Model checking Branching-Time Properties of Multi-Pushdown Systems is Hard

# Model checking Branching-Time Properties of Multi-Pushdown Systems is Hard

Mohamed Faouzi Atig Uppsala University, Sweden /    Ahmed Bouajjani LIAFA, Université Paris Diderot, France /    K. Narayan Kumar Chennai Mathematical Institute, India /    Prakash Saivasan Chennai Mathematical Institute, India /
###### Abstract

We address the model checking problem for shared memory concurrent programs modeled as multi-pushdown systems. We consider here boolean programs with a finite number of threads and recursive procedures. It is well-known that the model checking problem is undecidable for this class of programs. In this paper, we investigate the decidability and the complexity of this problem under the assumption of bounded context-switching defined by Qadeer and Rehof [19], and of phase-boundedness proposed by La Torre et al. [24]. On the model checking of such systems against temporal logics and in particular branching time logics such as the modal -calculus or CTL has received little attention. It is known that parity games, which are closely related to the modal -calculus, are decidable for the class of bounded-phase systems (and hence for bounded-context switching as well), but with non-elementary complexity [21]. A natural question is whether this high complexity is inevitable and what are the ways to get around it. This paper addresses these questions and unfortunately, and somewhat surprisingly, it shows that branching model checking for MPDSs is inherently an hard problem with no easy solution. We show that parity games on MPDS under phase-bounding restriction is non-elementary. Our main result shows that model checking a context bounded MPDS against a simple fragment of CTL, consisting of formulas that whose temporal operators come from the set , has a non-elementary lower bound.

## 1 Introduction

The verification of multi-threaded programs is an important topic of research in recent years [5, 4, 13, 14, 15, 16, 19, 25]. One may use pushdown systems to abstract sequential recursive programs and analyze them using the plethora of results available in literature. However, the presence of multiple-threads with their own call stacks means that modeling multi-threaded programs needs systems with multiple pushdowns. Unfortunately, verifying a finite state system equipped in addition with 2 pushdowns is undecidable as it is turing powerful.

Qadeer and Rehof [19] proposed one way to get around this undecidability. They studied under-approximations of the set of behaviors of multi-pushdown systems. They proposed the bounded context-switching restriction, that imposes a bound on the number of times of switches from using one pushdown to another. The control state reachability as well as the global model checking problem (computing, for a given regular set of configurations, the set of configurations from which the given set can be reached) turn out to be decidable. Subsequently, various other classes of under-approximations have been studied including bounded phase, ordered multi-pushdown and bounded scope [2, 1, 3, 7, 18, 22, 24, 26].

A phase is a sequence of computational steps that pops from a fixed stack but is allowed to push values into any stack. By imposing a bound on the number of phases, we obtain an under-approximation that is more general than bounded context switch analysis. This restriction, called the bounded-phase restriction was proposed in [24], where its controls state reachability problem is also shown to be decidable.

In [7, 3] a different restriction called ordered multi-pushdown is studied where there is linear order on the stack and any pop action is only permitted in the smallest nonempty stack. More recently, in [26], a restriction that demands that a value that is pushed be popped within a bounded number of context switches (or not at all) is studied. Most of these works examine the control state reachability problem and its generalization, the global reachability problem and obtain decidability results [2, 22].

On the model checking of such systems against temporal logics and in particular branching time logics such as the modal -calculus or CTL has received little attention. It is known that parity games, which are closely related to the modal -calculus, are decidable for the class of bounded-phase systems (and hence for bounded-context switching as well), but with non-elementary complexity [21]. A natural question is whether this high complexity is inevitable and what are the ways to get around it. This paper addresses these questions and unfortunately, and somewhat surprisingly, it seems that branching model checking for MPDSs is inherently an hard problem with no easy solution. Our main result shows that model checking a context bounded MPDS against a simple fragment of CTL, consisting of formulas that whose temporal operators come from the set , has a non-elementary lower bound.

The complexity of parity games and CTL model-checking for pushdown systems has been well studied. Walukiewicz [28] shows that parity games are solvable in EXPTIME and that model checking of PDSs against even CTL formulas has a EXPTIME lower-bound [27]. As a matter of fact, our proof utilizes ideas from the latter work.

