 ) with 𝑞 𝑓 ∈ 𝐹 . , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 19 Since 𝑢 and 𝑢 are read while executing the new edges, we have 𝑢 ∈ Δ 𝑝,𝑞 (A) ∗ and 𝑢 ∈ Δ 𝑞,𝑝 ( ¯ A) ∗ . We can therefore write 𝑢 = 𝑟 · · · 𝑟 𝑘 and 𝑢 = 𝑠 · · · 𝑠 ℓ with 𝑟 , . . . , 𝑟 𝑘 ∈ Δ 𝑝,𝑞 (A) and 𝑠 , . . . , 𝑠 ℓ ∈ Δ 𝑞,𝑝 ( ¯ A) . By definition, this means for each ≤ 𝑖 ≤ 𝑘 , there is a word ˜ 𝑟 𝑖 ∈ 𝑀 𝑝,𝑞 (A) that contains the letter 𝑟 𝑖 . Likewise, for every ≤ 𝑖 ≤ ℓ , there is a ˜ 𝑠 𝑖 ∈ 𝑀 𝑞,𝑝 ( ¯ A) that contains 𝑠 𝑖 .Since ˜ 𝑟 𝑖 ∈ 𝑀 𝑝,𝑞 (A) and ˜ 𝑠 𝑗 ∈ 𝑀 𝑞,𝑝 ( ¯ A) for ≤ 𝑖 ≤ 𝑘 and ≤ 𝑗 ≤ ℓ , there are words 𝑥 𝑖 and 𝑦 𝑗 in Γ ∗ so that ( 𝑝, 𝜀 ) ˜ 𝑟 𝑖 == ⇒ ( 𝑝, 𝑥 𝑖 ) and ( 𝑞, 𝑥 𝑖 ) = ⇒ ( 𝑞, 𝜀 )( 𝑝, 𝜀 ) = ⇒ ( 𝑝, 𝑦 𝑗 ) and ( 𝑞, 𝑦 𝑖 ) ˜ 𝑠 𝑗 == ⇒ ( 𝑞, 𝜀 ) We can therefore construct a new run 𝜌 ′ = 𝜌 𝜌 ′ 𝜌 ′ 𝜌 ′ 𝜌 , where 𝜌 ′ : ( 𝑝, 𝑤 ) ˜ 𝑟 == ⇒ · · · ˜ 𝑟 𝑘 == ⇒ ( 𝑝, 𝑤𝑥 · · · 𝑥 𝑘 ) = ⇒ · · · = ⇒ ( 𝑝, 𝑤𝑥 · · · 𝑥 𝑘 𝑦 ℓ · · · 𝑦 ) 𝜌 ′ : ( 𝑞, 𝑤𝑥 · · · 𝑥 𝑘 𝑦 ℓ · · · 𝑦 ) ˜ 𝑠 == ⇒ · · · ˜ 𝑠 ℓ == ⇒ ( 𝑞, 𝑤𝑥 · · · 𝑥 𝑘 ) = ⇒ · · · = ⇒ ( 𝑞, 𝑤 ) . Moreover, since 𝜌 is a positive run from ( 𝑝, 𝑤 ) to ( 𝑞, 𝑤 ) , we obtain 𝜌 ′ from 𝜌 by replacing theprefix 𝑤 of every stack by 𝑤𝑥 · · · 𝑥 𝑘 𝑦 · · · 𝑦 ℓ .Then 𝜌 ′ reads some word 𝑢 ˜ 𝑟 · · · ˜ 𝑟 𝑘 𝑓 𝑢 ˜ 𝑠 · · · ˜ 𝑠 ℓ 𝑔𝑢 for 𝑓 , 𝑔 ∈ Σ ∗ . Note that since 𝑟 𝑖 occurs in ˜ 𝑟 𝑖 and 𝑠 𝑖 occurs in ˜ 𝑠 𝑗 , we have 𝑢 = 𝑢 𝑢 𝑢 𝑢 𝑢 ⊑ 𝑢 ˜ 𝑟 · · · ˜ 𝑟 𝑘 𝑓 𝑢 ˜ 𝑠 · · · ˜ 𝑠 ℓ 𝑔𝑢 .We now show that every word in ˆ A is accepted by a run with bounded stack height. Lemma 6.5. L ( ˆ A) = L ℎ ( ˆ A) , where ℎ = | 𝑄 | . Before we prove Lemma 6.5, we need another observation. Just like Lemma 6.4, one can showthat for any 𝑝, 𝑞 ∈ 𝑄 , we have 𝑀 𝑝,𝑞 (A) ⊆ 𝑀 𝑝,𝑞 ( ˆ A) ⊆ ↓ 𝑀 𝑝,𝑞 (A) and in particular Δ 𝑝,𝑞 (A) = Δ 𝑝,𝑞 ( ˆ A) Δ 𝑞,𝑝 ( ¯ A) = Δ 𝑞,𝑝 ( ¯ˆ A) , (5)where the second identity follows from the first: Duality yields Δ 𝑞,𝑝 ( ¯ A) = Δ 𝑞,𝑝 ( ˆ¯ A) and since ˆ¯ A and ¯ˆ A are isomorphic (i.e. they are the same up to a renaming of stack symbols), we have Δ 𝑞,𝑝 ( ˆ¯ A) = Δ 𝑞,𝑝 ( ¯ˆ A) .We now prove Lemma 6.5. Let 𝑢 ∈ L ( ˆ A) . We show that any minimal length accepting run 𝜌 reading 𝑢 must have stack height ≤ ℎ and hence 𝑢 ∈ L ℎ ( ˆ A) .Suppose the stack height of 𝜌 is larger than ℎ = | 𝑄 | . Claim: 𝜌 decomposes into runs 𝜌 , 𝜌 , 𝜌 , 𝜌 , 𝜌 reading 𝑢 , 𝑢 , 𝑢 , 𝑢 , 𝑢 , respectively, so thatthere are 𝑝, 𝑞 ∈ 𝑄 and 𝑤 ∈ Γ ∗ with • 𝜌 is a positive run from ( 𝑝, 𝑤 ) to ( 𝑝, 𝑤𝑣 ) of length ≥ • 𝜌 is a positive run from ( 𝑝, 𝑤𝑣 ) to ( 𝑞, 𝑤𝑣 )• 𝜌 is a negative run from ( 𝑞, 𝑤𝑣 ) to ( 𝑞, 𝑤 ) Let 𝑐 ℎ be a configuration along 𝜌 with stack height at least | 𝑄 | + . Then there exist | 𝑄 | con-figurations 𝑐 → ∗ 𝑐 → ∗ · · · → ∗ 𝑐 | 𝑄 | → ∗ 𝑐 ℎ along 𝜌 such that 𝑐 𝑖 is the last time that the stackheight is 𝑖 . Symmetrically, we have 𝑐 ℎ → ∗ 𝑐 ′ | 𝑄 | → ∗ · · · 𝑐 ′ → ∗ 𝑐 ′ where 𝑐 ′ 𝑖 is the last occurrenceof stack height 𝑖 . Clearly by definition the runs between consecutive 𝑐 𝑖 (resp. 𝑐 ′ 𝑖 ) configurationsis positive (resp. negative). Additionally, the length of the run between them must be at least 2.Considering the pair of states at each 𝑐 𝑖 , 𝑐 ′ 𝑖 , there are | 𝑄 | possibilities. Hence there must existindices 𝑖 < 𝑗 such that the 𝑐 𝑖 and 𝑐 𝑗 have the same state 𝑝 and 𝑐 ′ 𝑖 and 𝑐 ′ 𝑗 have the same state , Vol. 1, No. 1, Article . Publication date: January 2021. 