Complexity of Model Checking Recursion Schemes for Fragments of the Modal Mu-Calculus
Ong has shown that the modal mu-calculus model checking problem (equivalently, the alternating parity tree automaton (APT) acceptance problem) of possibly-infinite ranked trees generated by order-n recursion schemes is n-EXPTIME complete. We consider…
Authors: Naoki Kobayashi (Graduate School of Information Sciences, Tohoku University), C.-H. Luke Ong (Oxford University Computing Laboratory)
Logical Methods in Computer Science, Vol. 7 (4:09) 2011, pp. 1–23. www.lmcs-online.org. Submitted Nov. 29, 2009; published Dec. 21, 2011. DOI: 10.2168/LMCS-7(4:09)2011. © N. Kobayashi and C.-H. L. Ong, CC Creative Commons.

Naoki Kobayashi, Graduate School of Information Sciences, Tohoku University, 6-3-09 Aoba, Aramaki, Aoba-ku Sendai, 980-8579 Japan. E-mail: koba@ecei.tohoku.ac.jp
C.-H. Luke Ong, Department of Computer Science, University of Oxford, Wolfson Building, Parks Road, Oxford OX1 3QD, UK. E-mail: Luke.Ong@cs.ox.ac.uk

1998 ACM Subject Classification: F.3.1, D.2.4.
Key words and phrases: model checking, higher-order recursion schemes, modal mu-calculus, complexity.

Abstract. Ong has shown that the modal mu-calculus model checking problem (equivalently, the alternating parity tree automaton (APT) acceptance problem) of possibly-infinite ranked trees generated by order-$n$ recursion schemes is $n$-EXPTIME complete. We consider two subclasses of APT and investigate the complexity of the respective acceptance problems. The main results are that, for APT with a single priority, the problem is still $n$-EXPTIME complete; whereas, for APT with a disjunctive transition function, the problem is $(n-1)$-EXPTIME complete. This study was motivated by Kobayashi's recent work showing that the resource usage verification of functional programs can be reduced to the model checking of recursion schemes. As an application, we show that the resource usage verification problem is $(n-1)$-EXPTIME complete.

1. Introduction

The model checking problem for higher-order recursion schemes has been a topic of active research in recent years (for motivation as to why the problem is interesting, see e.g. the introduction of Ong's paper [15]). This paper studies the complexity of the problem with respect to certain fragments of the modal $\mu$-calculus. A higher-order recursion scheme (recursion scheme, for short) is a kind of (deterministic) grammar for generating a possibly-infinite ranked tree. The model checking problem for recursion schemes is to decide, given an order-$n$ recursion scheme $G$ and a specification $\psi$ for infinite trees, whether the tree generated by $G$ satisfies $\psi$. Ong [15] has shown that if $\psi$ is a modal $\mu$-calculus formula (or equivalently, an alternating parity tree automaton), then the model checking problem is $n$-EXPTIME complete.

Following Ong's work, Kobayashi [12] has recently applied the decidability result to the model checking of higher-order functional programs (precisely, programs of the simply-typed $\lambda$-calculus with recursion and resource creation/access primitives). He considered the resource usage verification problem [7], that is, the problem of whether programs access dynamically created resources in a valid manner (e.g. whether every opened file will eventually be closed, and thereafter never read from or written to before it is reopened). He showed that the resource usage verification problem reduces to a model checking problem for recursion schemes by giving a transformation that, given a functional program, constructs a recursion scheme that generates all possible resource access sequences of the program. From Ong's result, it follows that the resource usage verification problem is in $n$-EXPTIME (where, roughly, $n$ is the highest order of types in the program).
This result also implies that various other verification problems, including (the precise verification of) reachability ("Does a closed program reach the fail command?") and flow analysis ("Does a sub-term $e$ evaluate to a value generated at program point $l$?"), are also in $n$-EXPTIME, as they can be easily recast as resource usage verification problems.

It was however unknown whether $n$-EXPTIME is the tightest upper-bound of the resource usage verification problem. Although the model checking of recursion schemes is $n$-EXPTIME-hard for the full modal $\mu$-calculus, only a certain fragment of the modal $\mu$-calculus is used in Kobayashi's approach to the resource usage verification problem. First, specifications are restricted to safety properties, which can be described by Büchi tree automata with a trivial acceptance condition (the class called "trivial automata" by Aehlig [1]). Secondly, specifications are also restricted to linear-time properties: the branching structure of trees is ignored, and only the path languages of trees are of interest. Thus, one may reasonably hope that there is a more tractable model checking algorithm than the $n$-EXPTIME algorithm.

The goal of this paper is, therefore, to study the complexity of the model checking of recursion schemes for various fragments of the modal $\mu$-calculus (or, alternating parity tree automata) and to apply the result to obtain tighter bounds of the complexity of the resource usage verification problem. The main results of this paper are as follows:
(i) The problem of whether a given Büchi tree automaton with a trivial acceptance condition (or, equivalently, alternating parity tree automaton with a single priority 0) accepts the tree generated by an order-$n$ recursion scheme is still $n$-EXPTIME-hard, both in the size of the recursion scheme and that of the automaton. This follows from the $n$-EXPTIME-completeness of the word acceptance problem of higher-order alternating pushdown automata^1 [6].
(ii) We introduce a new subclass of alternating parity tree automata (APT) called disjunctive APT, and show that its acceptance problem for trees generated by order-$n$ recursion schemes is $(n-1)$-EXPTIME complete. From this general result, it follows that both the linear-time properties (including reachability, which is actually $(n-1)$-EXPTIME-complete) and finiteness of the tree generated by a recursion scheme are $(n-1)$-EXPTIME.
(iii) As an application, we show that the resource usage verification problem [12] is also $(n-1)$-EXPTIME-complete, where $n$ is the highest order of types used in the source program (written in an appropriate language [12]).

^1 Engelfriet's proof [6] is for a somewhat different (but equivalent) machine which is called iterated pushdown automaton.

The rest of this paper is organized as follows. Section 2 reviews definitions of recursion schemes and alternating parity tree automata (APT). Section 3 introduces the class of trivial APT and studies the complexity of model checking recursion schemes. Section 4 introduces the class of disjunctive APT and studies the complexity of model checking recursion schemes. Section 5 applies the result to analyze the complexity of the resource usage verification. Section 6 discusses related work and concludes the paper.

2. Preliminaries

Let $\Sigma$ be a ranked alphabet, i.e. a function that maps a terminal symbol to its arity, which is a non-negative integer. Let $\mathbb{N} = \{1, 2, \cdots\}$. A $\Sigma$-labeled (unranked) tree $T$ is a partial map from $\mathbb{N}^*$ to $\mathrm{dom}(\Sigma)$, such that $sk \in \mathrm{dom}(T)$ (where $s \in \mathbb{N}^*$, $k \in \mathbb{N}$) implies $\{s\} \cup \{sj \mid 1 \le j < k\} \subseteq \mathrm{dom}(T)$.
A (possibly infinite) sequence $\pi$ over $\mathbb{N}$ is a path of $T$ just if every finite prefix of $\pi$ is in $\mathrm{dom}(T)$. A tree is ranked just if $\max\{j \mid sj \in \mathrm{dom}(T)\}$ is equal to the arity of $T(s)$ for each $s \in \mathrm{dom}(T)$.

Higher-Order Recursion Schemes. The set of types is defined by:
$\kappa ::= o \mid \kappa_1 \to \kappa_2$
where $o$ is the type of trees. By convention, $\to$ associates to the right; thus, for example, $o \to o \to o$ means $o \to (o \to o)$. The order of $\kappa$, written $\mathrm{order}(\kappa)$, is defined by:
$\mathrm{order}(o) := 0$
$\mathrm{order}(\kappa_1 \to \kappa_2) := \max(\mathrm{order}(\kappa_1) + 1, \mathrm{order}(\kappa_2))$.
A (deterministic) higher-order recursion scheme (recursion scheme, for short) is a quadruple $G = (\Sigma, \mathcal{N}, \mathcal{R}, S)$, where
(i) $\Sigma$ is a ranked alphabet of terminal symbols.
(ii) $\mathcal{N}$ is a map from a finite set of symbols called non-terminals to types.
(iii) $\mathcal{R}$ is a set of rewrite rules $F\,\tilde{x} \to t$. Here $\tilde{x} = x_1, \cdots, x_n$ abbreviates a sequence of variables, and $t$ is an applicative term constructed from non-terminals, terminals, and variables $x_1, \cdots, x_n$.
(iv) $S$ is a start symbol. We require that $\mathcal{N}(S) = o$.
The set of (typed) terms is defined in the standard manner: A non-terminal or variable of type $\kappa$ is a term of type $\kappa$. A terminal of arity $k$ is a term of type $\underbrace{o \to \cdots \to o}_{k} \to o$. If terms $t_1$ and $t_2$ have types $\kappa_1 \to \kappa_2$ and $\kappa_1$ respectively, then $t_1\,t_2$ is a term of type $\kappa_2$. By convention, application associates to the left; thus, for example, $s\,t\,u$ means $(s\,t)\,u$. For each rule $F\,\tilde{x} \to t$, $F\,\tilde{x}$ and $t$ must be terms of type $o$. There must be exactly one rewrite rule for each non-terminal. The order of a recursion scheme is the highest order of (the types of) its non-terminals. A rewrite relation on terms is defined inductively by:
(i) If $F\,\tilde{x} \to t \in \mathcal{R}$, then $F\,\tilde{s} \longrightarrow_G [\tilde{s}/\tilde{x}]t$.
(ii) If $t \longrightarrow_G t'$, then $t\,s \longrightarrow_G t'\,s$ and $s\,t \longrightarrow_G s\,t'$.
The value tree of a recursion scheme $G$, written $[\![G]\!]$, is the (possibly infinite) tree obtained by infinite rewriting of the start symbol $S$. More precisely, let us define $t^\perp$ by:
$a^\perp := a$
$F^\perp := \perp$
$(t_1\,t_2)^\perp := \perp$ if $t_1^\perp = \perp$, and $t_1^\perp\,t_2^\perp$ otherwise.
The value tree $[\![G]\!]$ is the $\Sigma \cup \{\perp \mapsto 0\}$-ranked tree defined by:
$[\![G]\!] := \bigsqcup \{ t^\perp \mid S \longrightarrow^*_G t \}$.
Here, $\bigsqcup$ denotes the least upper bound with respect to the tree order $\sqsubseteq$ defined by
$T_1 \sqsubseteq T_2 \iff \forall s \in \mathrm{dom}(T_1).\ (T_1(s) = T_2(s) \vee T_1(s) = \perp)$.
Note that $[\![G]\!]$ is always well-defined, as the rewrite relation $\longrightarrow_G$ is confluent.

Figure 1: The tree generated by the recursion scheme of Example 1 (figure not reproduced).

Example 1. Consider the recursion scheme $G = (\Sigma, \mathcal{N}, \mathcal{R}, S)$ where
$\Sigma = \{a \mapsto 2, b \mapsto 1, c \mapsto 1, e \mapsto 0\}$
$\mathcal{N} = \{S \mapsto o,\ F \mapsto (o \to o) \to o \to o,\ I \mapsto o \to o,\ C \mapsto (o \to o) \to (o \to o) \to (o \to o)\}$
$\mathcal{R} = \{S \to F\,I\,e,\ F\,f\,x \to a\,(f\,x)\,(F\,(C\,b\,f)\,(c\,x)),\ I\,x \to x,\ C\,f\,g\,x \to f\,(g\,x)\}$
$S$ is reduced as follows.
$S \longrightarrow F\,I\,e \longrightarrow a\,(I\,e)\,(F\,(C\,b\,I)\,(c\,e)) \longrightarrow a\,e\,(a\,(C\,b\,I\,(c\,e))\,(F\,(C\,b\,(C\,b\,I))\,(c\,(c\,e)))) \longrightarrow^* a\,e\,(a\,(b\,(c\,e))\,(F\,(C\,b\,(C\,b\,I))\,(c\,(c\,e)))) \longrightarrow^* a\,e\,(a\,(b\,(c\,e))\,(a\,(b^2\,(c^2\,e))\,(a\,(b^3\,(c^3\,e))\cdots)))$
The value tree is shown in Figure 1. Each path of the tree is labelled by $a^{m+1}\,b^m\,c^m\,e$.

Alternating parity tree automata. Given a finite set $X$, the set $\mathcal{B}^+(X)$ of positive Boolean formulas over $X$ is defined as follows. We let $\theta$ range over $\mathcal{B}^+(X)$.
$\theta ::= \mathbf{t} \mid \mathbf{f} \mid x \mid \theta \wedge \theta \mid \theta \vee \theta$
where $x$ ranges over $X$. We say that a subset $Y$ of $X$ satisfies $\theta$ just if assigning true to elements in $Y$ and false to elements in $X \setminus Y$ makes $\theta$ true.
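As an added example (not code from the paper), the following Python carries out the rewriting of Example 1 by outermost reduction, builds a finite prefix of $[\![G]\!]$, and checks the path-label property $a^{m+1}\,b^m\,c^m\,e$ on every complete path of that prefix. The spine representation of terms and the depth cut-off are this example's own choices.

```python
"""Outermost rewriting of the recursion scheme of Example 1 and a check of the
path-label property a^{m+1} b^m c^m e. Constructed example, not the paper's code."""
import re

# Terms in spine form: (head, [arg, ...]); heads are terminal, non-terminal or variable names.
SIGMA = {"a": 2, "b": 1, "c": 1, "e": 0}          # ranked alphabet of Example 1
RULES = {                                         # F x~ -> t, each as (params, body)
    "S": ([], ("F", [("I", []), ("e", [])])),
    "F": (["f", "x"], ("a", [("f", [("x", [])]),
                             ("F", [("C", [("b", []), ("f", [])]), ("c", [("x", [])])])])),
    "I": (["x"], ("x", [])),
    "C": (["f", "g", "x"], ("f", [("g", [("x", [])])])),
}


def subst(term, env):
    """[s~/x~]t: a variable in head position is replaced by its binding, whose own spine
    absorbs the remaining arguments (application associates to the left)."""
    head, args = term
    args = [subst(arg, env) for arg in args]
    if head in env:
        bound_head, bound_args = env[head]
        return (bound_head, bound_args + args)
    return (head, args)


def head_normalise(term):
    """Apply rewrite rule (i) at the root until a terminal symbol is in head position."""
    head, args = term
    while head in RULES:
        params, body = RULES[head]
        assert len(args) == len(params), "a term of type o applies its non-terminal fully"
        head, args = subst(body, dict(zip(params, args)))
    return head, args


def value_tree(term, depth):
    """Finite prefix of [[G]] below `term` as nested (symbol, children); nodes below `depth` are cut."""
    if depth == 0:
        return ("...", [])
    head, args = head_normalise(term)
    assert head in SIGMA and len(args) == SIGMA[head]
    return (head, [value_tree(arg, depth - 1) for arg in args])


def complete_paths(tree):
    """Label strings of the root-to-leaf paths that end in an arity-0 terminal (not cut off)."""
    head, kids = tree
    if head == "...":
        return []
    if not kids:
        return [head]
    return [head + p for k in kids for p in complete_paths(k)]


def example1_paths(depth):
    """All complete paths of the depth-bounded prefix of the value tree of Example 1."""
    return complete_paths(value_tree(("S", []), depth))


def is_a_b_c_e(path):
    """Does the path label read a^{m+1} b^m c^m e for some m >= 0?"""
    m = re.fullmatch(r"(a+)(b*)(c*)e", path)
    return bool(m) and len(m.group(1)) == len(m.group(2)) + 1 == len(m.group(3)) + 1
```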
An alternating parity tree automaton (or APT for short) over $\Sigma$-labelled trees is a tuple $\mathcal{A} = (\Sigma, Q, \delta, q_I, \Omega)$ where (i) $\Sigma$ is a ranked alphabet; let $m$ be the largest arity of the terminal symbols; (ii) $Q$ is a finite set of states, and $q_I \in Q$ is the initial state; (iii) $\delta : Q \times \Sigma \longrightarrow \mathcal{B}^+(\{1, \cdots, m\} \times Q)$ is the transition function where, for each $f \in \Sigma$ and $q \in Q$, we have $\delta(q, f) \in \mathcal{B}^+(\{1, \cdots, \mathrm{arity}(f)\} \times Q)$; and (iv) $\Omega : Q \longrightarrow \{0, \cdots, M-1\}$ is the priority function.

A run-tree of an APT $\mathcal{A}$ over a $\Sigma$-labelled ranked tree $T$ is a $(\mathrm{dom}(T) \times Q)$-labelled unranked tree $r$ satisfying: (i) $\epsilon \in \mathrm{dom}(r)$ and $r(\epsilon) = (\epsilon, q_I)$; and (ii) for every $\beta \in \mathrm{dom}(r)$ with $r(\beta) = (\alpha, q)$, there is a set $S$ that satisfies $\delta(q, T(\alpha))$; and for each $(i, q') \in S$, there is some $j$ such that $\beta j \in \mathrm{dom}(r)$ and $r(\beta j) = (\alpha i, q')$. Let $\pi = \pi_1 \pi_2 \cdots$ be an infinite path in $r$; for each $i \ge 0$, let the state label of the node $\pi_1 \cdots \pi_i$ be $q_{n_i}$ where $q_{n_0}$, the state label of $\epsilon$, is $q_I$. We say that $\pi$ satisfies the parity condition just if the largest priority that occurs infinitely often in $\Omega(q_{n_0})\,\Omega(q_{n_1})\,\Omega(q_{n_2}) \cdots$ is even. A run-tree $r$ is accepting if every infinite path in it satisfies the parity condition. An APT $\mathcal{A}$ accepts a (possibly infinite) ranked tree $T$ if there is an accepting run-tree of $\mathcal{A}$ over $T$.

Ong [15] has shown that there is a procedure that, given a recursion scheme $G$ and an APT $\mathcal{A}$, decides whether $\mathcal{A}$ accepts the value tree of $G$.

Theorem 2.1 (Ong). Let $G$ be a recursion scheme of order $n$, and $\mathcal{A}$ be an APT. The problem of deciding whether $\mathcal{A}$ accepts $[\![G]\!]$ is $n$-EXPTIME-complete.

As usual (following [15]), we restrict our attention to recursion schemes whose value trees do not contain $\perp$ in the rest of the paper.
Given a recursion scheme $G$ that may generate $\perp$ and an APT $\mathcal{A}$, one can construct $G'$ and $\mathcal{A}'$ such that (i) $\mathcal{A}$ accepts $[\![G]\!]$ if and only if $\mathcal{A}'$ accepts $[\![G']\!]$, and (ii) $G'$ does not generate $\perp$.^2

^2 Note, however, that the transformation does not preserve the class of trivial APT considered in Section 3.

3. Trivial APT and the Complexity of Model Checking

APT with a trivial acceptance condition, or trivial APT (for short), is an APT that has exactly one priority which is even. Note that trivial APT are equivalent to Aehlig's "trivial automata" [1] (for defining languages of ranked trees). The first result of this paper is a logical characterization of the class of $\Sigma$-labelled ranked trees accepted by trivial APT. Call $\mathcal{S}$ the following fragment of the modal mu-calculus:
$\varphi, \psi ::= \mathbf{t} \mid \mathbf{f} \mid P_f \mid Z \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \langle i \rangle \varphi \mid \nu Z.\varphi$
where $f$ ranges over symbols in $\Sigma$, and $i$ ranges over $\{1, \cdots, \mathrm{arity}(\Sigma)\}$. (We think of $\mathcal{S}$ as the "safety" fragment.) We give a characterization of trivial APT. A proof is given in Appendix A.

Proposition 3.1 (Equi-Expressivity). The logic $\mathcal{S}$ and trivial APT are equivalent for defining possibly-infinite ranked trees. I.e. for every closed $\mathcal{S}$-formula, there is a trivial APT that defines the same tree language, and vice versa.

We show that the model checking problem for recursion schemes is $n$-EXPTIME complete for trivial APT. The upper-bound of $n$-EXPTIME follows immediately from Ong's result [15]. To show the lower-bound, we reduce the decision problem of $w \in^? L(\mathcal{A})$, where $w$ is a word and $\mathcal{A}$ is an order-$n$ alternating PDA, to the model checking problem for recursion schemes. $n$-EXPTIME hardness follows from the reduction, since the problem of $w \in^? L(\mathcal{A})$ is $n$-EXPTIME hard [6].

Definition 3.2. An order-$n$ alternating PDA (order-$n$ APDA, for short) for finite words is a 7-tuple $\mathcal{A} = \langle P, \lambda, p_0, \Gamma, \Sigma, \Delta, F \rangle$ where $P$ is a set of states, $\lambda : P \to \{\mathbf{A}, \mathbf{E}\}$ partitions states into universal and existential, $p_0$ is the initial state, $\Gamma$ is a stack alphabet, $\Sigma$ is an input alphabet, $F \subseteq P$ is the set of final states, and $\Delta \subseteq P \times \Gamma \times (\Sigma \cup \{\epsilon\}) \times P \times Op_n$ is a transition relation. A configuration of an order-$n$ APDA is of the form $(p, s)$ where $s$ is an order-$n$ stack (an order-1 stack is an ordinary stack, and an order-$(k+1)$ stack is a stack of order-$k$ stacks). The induced transition relation on configurations is defined by the rule: if $(p, top_1(s), \alpha, p', \theta) \in \Delta$, then $(p, s) \xrightarrow{\alpha} (p', \theta(s))$ where $\theta \in Op_n$ is an order-$n$ stack operation^3 and $top_1(s)$ is the stack top of $s$. Let $w$ be a word over $\Sigma$. We write $w_i$ (where $0 \le i < |w|$) for the $i$-th element of $w$. A run tree of an order-$n$ APDA over a word $w$ is a finite, unranked tree satisfying the following.
(i) The root is labelled by $(p_0, \perp_n, 0)$, where $\perp_n$ is the empty order-$n$ stack.
(ii) If a node is labelled by $(p, s, i)$, then one of the following conditions holds, where
$\Xi := \{(p', \theta(s), i+1) \mid (p, top_1(s), w_i, p', \theta) \in \Delta \wedge i < |w|\} \cup \{(p', \theta(s), i) \mid (p, top_1(s), \epsilon, p', \theta) \in \Delta\}$.
• $p \in F$ and $i = |w|$;
• $\lambda(p) = \mathbf{A}$ and the set of labels of the child nodes is $\Xi$; or
• $\lambda(p) = \mathbf{E}$ and there is exactly one child node, which is labelled by an element of $\Xi$.
(It follows that the leaves of a run tree are labelled by $(p, s, |w|)$ with $p \in F$, or $(p, s, i)$ with $\lambda(p) = \mathbf{A}$ and $\Xi = \emptyset$.) An order-$n$ APDA $\mathcal{A}$ accepts $w$ if there exists a run tree of $\mathcal{A}$ over $w$. Engelfriet [6] has shown that the word acceptance problem for order-$n$ APDA is $n$-EXPTIME complete.

Theorem 3.3 (Engelfriet). Let $\mathcal{A}$ be an order-$n$ APDA and $w$ a finite word over $\Sigma$.
The problem of $w \in^? L(\mathcal{A})$ is $n$-EXPTIME complete.

^3 Assume an order-$n$ stack, where $n \ge 2$. An order-1 push operation is just the standard operation that pushes a symbol onto the top of the top order-1 stack; the order-1 pop operation removes the top symbol from the top order-1 stack. For $2 \le i \le n$, the order-$i$ push operation duplicates the top order-$(i-1)$ stack of the order-$n$ stack; the order-$i$ pop operation removes the top order-$(i-1)$ stack. The set $Op_n$ of order-$n$ stack operations consists of order-$i$ push and order-$i$ pop for each $1 \le i \le n$. For a formal definition, see, for example, the FoSSaCS 2002 paper [10] of Knapik et al.

To reduce the word acceptance problem of order-$n$ APDA to the model checking problem for recursion schemes, we use the equivalence [10] between order-$n$ safe^4 recursion schemes and order-$n$ PDA as (deterministic) devices for generating trees.

Definition 3.4. An order-$n$ tree-generating PDA is a tuple $\mathcal{A} = \langle \Sigma, \Gamma, Q, \delta, q_0 \rangle$ where $\Sigma$ is a ranked alphabet, $\Gamma$ is a stack alphabet, $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, and
$\delta : Q \times \Gamma \longrightarrow (Q \times Op_n \cup \{(f; q_1, \cdots, q_{\mathrm{arity}(f)}) \mid f \in \Sigma, q_i \in Q\})$
is the transition function. A configuration is either a pair $(q, s)$ where $q \in Q$ and $s$ is an order-$n$ stack, or a triple of the form $(f; q_1 \cdots q_{\mathrm{arity}(f)}; s)$ where $f \in \Sigma$ and $q_1 \cdots q_{\mathrm{arity}(f)} \in Q^*$. Let $\overline{\Sigma}$ be the label-set $\{(f, i) \mid f \in \Sigma, 1 \le i \le \mathrm{arity}(f)\} \cup \{a \in \Sigma \mid \mathrm{arity}(a) = 0\}$. We define the labelled transition relation between configurations induced by $\delta$:
$(q, s) \xrightarrow{\epsilon} (q', \theta(s))$ if $\delta(q, top_1(s)) = (q', \theta)$
$(q, s) \xrightarrow{\epsilon} (f; \tilde{q}; s)$ if $\delta(q, top_1(s)) = (f; \tilde{q})$ and $\mathrm{arity}(f) \ge 1$
$(q, s) \xrightarrow{a} (a; \epsilon; s)$ if $\delta(q, top_1(s)) = (a; \epsilon)$ and $\mathrm{arity}(a) = 0$
$(f; \tilde{q}; s) \xrightarrow{(f, i)} (q_i, s)$ where $1 \le i \le \mathrm{arity}(f)$
Let $w$ be a finite or infinite word over the alphabet $\overline{\Sigma}$. We say that $w$ is a trace of $\mathcal{A}$ just if there is a possibly-infinite sequence of transitions $(q_0, \perp_n) \xrightarrow{\ell_1} \gamma_1 \cdots \xrightarrow{\ell_m} \gamma_m \xrightarrow{\ell_{m+1}} \cdots$ such that $w = \ell_1 \ell_2 \cdots$. We say that $\mathcal{A}$ generates a $\Sigma$-labelled tree $t$ just in case the branch language^5 of $t$ coincides with the set of maximal traces of $\mathcal{A}$.

Theorem 3.5 (Knapik et al. [10]). There is an effective transformation that, given an order-$n$ tree-generating PDA $\mathcal{M}$, returns an order-$n$ safe recursion scheme $G$ that generates the same tree as $\mathcal{M}$. Moreover, both the running time of the transformation algorithm and the size of $G$ are polynomial in the size of $\mathcal{M}$.

By Theorems 3.3 and 3.5, it suffices to show that, given a word $w$ and an order-$n$ APDA $\mathcal{A}$, one can construct an order-$n$ tree-generating PDA $\mathcal{M}_{\mathcal{A},w}$ and a trivial APT $\mathcal{B}$ such that $w$ is accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}_{\mathcal{A},w}$ is accepted by $\mathcal{B}$. Let $w$ be a word over $\Sigma$. From $w$ and $\mathcal{A} = \langle P, \lambda, p_0, \Gamma, \Sigma, \Delta, F \rangle$ above, we construct an order-$n$ PDA $\mathcal{M}_{\mathcal{A},w}$ for generating a $\{\mathbf{A}, \mathbf{E}, \mathbf{R}, \mathbf{T}\}$-labelled tree, which is a kind of run tree of $\mathcal{A}$ over the input word $w$. The node label $\mathbf{A}$ ($\mathbf{E}$, respectively) means that $\mathcal{A}$ is in a universal (existential, respectively) state; $\mathbf{T}$ means that $\mathcal{A}$ has accepted the word, and $\mathbf{R}$ means that $\mathcal{A}$ is stuck (no outgoing transition).

^4 An order-$n$ recursion scheme is safe if it satisfies a certain condition called safety [11].
We use the equivalence between safe recursion schemes and higher-order PDA just to prove the lower-bound, so that the knowledge about the safety constraint is not required. See [11, 2] for details of the safety constraint.

^5 The branch language of $t : \mathrm{dom}(t) \longrightarrow \Sigma$ consists of (i) infinite words $(f_1, d_1)(f_2, d_2) \cdots$ just if there exists $d_1 d_2 \cdots \in \{1, 2, \cdots, m\}^\omega$ (where $m$ is the maximum arity of the $\Sigma$-symbols) such that $t(d_1 \cdots d_i) = f_{i+1}$ for every $i \ge 0$; and (ii) finite words $(f_1, d_1) \cdots (f_n, d_n)\,f_{n+1}$ just if there exists $d_1 \cdots d_n \in \{1, \cdots, m\}^*$ such that $t(d_1 \cdots d_i) = f_{i+1}$ for $0 \le i \le n$, and the arity of $f_{n+1}$ is 0.

Let $N$ be $\max_{q \in P, a \in \Sigma, \gamma \in \Gamma} |\{(q', a', \theta) \mid (q, \gamma, a', q', \theta) \in \Delta, a' \in \{a, \epsilon\}\}|$. I.e. $N$ is the degree of non-determinacy of $\mathcal{A}$. We define
$\mathcal{M}_{\mathcal{A},w} = \langle \{\mathbf{A} \mapsto N, \mathbf{E} \mapsto N, \mathbf{T} \mapsto 0, \mathbf{R} \mapsto 0\}, \Gamma, Q, \delta, (p_0, 0) \rangle$
where:
− $Q = (P \times \{0, \ldots, |w|\}) \cup \{q_\top, q_\bot\} \cup (P \times \{0, \ldots, |w|\} \times Op_n)$
− $\delta : Q \times \Gamma \longrightarrow (Q \times Op_n \cup \{(g; q_1, \ldots, q_k) : g \in \{\mathbf{A}, \mathbf{E}, \mathbf{T}, \mathbf{R}\}, k \ge 0, q_1, \ldots, q_k \in Q\})$ is given by:
(1) $\delta((p, |w|), \gamma) = (\mathbf{T}; \epsilon)$, if $p \in F$
(2) $\delta((p, i), \gamma) = (\mathbf{A}; (p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m), \underbrace{q_\top, \ldots, q_\top}_{N-m})$ if $\lambda(p) = \mathbf{A}$ and $\{(p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m)\}$ is
$\{(p', i+1, \theta) \mid (p, \gamma, w_i, p', \theta) \in \Delta \wedge i < |w|\} \cup \{(p', i, \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\}$
(3) $\delta((p, i), \gamma) = (\mathbf{E}; (p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m), \underbrace{q_\bot, \ldots, q_\bot}_{N-m})$ if $\lambda(p) = \mathbf{E}$ and $\{(p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m)\}$ is
$\{(p', i+1, \theta) \mid (p, \gamma, w_i, p', \theta) \in \Delta \wedge i < |w|\} \cup \{(p', i, \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\}$
(4) $\delta((p, i, \theta), \gamma) = ((p, i), \theta)$
(5) $\delta(q_\top, \gamma) = (\mathbf{T}; \epsilon)$
(6) $\delta(q_\bot, \gamma) = (\mathbf{R}; \epsilon)$
Rules (2) and (3) are applied only when rule (1) is inapplicable.

$\mathcal{M}_{\mathcal{A},w}$ simulates $\mathcal{A}$ over the word $w$, and constructs a tree representing the computation of $\mathcal{A}$. A state $(p, i) \in P \times \{0, \ldots, |w|-1\}$ simulates $\mathcal{A}$ in state $p$ reading the letter $w_i$. A state $(p, i, \theta)$ simulates an intermediate transition state of $\mathcal{A}$, where $\theta$ is the stack operation to be applied. The states $q_\top$ and $q_\bot$ are for creating dummy subtrees of nodes labelled with $\mathbf{A}$ or $\mathbf{E}$, so that the number of children of these nodes adds up to $N$, the arity of $\mathbf{A}$ and $\mathbf{E}$. Rule (1) ensures that when $\mathcal{A}$ has read the input word and reached a final state, $\mathcal{M}_{\mathcal{A},w}$ stops simulating $\mathcal{A}$ and outputs $\mathbf{T}$. Rule (2) is used to simulate transitions of $\mathcal{A}$ in a universal state, reading the $i$-th input: $\mathcal{M}_{\mathcal{A},w}$ constructs a node labelled $\mathbf{A}$ (to record that $\mathcal{A}$ was in a universal state) and spawns threads to simulate all possible transitions of $\mathcal{A}$. Rule (3) is for simulating $\mathcal{A}$ in an existential state. Note that, if $\mathcal{A}$ gets stuck (i.e. if there is no outgoing transition), all children of the $\mathbf{E}$-node are labelled $\mathbf{R}$; thus failure of the computation can be recognized by the trivial APT given in the following. Rule (4) is just for intermediate transitions. Note that a transition of $\mathcal{A}$ is simulated by $\mathcal{M}_{\mathcal{A},w}$ in two steps: the first for outputting $\mathbf{A}$ or $\mathbf{E}$, and the second for changing the stack.

Now we construct a trivial APT $\mathcal{B}$ that accepts the tree generated by $\mathcal{M}_{\mathcal{A},w}$ if, and only if, $w$ is not accepted by $\mathcal{A}$.
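As an added illustration (constructed here, not the paper's code), the run-tree acceptance of Definition 3.2 and the tree of $\mathcal{M}_{\mathcal{A},w}$ built by rules (1)–(6) can be run for an order-1 APDA and checked against the trivial APT $\mathcal{B}$ that the paper defines next ($\mathbf{A}$ as disjunction over children, $\mathbf{E}$ as conjunction, $\mathbf{T} \mapsto \mathbf{f}$, $\mathbf{R} \mapsto \mathbf{t}$). The sample APDA, the bottom-of-stack marker, the encoding of $Op_1$ and the restriction to order-1 stacks without $\epsilon$-loops (so that every tree is finite) are assumptions of the example.

```python
"""Order-1 instance of the Section 3 reduction: an APDA, the {A,E,T,R}-tree of M_{A,w},
and the trivial APT B. Constructed example, not the paper's code."""

BOT = "bot"   # constructed bottom-of-stack marker, so top_1 of the empty order-1 stack is defined


def apply_op(op, stack):
    """Order-1 stack operations Op_1, encoded here as ("push", gamma), ("pop",) or ("id",)."""
    if op[0] == "push":
        return stack + (op[1],)
    if op[0] == "pop":
        return stack[:-1]
    return stack


class APDA:
    """A = <P, lambda, p0, Gamma, Sigma, Delta, F>; Delta holds 5-tuples (p, gamma, a, p', theta),
    where a is an input letter or "" for an epsilon-transition."""

    def __init__(self, states, lam, p0, stack_alphabet, alphabet, delta, final):
        self.states, self.lam, self.p0 = states, lam, p0
        self.stack_alphabet, self.alphabet = stack_alphabet, alphabet
        self.delta, self.final = set(delta), set(final)

    def moves(self, p, top, a):
        return [(p2, th) for (q, g, b, p2, th) in self.delta if q == p and g == top and b == a]

    def successors(self, p, s, i, w):
        """The set Xi of Definition 3.2: moves on w_i (if input is left) plus epsilon moves."""
        xi = [(p2, apply_op(th, s), i + 1) for (p2, th) in self.moves(p, s[-1], w[i])] if i < len(w) else []
        xi += [(p2, apply_op(th, s), i) for (p2, th) in self.moves(p, s[-1], "")]
        return xi

    def degree(self):
        """N, the degree of non-determinacy: most moves on one letter, epsilon moves included."""
        return max(len(self.moves(p, g, a)) + len(self.moves(p, g, ""))
                   for p in self.states for g in self.stack_alphabet for a in self.alphabet)

    def accepts(self, w):
        """Existence of a run tree over w, straight from Definition 3.2 (the recursion
        terminates because the sample has no epsilon-loops)."""
        def run(p, s, i):
            if p in self.final and i == len(w):
                return True
            branches = [run(*c) for c in self.successors(p, s, i, w)]
            return all(branches) if self.lam[p] == "A" else any(branches)
        return run(self.p0, (BOT,), 0)


def tree_of_M(A, w):
    """The {A,E,T,R}-labelled tree generated by M_{A,w} (rules (1)-(6)) as nested
    (label, children) pairs; dummy subtrees pad every A/E node to exactly N children."""
    N = A.degree()
    def node(p, i, s):
        if p in A.final and i == len(w):                   # rule (1): word accepted, emit T
            return ("T", [])
        label = A.lam[p]                                   # rules (2)/(3): record the state kind
        pad = ("T", []) if label == "A" else ("R", [])     # q_top / q_bot dummies, rules (5)/(6)
        kids = [node(p2, j, s2) for (p2, s2, j) in A.successors(p, s, i, w)]
        return (label, kids + [pad] * (N - len(kids)))
    return node(A.p0, 0, (BOT,))


def B_accepts(tree):
    """The trivial APT B: A -> disjunction over children, E -> conjunction, T -> f, R -> t.
    On a finite tree, acceptance is bottom-up evaluation of these positive Boolean formulas."""
    label, kids = tree
    if label == "T":
        return False
    if label == "R":
        return True
    vals = [B_accepts(k) for k in kids]
    return any(vals) if label == "A" else all(vals)


# Constructed sample: a universal root u forks into (1) a pushdown check for a^k b^k and
# (2) a finite-state check that |w| is a multiple of 3, so L(A) = { a^{3j} b^{3j} | j >= 1 }.
SAMPLE = APDA(
    states={"u", "p0", "p1", "p2", "r0", "r1", "r2"},
    lam={"u": "A", "p0": "E", "p1": "E", "p2": "E", "r0": "E", "r1": "E", "r2": "E"},
    p0="u", stack_alphabet={BOT, "x"}, alphabet={"a", "b"},
    delta={("u", BOT, "", "p0", ("id",)), ("u", BOT, "", "r0", ("id",)),
           ("p0", BOT, "a", "p0", ("push", "x")), ("p0", "x", "a", "p0", ("push", "x")),
           ("p0", "x", "b", "p1", ("pop",)), ("p1", "x", "b", "p1", ("pop",)),
           ("p1", BOT, "", "p2", ("id",))}
          | {("r%d" % k, BOT, c, "r%d" % ((k + 1) % 3), ("id",)) for k in range(3) for c in "ab"},
    final={"p2", "r0"},
)


def theorem_3_6_holds(A, w):
    """w is not accepted by A iff the tree generated by M_{A,w} is accepted by B."""
    return (not A.accepts(w)) == B_accepts(tree_of_M(A, w))
```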
The trivial APT $\mathcal{B}$ is given by:
$\mathcal{B} := \langle \{\mathbf{A}, \mathbf{E}, \mathbf{T}, \mathbf{R}\}, \{q_0\}, \delta, q_0, \{q_0 \mapsto 0\} \rangle$
where:
$\delta(q_0, \mathbf{A}) = \bigvee_{i=1}^{N} (i, q_0)$
$\delta(q_0, \mathbf{E}) = \bigwedge_{i=1}^{N} (i, q_0)$
$\delta(q_0, \mathbf{T}) = \mathbf{f}$
$\delta(q_0, \mathbf{R}) = \mathbf{t}$
Intuitively, $\mathcal{B}$ accepts all trees representing a failure computation tree of $\mathcal{A}$. If the automaton in state $q_0$ reads $\mathbf{T}$ (which corresponds to an accepting state of $\mathcal{A}$), it gets stuck. Upon reading $\mathbf{A}$, the automaton non-deterministically chooses one of the subtrees, and checks whether the subtree represents a failure computation of $\mathcal{A}$. On the other hand, upon reading $\mathbf{E}$, the automaton checks that all subtrees represent failure computation trees of $\mathcal{A}$. By the above construction, we have:

Theorem 3.6. Let $w$ be a word, and $\mathcal{A}$ an order-$n$ APDA. Then $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}_{\mathcal{A},w}$ is accepted by $\mathcal{B}$.

Corollary 3.7. The trivial APT acceptance problem for the tree generated by an order-$n$ recursion scheme (i.e. whether the tree generated by a given order-$n$ recursion scheme is accepted by a given trivial APT) is $n$-EXPTIME hard in the size of the recursion scheme.

By modifying the encoding, we can also show that the model checking problem is $n$-EXPTIME-hard in the size of the APT. The idea is to modify $\mathcal{M}_{\mathcal{A},w}$ so that it generates a tree representing computation of $\mathcal{A}$ over not just $w$ but all possible input words, and let a trivial APT check the part of the tree corresponding to the input word $w$. As a result, the trivial APT depends on the input word $w$, but the tree-generating PDA does not. We make the following two assumptions on $\mathcal{A}$ (without loss of generality):
(i) In each state, if $\mathcal{A}$ can perform an $\epsilon$-transition, then $\mathcal{A}$ cannot perform any input transition, i.e. $\{(p', \theta) \mid \exists a \in \Sigma.\ (p, \gamma, a, p', \theta) \in \Delta\} \ne \emptyset$ implies $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} = \emptyset$.
(ii) There is no transition from a final state, i.e. if $p \in F$ then $\{(p', \theta) \mid \exists a \in \Sigma \cup \{\epsilon\}.\ (p, \gamma, a, p', \theta) \in \Delta\} = \emptyset$.

Given an order-$n$ APDA $\mathcal{A}$ and a word $w$, we shall construct $\mathcal{M}'_{\mathcal{A}}$ and $\mathcal{B}_w$, such that $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}'_{\mathcal{A}}$ is accepted by $\mathcal{B}_w$. The difference from the construction of $\mathcal{M}_{\mathcal{A},w}$ and $\mathcal{B}$ above is that $\mathcal{M}'_{\mathcal{A}}$ does not depend on $w$. The idea is to let $\mathcal{M}'_{\mathcal{A}}$ generate a tree representing the computations of $\mathcal{A}$ over all possible inputs. We then let $\mathcal{B}_w$ traverse the part of the tree corresponding to the computation over $w$, and check whether the computation is successful.

We define a tree-generating PDA $\mathcal{M}'_{\mathcal{A}} = \langle \Sigma', \Gamma, Q, \delta, q_0 \rangle$ where:
- $\Sigma' = \{\mathit{Read} \mapsto |\Sigma|, \mathit{Accept} \mapsto 0, \mathit{Epsilon} \mapsto 1, \mathbf{A} \mapsto N, \mathbf{E} \mapsto N, \mathbf{T} \mapsto 0, \mathbf{R} \mapsto 0\}$
- $Q = P \cup (P \times (\Sigma \cup \{\epsilon\})) \cup \{q_\top, q_\bot\} \cup (P \times Op_n)$
- $q_0 = p_0$
- $\delta$ is given by:
$\delta(p, \gamma) = (\mathit{Accept}; \epsilon)$ if $p \in F$
$\delta(p, \gamma) = (\mathit{Epsilon}; ((p, \epsilon), \mathit{id}))$ if $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} \ne \emptyset$
$\delta(p, \gamma) = (\mathit{Read}; ((p, a_1), \mathit{id}), \ldots, ((p, a_n), \mathit{id}))$ if $p \notin F$, $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} = \emptyset$ and $\Sigma = \{a_1, \ldots, a_n\}$
$\delta((p, \alpha), \gamma) = (\mathbf{A}; ((p_1, \theta_1), \ldots, (p_m, \theta_m), q_\top, \ldots, q_\top))$ if $\lambda(p) = \mathbf{A}$ and $\{(p_1, \theta_1), \ldots, (p_m, \theta_m)\} = \{(p', \theta) \mid (p, \gamma, \alpha, p', \theta) \in \Delta\}$
$\delta((p, \alpha), \gamma) = (\mathbf{E}; ((p_1, \theta_1), \ldots, (p_m, \theta_m), q_\bot, \ldots, q_\bot))$ if $\lambda(p) = \mathbf{E}$ and $\{(p_1, \theta_1), \ldots, (p_m, \theta_m)\} = \{(p', \theta) \mid (p, \gamma, \alpha, p', \theta) \in \Delta\}$
$\delta((p, \theta), \gamma) = (p, \theta)$
$\delta(q_\top, \gamma) = (\mathbf{T}; \epsilon)$
$\delta(q_\bot, \gamma) = (\mathbf{R}; \epsilon)$

In a final state of $\mathcal{A}$, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Accept}$, to indicate that $\mathcal{A}$ has reached a final state, and stops simulating $\mathcal{A}$ (as, by assumption (ii) above, there is no outgoing transition).
In a state where $\mathcal{A}$ has $\epsilon$-transitions, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Epsilon}$, and then simulates all the possible $\epsilon$-transitions of $\mathcal{A}$. In a state where $\mathcal{A}$ has input transitions, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Read}$ to indicate that $\mathcal{A}$ makes an input transition, and then simulates the input transition for each possible input symbol. Note that by the assumptions (i) and (ii) above, these three transitions are disjoint. The remaining transition rules are analogous to those of $\mathcal{M}_{\mathcal{A},w}$.

Define the trivial APT $\mathcal{B}_w$ by $\mathcal{B}_w = \langle \Sigma', Q', \delta, q_0, \Omega \rangle$ where:
$Q' = \{q_0, \ldots, q_{|w|}\}$
$\delta(q, \mathit{Epsilon}) = (1, q)$ for every $q \in Q'$
$\delta(q_i, \mathit{Read}) = (j, q_{i+1})$ if $0 \le i \le |w|-1$ and $w_i = a_j$
$\delta(q_{|w|}, \mathit{Read}) = \mathbf{t}$
$\delta(q_i, \mathbf{A}) = (1, q_i) \vee \cdots \vee (N, q_i)$
$\delta(q_i, \mathbf{E}) = (1, q_i) \wedge \cdots \wedge (N, q_i)$
$\delta(q_{|w|}, \mathit{Accept}) = \mathbf{f}$
$\delta(q_i, \mathit{Accept}) = \mathbf{t}$ for every $0 \le i < |w|$
$\delta(q, \mathbf{T}) = \mathbf{f}$ for every $q \in Q'$
$\delta(q, \mathbf{R}) = \mathbf{t}$ for every $q \in Q'$
and $\Omega$ is the trivial priority function.

The trivial APT $\mathcal{B}_w$ traverses the tree generated by $\mathcal{M}'_{\mathcal{A}}$ (which represents transitions of $\mathcal{A}$ for all possible inputs), while keeping track of the position of the input head of $\mathcal{A}$ in its state ($q_i$ means that $\mathcal{A}$ is reading the $i$-th letter of the word $w$). Upon reading $\mathit{Read}$ in state $q_i$, $\mathcal{B}_w$ proceeds to traverse the branch corresponding to the $i$-th letter (i.e. $w_i$). Reading $\mathit{Accept}$ in state $q_{|w|}$ means that $\mathcal{A}$ accepts the word $w$, so that the run of $\mathcal{B}_w$ fails (recall that $\mathcal{B}_w$ accepts the tree just if $\mathcal{A}$ does not accept $w$). Reading $\mathit{Accept}$ in state $q_i$ (with $i < |w|$) on the other hand means that $\mathcal{A}$ does not accept $w$, so that the run of $\mathcal{B}_w$ succeeds. The remaining transition rules are analogous to those of $\mathcal{B}$. By the construction above, $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}'_{\mathcal{A}}$ is accepted by $\mathcal{B}_w$. Since only $\mathcal{B}_w$ depends on the input word $w$, we get:

Theorem 3.8. The trivial APT acceptance problem of trees generated by order-$n$ recursion schemes is $n$-EXPTIME-hard in the size of the APT.

To our knowledge, the lower bound (of the complexity of model-checking recursion schemes) in terms of the size of APT for the entire class of APT is new.

4. Disjunctive APT and Complexity of Model Checking

A disjunctive APT is an APT whose transition function $\delta$ is disjunctive, i.e. $\delta$ maps each state to a positive boolean formula $\theta$ that contains only disjunctions and no conjunctions, as given by the grammar $\theta ::= \mathbf{t} \mid \mathbf{f} \mid (i, q) \mid \theta \vee \theta$. Disjunctive APT can be used to describe path (or linear-time) properties of trees. First we give a logical characterization of disjunctive APT as follows. Call $\mathcal{D}$ the following "disjunctive fragment" of the modal mu-calculus:
$\varphi, \psi ::= \mathbf{t} \mid \mathbf{f} \mid P_f \wedge \varphi \mid Z \mid \varphi \vee \psi \mid \langle i \rangle \varphi \mid \nu Z.\varphi \mid \mu Z.\varphi$
where $f$ ranges over symbols in $\Sigma$, and $i$ over $\{1, \cdots, m\}$ where $m$ is the largest arity of the symbols in $\Sigma$. A proof of the following proposition is given in Appendix A.

Proposition 4.1 (Equi-Expressivity). The logic $\mathcal{D}$ and disjunctive APT are equivalent for defining possibly-infinite ranked trees. I.e. for every closed $\mathcal{D}$-formula, there is a disjunctive APT that defines the same tree language, and vice versa.

Remark 1. For defining languages of ranked trees, disjunctive APT are a proper subset of the disjunctive formulas in the sense of Walukiewicz and Janin [8]. For example, the disjunctive formula $(1 \to \{\mathbf{t}\}) \wedge (2 \to \{\mathbf{t}\})$ is not equivalent to any disjunctive APT.

In the rest of the section, we show that the model checking problem for order-$n$ recursion schemes is $(n-1)$-EXPTIME complete for disjunctive APT.

4.1. Upper Bound.
Since our proof is based on Kobayashi and Ong's type system for recursion schemes [13] and relies heavily on the machinery and techniques developed therein, we shall just sketch a proof here; a detailed proof will be presented in the journal version of [13]. An alternative proof, also sketched but based on variable profiles [15], is given in Appendix B.

Theorem 4.2. Let $G$ be an order-$n$ recursion scheme and $B$ a disjunctive APT. It is decidable in $(n-1)$-EXPTIME whether $B$ accepts the value tree $[\![G]\!]$.

In a recent paper [13], we constructed an intersection type system equivalent to the modal mu-calculus model checking of recursion schemes, in the sense that for every APT, there is a type system such that the tree generated by a recursion scheme is accepted by the APT if, and only if, the recursion scheme is typable in the type system. The model checking problem is thus reduced to a type checking problem. The main idea of the type system is to refine the tree type $o$ by the states and priorities of an APT. The type $q$ describes a tree that is accepted by the APT with $q$ as the start state. The type $(\theta_1, m_1) \wedge (\theta_2, m_2) \to q$, which refines the type $o \to o$, describes a tree function that takes an argument which has types $\theta_1$ and $\theta_2$, and returns a tree of type $q$. The type checking algorithm presented in [13] is $n$-EXPTIME in the combined size of the order-$n$ recursion scheme and the APT (more precisely,⁶ $O(r^{1 + \lfloor m/2 \rfloor} \exp_n((a |Q| m)^{1+\epsilon}))$ for $n \ge 2$, where $r$ is the number of rules, $a$ is the largest arity of the symbols in the scheme, $m$ is the largest priority, and $|Q|$ is the number of states).
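As an added illustration of the counting that the upper-bound argument of this section rests on (example code written here, not part of the paper or of [13]): it computes $|\mathcal{T}(\kappa)|$, the number of atomic intersection types refining a simple type $\kappa$, under the inductive definition used in the proof sketch, once for an arbitrary APT and once with the disjunctive restriction on order-1 types, so that the loss of one exponential level becomes visible on concrete numbers.

```python
# Simple types: O is the tree type o; ('->', k1, k2) is the arrow type k1 -> k2.
O = 'o'


def arrow(*ks):
    """Build k1 -> k2 -> ... -> o (right-associated, result type o)."""
    k = O
    for x in reversed(ks):
        k = ('->', x, k)
    return k


def order(kappa):
    """order(o) = 0, order(k1 -> k2) = max(order(k1) + 1, order(k2))."""
    if kappa == O:
        return 0
    _, k1, k2 = kappa
    return max(order(k1) + 1, order(k2))


def arity(kappa):
    """Number of arguments of a first-order type o -> ... -> o -> o."""
    n = 0
    while kappa != O:
        kappa = kappa[2]
        n += 1
    return n


def count_atomic_types(kappa, n_states, n_priorities, disjunctive=False):
    """|T(kappa)| for the intersection types of Kobayashi and Ong [13].

    General APT:
        T(o)        = Q
        T(k1 -> k2) = { /\S -> theta | theta in T(k2), S subseteq T(k1) x P }
    hence |T(k1 -> k2)| = |T(k2)| * 2 ** (|T(k1)| * |P|).

    disjunctive=True applies the restriction of Section 4.1: an order-1 type
    o -> ... -> o -> o with k arguments only gets the types
    /\S_1 -> ... -> /\S_k -> q with at most one S_i a singleton and the
    others empty, i.e. |Q| * (1 + k*|Q|*|P|) of them (the k|Q||P||Q| figure
    of the text plus the all-empty choice). Types of order >= 2 are built
    over that smaller set by the general clause.
    """
    if kappa == O:
        return n_states
    if disjunctive and order(kappa) == 1:
        return n_states * (1 + arity(kappa) * n_states * n_priorities)
    _, k1, k2 = kappa
    inner = count_atomic_types(k1, n_states, n_priorities, disjunctive)
    outer = count_atomic_types(k2, n_states, n_priorities, disjunctive)
    return outer * 2 ** (inner * n_priorities)


def compare(kappa, n_states, n_priorities):
    """(general count, restricted count) for one type; used by the demo below."""
    return (count_atomic_types(kappa, n_states, n_priorities),
            count_atomic_types(kappa, n_states, n_priorities, disjunctive=True))


if __name__ == '__main__':
    # Constructed parameters: an APT with 2 states and 1 priority (as in a
    # disjunctive APT whose priority function is constant).
    first_order = arrow(O, O)          # o -> o -> o        (order 1, arity 2)
    second_order = arrow(first_order)  # (o -> o -> o) -> o (order 2)
    for kappa in (arrow(O), first_order, second_order):
        gen, res = compare(kappa, 2, 1)
        print('order', order(kappa), 'general', gen, 'restricted', res)
    # With |Q| = 4, |P| = 3 the order-1 gap is already exponential vs polynomial.
    print('o -> o -> o, |Q|=4, |P|=3:', compare(first_order, 4, 3))
```

The restricted count at order 1 is polynomial in $|Q|$ and $|P|$ while the general one is exponential, which is exactly the level of exponentiation saved at every higher order.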
The bottleneck of the algorithm is the number of (atomic) intersection types, where the set $\mathcal{T}(\kappa)$ of atomic types refining a simple type $\kappa$ is inductively defined by:
\[
\begin{array}{l}
\mathcal{T}(o) := Q \\
\mathcal{T}(\kappa_1 \to \kappa_2) := \{ \bigwedge S \to \theta \mid \theta \in \mathcal{T}(\kappa_2),\ S \subseteq \mathcal{T}(\kappa_1) \times P \}
\end{array}
\]
where $Q$ and $P$ are the sets of states and priorities respectively. According to the syntax of atomic types above, the number of atomic types refining a simple type of order $n$ is $n$-exponential in general. In the case of disjunctive APT, however, for each type of the form $o \to \cdots \to o \to o$, we need to consider only atomic types of the form $\bigwedge S_1 \to \cdots \to \bigwedge S_k \to q$, where at most one of the $S_i$'s is a singleton set and the other $S_j$'s are empty. Intuitively, this is because a run-tree of a disjunctive APT consists of a single path, so that the run-tree visits only one of the arguments, at most once. In fact, we can show that, if a recursion scheme is typable in the type system for a disjunctive APT, the recursion scheme is typable in a restricted type system in which order-1 types are constrained as described above: this follows from the proof of completeness of the type system [13], along with the property of the accepting run-tree mentioned above. Thus, the number of atomic types is $k \times |Q| \times |P| \times |Q|$ (whereas it is exponential for an arbitrary APT). Therefore, the number of atomic types possibly assigned to a symbol of order $n$ is $(n-1)$-exponential. By running the same type checking algorithm as ibid. (but with order-1 types constrained as above), order-$n$ recursion schemes can be type-checked (i.e. model-checked) in $(n-1)$-EXPTIME.

⁶ According to Schewe's recent result [17] on the complexity of parity games, the part $r^{1 + \lfloor m/2 \rfloor}$ can be further reduced to roughly $r^{1 + m/3}$.

4.2. Lower Bound.
We show the lower bound by a reduction of the emptiness problem of the finite-word language accepted by an order-$n$ deterministic PDA, which is $(n-1)$-EXPTIME complete [6]. Let $A$ be an order-$n$ deterministic PDA, given by $A = \langle P, p_0, \Gamma, \Sigma, \delta, F \rangle$ where $\delta$ is a partial function from $P \times (\Sigma \cup \{\epsilon\}) \times \Gamma$ to $P \times \mathit{Op}_n$. We shall construct an order-$n$ tree-generating PDA $M_A$, which simulates all possible input and $\epsilon$-transitions of $A$, and outputs $e$ only when $A$ reaches a final state. The order-$n$ PDA $M_A$ is given by:
\[
\begin{array}{l}
M_A = \langle \{ e \mapsto 0 \} \cup \{ br_m \mapsto m \mid 0 \le m \le N \},\ \Gamma,\ P \cup (P \times \mathit{Op}_n),\ \delta',\ p_0 \rangle \\[1ex]
N = \max_{p \in P, \gamma \in \Gamma} |\{ (p', \theta') \mid \exists \alpha \in \Sigma \cup \{\epsilon\}.\ \delta(p, \alpha, \gamma) = (p', \theta') \}| \\[1ex]
\delta'(p, \gamma) = (e; \epsilon) \quad \text{if } p \in F \\[1ex]
\delta'(p, \gamma) = (br_m; (p_1, \theta_1), \ldots, (p_m, \theta_m)) \quad \text{if } p \notin F \text{ and} \\
\qquad \{ (p_1, \theta_1), \ldots, (p_m, \theta_m) \} = \{ (p', \theta') \mid \exists \alpha \in \Sigma \cup \{\epsilon\}.\ \delta(p, \alpha, \gamma) = (p', \theta') \} \\[1ex]
\delta'((p, \theta), \gamma) = (p, \theta)
\end{array}
\]
A state of $M_A$ is either a state of $A$ (i.e. an element of $P$), or a pair $(p, \theta)$. In state $p \in P$, $M_A$ constructs a node labeled by $br_m$, and spawns subtrees for simulating possible input or $\epsilon$-transitions of $A$ from state $p$. By a result of Knapik et al. [10], we can construct an equi-expressive order-$n$ safe recursion scheme $G$. Let $G'$ be the recursion scheme obtained from $G$ by (i) replacing each terminal symbol $br_m$ ($m > 2$) with a non-terminal $Br_m$ of the same arity, and (ii) adding the rule:
\[ Br_m\ x_1 \cdots x_m \to br_2\ x_1\ (br_2\ x_2\ (\cdots (br_2\ x_{m-1}\ x_m))). \]
By the construction, the finite word-language accepted by $A$ is non-empty if, and only if, the value tree of $G'$ has a node labelled $e$. The latter property can be expressed by the following disjunctive APT $B$. (The purpose of transforming $G$ into $G'$ was to make the disjunctive APT independent of $A$.)
\[ B := \langle \{q_0\}, \{e, br_2\}, \delta, q_0, \{ q_0 \mapsto 1 \} \rangle \quad \text{where } \delta(q_0, br_2) = (1, q_0) \vee (2, q_0) \text{ and } \delta(q_0, e) = \mathbf{t}. \]
Thus, we have:

Theorem 4.3. The disjunctive APT acceptance problem for the tree generated by an order-$n$ recursion scheme is $(n-1)$-EXPTIME-hard in the size of the recursion scheme.

The problem is $(n-1)$-EXPTIME hard also in the size of the disjunctive APT. As above, let $A = \langle P, p_0, \Gamma, \Sigma, \delta, F \rangle$ be an order-$n$ deterministic PDA for words. We may assume that the stack alphabet is $\{\gamma_0, \gamma_1\}$ (as we can encode an arbitrary stack symbol as a sequence of $\gamma_0$ and $\gamma_1$). We first define an order-$n$ tree-generating PDA $M$ by:
\[
\begin{array}{l}
M = \langle \{\gamma_0, \gamma_1\}, \{\gamma_0, \gamma_1\}, \{q_0, \theta_1, \ldots, \theta_k\}, q_0, \delta_M \rangle \\
\delta_M(q_0, \gamma_i) = (\gamma_i; \theta_1, \ldots, \theta_k) \\
\delta_M(\theta_i, \gamma_j) = (q_0, \theta_i)
\end{array}
\]
where $\{\theta_1, \ldots, \theta_k\}$ is the set of order-$n$ stack operations. The role of $M$ is to generate a tree simulating all the possible changes of the stack top. Note that $M$ is independent of $A$. Now let us define a disjunctive APT $D_A = \langle P, \{\gamma_0, \gamma_1\}, \delta', p_0, \Omega \rangle$ as follows.
\[
\begin{array}{l}
\delta'(p, \gamma_i) = \begin{cases}
\bigvee \{ (j, p') \mid \exists \alpha.\ \delta(p, \gamma_i, \alpha) = (p', \theta_j) \} & \text{if } p \notin F \\
\mathbf{t} & \text{if } p \in F
\end{cases} \\[2ex]
\Omega(p) = 1
\end{array}
\]
The idea of the above encoding is to let $D_A$ simulate transitions of $A$, while extracting information about the stack top from the tree generated by $M$. Let $G$ be an order-$n$ recursion scheme that generates the same tree as $M$. By the above construction, the language of $A$ is non-empty if, and only if, $D_A$ accepts the tree generated by $G$. Since the size of $G$ does not depend on $A$, and the size of $D_A$ is polynomial in the size of $A$, we have:

Theorem 4.4. The disjunctive APT acceptance problem for trees generated by order-$n$ recursion schemes is $(n-1)$-EXPTIME hard in the size of the APT.

4.3. Path Properties.
Path properties of $\Sigma$-labelled trees are relevant to program verification, as demonstrated in the application to resource usage analysis in Section 5. The path language of a $\Sigma$-labelled tree $t$ is the image of the map $F$, which acts on the elements of the branch language of $t$ by "forgetting the argument positions", i.e.
\[
\begin{array}{lcl}
F : (f_1, d_1)(f_2, d_2) \cdots & \mapsto & f_1 f_2 \cdots \\
\phantom{F :}\ (f_1, d_1) \cdots (f_n, d_n) f_{n+1} & \mapsto & f_1 \cdots f_n f_{n+1}^{\omega}.
\end{array}
\]
For example $\{ f a^\omega, f f a^\omega, f f b^\omega \}$ is the path language of the term-tree $f\ a\ (f\ a\ b)$. Let $G$ be a recursion scheme. We write $W(G)$ for the path language of $[\![G]\!]$. Thus elements of $W(G)$ are infinite words over the alphabet $\Sigma$ which is now considered unranked (i.e. arities of the symbols are forgotten).

Theorem 4.5. Let $G$ be an order-$n$ recursion scheme. The following problems are $(n-1)$-EXPTIME complete.
(i) $W(G) \cap L(C) \stackrel{?}{=} \emptyset$, where $C$ is a non-deterministic parity word automaton.
(ii) $W(G) \stackrel{?}{\subseteq} L(C)$, where $C$ is a deterministic parity word automaton.
Furthermore, the problem (i) is $(n-1)$-EXPTIME hard not only in the size of $G$ but also in the size of $C$.

Proof. (i) Let $C = \langle Q, \Sigma, \Delta, q_I, \Omega \rangle$ be a non-deterministic parity word automaton, where $\Delta \subseteq Q \times \Sigma \times Q$ and $\Omega : Q \to \{0, \cdots, p\}$. Let $m$ be the largest arity of the symbols in $\Sigma$. (Büchi automata are equivalent to parity automata with two priorities.) We have $W(G) \cap L(C) \ne \emptyset$ if, and only if, $[\![G]\!]$ is accepted by the APT $B = \langle Q, \Sigma, \delta, q_I, \Omega \rangle$ where $\delta : Q \times \Sigma \to \mathbb{B}^+(\{1, \cdots, m\} \times Q)$ is a disjunctive transition function
\[ \delta : (q, f) \mapsto \bigvee \{ (i, p) : 1 \le i \le \Sigma(f),\ (q, f, p) \in \Delta \}. \]
It follows from Theorem 4.2 that the problem $W(G) \cap L(C) \stackrel{?}{=} \emptyset$ can be decided in $(n-1)$-EXPTIME. Let $C$ be a parity word automaton that accepts $\Sigma^* e^\omega$, and $G'$ be the recursion scheme in Section 4.2.
Then, $W(G') \cap L(C) \ne \emptyset$ if, and only if, $G'$ has a node labelled $e$. Thus, the problem $W(G) \cap L(C) \stackrel{?}{=} \emptyset$ is $(n-1)$-EXPTIME-hard in the size of $G$. To show the lower bound in the size of $C$, we modify the construction of $M$ and $D_A$ as follows. Let $M'$ be the order-$n$ tree-generating PDA given by:
\[
\begin{array}{ll}
M' := \langle \{\gamma_0, \gamma_1, \theta_1, \ldots, \theta_k\}, \{\gamma_0, \gamma_1\}, \{q_0, q_1, \ldots, q_k, \theta_1, \ldots, \theta_k\}, q_0, \delta \rangle \\
\delta(q_0, \gamma_i) = (\gamma_i; q_1, \ldots, q_k) & \text{for } 0 \le i \le 1 \\
\delta(q_j, \gamma_i) = (\theta_j; \theta_j) & \text{for } 0 \le i \le 1,\ 1 \le j \le k \\
\delta(\theta_j, \gamma_i) = (q_0, \theta_j) & \text{for } 0 \le i \le 1,\ 1 \le j \le k
\end{array}
\]
The difference from $M$ is that $M'$ outputs not only stack top symbols but also stack operations (which were coded as branch information in the case of $M$). Let $C_A$ be the non-deterministic parity word automaton given by:
\[
\begin{array}{ll}
C_A := \langle P \cup (P \times \{0, 1\}), \{\gamma_0, \gamma_1, \theta_1, \ldots, \theta_k\}, \delta', p_0, \Omega \rangle \\
\delta'(p, \gamma_i) = \{ (p, i) \} & \text{if } p \notin F \\
\delta'((p, i), \theta_j) = \{ p' \mid \exists \alpha.\ \delta(p, \gamma_i, \alpha) = (p', \theta_j) \} \\
\delta'(p, \gamma_i) = \{ p \} & \text{if } p \in F \\
\delta'(p, \theta_j) = \{ p \} & \text{if } p \in F \\
\Omega(p) = \begin{cases} 2 & \text{if } p \in F \\ 1 & \text{otherwise} \end{cases}
\end{array}
\]
Let $G$ be a recursion scheme that generates the same tree as $M'$. Then, the language of $A$ is empty if, and only if, $W(G) \cap L(C_A) = \emptyset$. Since $G$ does not depend on $A$, $W(G) \cap L(C) \stackrel{?}{=} \emptyset$ is $(n-1)$-EXPTIME hard also in the size of $C$.

(ii) Let $C$ be a deterministic parity word automaton $C = \langle Q, \Sigma, \delta_C, q_0, \Omega \rangle$, where $\delta_C : Q \times \Sigma \to Q$ and $\Omega : Q \to \{0, \cdots, p\}$. Define $\overline{C} = \langle Q, \Sigma, \delta_C, q_0, \overline{\Omega} \rangle$ where $\overline{\Omega} : q \mapsto \Omega(q) + 1$. Note that because of determinacy, $L(\overline{C}) = \Sigma^\omega \setminus L(C)$. Now we have $W(G) \subseteq L(C)$ if, and only if, $W(G) \cap L(\overline{C}) = \emptyset$. Thus, the problem $W(G) \stackrel{?}{\subseteq} L(C)$ is $(n-1)$-EXPTIME. Moreover, since the language $\Sigma^* e^\omega$ is accepted by a deterministic parity word automaton, the problem is also $(n-1)$-EXPTIME hard (in the size of $G$). □

The decision problems Reachability (i.e.
whether $[\![G]\!]$ has a node labelled by a given symbol $e$) and Finiteness (i.e. whether $[\![G]\!]$ is finite) are instances of Problem (i) of Theorem 4.5; hence they are in $(n-1)$-EXPTIME (the former is $(n-1)$-EXPTIME complete, by the proof of Section 4.2). Consider the problem LTL Model-Checking: "Given an LTL-formula $\varphi$ (generated from atomic propositions of the form $P_f$ with $f \in \Sigma$) and an order-$n$ recursion scheme $G$, does every path in $[\![G]\!]$ satisfy $\varphi$? (Precisely, is $W(G) \subseteq [\![\varphi]\!]$?)" As a corollary of Theorem 4.5, we have:

Corollary 4.6. LTL Model-Checking (i.e. given an order-$n$ recursion scheme $G$ and an LTL-formula $\varphi$, is $W(G) \subseteq [\![\varphi]\!]$?) is $(n-1)$-EXPTIME complete in the size of $G$.

Proof. The upper bound follows from Theorem 4.5(i): note that $W(G) \subseteq [\![\varphi]\!]$ is equivalent to $W(G) \cap [\![\neg\varphi]\!] = \emptyset$, and because $[\![\neg\varphi]\!]$ is $\omega$-regular, it is recognizable [18] by a parity automaton. The lower bound follows from the $(n-1)$-EXPTIME hardness of Reachability: checking whether a recursion scheme satisfies the formula $\mathbf{G}(\neg e)$ is $(n-1)$-EXPTIME hard in the size of the recursion scheme. □

Note however that LTL Model-Checking is $n$-EXPTIME in the size of the LTL-formula $\varphi$, as the size of the corresponding parity word automaton is exponential in $\varphi$ in general [19].

5. Application to Resource Usage Verification

Now we apply the result of the previous section to show that the resource usage verification problem [7] is $(n-1)$-EXPTIME complete. The aim of resource usage verification is to check whether a program accesses each resource according to a given resource specification. For example, consider the following program.

    let rec g x = if rand() then close(x) else (read(x); g(x)) in
    let r = open_in "foo" in g(r)

Here, rand() returns a non-deterministic boolean.
The program first defines a recursive function $g$ that takes a file pointer $x$ as an argument parameter, and closes it after some read operations. The program then opens a read-only file "foo", and passes it to $g$. For this program, the goal of the verification is to statically check that the file is eventually closed before the program terminates, and after it is closed, it is never read from or written to.

Kobayashi [12] recently showed that the resource usage verification problem is decidable for the simply-typed $\lambda$-calculus with recursion, generated from a base type of booleans, and augmented by resource creation/access primitives, by reduction to the model checking problem for recursion schemes. Prior to Kobayashi's work [12], only sound but incomplete verification methods had been proposed. Following [12], we consider below a simply-typed, call-by-name functional language with only top-level function definitions and resource usage primitives.⁷ A program is a triple $(D, S, C)$ where $D$ is a set of function definitions, $S$ is a function name (representing the main function), and $C = (Q_C, \Sigma_C, \delta_C, q_{0,C}, F_C)$ is a deterministic word automaton, which describes how the state of a resource is changed by each access primitive. A function definition is of the form $F\ \tilde{x} = e$, where $e$ is given by:
\[ e ::= \star \mid x \mid F \mid e_1\ e_2 \mid \mathit{If}^*\ e_1\ e_2 \mid \mathit{New}_q\ e \mid \mathit{Acc}_a\ e_1\ e_2 \]
The term $\star$ is the unit value. The term $\mathit{If}^*\ e_1\ e_2$ is a non-deterministic branch between $e_1$ and $e_2$. The term $\mathit{New}_q\ e$ creates a fresh resource, and passes it to $e$ (which is a function that takes a resource as an argument).

⁷ Note that programs in call-by-value languages can be transformed into this language by using the standard CPS transformation and $\lambda$-lifting.
Here, $q$ represents the initial state of a resource; the automaton $C$ specifies how the resource should be accessed afterwards: see the operational semantics given later. The term $\mathit{Acc}_a\ e_1\ e_2$ accesses the resource $e_1$ with the primitive of name $a$ ($\in \Sigma_C$) and then executes $e_2$. Programs must be simply typed; the two base types are $\mathit{unit}$ for unit values and $R$ for resources. The body of each definition must have type $\mathit{unit}$ (in other words, resources cannot be used as return values; this requirement can be enforced by the CPS transformation [16, 5]). The constants $\mathit{If}^*$, $\mathit{New}_q$, and $\mathit{Acc}_a$ are given the following types.
\[ \mathit{If}^* : \mathit{unit} \to \mathit{unit} \to \mathit{unit}, \qquad \mathit{New}_q : (R \to \mathit{unit}) \to \mathit{unit}, \qquad \mathit{Acc}_a : R \to \mathit{unit} \to \mathit{unit} \]

Example 5.1. The program given at the beginning of this section can be expressed as $(D, S, C)$ where
\[
\begin{array}{l}
D = \{ S = \mathit{New}_{q_1} (G\ \star),\ \ G\ k\ x = \mathit{If}^*\ (\mathit{Acc}_c\ x\ k)\ (\mathit{Acc}_r\ x\ (G\ k\ x)) \} \\
C = (\{q_1, q_2\}, \{r, c\}, \delta, q_1, \{q_2\}) \\
\delta(q_1, r) = q_1 \qquad \delta(q_1, c) = q_2
\end{array}
\]
Here, $G$ corresponds to the function $g$ in the original program, and the additional parameter $k$ represents a continuation. The automaton $C$ specifies that the resource should be accessed according to $r^* c$.

We introduce the operational semantics to formally define the resource usage verification problem. A run-time state is either an error state $\mathit{Error}$ or a pair $(\rho, e)$ where $\rho$ is a finite map from variables to $Q_C$, which represents the state of each resource.
The reduction relation $\longrightarrow_{D,C}$ on run-time states is defined by:
\[
\begin{array}{c}
\dfrac{F\ \tilde{x} = e' \in D}{(\rho, F\ \tilde{e}) \longrightarrow_{D,C} (\rho, [\tilde{e}/\tilde{x}]e')} \\[3ex]
(\rho, \mathit{If}^*\ e_1\ e_2) \longrightarrow_{D,C} (\rho, e_1) \qquad (\rho, \mathit{If}^*\ e_1\ e_2) \longrightarrow_{D,C} (\rho, e_2) \\[2ex]
\dfrac{x \notin \mathit{dom}(\rho)}{(\rho, \mathit{New}_q\ e) \longrightarrow_{D,C} (\rho\{x \mapsto q\}, e\ x)} \\[3ex]
\dfrac{\delta_C(q, a) = q'}{(\rho\{x \mapsto q\}, \mathit{Acc}_a\ x\ e) \longrightarrow_{D,C} (\rho\{x \mapsto q'\}, e)} \\[3ex]
\dfrac{\delta_C(q, a) \text{ is undefined}}{(\rho\{x \mapsto q\}, \mathit{Acc}_a\ x\ e) \longrightarrow_{D,C} \mathit{Error}}
\end{array}
\]

Example 5.2. Recall the program in Example 5.1. It can be reduced as follows.
\[
\begin{array}{l}
(\emptyset, S) \longrightarrow_{D,C} (\emptyset, \mathit{New}_{q_1} (G\ \star)) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, G\ \star\ y) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, \mathit{If}^*\ (\mathit{Acc}_c\ y\ \star)\ (\mathit{Acc}_r\ y\ (G\ \star\ y))) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, \mathit{Acc}_r\ y\ (G\ \star\ y)) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, G\ \star\ y) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, \mathit{If}^*\ (\mathit{Acc}_c\ y\ \star)\ (\mathit{Acc}_r\ y\ (G\ \star\ y))) \\
\longrightarrow_{D,C} (\{y \mapsto q_1\}, \mathit{Acc}_c\ y\ \star) \\
\longrightarrow_{D,C} (\{y \mapsto q_2\}, \star)
\end{array}
\]
We can now formally define the resource usage verification problem.

Definition 5.3 (resource usage verification problem). A program $(D, S, C)$ is resource-safe if (i) $(\emptyset, S) \not\longrightarrow^*_{D,C} \mathit{Error}$, and (ii) if $(\emptyset, S) \longrightarrow^*_{D,C} (\rho, \star)$ then $\rho(x) \in F_C$ for every $x \in \mathit{dom}(\rho)$. The resource usage verification is the problem of checking whether a program is resource-safe.

Example 5.4. The program given in Example 5.1 is resource-safe. The program obtained by replacing the body of $G$ (i.e. $\mathit{If}^*\ (\mathit{Acc}_c\ x\ k)\ (\mathit{Acc}_r\ x\ (G\ k\ x))$) with $\mathit{Acc}_r\ x\ (G\ k\ x)$ is also resource-safe; it does not terminate, so that it satisfies condition (ii) of Definition 5.3 vacuously. The program $D'$ obtained by replacing the definition of $G$ with:
\[ G\ k\ x = \mathit{If}^*\ k\ (\mathit{Acc}_r\ x\ (G\ k\ x)) \]
is not resource-safe, as $(\emptyset, S) \longrightarrow^*_{D',C} (\{y \mapsto q_1\}, \star)$ and $q_1 \notin F_C$.

We show below that the resource usage verification is $(n-1)$-EXPTIME complete for $n \ge 3$, where $n$ is the largest order of types of terms in the source program.
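The reduction relation and Definition 5.3, made executable as an added example (this code is written here and is not part of the paper): a small interpreter for the language of this section that enumerates the run-time states reachable from $(\emptyset, S)$ and checks both conditions of resource-safety, run over the three programs of Example 5.4 and over a fourth, constructed here, that reads after closing and so reaches $\mathit{Error}$. The exhaustive search only terminates because these programs have finitely many reachable states; the bound `max_states` is an assumption of the example, not of the paper.

```python
from collections import deque

# Terms of the language of Section 5, encoded as nested tuples:
#   STAR                 the unit value
#   'x', 'G'             a variable or a function name (plain strings)
#   ('app', e1, e2)      application  e1 e2
#   ('If*', e1, e2)      non-deterministic branch
#   ('New', q, e)        New_q e: create a resource in state q and pass it to e
#   ('Acc', a, e1, e2)   Acc_a e1 e2: access resource e1 with primitive a, then e2
STAR = '*'
ERROR = 'Error'


def app(f, *args):
    """Left-nested application f a1 ... an."""
    for a in args:
        f = ('app', f, a)
    return f


def subst(e, env):
    """[e~/x~]e: replace parameters by arguments (the syntax has no binders)."""
    if isinstance(e, str):
        return env.get(e, e)
    tag = e[0]
    if tag in ('app', 'If*'):
        return (tag, subst(e[1], env), subst(e[2], env))
    if tag == 'New':
        return ('New', e[1], subst(e[2], env))
    return ('Acc', e[1], subst(e[2], env), subst(e[3], env))


def spine(e):
    """Split e into its head symbol and its list of arguments."""
    args = []
    while isinstance(e, tuple) and e[0] == 'app':
        args.append(e[2])
        e = e[1]
    return e, args[::-1]


def updated(rho, x, q):
    rho2 = dict(rho)
    rho2[x] = q
    return rho2


def step(defs, delta, rho, e):
    """All one-step successors of the run-time state (rho, e) under -->_{D,C}."""
    if isinstance(e, tuple) and e[0] == 'If*':
        return [(rho, e[1]), (rho, e[2])]
    if isinstance(e, tuple) and e[0] == 'New':
        x = '#r%d' % len(rho)          # fresh name, hence x is not in dom(rho)
        return [(updated(rho, x, e[1]), ('app', e[2], x))]
    if isinstance(e, tuple) and e[0] == 'Acc':
        a, x, cont = e[1], e[2], e[3]  # x is a resource variable in a typed program
        q2 = delta.get((rho[x], a))
        if q2 is None:                 # delta_C(q, a) undefined: illegal access
            return [ERROR]
        return [(updated(rho, x, q2), cont)]
    head, args = spine(e)
    if head in defs and len(args) >= len(defs[head][0]):
        params, body = defs[head]      # unfold F x~ = e' with the call's arguments
        e2 = subst(body, dict(zip(params, args)))
        return [(rho, app(e2, *args[len(params):]))]
    return []                          # STAR or a stuck term: no reduction


def check_resource_safety(defs, main, delta, finals, max_states=10000):
    """Decide Definition 5.3 by exhaustive search of the reachable states.

    Returns (True, None) when the program is resource-safe, else (False, why).
    In general the reachable state space is infinite (which is why the paper
    reduces the problem to model checking); max_states makes the search fail
    loudly instead of looping in that case.
    """
    start = (frozenset(), main)
    seen, queue = {start}, deque([start])
    while queue:
        rho_f, e = queue.popleft()
        rho = dict(rho_f)
        if e == STAR:                  # condition (ii): every resource final?
            bad = [x for x, q in rho.items() if q not in finals]
            if bad:
                return False, 'terminates with %s in state %s' % (bad[0], rho[bad[0]])
            continue
        for succ in step(defs, delta, rho, e):
            if succ is ERROR:          # condition (i): Error is reachable
                return False, 'reaches Error'
            key = (frozenset(succ[0].items()), succ[1])
            if key not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError('state bound hit; state space may be infinite')
                seen.add(key)
                queue.append(key)
    return True, None


# Example 5.1: C accepts r* c, with q1 the open state and q2 the final (closed) one.
C_D = {('q1', 'r'): 'q1', ('q1', 'c'): 'q2'}
C_F = {'q2'}
G_BODY = ('If*', ('Acc', 'c', 'x', 'k'), ('Acc', 'r', 'x', app('G', 'k', 'x')))
D_SAFE = {'S': ([], ('New', 'q1', app('G', STAR))), 'G': (['k', 'x'], G_BODY)}
# Example 5.4: the non-terminating variant (safe) and D' (terminates in q1: unsafe).
D_LOOP = dict(D_SAFE, G=(['k', 'x'], ('Acc', 'r', 'x', app('G', 'k', 'x'))))
D_PRIME = dict(D_SAFE, G=(['k', 'x'], ('If*', 'k', ('Acc', 'r', 'x', app('G', 'k', 'x')))))
# Constructed for this example: a read after the close, so delta_C(q2, r) is undefined.
D_READ_AFTER_CLOSE = dict(D_SAFE, G=(['k', 'x'], ('Acc', 'c', 'x', ('Acc', 'r', 'x', 'k'))))

if __name__ == '__main__':
    for name, defs in [('Example 5.1', D_SAFE), ('non-terminating', D_LOOP),
                       ("D'", D_PRIME), ('read after close', D_READ_AFTER_CLOSE)]:
        print(name, check_resource_safety(defs, 'S', C_D, C_F))
```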
The order of a type is defined by:
\[
\begin{array}{l}
\mathit{order}(\mathit{unit}) = 0 \\
\mathit{order}(R) = 1 \\
\mathit{order}(\kappa_1 \to \kappa_2) = \max(\mathit{order}(\kappa_1) + 1, \mathit{order}(\kappa_2))
\end{array}
\]
Note that 3 is the lowest order of a closed program that creates a resource, since $\mathit{New}_q$ has order 3.

The lower bound can be shown by reduction of the reachability problem for a recursion scheme to the resource usage verification problem: Given a recursion scheme $G = (\Sigma, \mathcal{N}, \mathcal{R}, S)$, let $(D, S, C)$ be the program given by:
\[
\begin{array}{l}
D = \{ F\ \tilde{x} = \mathit{g2p}(t) \mid F\ \tilde{x} \to t \in \mathcal{R} \} \cup \{ \mathit{Fail}\ x = \mathit{Acc}_{\mathit{fail}}\ x\ \star \} \\
\mathit{g2p}(F\ t_1 \cdots t_m) = F\ \mathit{g2p}(t_1) \cdots \mathit{g2p}(t_m) \\
\mathit{g2p}(e) = \mathit{New}_q\ \mathit{Fail} \\
\mathit{g2p}(a\ t_1 \cdots t_m) = \mathit{If}^*\ \mathit{g2p}(t_1)\ (\cdots (\mathit{If}^*\ \mathit{g2p}(t_{m-1})\ \mathit{g2p}(t_m))) \quad (a \ne e) \\
C = (\{q\}, \{\mathit{fail}\}, \emptyset, q, \{q\})
\end{array}
\]
Then, the value tree of $G$ contains $e$ if and only if the program $(D, S, C)$ is not resource-safe. Since resource primitives occur only in the encoding of $e$, the order of the program is the maximum of 3 and the order of the recursion scheme.

To show the upper bound, we transform a program $(D, S, C)$ into a recursion scheme $G_{(D,S,C)}$, which generates a tree representing all possible (resource-wise) access sequences of the program [12], and a disjunctive APT $\mathcal{D}_{(D,S,C)}$, which accepts trees containing an invalid resource access sequence, so that $(D, S, C)$ is resource-safe if, and only if, $\mathcal{D}_{(D,S,C)}$ rejects the value tree of $G_{(D,S,C)}$.
Figure 2: The tree generated by the recursion scheme of Example 5.5

The recursion scheme $G_{(D,S,C)} = (\Sigma, \mathcal{N}, \mathcal{R}, S)$ is given by:
\[
\begin{array}{l}
\Sigma = \{ a \mapsto 1 \mid a \in A \} \cup \{ \nu_q \mapsto 2 \mid q \in Q_C \} \cup \{ \star \mapsto 0,\ i \mapsto 1,\ k \mapsto 1,\ br \mapsto 2 \} \\[1ex]
\mathcal{N} = (\text{the set of function symbols in } D) \cup \{ \mathit{If}^* \mapsto o \to o \to o \} \\
\qquad \cup \{ \mathit{Acc}_a \mapsto (o \to o) \to o \to o \mid a \in A \} \cup \{ \mathit{New}_q \mapsto ((o \to o) \to o) \to o \mid q \in Q_C \} \\[1ex]
\mathcal{R} = \{ F\ \tilde{x} \to e \mid F\ \tilde{x} = e \in D \} \\
\qquad \cup \{ \mathit{If}^*\ x\ y \to br\ x\ y,\ \ \mathit{Acc}_a\ x\ k \to x\ (a\ k),\ \ \mathit{New}_q\ k \to \nu_q\ (k\ i)\ (k\ k) \}
\end{array}
\]
Here, $A$ is the set of the names of access primitives that occur in $D$. The preceding encoding is slightly different from the one presented in [12]. The terminal symbol $br$ represents a non-deterministic choice. In the rule for $\mathit{New}_q$, a fresh resource is instantiated to either $i$ or $k$ of arity 1. This is a trick used to extract resource-wise access sequences, by tracking or ignoring the new resource in a non-deterministic manner. In the first branch, the resource is instantiated to $i$, so that all the accesses to the resource are kept track of. In the second branch, the resource is instantiated to $k$, so that all the accesses to the resource should be ignored. The above transformation preserves types, except that $\mathit{unit}$ and $R$ are replaced by $o$ and $o \to o$ respectively.

Example 5.5. The program in Example 5.1 is transformed into the recursion scheme consisting of the following rules:
\[
\begin{array}{l}
S \to \mathit{New}_{q_1}\ (G\ \star) \\
G\ k\ x \to \mathit{If}^*\ (\mathit{Acc}_c\ x\ k)\ (\mathit{Acc}_r\ x\ (G\ k\ x)) \\
\mathit{If}^*\ x\ y \to br\ x\ y \\
\mathit{Acc}_a\ x\ k \to x\ (a\ k) \\
\mathit{New}_{q_1}\ k \to \nu_{q_1}\ (k\ i)\ (k\ k)
\end{array}
\]
Figure 2 shows the value tree of the recursion scheme. The root node represents creation of a new resource (whose initial state is $q_1$). The nodes labeled by $c$ or $r$ express resource accesses.
The left and right children are the same, except that each resource access is prefixed by $i$ in the left child, while it is prefixed by $k$ in the right child.

Figure 3: The tree generated by the recursion scheme of Example 5.6

Example 5.6. Consider the following program, which creates and accesses two resources:
\[
\begin{array}{l}
S = \mathit{New}_{q_1}\ F \\
F\ x = \mathit{New}_{q_1}\ (G\ \star\ x) \\
G\ k\ x\ y = \mathit{If}^*\ (\mathit{Acc}_c\ x\ (\mathit{Acc}_c\ y\ k))\ (\mathit{Acc}_r\ x\ (\mathit{Acc}_r\ y\ (G\ k\ x\ y)))
\end{array}
\]
It is transformed into the recursion scheme consisting of the following rules:
\[
\begin{array}{l}
S \to \mathit{New}_{q_1}\ F \\
F\ x \to \mathit{New}_{q_1}\ (G\ \star\ x) \\
G\ k\ x\ y \to \mathit{If}^*\ (\mathit{Acc}_c\ x\ (\mathit{Acc}_c\ y\ k))\ (\mathit{Acc}_r\ x\ (\mathit{Acc}_r\ y\ (G\ k\ x\ y))) \\
\mathit{If}^*\ x\ y \to br\ x\ y \\
\mathit{Acc}_a\ x\ k \to x\ (a\ k) \\
\mathit{New}_{q_1}\ k \to \nu_{q_1}\ (k\ i)\ (k\ k)
\end{array}
\]
Figure 3 shows the value tree of the recursion scheme. Of the four subtrees whose roots are labeled by $br$, the leftmost subtree represents accesses to both resources $x$ and $y$; in other words, all the accesses to $x$ and $y$ are prefixed by $i$. In the second subtree, only the accesses to $x$ are prefixed by $i$. In the third subtree, only the accesses to $y$ are prefixed by $i$, while in the rightmost subtree, no accesses are prefixed by $i$.
The disjunctive APT $\mathcal{D}_{(D,S,C)} = (\Sigma, Q, \delta, q_I, \Omega)$, which accepts trees having a path corresponding to an invalid access sequence, is given by:
\[
\begin{array}{l}
Q = Q_C \cup \{ \overline{q} \mid q \in Q_C \} \cup \{ q_I \} \\[1ex]
\delta(q_I, a) = \begin{cases}
(1, q_I) \vee (2, q_I) & \text{if } a = br \\
(1, q) \vee (2, q_I) & \text{if } a = \nu_q \\
\mathbf{f} & \text{if } a = \star \\
(1, q_I) & \text{otherwise}
\end{cases} \\[4ex]
\delta(q, a)\ (\text{where } q \in Q_C) = \begin{cases}
(1, q) \vee (2, q) & \text{if } a = br \\
(1, q) & \text{if } a = i \\
(1, \overline{q}) & \text{if } a = k \\
(2, q) & \text{if } a = \nu_p \text{ for some } p \in Q_C \\
\mathbf{f} & \text{if } a = \star \text{ and } q \in F_C \\
\mathbf{t} & \text{if } a = \star \text{ and } q \notin F_C \\
(1, q') & \text{if } a \in A \text{ and } \delta_C(q, a) = q' \\
\mathbf{t} & \text{if } a \in A \text{ and } \delta_C(q, a) \text{ is undefined}
\end{cases} \\[8ex]
\delta(\overline{q}, a)\ (\text{where } q \in Q_C) = (1, q) \\[1ex]
\Omega(q) = 1 \text{ for every } q \in Q
\end{array}
\]
$\Sigma$ is the same as that of $G_{(D,S,C)}$. The APT reads the root of a tree with state $q_I$, and traverses a tree to find a path corresponding to an invalid resource access sequence. After reading $\nu_q$ in state $q_I$, the APT either (i) chooses the left branch and changes its state to $q$, the initial state of the new resource, tracking accesses to the resource afterwards; or (ii) chooses the right branch, ignoring accesses to the new resource. In the mode to track resource accesses (i.e., in state $q \in Q_C$), the APT changes its state according to resource accesses, except: (i) upon reading $k$, it skips the next symbol, which represents an access to a resource not being tracked, (ii) upon reading $\nu_q$, it only reads the right branch, ignoring the resource created by this $\nu_q$ (as it is already keeping track of another resource), (iii) upon reading $a \in A$ such that $\delta_C(q, a)$ is undefined, or reading $\star$ when $q \notin F_C$, it terminates successfully (as an invalid access sequence has been found), and (iv) upon reading $\star$ at state $q \in F_C$, it aborts (as the path being read was actually a valid access sequence). The priority function maps every state to 1, so that no infinite run (that corresponds to an infinite execution sequence of the program without any invalid resource access) is considered an accepting run.
From the construction above, we have:

Theorem 5.7. $(D, S, C)$ is resource-safe if, and only if, the value tree of $G_{(D,S,C)}$ is not accepted by $\mathcal{D}_{(D,S,C)}$.

The proof is similar to the corresponding theorem in [12], hence omitted.⁸ Note that the order of $G_{(D,S,C)}$ is the same as that of $D$. Thus, as a corollary of the above theorem and Theorem 4.2, we obtain that the resource usage verification is $(n-1)$-EXPTIME.

⁸ As mentioned above, the encoding presented in this article is slightly different from the one in [12], but the proofs are similar: they are tedious but rather straightforward.

6. Related Work

Our analysis of the lower bound is based on Engelfriet's earlier work on the complexity of the iterated pushdown automata word acceptance and emptiness problems, and the results of Knapik et al. on the relationship between higher-order PDA and safe recursion schemes. The model checking of recursion schemes for the class of trivial APT has been studied by Aehlig [1] (under the name "trivial automata"). He gave a model checking algorithm, but did not discuss its complexity. For the same class, Kobayashi [12] showed that the complexity is linear in the size of recursion schemes, if the types and automata are fixed. For the full modal $\mu$-calculus, Kobayashi and Ong [13] have shown that the complexity is $n$-EXPTIME in the largest arity of symbols in the recursion scheme, the number of states of the APT, and the largest priority, but polynomial in the number of the rules of the recursion scheme.
Our encoding of the word acceptance problem of an order-$n$ alternating PDA into the model checking problem of an order-$n$ tree-generating PDA (the construction of $M_{A,w}$ in Section 3) is similar to Cachat and Walukiewicz's encoding of the word acceptance problem into the reachability game on a higher-order pushdown system [3]. In fact, the tree generated by $M_{A,w}$ seems to correspond to the unravelling of the game graph of the higher-order pushdown system (where the nodes labelled by $E$ are Player's positions, and those labelled by $A$ are Opponent's positions). Thus, $n$-EXPTIME-hardness of model checking for trivial APT (in the size of the recursion scheme) would follow also from $n$-EXPTIME hardness of the reachability game on higher-order pushdown systems [3, 4].

7. Conclusion

We have considered two subclasses of APT, and shown that the model checking of an order-$n$ recursion scheme is $n$-EXPTIME complete for trivial APT, and $(n-1)$-EXPTIME complete for disjunctive APT, both in the size of the recursion scheme and in the size of the APT. As an application, we showed that the resource usage verification problem is $(n-1)$-EXPTIME complete. The lower bound for the finiteness problem (recall Section 4.3) is left as an open problem.

Acknowledgments. We would like to thank the anonymous reviewers for useful comments. This work was partially supported by Kakenhi 20240001 and EPSRC EP/F036361.

References

[1] K. Aehlig. A finite semantics of simply-typed lambda terms for infinite runs of automata. Logical Methods in Computer Science, 3(3), 2007.
[2] W. Blum and C.-H. L. Ong. Safe lambda calculus. In Proceedings of the 8th International Conference on Typed Lambda Calculi and Applications (TLCA07), pages 39–53. Springer-Verlag, 2007. LNCS 4583.
[3] T. Cachat and I. Walukiewicz. The complexity of games on higher order pushdown automata. CoRR, abs/0705.0262, 2007.
[4] A. Carayol, M. Hague, A. Meyer, C.-H. L. Ong, and O. Serre. Winning regions of higher-order pushdown games. In LICS, pages 193–204, 2008.
[5] O. Danvy and A. Filinski. Representing control: A study of the CPS transformation. Mathematical Structures in Computer Science, 2(4):361–391, 1992.
[6] J. Engelfriet. Iterated stack automata and complexity classes. Information and Computation, 95(1):21–75, 1991.
[7] A. Igarashi and N. Kobayashi. Resource usage analysis. ACM Transactions on Programming Languages and Systems, 27(2):264–313, 2005.
[8] D. Janin and I. Walukiewicz. Automata for the modal mu-calculus and related results. In Proc. MFCS, pages 552–562, 1995.
[9] M. Jurdziński. Small progress measures for solving parity games. In Proc. STACS, volume 1770 of Lecture Notes in Computer Science, pages 290–301, 2000.
[10] T. Knapik, D. Niwiński, and P. Urzyczyn. Higher-order pushdown trees are easy. In FoSSaCS 2002, volume 2303 of Lecture Notes in Computer Science, pages 205–222. Springer-Verlag, 2002.
[11] T. Knapik, D. Niwiński, and P. Urzyczyn. Higher-order pushdown trees are easy. In FOSSACS'02, pages 205–222. Springer, 2002. LNCS Vol. 2303.
[12] N. Kobayashi. Types and higher-order recursion schemes for verification of higher-order programs. In Proceedings of ACM SIGPLAN/SIGACT Symposium on Principles of Programming Languages, pages 416–428, 2009.
[13] N. Kobayashi and C.-H. L. Ong. A type system equivalent to the modal mu-calculus model checking of higher-order recursion schemes. In Proceedings of LICS 2009, pages 179–188. IEEE Computer Society Press, 2009.
[14] O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching-time model checking. J. ACM, 47(2):312–360, 2000.
[15] C.-H. L. Ong. On model-checking trees generated by higher-order recursion schemes. In LICS 2006, pages 81–90. IEEE Computer Society Press, 2006.
[16] G. D. Plotkin. Call-by-name, call-by-value and the lambda-calculus. Theor. Comput. Sci., 1(2):125–159, 1975.
[17] S. Schewe. Solving parity games in big steps. In Proceedings of FSTTCS 2007, volume 4855 of Lecture Notes in Computer Science, pages 449–460. Springer-Verlag, 2007.
[18] W. Thomas. Languages, automata and logic. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages, volume 3. Springer-Verlag, 1997.
[19] M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115:1–37, 1994.
[20] I. Walukiewicz. Pushdown processes: games and model-checking. Information and Computation, 157:234–263, 2001.

Appendix A. Characterizing trivial APT and disjunctive APT as modal mu-calculus fragments

From Logic to Automata. Consider the following set of modal mu-calculus formulas:
\[ \varphi, \psi ::= \mathbf{t} \mid \mathbf{f} \mid P_f \mid Z \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \langle i \rangle \varphi \mid \nu Z.\varphi \mid \mu Z.\varphi \]
This is a superset of the fragments $\mathcal{S}$ and $\mathcal{D}$ introduced in Sections 3 and 4, respectively. We can apply the translation of Kupferman et al. [14] to a modal mu-calculus formula to get an equivalent alternating parity tree automaton. We just need to modify the definition of $\delta$ ([14, page 339]) by:
\[
\begin{array}{l}
\delta(P_f, g) = \begin{cases} \mathbf{t} & \text{if } g = f \\ \mathbf{f} & \text{if } g \ne f \end{cases} \\[3ex]
\delta(\langle i \rangle \varphi, g) = \begin{cases} \mathit{split}(i, \varphi) & \text{if } 1 \le i \le \Sigma(g) \\ \mathbf{f} & \text{otherwise} \end{cases}
\end{array}
\]
It is easy to see that the translation maps an $\mathcal{S}$-formula to a trivial automaton, and a $\mathcal{D}$-formula to a disjunctive automaton.

From Automata to Logic. Our presentation here follows Walukiewicz [20]. Fix an APT $\mathcal{A} = \langle \Sigma, Q, \delta, q_1, \Omega \rangle$ where $Q = \{ q_1, \cdots, q_n \}$. Suppose the ordering $q_1, \cdots, q_n$ satisfies $\Omega(q_i) \ge \Omega(q_j)$ for every $i < j$.
Consider the following $n$-tuple of modal mu-calculus formulas, call it $\chi_{\mathcal{A}}$, simultaneously defined by least and greatest fixpoints:

\[
\sigma_1 Z_{11} \ldots Z_{1n}.\; \cdots \;.\; \sigma_n Z_{n1} \ldots Z_{nn}.\; (\chi_1, \ldots, \chi_n)
\]

where $\sigma_i := \mu$ if $\Omega(q_i)$ is odd, and $\nu$ otherwise. For each $1 \le i \le n$,

\[
\chi_i := \bigvee_{f \in \Sigma} \big( P_f \wedge \ulcorner \delta(q_i, f) \urcorner \big).
\]

We define $\ulcorner \delta(q_i, f) \urcorner$ by:

\[
\begin{array}{rcl}
\ulcorner (d, q_i) \urcorner & := & \langle d \rangle Z_{ii} \\
\ulcorner \mathbf{t} \urcorner & := & \mathbf{t} \\
\ulcorner \mathbf{f} \urcorner & := & \mathbf{f} \\
\ulcorner \varphi_1 \wedge \varphi_2 \urcorner & := & \ulcorner \varphi_1 \urcorner \wedge \ulcorner \varphi_2 \urcorner \\
\ulcorner \varphi_1 \vee \varphi_2 \urcorner & := & \ulcorner \varphi_1 \urcorner \vee \ulcorner \varphi_2 \urcorner
\end{array}
\]

Write $\pi_i(\chi_{\mathcal{A}})$ for a modal mu-calculus formula (semantically) equivalent to $\chi_{\mathcal{A}}$ projected onto the $i$-th component (which is well-defined by an application of the Bekić Principle). Let $\mathcal{A}$ be an APT and $t$ a $\Sigma$-labelled ranked tree. Walukiewicz [20] has shown that $t$ is accepted by $\mathcal{A}$ if, and only if, it satisfies $\pi_1(\chi_{\mathcal{A}})$ at the root.

Proposition A.1. (i) If $\mathcal{A}$ is a trivial APT, then $\pi_1(\chi_{\mathcal{A}})$ is an S-formula. (ii) If $\mathcal{A}$ is a disjunctive APT, then $\pi_1(\chi_{\mathcal{A}})$ is a D-formula.

Proof. (i): If $\mathcal{A}$ has only one priority 0, then it follows from the definition that $\chi_{\mathcal{A}}$ is constructed using only the $\nu$-fixpoint operator. (ii): Since $\delta(q_i, f)$ is a disjunctive formula, it follows that every conjunction subformula of $\chi_{\mathcal{A}}$ is of the form $P_f \wedge \varphi$.

Appendix B. Alternative Proof of the $(n-1)$-EXPTIME Upper Bound for Disjunctive APT

We sketch an alternative proof of Lemma 4.2, using Ong's variable profiles [15]. In order to appreciate the proof sketched below, some knowledge of the workings of a traversal-simulating APT is required. In particular it is necessary to know about variable profiles and how they are employed.

Since $\mathcal{B}$ is disjunctive, it has an accepting run-tree on $[\![ \mathcal{G} ]\!]$ just in case it has an accepting run-tree that does not branch (i.e. each node of the run-tree has at most one child).
It follows that $\mathcal{B}$ has an accepting traversal tree if and only if it has an accepting traversal tree that does not branch. The key observation is that the traversal-simulating APT $\mathcal{C}$ thus need only 'guess' one exit point when it reaches a node labelled by a variable of order one, even if its type has arity greater than one. It follows that we can simplify the definition of variable profiles. A profile of a ground-type variable has the shape $(x, q, m, \emptyset)$ where $q$ is a state and $m$ a colour, which is the same as in the general case. However, a profile of a variable $\varphi$ of a first-order type $\underbrace{o \to \cdots \to o}_{k} \to o$ now has the shape $(\varphi, q, m, c)$ where $c$ is either empty or a singleton set consisting of a profile of a ground-type variable, as opposed to a set of such profiles. The profiles of variables of order two or higher are defined as in the general case. Thus the number of variable profiles of a given order (at least one) is reduced by one level of exponentiation compared to the general case. Now viewing $VP(A)$ as denoting the set of variable profiles of type $A$ (of order at least one) restricted to containing either empty or singleton interfaces:

\[
\sum_{A \text{ order-}i \text{ type}} |VP(A)| = O\big(\exp_{i-1}(|Gr_{\mathcal{G}}| \times |Q| \times p)\big)
\]

where $Q$ is the state space of $\mathcal{B}$, $p$ is the number of priorities, and $Gr_{\mathcal{G}}$ is the (finite) graph that unravels to the computation tree $\lambda(\mathcal{G})$. The number of nodes in the parity game induced by the traversal-simulating APT $\mathcal{C}$ and the computation tree $\lambda(\mathcal{G})$ will thus also have bound $O(\exp_{n-1}(|Gr_{\mathcal{G}}| \times |Q| \times p))$, and using Jurdziński's algorithm [9] we have that the acceptance parity game can be solved in time $O(\exp_{n-1}(|Gr_{\mathcal{G}}| \times |Q| \times p))$. The problem thus lies in $(n-1)$-EXPTIME.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or Eisenacher Strasse 2, 10777 Berlin, Germany
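The "From Automata to Logic" construction of Appendix A, together with the two syntactic observations used in the proof of Proposition A.1, carried out in executable form. This is an added example, not code from the paper or its authors. It assumes a single fixpoint variable `Z_q` per state in place of the paper's `Z_ij` family (a simplification marked in the code), reads "disjunctive" as "no conjunction occurs in any transition condition" (which is what the proof of (ii) relies on), and uses two constructed sample automata, `NO_B` and `SOME_B`, over a three-symbol ranked alphabet.

```python
# Added example (not from the paper): the automata-to-logic encoding of
# Appendix A and the checks behind Proposition A.1.
#
# Transition condition delta(q, f), a positive Boolean formula over Dir x Q:
#   ('t',) | ('f',) | ('move', d, q) | ('and', c1, c2) | ('or', c1, c2)
# Modal mu-calculus formula (grammar of Appendix A, binders kept separately):
#   ('t',) | ('f',) | ('P', f) | ('var', Z) | ('and', a, b) | ('or', a, b)
#   | ('mod', i, a)

class APT:
    """A = (Sigma, Q, delta, q1, Omega).  Sigma maps a symbol to its arity;
    states are listed as q1, ..., qn with Omega(q_i) >= Omega(q_j) for i < j,
    the ordering Appendix A requires (checked here)."""
    def __init__(self, sigma, states, delta, omega):
        self.sigma, self.states, self.delta, self.omega = sigma, states, delta, omega
        prios = [omega[q] for q in states]
        if any(prios[i] < prios[j] for i in range(len(prios))
               for j in range(i + 1, len(prios))):
            raise ValueError("states must be ordered by non-increasing priority")

def encode(cond, var_of):
    """The corner-bracket encoding of Appendix A: (d, q) becomes <d> Z_q;
    t, f and the Boolean connectives are kept.  Assumption: one variable
    per state ('Z_' + state name) instead of the paper's Z_ij family."""
    tag = cond[0]
    if tag in ('t', 'f'):
        return cond
    if tag == 'move':
        _, d, q = cond
        return ('mod', d, ('var', var_of[q]))
    if tag in ('and', 'or'):
        return (tag, encode(cond[1], var_of), encode(cond[2], var_of))
    raise ValueError(f"bad transition condition: {cond!r}")

def chi(apt):
    """chi_A as a list of (sigma_i, Z_i, chi_i), one component per state:
    chi_i = OR over f in Sigma of (P_f /\ [delta(q_i, f)]),
    sigma_i = mu if Omega(q_i) is odd, nu otherwise."""
    var_of = {q: 'Z_' + q for q in apt.states}
    comps = []
    for q in apt.states:
        disjuncts = [('and', ('P', f), encode(apt.delta[(q, f)], var_of))
                     for f in apt.sigma]
        body = disjuncts[0]
        for dj in disjuncts[1:]:
            body = ('or', body, dj)
        comps.append(('mu' if apt.omega[q] % 2 else 'nu', var_of[q], body))
    return comps

def is_trivial(apt):
    """Trivial APT in the sense of the proof of (i): the only priority is 0."""
    return set(apt.omega.values()) == {0}

def is_disjunctive(apt):
    """Disjunctive APT: no transition condition contains a conjunction."""
    def conj_free(c):
        if c[0] == 'and':
            return False
        return c[0] != 'or' or (conj_free(c[1]) and conj_free(c[2]))
    return all(conj_free(c) for c in apt.delta.values())

def only_nu(comps):
    """Observation (i): every binder of chi_A is a nu-fixpoint."""
    return all(sigma == 'nu' for sigma, _, _ in comps)

def conjunctions_guarded(formula):
    """Observation (ii): every conjunction subformula has the shape P_f /\ phi."""
    tag = formula[0]
    if tag == 'and':
        return formula[1][0] == 'P' and conjunctions_guarded(formula[2])
    if tag == 'or':
        return conjunctions_guarded(formula[1]) and conjunctions_guarded(formula[2])
    if tag == 'mod':
        return conjunctions_guarded(formula[2])
    return True

# Constructed sample automata over Sigma = {a/2, b/1, e/0}.
# NO_B: single priority 0 (trivial); accepts exactly the trees with no b-node.
NO_B = APT(sigma={'a': 2, 'b': 1, 'e': 0}, states=['q'],
           delta={('q', 'a'): ('and', ('move', 1, 'q'), ('move', 2, 'q')),
                  ('q', 'b'): ('f',), ('q', 'e'): ('t',)},
           omega={'q': 0})
# SOME_B: disjunctive; accepts exactly the trees containing a b-node.
# q0 (priority 1) searches, q1 (priority 0) accepts everything below a b.
SOME_B = APT(sigma={'a': 2, 'b': 1, 'e': 0}, states=['q0', 'q1'],
             delta={('q0', 'a'): ('or', ('move', 1, 'q0'), ('move', 2, 'q0')),
                    ('q0', 'b'): ('move', 1, 'q1'), ('q0', 'e'): ('f',),
                    ('q1', 'a'): ('t',), ('q1', 'b'): ('t',), ('q1', 'e'): ('t',)},
             omega={'q0': 1, 'q1': 0})

if __name__ == '__main__':
    for name, a in (('NO_B', NO_B), ('SOME_B', SOME_B)):
        cs = chi(a)
        print(name, 'trivial:', is_trivial(a), 'only nu:', only_nu(cs),
              'disjunctive:', is_disjunctive(a), 'conjunctions guarded:',
              all(conjunctions_guarded(c[2]) for c in cs))
```

Running it shows the two halves of Proposition A.1 on the samples: `NO_B` is trivial and its $\chi$ uses only $\nu$, but it is not disjunctive and its $\chi$ contains the conjunction $\langle 1 \rangle Z \wedge \langle 2 \rangle Z$ that is not of the form $P_f \wedge \varphi$; `SOME_B` is disjunctive, its first component is bound by $\mu$, and every conjunction in its $\chi$ is guarded by a $P_f$.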