A different generalization of pushdown systems is that of higher-order pushdown systems (HOPDAs). A level 1 pushdown is a normal pushdown and a level pushdown has a pushdown of level pushdowns. A higher level push operation duplicates the top most stack while a pop operation removes such a stack. For a formal definition of these models and the operations on them the reader is referred to [29, 10]. These are extremely powerful models and in [10] it is shown that their configuration graphs capture every graph that lies in the Caucal hierarchy. Cachat [8] also showed the decidability of parity games over HOPDAs. Cachat and Walukiewicz [9] show that parity games on HOPDAs has non-elementary complexity on the number of levels of higher order stacks and subsequently tight lower bounds have been shown for the model checking of HOPDAs w.r.t. various linear and branching time temporal logics [12]. A key ingredient in the lower bound proof of Cachat-Walukiewicz is the use of a certain kind of counters, introduced by L. Stockmeyer [23], and encoding of the configurations of a TM using these counters. We draw heavily on this idea in our lower bound proof for CTL. Unlike the HOPDAs, bounded context switch MPDSs do not posses the ability to duplicate the contents of a stack making our argument somewhat more elaborate.

## 2 Preliminaries

A multi-pushdown system (MPDS) is a generalization of the classical pushdown system with multiple stacks. As it is well known, two stacks suffice to simulate a tape and hence even a two stack MPDS is turing powerful. However, there are a number of restrictions that one may place the behaviors of MPDSs resulting in decidability of many interesting properties.

###### Definition 1

A Multi Pushdown System MPDS is a tuple where is a finite set of states, is an integer giving the number of stacks, is the stack alphabet (not containing the special stack symbol , is the initial state and = is the transition relation, where

In each transition, the MPDS may carry out an internal (or skip) move (), or examine the top symbol of one stack and based on its value a push one symbol that stack () or a pop one symbol from that stack (). We shall write , , to denote the set of pop transitions where the pop is performed on stack and similarly will denote the set of push transitions on stack . The configuration of such a MPDS is naturally given by the current state as well as the contents of the stacks.

###### Definition 2

A configuration of a MPDS is of the form where is a state and is the content of the stack .

Next we define the one step move relation which describes how an MPDS may move from one configuration to another using one of the transitions in .

###### Definition 3

Let be a MPDS. The one step move relation using the transition is defined as follows:

 q(γ1,⋯,γl)\lx@stackrelt→q′(γ′1,⋯,γ′l)

if and only if one of the following conditions holds

1. and .

2. and , and for ,

3. and and and for ,

##### Notation

We write to denote , to denote , to denote and to denote . We use the to denote the reflexive, transitive closure of . We also write with , when the sequence of transitions used is important. We say that there is a run from a configuration to a configuration if and that there is a run over () if .

We write to denote the reflexive transitive closure of , i.e. sequences of moves in which all stack accesses are restricted to the stack . We also use to denote the set .

Informally, a context is a sequence of moves in which only a single stack is accessed. Clearly, each run of an MPDS can be broken up into contiguous segments, where each segment forms a context. Qadeer and Rehof [19] in 2005, showed that by a priori bounding the number of contexts in any execution by a constant (or equivalently by restricting our attention only to runs whose number of contexts is bounded by a constant ) one can effectively analyze multi-pushdown systems. For instance, the control state reachability problem becomes decidable.

###### Definition 4

Let be a configuration. A run is said to be -context if such that for each with , there is an , , such that . We say that is reachable from in context switches if there is a and a -context run .

The idea of a context can be generalized to a phase by focussing only on the pop moves in the run. In a phase of a run of an MPDS, all the pop moves involve the same stack. Each run of an MPDS can be broken up into contiguous segments, wherein each segment forms a phase. The bounded-phase restriction places a bound on the number of phases along any run.

###### Definition 5

Let be a configuration. A run is said to be -phase, if such that for each with , there is an , , such that . Finally, is reachable from in phases if there is a such that is -phase.