𝑞 . It is now clear that 𝜌 = 𝑐 𝑖 → ∗ 𝑐 𝑗 , 𝜌 = 𝑐 𝑗 → ∗ 𝑐 ′ 𝑗 and 𝜌 = 𝑐 ′ 𝑗 → ∗ 𝑐 ′ 𝑖 satisfy the conditionsof the claim.These conditions imply that 𝑢 ∈ 𝑀 𝑝,𝑞 ( ˆ A) and 𝑢 ∈ 𝑀 𝑞,𝑝 ( ¯ˆ A) . Therefore, we have 𝑢 ∈ Δ 𝑝,𝑞 ( ˆ A) ∗ = Δ 𝑝,𝑞 (A) ∗ and 𝑢 ∈ Δ 𝑞,𝑝 ( ¯ˆ A) ∗ = Δ 𝑞,𝑝 ( ¯ A) ∗ by Eq. (5).We obtain the run 𝜌 ′ from 𝜌 as follows. We replace 𝜌 by a single execution of the edge 𝑝 Δ 𝑝,𝑞 (A) ∗ |[ 𝑝,𝑞 ] −−−−−−−−−−−−→ 𝑝 reading 𝑢 . Moreover, we replace 𝜌 by a single execution of the edge 𝑞 Δ 𝑞,𝑝 ( ¯ A) ∗ |[ 𝑝,𝑞 ] −−−−−−−−−−−−→ 𝑞 . Then 𝜌 ′ is clearly a run reading 𝑢 = 𝑢 𝑢 𝑢 𝑢 𝑢 . Furthermore, since 𝜌 haslength ≥ , but the single edge used instead in 𝜌 ′ only incurs length , 𝜌 ′ is strictly shorter than 𝜌 .This is in contradiction to the minimal length of 𝜌 . Remark.
The augmented automaton ˆ A yields a very simple construction of a finite automaton(of exponential size) for ↓ L (A) . First, it is easy to construct a finite automaton for L ℎ ( ˆ A) . Then, byintroducing 𝜀 -edges, we get a finite automaton for ↓ L ℎ ( ˆ A) , which, by Lemmas 6.4 and 6.5, equals ↓ L (A) . It is now straightforward to construct a polynomial size -bounded Petri net 𝑁 = ( Σ , 𝑆,𝑇 , 𝜕 , 𝜕 , m , m 𝑓 ) with L ( 𝑁 ) = L ℎ ( ˆ A) . First, by adding states, we turn ˆ A into a pushdownautomaton A ′ = ( 𝑄 ′ , Σ , ˆ Γ , 𝐸 ′ , 𝑞 , 𝑞 𝑓 ) , where every edge reads at most one letter, i.e. every edge 𝑝 𝑅 | 𝑣 −−→ 𝑞 in A ′ has 𝑅 = { 𝑥 } for some 𝑥 ∈ Σ ∪ { 𝜀 } (this is done by ‘pasting’ the automaton for 𝑅 inplace of the edge). Moreover, we add 𝜀 -edges, so that for every edge 𝑝 { 𝑥 }| 𝑣 −−−−→ 𝑞 , we also have anedge 𝑝 { 𝜀 }| 𝑣 −−−−→ 𝑞 . Then clearly L ℎ (A ′ ) = ↓ L ℎ ( ˆ A) = ↓ L (A) .The net 𝑁 has a place 𝑝 for each state 𝑝 of A ′ and for each 𝑖 ∈ { , . . . , ℎ } and 𝛾 ∈ ˆ Γ , it has a place ( 𝑖, 𝛾 ) . Moreover, for each 𝑖 ∈ { , . . . , ℎ } , it has a place 𝑠 𝑖 . Here, the idea is that a configuration 𝑐 = ( 𝑝, 𝛾 · · · 𝛾 𝑛 ) of A ′ with 𝛾 , . . . , 𝛾 𝑛 ∈ ˆ Γ is represented as a marking m 𝑐 = J 𝑝, ( , 𝛾 ) , . . . , ( 𝑛, 𝛾 𝑛 ) , 𝑠 𝑛 K .We call a marking of this form a stack marking and will argue that every reachable marking in 𝑁 is a stack marking. The transitions in 𝑁 correspond to edges in A ′ . For each edge 𝑝 { 𝑥 }| 𝑣 −−−−→ 𝑞 in ˆ A ,we add the following transitions: • if 𝑣 = ¯ 𝛾 for some 𝛾 ∈ ˆ Γ , then we have for every ≤ 𝑛 ≤ ℎ a transition 𝑡 with 𝜕 ( 𝑡 ) = J 𝑝, ( 𝑛, 𝛾 ) , 𝑠 𝑛 K , 𝜕 ( 𝑡 ) = J 𝑞, 𝑠 𝑛 − K , and 𝜆 ( 𝑡 ) = 𝑥 . • if 𝑣 ∈ ˆ Γ , then for every ≤ 𝑛 < ℎ , we add a transition 𝑡 with 𝜕 ( 𝑡 ) = J 𝑝, 𝑠 𝑛 K , 𝜕 ( 𝑡 ) = J 𝑞, ( 𝑛 + , 𝑣 ) , 𝑠 𝑛 + K , and 𝜆 ( 𝑡 ) = 𝑥 . • if 𝑣 = 𝜀 , then we add a transition 𝑡 with 𝜕 ( 𝑡 ) = J 𝑝 K , 𝜕 ( 𝑡 ) = J 𝑞 K , and 𝜆 ( 𝑡 ) = 𝑥 .Then clearly every reachable marking is a stack marking and we have 𝑐 𝑥 −→ 𝑐 ′ for configurations 𝑐, 𝑐 ′ of A ′ of stack height ≤ ℎ if and only if m 𝑐 𝑥 −→ m 𝑐 ′ . Therefore, if we set m = J 𝑞 , 𝑠 K and m 𝑓 = J 𝑞 𝑓 , 𝑠 K as initial and final marking, we have L ( 𝑁 ) = L ℎ (A ′ ) = ↓ L (A) . This completes theproof of Corollary 6.3. , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 21 REFERENCES
Parosh Aziz Abdulla, Ahmed Bouajjani, and Bengt Jonsson. 1998. On-the-Fly Analysis of Systems with Unbounded, LossyFIFO Channels. In
