Domains for Higher-Order Games
Matthew Hague, Roland Meyer, Sebastian Muskalla

TL;DR
This paper introduces a novel finite domain for analyzing two-player inclusion games over higher-order recursion schemes, enabling an optimal algorithm for program synthesis verification.
Contribution
It develops a new domain based on Boolean formulas and automaton states, providing a direct fixed-point algorithm for two-player inclusion games with proven optimal complexity.
Findings
Finite domain representation of winning regions.
Algorithm with (k+1)EXP complexity for order-k schemes.
Matching lower bound proving optimality.
Abstract
We study two-player inclusion games played over word-generating higher-order recursion schemes. While inclusion checks are known to capture verification problems, two-player games generalize this relationship to program synthesis. In such games, non-terminals of the grammar are controlled by opposing players. The goal of the existential player is to avoid producing a word that lies outside of a regular language of safe words. We contribute a new domain that provides a representation of the winning region of such games. Our domain is based on (functions over) potentially infinite Boolean formulas with words as atomic propositions. We develop an abstract interpretation framework that we instantiate to abstract this domain into a domain where the propositions are replaced by states of a finite automaton. This second domain is therefore finite and we obtain, via standard fixed-point…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\Copyright
Matthew Hague, Roland Meyer, and Sebastian Muskalla
\EventEditorsKim G. Larsen, Hans L. Bodlaender, and Jean-Francois Raskin \EventNoEds3 \EventLongTitle42nd International Symposium on Mathematical Foundations of Computer Science (MFCS 2017) \EventShortTitleMFCS 2017 \EventAcronymMFCS \EventYear2017 \EventDateAugust 21–25, 2017 \EventLocationAalborg, Denmark \EventLogo \SeriesVolume83 \ArticleNo59
Domains for Higher-Order Games
Matthew Hague
Royal Holloway University of London, United Kingdom
Roland Meyer111A part of the work was carried out when the author was at Aalto University.
TU Braunschweig, Germany
{roland.meyer, s.muskalla}@tu-braunschweig.de
Sebastian Muskalla
TU Braunschweig, Germany
{roland.meyer, s.muskalla}@tu-braunschweig.de
Abstract.
We study two-player inclusion games played over word-generating higher-order recursion schemes. While inclusion checks are known to capture verification problems, two-player games generalize this relationship to program synthesis. In such games, non-terminals of the grammar are controlled by opposing players. The goal of the existential player is to avoid producing a word that lies outside of a regular language of safe words.
We contribute a new domain that provides a representation of the winning region of such games. Our domain is based on (functions over) potentially infinite Boolean formulas with words as atomic propositions. We develop an abstract interpretation framework that we instantiate to abstract this domain into a domain where the propositions are replaced by states of a finite automaton. This second domain is therefore finite and we obtain, via standard fixed-point techniques, a direct algorithm for the analysis of two-player inclusion games. We show, via a second instantiation of the framework, that our finite domain can be optimized, leading to a algorithm for order- recursion schemes. We give a matching lower bound, showing that our approach is optimal. Since our approach is based on standard Kleene iteration, existing techniques and tools for fixed-point computations can be applied.
Key words and phrases:
Higher-order recursion schemes, games, semantics, abstract interpretation, fixed points.
1991 Mathematics Subject Classification:
F.1.1 Models of Computation
1. Introduction
Inclusion checking has recently received considerable attention [54, 23, 1, 2, 36]. One of the reasons is a new verification loop, which invokes inclusion as a subroutine in an iterative fashion. The loop has been proposed by Podelski et al. for the safety verification of recursive programs [32], and then been generalized to parallel and parameterized programs [42, 21, 19] and to liveness [20]. The idea of Podelski’s loop is to iteratively approximate unsound data flow in the program of interest, and add the approximations to the specification. Consider a program with control-flow language that is supposed to satisfy a safety specification given by a regular language . If the check succeeds, then the program is correct as the data flow only restricts the set of computations. If a computation is found that lies outside , then it depends on the data flow whether the program is correct. If data is handled correctly, is a counterexample to . Otherwise, is generalized to a regular language of infeasible computations. We set and repeat the procedure.
Podelski’s loop has also been generalized to synthesis [35, 44]. In that setting, the program is assumed to have two kinds of non-determinism. Some of the non-deterministic transitions are understood to be controlled by the environment. They provide inputs that the system has to react to, and are also referred to as demonic non-determinism. In contrast, the so-called angelic non-determinism are the alternatives of the system to react to an input. The synthesis problem is to devise a controller that resolves the angelic non-determinism in a way that a given safety specification is met. Technically, the synthesis problem corresponds to a two-player perfect information game, and the controller implements a winning strategy for the system player. When generalizing Podelski’s loop to the synthesis problem, the inclusion check thus amounts to solving a strategy-synthesis problem.