## 3 Parity Games over MPDSs

We now define parity games over MPDSs and subsequently consider their restriction to bounded number of phases.

###### Definition 6

A parity game over an MPDS is a MPDS , along with a decomposition into two disjoint sets and (i.e., ) and a a ranking function . The positions of such a game are the configurations of the MPDS. A position belongs to player if belongs to and its rank is . Since the starting state of the MPDS often plays no role in the definition of games we shall usually drop it from the definition of MPDS in the following and write a game as a pair where is an MPDS (w/o a start state) and is a ranking function.

The usual notions of plays, strategies, winning strategies, memoryless strategies, plays consistent with a given strategy and so on are defined on these game graphs as they are just a subclass of parity games.

Classical theorems such as Martin’s determinacy theorem as well as the memoryless determinacy theorem hold for these games as the winning condition is a parity condition. However, since MPDSs with even two stacks are Turing powerful it follows that there is no hope for algorithmic solvability.

In [21] Anil Seth showed that parity games on MPDSs with a bound on the number of phases is decidable.

###### Definition 7

Let be a MPDS parity game where . The positions of the bounded-phase game on are triples of the form where is a configuration of the MPDS , is a stack identifier and is an integer denoting the remaining number of phases. The number indicates an upper bound on the number of phases that are permitted starting at the configuration and the number gives the stack being used in the current phase. The value is used to indicate that the current phase has not used any stack (this is the case at the beginning of the game). The edges of the game graph are given by if

1. or and and

2. , , , and

3. , , ,

4. , , , , , .

Observe that if the game is already in a position of the form then pop moves on any stack other than are no longer available. Thus, even if the original MPDS has no deadlocked configurations, the game graph described above might still have positions with no outgoing edges. As usual, if the game reaches a position with no outgoing edges then the owner of that position loses the game.

The ranking function assigns ranks based on the local state of the MPDS

 Ω(q(γ1,γ2,⋯,γl),i,k)=Ω(q)

We say that a player wins the -phase game starting at a configuration of the MPDS , if the position is winning in the game graph described above. Anil Seth proved the following theorem:

###### Theorem 3.1

(Anil Seth) The MPDS parity game with a phase bound is decidable. That is, one can determine for any starting configuration the winner from that position.

The construction in [21] also shows that the winner’s strategy can be described as a multi-pushdown strategy. The complexity of determining the winner is non-elementary and grows as a tower of exponentials as increases. As our first result, in the next section, we show that this is inevitable by establishing a non-elemenatry lower bound for such games, there by settling an open question posed in [21].

A natural question then is consider weaker models (than bounded phase systems) or weaker properties (than parity games, which are equivalent to the modal -calculus) or both. Surprisingly, we find that even for the weakest model of MPDSs considered, with a bound on the number of context switches, and a fragment of the logic CTL, which in turn is a simple fragment of the modal -calculus, the model checking problem turns out to be non-elementary and grows as a tower whose height grows linearly in . This proof is significantly more complicated and draws heavily from the techniques developed in [27] by Walukiewicz and in [9] by Cachat and Walukiewicz. The rest of the paper describes a proof of this result.

## 4 A lower bound for bounded-phase parity games

A well known result of Stockmeyer [23] shows that deciding the satisfiability of the first order logic with the ordering relation () over (or the validity, since validity is the same as satisfiability over a single model) has non-elementary complexity.

We now show that given a formula in of size and quantifier depth (clearly ) there is an MPDS that is polynomial in size of such that the phase game is winning for player if and only if the formula is satisfiable.

Henceforth we assume that there are no negations in the formula (this can be ensured by pushing the negations down to the atomic formulas using the usual dualties and then replacing by and so on.

### 4.1 The satisfiability game

We define a reachability game whose positions are pairs of the form , where is a formula from and is a function that assigns a natural number to each of the free variables of . If the outer most logical operator of is either a quantifier or then the position of the form belongs to player 1. Otherwise, i.e. if the outermost logical operator is either a quantifier or or the formula is an atomic formula then the position belongs to player .