Proceedings of the 10th International Conference on Computer Aided Verification (CAV 1998) . 305–318.https://doi.org/10.1007/BFb0028754Alfred V. Aho. 1968. Indexed Grammars - An Extension of Context-Free Grammars.
J. ACM
15, 4 (1968), 647–671.https://doi.org/10.1145/321479.321488Mohamed Faouzi Atig, Ahmed Bouajjani, and Shaz Qadeer. 2009. Context-Bounded Analysis for Concurrent Programswith Dynamic Creation of Threads. In
Proceedings of TACAS 2009 . 107–123.Georg Bachmeier, Michael Luttenberger, and Maximilian Schlund. 2015. Finite Automata for the Sub- and SuperwordClosure of CFLs: Descriptional and Computational Complexity. In
Proceedings of LATA 2015 . 473–485.Jean Berstel. 1979.
Transductions and context-free languages . Teubner-Verlag.Rohit Chadha and Mahesh Viswanathan. 2007. Decidability Results for Well-Structured Transition Systems with AuxiliaryStorage. In
CONCUR ’07: Proc. 18th Int. Conf. on Concurrency Theory (LNCS) , Vol. 4703. Springer, 136–150.Lorenzo Clemente, Pawel Parys, Sylvain Salvati, and Igor Walukiewicz. 2016. The Diagonal Problem for Higher-OrderRecursion Schemes is Decidable. In
Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science,LICS ’16, New York, NY, USA, July 5-8, 2016 . ACM, 96–105. https://doi.org/10.1145/2933575.2934527Bruno Courcelle. 1991. On constructing obstruction sets of words.
Bulletin of the EATCS
44 (1991), 178–186.Werner Damm. 1982. The IO-and OI-hierarchies.
Theoretical Computer Science
20, 2 (1982), 95–207.Werner Damm and Andreas Goerdt. 1986. An automata-theoretical characterization of the OI-hierarchy.
Information andControl
71, 1 (1986), 1–32.Catherine Dufourd, Alain Finkel, and Philippe Schnoebelen. 1998. Reset Nets Between Decidability and Undecidability. In
Proceedings of ICALP 1998 . 103–115.Pierre Ganty and Rupak Majumdar. 2012. Algorithmic verification of asynchronous programs.
ACM Transactions onProgramming Languages and Systems (TOPLAS)
34, 1 (2012), 6.Gilles Geeraerts, Jean-François Raskin, and Laurent Van Begin. 2007. Well-structured languages.
Acta Inf.
44, 3-4 (2007),249–288. https://doi.org/10.1007/s00236-007-0050-3Sheila A. Greibach. 1978. Remarks on blind and partially blind one-way multicounter machines.
Theoretical ComputerScience
7, 3 (1978), 311 – 324. https://doi.org/10.1016/0304-3975(78)90020-8Charles Grellois. 2016.
Semantics of linear logic and higher-order model-checking . Ph.D. Dissertation. Univeristé DenisDiderot Paris 7.Matthew Hague, Jonathan Kochems, and C.-H. Luke Ong. 2016. Unboundedness and downward closures of higher-orderpushdown automata. In
POPL 2016: Principles of Programming Languages . ACM, 151–163.Matthew Hague, Andrzej S. Murawski, C.-H. Luke Ong, and Olivier Serre. 2008. Collapsible Pushdown Automata andRecursion Schemes. In
Proceedings of the Twenty-Third Annual IEEE Symposium on Logic in Computer Science, LICS 2008,24-27 June 2008, Pittsburgh, PA, USA . 452–461. https://doi.org/10.1109/LICS.2008.34Leonard H Haines. 1969. On free monoids partially ordered by embedding.
Journal of Combinatorial Theory
6, 1 (1969),94–98.John E. Hopcroft, Rajeev Motwani, and Jeffrey D. Ullman. 2007.
Introduction to automata theory, languages, and computation,3rd Edition . Addison-Wesley.Matthias Jantzen. 1979. On the hierarchy of Petri net languages.
RAIRO - Theoretical Informatics and Applications - Infor-matique Théorique et Applications
POPL ’07: Proc. 34th ACMSIGACT-SIGPLAN Symp. on Principles of Programming Languages . ACM Press, 339–350.Naoki Kobayashi. 2009. Types and higher-order recursion schemes for verification of higher-order programs. In
Proceedingsof the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, Savannah, GA, USA,January 21-23, 2009 . 416–428. https://doi.org/10.1145/1480881.1480933Naoki Kobayashi. 2019. Inclusion between the frontier language of a non-deterministic recursive program scheme and theDyck language is undecidable.
Theoretical Computer Science
777 (2019), 409–416.Naoki Kobayashi and C.-H. Luke Ong. 2011. Complexity of Model Checking Recursion Schemes for Fragments of the ModalMu-Calculus.
Logical Methods in Computer Science
7, 4 (2011).AN Maslov. 1974. The hierarchy of indexed languages of an arbitrary level.
Doklady Akademii Nauk
Theoretical Computer Science . 1–15. https://doi.org/10.1109/LICS.2015.9, Vol. 1, No. 1, Article . Publication date: January 2021.
Pawel Parys. 2018. The Complexity of the Diagonal Problem for Recursion Schemes. In
Proceedings of FSTTCS 2017 (LeibnizInternational Proceedings in Informatics (LIPIcs)) , Vol. 93. 45:1–45:14.Koushik Sen and Mahesh Viswanathan. 2006. Model Checking Multithreaded Programs with Asynchronous Atomic Meth-ods. In
CAV ’06: Proc. 18th Int. Conf. on Computer Aided Verification (LNCS) , Vol. 4144. Springer, 300–314.Michael Sipser. 1997.
Introduction to the theory of computation . PWS Publishing Company.Ramanathan S. Thinniyam and Georg Zetzsche. 2019. Regular separability and intersection emptiness are independent prob-lems. In
Proceedings of FSTTCS 2019 (Leibniz International Proceedings in Informatics (LIPIcs)) , Vol. 150. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 51:1–51:15. https://doi.org/10.4230/LIPIcs.FSTTCS.2019.51Jan van Leeuwen. 1978. Effective constructions in well-partially-ordered free monoids.
Discrete Mathematics
21, 3 (1978),237–252. https://doi.org/10.1016/0012-365X(78)90156-5Georg Zetzsche. 2015. An Approach to Computing Downward Closures. In
ICALP 2015 , Vol. 9135. Springer, 440–451. Theundecidability of 𝑍 intersection is shown in the full version: http://arxiv.org/abs/1503.01068. A COMPILING AWAY INTERNAL ACTIONS
We have commented in the examples of Section 2 that internal actions and internal updates ofthe global state are useful in modeling asynchronous programs from their programming languagesyntax. Indeed, we note that the definition of asynchronous programs in [Ganty and Majumdar2012] additionally uses a separate alphabet of internal actions , in addition to the alphabet of handlerposts.We end the section by showing how a model of asynchronous programs with internal actionscan be reduced to our, simpler, model.Let C be a language class over an alphabet Σ of handler names. The definition of asynchronousprograms with internal actions, as used by [Ganty and Majumdar 2012; Jhala and Majumdar 2007;Sen and Viswanathan 2006], is as follows. An asynchronous program over C with internal actions (aka AP over C with internal actions) is a tuple 𝔓 = ( 𝐷, Σ , Σ i , L , 𝑅, 𝑑 , m ) , where 𝐷 , Σ , 𝑑 , m are as in Definition 2.2, Σ i is an alphabet of internal actions disjoint from Σ , the set L = ( 𝐿 𝜎 ) 𝜎 ∈ Σ consists of languages from C (one for each handler 𝜎 ∈ Σ ) , and an automaton 𝑅 = ( 𝐷, Σ ∪ Σ i , 𝛿 ) where 𝐷 is the set of states, Σ ∪ Σ i the alphabet and 𝛿 the transition relation specifying the effect ofeach internal action on the global state 𝐷 . We will write 𝑑 𝑤 ⇒ 𝑅 ∗ 𝑑 ′ to mean that there is a sequenceof transitions with labels 𝑤 𝑤 ...𝑤 𝑛 = 𝑤 in the automaton 𝑅 using which we can reach 𝑑 ′ from 𝑑 .For an alphabet, Σ , the Parikh map
Parikh : Σ ∗ → M [ Σ ] maps a word 𝑤 ∈ Σ ∗ to a mul-tiset Parikh ( 𝑤 ) such that Parikh ( 𝑤 ) ( 𝑎 ) is the number of occurrences of 𝑎 in 𝑤 . For example, Parikh ( 𝑎𝑏𝑏𝑎𝑏 ) ( 𝑎 ) = , Parikh ( 𝑎𝑏𝑏𝑎𝑏 ) ( 𝑏 ) = and Parikh ( 𝜀 ) = JK . For a language 𝐿 , we define Parikh ( 𝐿 ) = { Parikh ( 𝑤 ) | 𝑤 ∈ 𝐿 } . If the alphabet Σ is not clear from the context, we write Parikh Σ .The semantics of a 𝔓 is given as a labeled transition system over the set of configurations, witha transition relation →⊆ ( 𝐷 × M [ Σ ]) × Σ × ( 𝐷 × M [ Σ ]) defined as follows: let m , m ′ ∈ M [ Σ ] , 𝑑, 𝑑 ′ ∈ 𝐷 and 𝜎 ∈ Σ ( 𝑑, m ⊕ J 𝜎 K ) 𝜎 → 𝔓 ( 𝑑 ′ , m ⊕ m ′ ) iff ∃ 𝑤 ∈ ( Σ ∪ Σ i ) ∗ : 𝑑 𝑤 ⇒ 𝑅 ∗ 𝑑 ′ ∧ 𝑤 ∈ 𝐿 𝜎 ∧ m ′ = Parikh Σ ( 𝑤 ) . We now show that internal actions can be compiled away. Thus, for the algorithms that fol-low, we use the more abstract, language-theoretic version of Definition 2.2, while we use internalactions as syntactic sugar in examples. The language class C in [Ganty and Majumdar 2012] is fixed to be the class of context free languages. Their definitiongeneralizes to any language class., Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 23 Lemma A.1.