If is an atomic formula then it has no outgoing edges. If is or then there are edges from any position of the form to the positions and . If (or then there are edges from to all positions of the form where for and is also defined at .

The play is winning for player if it ends at a node of the form and or it ends at a node of the form and . Otherwise, player wins the game. The following is quite easy to see.

A winning strategy for player picks positions for the existential variables in such a way that no matter which positions are picked for the universal variables by the opponent the resulting quantifier-free formula is satisfied. It is easy to see that

###### Theorem 4.1

Given a formula and a valuation for the free variables of , is satisfiable/valid w.r.t. iff player 0 has a winning strategy from the position in the satisfiability game. In particular, if is a sentence then it is satisfiable/valid iff player has a winning strategy from the position .

### 4.2 The bounded phase game for FO(<) satisfiability

We now show that the satisfiability game can be reformulated as a bounded-phase MPDS game. Let be the given formula. Informally, the MPDS maintains the current valuation in its first stack and the formula in the state. In each step, the automaton strips off one operator from the formula. Stripping a quantifier corresponds to modifying the contents of the stack to reflect the new valuation.

We translate a valuation into a word as follows: If the domain of is empty then we represent it using the empty word. Otherwise, it is represented by any word over the alphabet where is the domain of , , every element of occurs precisely once in and if for then .

Let be the set of sub-formulas of the formula and let be its set of variables. We describe the MPDS in two parts. The first part describes the moves till we reach an atomic formula. The set of states of used for this purpose is . The transitions are defined as follows (we write to stand for and ):

1. .

2. .

3. . Guess whether the next variable is to be inserted between existing variables or to their right.

4. . Push an to increase the possible number for . (Observe that we use the symbol to denote that there is no constraint on the top of the stack.)

5. . Mark the position for and shift to the sub-formula.

6. . Begin copying some elements from Stack 1 to Stack 2.

7. . Read and pop a value from stack 1.

8. . Write the read value on to stack 2.

9. . Write on stack 1 and change to copying back from Stack 2.

10. . Read and pop a value from stack 2.

11. . Write the read value on to stack 1.

12. . Copying is complete, move to the sub-formula.

States where where the formula component either begins with a or has as the outer most operator belongs to player and the other states belongs to player .

In the second part we describe the state space starting at a state of the form or that determines the winner of the game. This involves additional states of the form . All these positions belong to player . The transitions (and states) are described as follows:

1. . Pop till or are found.

2. , if .

3. , start looking for

4. , start looking for

5. , skip other variables ().

6. . Player 1 should win now.

7. . Player 0 should win now.

8. . Pop till you find .

9. . Skip other variables ().

10. . Player wins.

11. . is seen first, make sure there is an before the .

12. , .

13. . Player wins.

14. .

15. .

It is quite easy to check that starting at a configuration of the form , the play enters iff the valuation defined by satisfies and similarly for . Further there is no phase change and every play eventually either enters or . The state has parity ensuring victory for player and state has parity .

However, starting at a configuration with quantifiers does not guarantee that each play is terminating. This because of the loop in states of the form . However, we can make this unprofitable for the owner by setting the parity to be a if and setting the parity to be if , thus forcing the player to exit such states. All other states are transient and hence their parity does not matter and can be assigned anything.

Thus, any winning strategy for either player in this game corresponds to a winning strategy for the player in the satisfiability game. Translating a winning strategy in the satisfiability game to a winning strategy in this game is even easier. Further, observe that any run of this MPDS cannot change phases more than 2 times the number of quantifiers in the formula and thus it naturally defines a bounded phase game. All this gives us the following theorem.

###### Theorem 4.2

For any formula of size there is a MPDS game with at most polynomial states in , for which the bounded phase game is equivalent to the satisfiability game for . Thus, solving parity games on bounded-phase MPDSs is non-elementary.

We also wish to remark that the alphabet of the MPDS need not grow with the number of variables. We can encode the variables using two letters and this will increase the state space (which will stay polynomial). Thus, the result holds for fixed size alphabets as well.