Let C be a full trio. Given an AP 𝔓 i with internal actions over C , one can constructan AP 𝔓 over C such that both have identical sets of runs. Proof.
The proof is along similar lines to that of Lemmas 4.3, 4.5 in [Ganty and Majumdar 2012].Given 𝔓 i = ( 𝐷, Σ , Σ i , L , 𝑅, 𝑑 , m ) we construct 𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) such that ( 𝑑, m ⊕ J 𝜎 K ) 𝜎 → 𝔓 ( 𝑑 ′ , m ⊕ m ′ ) iff ( 𝑑, m ⊕ J 𝜎 K ) 𝜎 → 𝔓 i ( 𝑑 ′ , m ⊕ m ′ ) Let 𝐿 ( 𝑅 𝑑,𝑑 ′ ) be the language of the automaton 𝑅 when 𝑑 is the initial state and 𝑑 ′ is the acceptingstate. We define 𝐿 𝑑𝜎𝑑 ′ as: 𝐿 𝑑𝜎𝑑 ′ : = Proj Σ ( 𝐿 𝜎 ∩ 𝐿 ( 𝑅 𝑑,𝑑 ′ )) First observe that the projection operation is a homomorphism and 𝐿 ( 𝑅 𝑑,𝑑 ′ )) is a regular language;hence by virtue of C being a full trio 𝐿 𝑑𝜎𝑑 ′ as defined above is in C . The conditions ∃ 𝑤 ∈ ( Σ ∪ Σ i ) ∗ : 𝑑 𝑤 ⇒ 𝑅 ∗ 𝑑 ′ ∧ 𝑤 ∈ 𝐿 𝜎 ∧ m ′ = Parikh Σ ( 𝑤 ) and ∃ 𝑤 ∈ 𝐿 𝑑𝜎𝑑 ′ : Parikh ( 𝑤 ) = m ′ are seen to beequivalent from the definition of 𝐿 𝑑𝜎𝑑 ′ , concluding the proof of the lemma. B PROOF OF PROPOSITION 3.3
We prove the following proposition.Let
𝔓 = ( 𝐷, Σ , ( 𝐿 𝑐 ) 𝑐 ∈ ℭ , 𝑑 , m ) be an asynchronous program. Then ↓ Runs (↓ 𝔓 ) = ↓ Runs ( 𝔓 ) . Inparticular,(1) For every 𝑑 ∈ 𝐷 , 𝔓 can reach 𝑑 if and only if ↓ 𝔓 can reach 𝑑 .(2) 𝔓 is terminating if and only if ↓ 𝔓 is terminating.(3) 𝔓 is bounded if and only if ↓ 𝔓 is bounded. Proof.
A run of the asynchronous program 𝔓 is defined as a sequence 𝑐 , 𝜎 , 𝑐 , 𝜎 , . . . con-taining alternating elements of configurations 𝑐 𝑖 and letters 𝜎 𝑖 beginning with the configuration 𝑐 = ( 𝑑 , m ) . First we observe that Runs ( 𝔓 ) ⊆ Runs (↓ 𝔓 ) (6)because every transition enabled in 𝔓 is also enabled in ↓ 𝔓 . Next, we claim: ∀ 𝜌 ∈ Runs (↓ 𝔓 ) ∃ 𝜌 ′ ∈ Runs ( 𝔓 ) 𝜌 E 𝜌 ′ (7)Let 𝜌 | 𝑘 = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ) , 𝜎 , ..., 𝜎 𝑘 , ( 𝑑 𝑘 , m 𝑘 ) be the 2 𝑘 + − length prefix of 𝜌 . We show that foreach 𝜌 | 𝑘 there exists 𝜌 ′ 𝑘 ∈ Runs ( 𝔓 ) such that 𝜌 | 𝑘 E 𝜌 ′ 𝑘 and in addition, ∀ 𝑘 ∀ 𝑖 ≤ 𝑘 𝜌 ′ 𝑘 ( 𝑖 ) = 𝜌 ′ 𝑘 + ( 𝑖 ) .We can then define 𝜌 ′ ( 𝑖 ) : = 𝜌 ′ 𝑖 ( 𝑖 ) and clearly 𝜌 E 𝜌 ′ .We prove by induction on 𝑘 .Base Case: 𝜌 | = 𝜌 ′ | = ( 𝑑 , m ) .Induction Step: Let 𝜌 | 𝑘 = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ) , 𝜎 , ..., ( 𝑑 𝑘 , m 𝑘 ) ∈ Runs (↓ 𝔓 ) . By induction hypothe-sis there is 𝜌 ′ 𝑘 − = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ′ ) , 𝜎 , ..., ( 𝑑 𝑘 − , m ′ 𝑘 − ) ∈ Runs ( 𝔓 ) such that 𝜌 𝑘 − E 𝜌 ′ 𝑘 − . , Vol. 1, No. 1, Article . Publication date: January 2021. ( 𝑑 𝑘 − , m 𝑘 − ) 𝜎 𝑘 → ↓ 𝔓 ( 𝑑 𝑘 , m 𝑘 )⇒ ∃ m ′′ 𝑘 − : m 𝑘 − = m ′′ 𝑘 − ⊕ J 𝜎 𝑘 K ∧ ( 𝑑 𝑘 − , m ′′ 𝑘 − ⊕ J 𝜎 𝑘 K ) 𝜎 𝑘 → ↓ 𝔓 ( 𝑑 𝑘 , m 𝑘 )⇒ ∃ 𝑤 ∈ Σ ∗ : 𝑤 ∈ ↓ 𝐿 𝑑 𝑘 − 𝜎 𝑘 𝑑 𝑘 ∧ Parikh ( 𝑤 ) ⊕ m ′′ 𝑘 − = m 𝑘 ⇒ ∃ 𝑤 ′ ∈ Σ ∗ : 𝑤 ⊑ 𝑤 ′ ∧ 𝑤 ′ ∈ 𝐿 𝑑 𝑘 − 𝜎 𝑘 𝑑 𝑘 ⇒ ( 𝑑 𝑘 − , m 𝑘 − ) 𝜎 𝑘 → 𝔓 ( 𝑑 𝑘 , m 𝑘 ⊕ m Δ ) where m Δ ⊕ Parikh ( 𝑤 ) = Parikh ( 𝑤 ′ )⇒ ( 𝑑 𝑘 − , m ′ 𝑘 − ) 𝜎 𝑘 → 𝔓 ( 𝑑 𝑘 , m ′ 𝑘 ) where m ′ 𝑘 = m 𝑘 ⊕ m Δ ⊕ ( m ′ 𝑘 − ⊖ m 𝑘 − ) Defining 𝜌 ′ 𝑘 : = 𝜌 ′ 𝑘 − , 𝜎 𝑘 , ( 𝑑 𝑘 , m ′ 𝑘 ) we see that 𝜌 | 𝑘 E 𝜌 ′ 𝑘 , completing the proof of Equation 7. We arenow ready to show that ↓ Runs (↓ 𝔓 ) = ↓ Runs ( 𝔓 ) . The direction ↓ Runs ( 𝔓 ) ⊆ ↓ Runs (↓ 𝔓 ) followsimmediately from Equation 6. Conversely, let 𝜌 = ( 𝑠 , n ) , 𝜎 , ( 𝑠 , n ) , 𝜎 , ... ∈ ↓ Runs (↓ 𝔓 )⇒∃ 𝜌 ′ ∈ Runs (↓ 𝔓 ) 𝜌 E 𝜌 ′ ⇒∃ 𝜌 ′′ ∈ Runs ( 𝔓 ) 𝜌 ′ E 𝜌 ′′ by Equation 7 ⇒ 𝜌 ∈ ↓ Runs ( 𝔓 ) We have proved that ↓ Runs (↓ 𝔓 ) = ↓ Runs ( 𝔓 ) . We now show that each of the three properties i.e.safety, termination and boundedness only depend on the downclosure of the runs.Safety: 𝑑 is reachable in 𝔓 iff ∃ 𝜌 = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ) , 𝜎 , ..., 𝜎 𝑘 , ( 𝑑 𝑘 , m 𝑘 ) ∈ Runs ( 𝔓 ) : 𝑑 𝑘 = 𝑑 By Equation 6, we know 𝜌 ∈ Runs ( 𝔓 ) implies 𝜌 ∈ ↓ Runs ( 𝔓 ) . Conversely, if there is 𝜌 ′ = ( 𝑠 , n ) , 𝜎 , ( 𝑠 , n ) , 𝜎 , ..., 𝜎 𝑘 , ( 𝑠 𝑘 , n 𝑘 ) ∈ ↓ Runs ( 𝔓 ) with 𝑠 𝑘 = 𝑑 , then by Equation 7, there is 𝜌 = ( 𝑑 , m ) , 𝜎 , ( 𝑑 , m ) , 𝜎 , ..., 𝜎 𝑘 , ( 𝑑 𝑘 , m 𝑘 ) ∈ Runs ( 𝔓 ) with 𝜌 ′ E 𝜌 which implies 𝑑 𝑘 = 𝑑 . Hencewe have 𝑑 is reachable in 𝔓 iff ∃ 𝜌 = ( 𝑠 , n ) , 𝜎 , ( 𝑠 , n ) , 𝜎 , ..., 𝜎 𝑘 , ( 𝑠 𝑘 , n 𝑘 ) ∈ ↓ Runs ( 𝔓 ) : 𝑠 𝑘 = 𝑑 By a similar argument as above we also have:Termination: 𝔓 does not terminateiff ∃ 𝜌 ∈ Runs ( 𝔓 ) : 𝜌 is infiniteiff ∃ 𝜌 ∈ ↓ Runs ( 𝔓 ) : 𝜌 is infiniteBoundedness: 𝔓 is boundediff ∃ 𝑁 ∈ N ∀ 𝜌 ∈ Runs ( 𝔓 ) ∀ 𝑖 | 𝜌 ( 𝑖 ) .𝑚 | < 𝑁 iff ∃ 𝑁 ∈ N ∀ 𝜌 ∈ ↓ Runs ( 𝔓 ) ∀ 𝑖 | 𝜌 ( 𝑖 ) .𝑚 | < 𝑁 , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 25 In each of the three cases, the property only depends on the downclosure and hence one mayequivalently replace 𝔓 by ↓ 𝔓 since ↓ Runs (↓ 𝔓 ) = ↓ Runs ( 𝔓 ) . C PROOF OF PROPOSITION 5.1
We begin with a simple observation. For every
HORS S = ( Σ , N , 𝑆, R) , there exists another HORS S ′ = ( Σ ′ , N ′ , 𝑆, R ′ ) where Σ ′ = { br , e } ∪ ˜ Σ with br of arity 2, e of arity 0 and all symbols in ˜ Σ ofarity 1; such that L p ( S ) = L p ( S ′ ) .By rewriting every terminal symbol 𝐴 of arity 𝑛 using the rule 𝐴𝑥 𝑥 · · · 𝑥 𝑛 ։ br ( 𝑥 br ( 𝑥 br (· · · br ( 𝑥 𝑛 − 𝑥 𝑛 )) , we get S ′ , which has the same path language.We assume due to the above observation that Σ = { br , e } ∪ ˜ Σ where br is binary, e is nullary andall letters in ˜ Σ are unary. Define S ′ = ( Σ ′ , N ′ , 𝑆 ′ , R ′ ) as Σ ′ = ˜ Σ ∪ { e } , N ′ = N ∪ { 𝐵 : o → ( o → o )} , R ′ = { 𝑟 [ br / 𝐵 ] | 𝑟 ∈ R} ∪ { 𝐵𝑥𝑦 ։ 𝑥, 𝐵𝑥𝑦 ։ 𝑦 } , where by 𝑟 [ br / 𝐵 ] we mean the rule 𝑟 with br uniformly replaced by 𝐵 . Note that the only new non-terminal symbol introduced is 𝐵 , whichis of order 1. Hence the obtained word scheme S ′ is of the same order as S . L p ( S ) ⊆ L w ( S ′ ) : Let 𝑤 ∈ L p ( S ) . Therefore there