##### Remark:

In order to simply our presentation in the following sections, where the constructions tend be much more involved, we shall often explain the role of some subset of the state space in an informal manner when it is clear how it can be formalized. For instance, instead of writing out the state space beginning at above, we shall simply say that “there is a subroutine beginning at a state that pops the stack till it encounter or and then verifies that the other is also encountered before any ’s and if so enters the state and otherwise the state . It is easy to see that the state space needed for this subroutine is constant in size and it does not make any phase (or context) changes”.

## 5 MPDS, CTL and model checking

In this section we show that model checking of bounded context-switch MPDSs w.r.t. CTL formulas has a non-elementary lower bound.

### 5.1 The logic CTL

The logic CTL is a simple temporal logic to describe branching time properties of systems. The syntax of CTL is given by

 α := P ∣ α1∧α2 ∣ ¬α ∣ EXα ∣ EFα ∣ EGα ∣ α1EUα2

where is a propositional variable drawn from a suitable set.

Models of CTL formulas are Kripke structures or LTSs. For our purposes we may think of them as graphs where each node is labelled by the set of propositions true at that node. The formula is true at a state if belongs to the label of . The boolean operators have the usual meaning. The formula is true at if there is an edge to node and satisfies . is true at if there is a reachable node where is true. asserts that there is a complete path (finite ending at a node with no outgoing edges or infinite) such that every state appearing in that path satisfies . Finally, is satisfied at if there is a path such that satisfies in and satisfies for .

The model-checking problem for CTL is to determine for a given formula and a labelled graph and a node whether satisfies . For a formal semantics and detailed introduction to CTL model-checking may be found for instance in [6, 11].

We may turn any MPDS into a model by taking the set of control states as the set of propositions with the obvious labeling – is true only at the state . The problem we consider is, given an MPDS and a CTL formula over its states , and a constant , restrict its transition graph to at most context switches and check if the initial configuration satisfies the formula . We call this the bounded-context switch CTL model checking problem.

Our main theorem is the following:

###### Theorem 5.1

Fix any constant . The problem of model checking CTL formulas of size against MPDSs of size with a context bound has complexity that is at least where the height of the tower is , a linear function of and is a polynomial in .

### 5.2 Stockmeyer’s Nested Counters

Our proof draws heavily from the techniques developed by L. Stockmeyer in [23] and used heavily by Igor Walukiewicz and Thierry Cachat [9] in showing that deciding reachability games for higher-order pushdown systems is non-elementary. We combine these with some ideas from a proof of Igor Walukiewicz showing that model checking pushdown systems against CTL formulas is EXPTIME-complete. In the rest of this section, we recall some of these ideas from the aforementioned papers.

The number is inductively defined as follows: and for . The function grows as a tower of exponents of . A key idea from [9] that we will need is that of a level -counter. These counters are parametrized by a natural number . For instance when is , a level counter stores a value in the range to . In addition to storing a sequence of bits needed to describe values in this range, a level -counter also stores the address of each of these bits using level counters.

Let , . We also write for . The letters and are used to denote the and values of the level counter respectively. We are now in a position to formally define level counters.

###### Definition 8

([9]) Fix an integer .

• A level -counter is a word of length over the alphabet . Thus interpreting and as and respectively, the values that a -counter takes varies from to . The largest value denoted by a level counter is denoted is .

• A level -counter is a word over the alphabet of the form with where, each is a (k-1) level counter, is the (k-1) level counter representation of the value , represents the value . and .

We shall often write counter to mean a level counter. Quite clearly, .

### 5.3 Coding Counters properties using MPDSs and CTL formulae

Our lower bound construction involves maintaining configurations of a bounded-space turing machine on the stacks of a multi-pushdown system. The configurations are further encoded using the nested counters described in the previous section. In order to achieve this we need to be able to check certain basic properties regarding counters and configurations stored on the stacks. In this section we address the properties regarding counters and then follow it in the next section with properties of configurations. We intend to store the counters on the stack with the Most Significant Bit (MSB) on top of stack.

###### Definition 9
1. : Assuming that the top of the first counter contains a valid counter check that it has the minimum possible counter value.