exists a finite path Π and a sentential form 𝑡 such that ∀ ¯ 𝑛 ∈ 𝑑𝑜𝑚 ( Π ) 𝑡 ( ¯ 𝑛 ) = Π ( ¯ 𝑛 ) ∧ Π ( ¯ 𝑛 ) ∈ Σ . We derive 𝑡 ′ : = 𝑡 [ br / 𝐵 ] using the correspondingrules in R ′ . Note that the corresponding path Π ′ in 𝑡 ′ satisfies ∀ ¯ 𝑛 ∈ dom ( Π ′ ) ∈ Σ ∪ { 𝐵 } . We thenapply either 𝐵𝑥𝑦 ։ 𝑥 or 𝐵𝑥𝑦 ։ 𝑦 to each 𝐵 in 𝑡 ′ according to the path Π ′ to obtain 𝑤 in the wordscheme. L w ( S ′ ) ⊆ L p ( S ) : We define the order ≤ pre on sequences of natural numbers ¯ 𝑛, ¯ 𝑚 as ¯ 𝑛 ≤ pre ¯ 𝑚 if ¯ 𝑚 = ¯ 𝑛 ¯ 𝑘 for some sequence ¯ 𝑘 .Suppose that for given a sentential form 𝑡 ′ of S ′ there exists a sentential form 𝑡 of S and a map 𝛼 : dom ( 𝑡 ′ ) → dom ( 𝑡 ) (simply called embedding henceforth) satisfying the following conditions: • ∀ ¯ 𝑛 ∈ dom ( 𝑡 ′ ) 𝑡 ′ ( ¯ 𝑛 ) = ( 𝐵 if 𝑡 ( 𝛼 ( ¯ 𝑛 )) = br 𝑡 ( 𝛼 ( ¯ 𝑛 )) otherwise . (8) • ∀ ¯ 𝑛, ¯ 𝑚 ∈ dom ( 𝑡 ′ ) , ¯ 𝑛 ≤ pre ¯ 𝑚 implies 𝛼 ( ¯ 𝑛 ) ≤ pre 𝛼 ( ¯ 𝑚 ) (9) (∀ ¯ 𝑙 ( ¯ 𝑛 < pre ¯ 𝑙 < pre ¯ 𝑚 ) implies 𝑡 ′ ( ¯ 𝑙 ′ ) ∉ ˜ Σ ) implies (∀ ¯ 𝑘 𝛼 ( ¯ 𝑛 ) < pre ¯ 𝑘 < pre 𝛼 ( ¯ 𝑚 ) implies 𝑡 ( ¯ 𝑘 ) ∉ ˜ Σ ) (10)Informally, Equations 8,9 and 10 state the following: 𝛼 preserves labels, except for the case of br where it maps to 𝐵 , 𝛼 preserves the order ≤ pre and the images of any two nodes with nodelabels from ˜ Σ with no node label from ˜ Σ in between are mapped to two such labels with the sameproperty.We will show by induction on the length of the derivation that such a pair ( 𝑡, 𝛼 ) always existsgiven some 𝑡 ′ . Let us see how the existence of such 𝑡 and 𝛼 gives us the proposition. Considera word 𝑤 = 𝑤 𝑤 ...𝑤 𝑛 ∈ L w ( S ′ ) . In other words, there is a term 𝑡 ′ = 𝑤 ( 𝑤 ... ( 𝑤 𝑛 ( e )) ... ) suchthat 𝑆 ′ ։ S ′ ∗ 𝑡 ′ . Corresponding to this, we have a sentential form 𝑆 ։ S ∗ 𝑡 and 𝛼 satisfying the givenconditions. In particular, there exists a path Π with dom ( Π ) ⊆ 𝑑𝑜𝑚 ( 𝑡 ) which is the path in 𝑡 connecting the 𝛼 ( 𝜖 ) to 𝛼 ( 𝑛 ) . It is immediate that Proj ˜ Σ ( Π ) = 𝑤 . It remains to show the existenceof 𝑡 and 𝛼 by induction on the length of derivations.Base case: This is trivial since 𝑡 = 𝑡 ′ = 𝑆 .Induction step: Suppose 𝑡 ′ ։ 𝑟 ∈R ′ 𝑡 ′ where 𝑡 ′ is a sentential form. By induction hypothesis, there isa sentential form 𝑡 of S and 𝑡 ′ embeds into 𝑡 via map 𝛼 . Assume that the rule 𝑟 is applied at , Vol. 1, No. 1, Article . Publication date: January 2021. 𝑡 ′ ¯ 𝑛 𝑢 ′ 𝑙 ′ 𝑟 ′ 𝐵𝑥𝑦 ։ 𝑥 S ′ 𝑡 ′ ¯ 𝑛 𝑢 ′ 𝑙 ′ 𝑡 𝛼 ( ¯ 𝑛 ) 𝑢 𝑙 𝑟 𝛼 𝑡 𝑢 𝛼 ( ¯ 𝑛 ) 𝑙 𝑟 𝛼 Fig. 2. Construction of embedding 𝛼 from 𝛼 in the case of the rule 𝐵𝑥𝑦 ։ 𝑥 . position ¯ 𝑛 on 𝑡 ′ . We now have two cases to consider:Case 1: The rule 𝑟 is 𝐵𝑥𝑦 ։ S ′ 𝑥 (the case 𝐵𝑥𝑦 ։ S ′ 𝑦 being symmetric). By induction hypothesis, wehave 𝑡 and and an embedding 𝛼 of 𝑡 ′ into 𝑡 . Refering to Figure 2, we see that 𝑡 can be taken tobe 𝑡 and 𝛼 maps all nodes in the subtree 𝑢 ′ into 𝑢 as before, while the