Formally, a configuration satisfies if , with and is a valid counter implies that every digit of is (denoting ).

2. : Assuming that the top of the first counter contains a valid counter check that it has the maximum possible counter value.

Formally, a configuration satisfies if , with and is a valid counter implies that every digit of is (denoting ).

3. : Assuming that the top of both the stacks contains valid counters, check that these values are equal.

Formally, a configuration satisfies iff and with and being a valid counters and and do not belong to implies that .

4. : Assuming that the top of both the stacks contains valid counters, check that the value of on the second stack is the successor of the value on the first stack.

Formally, a configuration satisfies iff and with valid counters, and do not belong to implies is and

5. : Verify that the contents of the first stack begins with a valid counter followed by some letter not in the alphabet .

Formally, a configuration satisfies iff , is a valid counter and .

We shall next show that each of these properties can be ensured by the addition of subroutines and restricting their behaviors via CTL formula in a manner to be described below.

#### 5.3.1 Implementing maxval(k) and minval(k)

We first add a new state, that pops the first stack till it encounters a letter outside and further enters the state if it ever encounters the letter in doing so. Then, if there is an internal transition from a state to then, a configuration , in which begins with a valid counter satisfies iff it does NOT satisfy the CTL formula . One can implement quite similarly (using a state instead of and replacing by .)

Clearly this can be achieved by an automaton with a constant number of states (and transitions since the alphabet depends on ) and it needs no context switches. The size of the CTL formula is a constant. Across all the levels, we thus add states and make no context-switches.

#### 5.3.2 Implementing k−Eq.

##### Simple Case:

Remember that we need to check this only for configurations where both stacks contain a valid -counter, i.e. a word of length over , on top. Add a subroutine, with new states, that guesses a number , pops symbols from both the stacks and if the following symbols on the two stacks are different enters the state .

We can do this using at most one context switch. Pop the values from stack 1 before doing the same in stack , maintaining a counter in the state that counts the number of pops on stack 1 so that we may pop the same number from the other stack. The set of new states, denoted has size (since we also need to remember the th letter from stack 1 while popping stack 2). Let the starting state of this new subroutine be . Now, if there is an internal transition from a state to , a configuration is which and begin with valid -counters satisfies iff it does NOT satisfy the CTL formula . We also record the fact that any run beginning at makes at most one context switch.

Note that this subroutine has size and makes at most context switch. The size of the associated CTL formula is constant.

##### Induction:

The contents of the two stacks are of the form and and and are valid counters. Thus and . Since the counters are well-formed it suffices to check that it is NOT the case that there is a and such that and . This ability to decouple the indices on the two stacks is made possible by the special structure of the nested counters and permits us to bound the number of context switches needed.

Our subroutine begins, in a state , by popping a number of words of the form , where and from stack 1. This can be achieved by adding a constant number of states (but transitions linear in the alphabet and hence .) It then removes a similar sequence (not necessarily of the same length) from stack 2, again requiring the addition of only constant number of states. Let the set of new states added be , and we may assume w.l.o.g. that a successful run of this routine terminates in a state which is entered for the first time at this point. Suppose, there is an internal transition from a state to the state , then starting at some configuration a run of our subroutine will result in a configuration of the form .

We add internal transitions from to to verify whether . We also add an internal transition from another state .

The subroutine, with state space beginning at checks whether . It first pops a counter from stack 2 and then such a counter from stack and enters if the values following these in the two stacks are different. Again this can be done using at most 3 states and needs only one context switch.

If there is an internal transition from to then a configuration with valid counters and on top of the two stacks satisfies if and only if it does NOT satisfy the CTL formula .

The size of this subroutine, which includes the corresponding subroutine for all values less than , is bounded by the sum of the size of the corresponding subroutine for (contributed by ) and a constant dependent on (contributed by the states in ). Thus the size of is . Also observe that the maximum number of context switches possible is plus the number of context-switches possible starting at . Thus, the maximum number of context switches possible is . The size of the CTL formula is .

#### 5.3.3 Implementing k−Succ.

We use once again use an observation used by Cachat-Walukiewicz. The binary representation of the number can be obtained from that of as follows: Let be the first position, starting from the LSB, where a occurs in . Just flip all the bits in the positions up to . Thus, given the binary representations of two numbers and , in order to show that is not , it suffices to either find a position between the and the LSB where the bits are identical or a position between the MSB and that are different. We call such a position as a faulty position.

##### Base case:

. Pop elements from stack , . This is our guess of the faulty position. Remember in the state and pop more elements to learn whether to check for equality or inequality w.r.t. position in stack 2. Then do the appropriate check on stack 2 entering the state if is indeed a faulty position. The number of states added for this subroutine is linear in and we use to denote this set and to denote the initial state of this subroutine. Then, a configuration satisfies iff it does NOT satisfy the CTL formula .

The number of states needed of and any run starting at the state makes at most one context switch. Further, the size of the CTL formula is constant.

##### Induction:

The contents of the two stacks are of the form and and and are valid counters. Thus and . Again, the structure of the construction remains the same. Repeat what was done for except that instead of counting out the position numbers in the two stacks use the addresses available in the nested counters.

The subroutine begins by removing some sequence of address value pairs from both the stacks (using at most one context switch and needing only 3 states) as in the case of equality check. This phase ends in a state . At this point the configuration should be of the form .

There are internal transitions from to to check if and to three other states

• , which we have already seen in the previous subsection, beginning a subroutine which enters only if .

• , beginning a subroutine which enters only if .

• which pops the remaining part of from the first stack entering or depending on whether there is a with (i.e. ) or not.

Thus, is not if and only if the subroutine reports that the , and either enters and enters or enters and enters .

Let be the set of new states added in the subroutine described above. Let be the initial state of this subroutine. Suppose there is an internal transition from a state to the state . Then, any configuration satisfies if and only if it does NOT satisfy the CTL formula .

Observe that only a constant number of states are added (the subroutine call to does not create new states as we may use the same copy used for the equality check). Thus, the size of this subroutine is . Once again we record that the number of context switches in any run starting at is bounded 2 plus the number of context switches from and thus bounded . Finally, observe that the size of the CTL formula described above is since it is a constant plus the size of the formula .

#### 5.3.4 Implementing k−Val

##### Base case:

. It is sufficient to check that the stack contents begin with a sequence of length over followed by a symbol not in . Our subroutine does this and enters the state if this is not the case. Let be the set of states and let be the initial state of this subroutine. If there is an internal transition from a state to the state then, a configuration satisfies iff it does NOT satisfy the CTL formula .

We note that the size of is bounded by and routine performs no context switches. The size of the CTL formula is evidently constant.

##### Induction:

Suppose the configuration is . Let for some , . Further let with , . We need to check that

1. Each is a valid counter.

2. is the maximum possible counter (i.e. with a for each digit.)

3. is the minimum possible counter (i.e. with a for each digit.)

4. For each .

In order to verify the first condition above, we set up a subroutine beginning at state which begins by popping a sequence belonging to and then enters . The state has an internal transition to Thus, if there is an internal transition from to then the configuration satisfies the first condition above iff it does NOT satisfy the CTL formula . Also note that the subroutine beginning at adds only a constant number of states and any run of this subroutine has at most as many context switches as . The formula has size bounded by a constant plus the size of .

Checking the second condition, assuming that the first condition is satisfied, corresponds to checking . In effect, if has a internal transition to and is a configuration satisfying property 1 then it satisfies property 2 iff it does NOT satisfy the CTL formula . This subroutine does not involve any context-switches and adds only a constant number of states. The size of the formula is constant.

Again, assuming that the first condition is satisfied, checking the third condition can be achieved using the subroutine that begins at state which begins by popping a sequence belonging to and then enters , with some on top of the stack. The state has internal transitions to (to check holds for ) as well as to a state . The state pops a sequence of elements of , then pops an element of and verifies that the following letter does not belong to and enters on successfully carrying out this task. In effect the run from ends at iff . Thus, if a state has an internal transition to and is a configuration satisfying the first two conditions then it does NOT satisfy property 3 iff it satisfies the CTL formula