subtree 𝑙 ′ rooted at ¯ 𝑛 ismapped into 𝑙 . It is immediate that 𝛼 preserves the order and since by induction hypothesis 𝛼 ( ¯ 𝑛 ) has label br , Equation 10 is also satisfied by 𝛼 since no new ˜ Σ labelled nodes have been added.Case 2: We demonstrate for the case when a non-terminal of arity two is replaced for an easierreading of the proof: the rule 𝑟 is 𝑁 𝑥𝑦 ։ S ′ 𝑡 for some nonterminal 𝑁 ≠ 𝐵 . Refering to Figure 3, therule replaces the subtree rooted at ¯ 𝑛 in 𝑡 ′ with 𝑡 [ 𝑥 / 𝑙 ′ , 𝑦 / 𝑟 ′ ] where 𝑙 ′ , 𝑟 ′ are respectively the leftand right subtrees of the subtree rooted at ¯ 𝑛 in 𝑢 ′ . For nodes in the subtree 𝑢 ′ of 𝑡 ′ , 𝛼 mimics 𝛼 .By induction we know that the subtrees 𝑙 ′ , 𝑟 ′ of 𝑡 ′ embed respectively into 𝑙 , 𝑟 of 𝑡 . Thus 𝛼 maps , Vol. 1, No. 1, Article . Publication date: January 2021. ecidability for Asynchronous Shared-Memory Programs 27 𝑡 ′ ¯ 𝑛 𝑢 ′ 𝑙 ′ 𝑟 ′ 𝑁 𝑥𝑦 ։ 𝑡 S ′ 𝑡 ′ ¯ 𝑛 𝑢 ′ ¯ 𝑚 ¯ 𝑘𝑙 ′ 𝑟 ′ 𝑡 [ 𝑥 / 𝑙 ′ , 𝑦 / 𝑟 ′ ] 𝑡 𝛼 ( ¯ 𝑛 ) 𝑢 𝑙 𝑟 𝛼 𝑁 𝑥𝑦 ։ 𝑡 S 𝑡 𝛼 ( ¯ 𝑛 ) 𝑢 𝛼 ( ¯ 𝑚 ) 𝛼 ( ¯ 𝑘 ) 𝑙 𝑟 𝑡 [ 𝑥 / 𝑙 , 𝑦 / 𝑟 ] 𝛼 Fig. 3. Construction of embedding 𝛼 from 𝛼 when the rule is 𝑁 𝑥𝑦 ։ 𝑡 . every subtree 𝑙 ′ (resp. 𝑟 ′ ) rooted at ¯ 𝑚 (resp. ¯ 𝑘 ) in 𝑡 [ 𝑥 / 𝑙 ′ , 𝑦 / 𝑟 ′ ] into the corresponding subtree 𝑙 (resp. 𝑟 ) rooted at 𝛼 ( ¯ 𝑚 ) (resp. 𝛼 ( ¯ 𝑘 ) ). Nodes in 𝑡 [ 𝑥 / 𝑙 ′ , 𝑦 / 𝑟 ′ ] which are not in any of the 𝑙 ′ (or 𝑟 ′ )subtrees (i.e.) between ¯ 𝑛 and ¯ 𝑚 (or ¯ 𝑘 ) ) have corresponding nodes in 𝑡 [ 𝑥 / 𝑙 , 𝑦 / 𝑟 ] to which theycan be mapped. Label preservation and order preservation immediately follow by appeal to theinduction hypothesis. In order to see that Equation 10 holds, consider consecutive ˜ Σ nodes ¯ 𝑛 ′ , ¯ 𝑚 ′ in 𝑡 ′ (i.e. ¯ 𝑛 ′ (cid:22) ¯ 𝑚 ′ and there are no ˜ Σ labels in between). If both ¯ 𝑛 ′ and ¯ 𝑚 ′ are in 𝑢 ′ or in one of the 𝑙 (or 𝑟 ′ ) then the induction hypothesis applies. In the case where ¯ 𝑛 ′ ∈ 𝑢 ′ and ¯ 𝑚 ′ ∈ 𝑙 ′ (resp. 𝑟 ′ ,)this means that no ˜ Σ labels are present in the path from ¯ 𝑛 to ¯ 𝑚 (resp. ¯ 𝑘 ), ¯ 𝑛 ′ to ¯ 𝑛 or ¯ 𝑚 (resp. ¯ 𝑘 ) to ¯ 𝑚 ′ . The path from 𝛼 ( ¯ 𝑛 ) to 𝛼 ( ¯ 𝑚 ) is identical to that from ¯ 𝑛 to ¯ 𝑚 (resp. ¯ 𝑘 ). The induction hypothesisalso implies that the first a label for some s ∈ ˜ Σ in 𝑙 ′ must be mapped to first a label in 𝑙 (or 𝑢 ′ does not contain any ˜ Σ labels). Hence there are no ˜ Σ labels between 𝛼 ( ¯ 𝑚 ) (resp. 𝛼 ( ¯ 𝑘 ) ) and 𝛼 ( ¯ 𝑚 ′ ) , Vol. 1, No. 1, Article . Publication date: January 2021. and similarly between 𝛼 ( ¯ 𝑛 ′ ) and 𝛼 ( ¯ 𝑛 ) . The final case is when either ¯ 𝑛 ′ or ¯ 𝑚 ′ lies between 𝛼 ( ¯ 𝑛 ) and 𝛼 ( ¯ 𝑚 ) (resp. 𝛼 ( ¯ 𝑘 ) ). There are subcases here to consider when the other point lies in 𝑢 ′ , 𝑙 oralso between ¯ 𝑛 and ¯ 𝑚 . In all of these subcases, it easily follows that there are no extra ˜ Σ labelsintroduced in between two consecutive nodes which are in the image of 𝛼 ..