Our motivation is to synthesize functional programs with Podelski’s loop. We assume the program to be given as a non-deterministic higher-order recursion scheme where the non-terminals are assigned to two players. One player is the system player who tries to enforce the derivation of words that belong to a given regular language. The other player is the environment, trying to derive a word outside the language. The use of the corresponding strategy-synthesis algorithm in Podelski’s loop comes with three characteristics: (1) The algorithm is invoked iteratively, (2) the program is large and the specification is small, and (3) the specification is non-deterministic. The first point means that the strategy synthesis should not rely on costly precomputation. Moreover, it should have the chance to terminate early. The second says that the cost of the computation should depend on the size of the specification, not on the size of the program. Computations on the program, in particular iterative ones, should be avoided. Together with the third characteristic, these two consequences rule out reductions to reachability games. The required determinization would mean a costly precomputation, and the reduction to reachability would mean a product with the program. This discussion in particular forbids a reduction of the strategy-synthesis problem to higher-order model checking [46], which indeed can be achieved (see Appendix A for a comparison to intersection types [41]). Instead, we need a strategy synthesis that can directly deal with non-deterministic specifications.
We show that the winning region of a higher-order inclusion game wrt. a non-deterministic right-hand side can be computed with a standard fixed-point iteration. Our contribution is a domain suitable for this computation. The key idea is to use Boolean formulas whose atomic propositions are the states of the targeted finite automaton. While a formula-based domain has recently been proposed for context-free inclusion games [35] (and generalized to infinite words [44]), the generalization to higher-order is new. Consider a non-terminal that is ground and for which we have computed a formula. The Boolean structure reflects the alternation among the players in the plays that start from this non-terminal. The words generated along the plays are abstracted to sets of states from which these words can be accepted. Determining the winner of the game is done by evaluating the formula when sets of states containing the initial state are assigned the value true. To our surprise, the above domain did not give the optimal complexity. Instead, it was possible to further optimize it by resolving the determinization information. Intuitively, the existential player can also resolve the non-determinism captured by a set. Crucially, our approach handles the non-determinism of the specification inside the analysis, without preprocessing.
Besides offering the characteristics that are needed for Podelski’s loop, our development also contributes to the research program of effective denotational semantics, as recently proposed by Salvati and Walukiewicz [52] as well as Grellois and Melliès [25, 25], with [5, 49] being early works in this field. The idea is to solve verification problems by computing the semantics of a program in a suitable domain. Salvati and Walukiewicz studied the expressiveness of greatest fixed-point semantics and their correspondence to automata [52], and constructions of enriched Scott models for parity conditions [51, 50]. A similar line of investigation has been followed in recent work by Grellois and Melliès [26, 27]. Hofmann and Chen considered the verification of more restricted -path properties with a focus on the domain [33]. They show that explicit automata constructions can be avoided and give a domain that directly captures subsets (so-called patches) of the -language. The work has been generalized to higher order [34]. Our contribution is related in that we focus on the domain (suitable for capturing plays).
Besides the domain, the correctness proof may be of interest. We employ an exact fixed-point transfer result as known from abstract interpretation. First, we give a semantic characterization showing that the winning region can be captured by an infinite model (a greatest fixed point). This domain has as elements (potentially infinite) sets of (finite) Boolean formulas. The formulas capture plays (up to a certain depth) and the atomic propositions are terminal words. The infinite set structure is to avoid infinite syntax. Then we employ the exact fixed-point transfer result to replace the terminals by states and get rid of the sets. The final step is another exact fixed-point transfer that justifies the optimization. We give a matching lower bound. The problem is -complete for order- schemes.
Related Work.
The relationship between recursion schemes and extensions of pushdown automata has been well studied [16, 17, 37, 29]. This means algorithms for recursion schemes can be transferred to extensions of pushdown automata and vice versa. In the sequel, we will use pushdown automata to refer to pushdown automata and their family of extensions.
The decidability of Monadic Second Order Logic (MSO) over trees generated by recursion schemes was first settled in the restricted case of safe schemes by Knapik et al. [37] and independently by Caucal [14]. This result was generalized to all schemes by Ong [46]. Both of these results consider deterministic schemes only.
Related results have also been obtained in the consideration of games played over the configuration graphs of pushdown automata [53, 13, 38, 29]. Of particular interest are saturation methods for pushdown games [7, 22, 12, 8, 30, 31, 9]. In these works, automata representing sets of winning configurations are constructed using fixed-point computations.
A related approach pioneered by Kobayashi et al. operating directly on schemes is that of intersection types [40, 41], where types embedding a property automaton are assigned to terms of a scheme. Recently, saturation techniques were transferred to intersection types by Broadbent and Kobayashi [10]. The typing algorithm is then a least fixed-point computation analogous to an optimized version of our Kleene iteration, restricted to deterministic schemes. This has led to one of the most competitive model-checking tools for schemes [39].
One may reduce our language inclusion problems to many of the above works. E.g. from an inclusion game for schemes, we may build a game over an equivalent kind of pushdown automaton and take the product with a determinization of the NFA. This obtains a reachability game over a pushdown automaton that can be solved by any of the above methods. However, such constructions are undesirable for iterative invocations as in Podelski’s loop.
We already discussed the relationship to model-theoretic verification algorithms. Abstract interpretation has also been used by Ramsay [48], Salvati and Walukiewicz [51, 50], and Grellois and Melliès [25, 24] for verification. The former used a Galois connection between safety properties (concrete) and equivalence classes of intersection types (abstract) to recreate decidability results known in the literature. The latter two strands gives a semantics capable of computing properties expressed in MSO. Indeed, abstract interpretation has long been used for static analysis of higher-order programs [4].
Acknowledgments.
This work was supported by the Engineering and Physical Sciences Research Council [EP/K009907/1]. The work instigated while some of the authors were visiting the Institute for Mathematical Sciences, National University of Singapore in 2016. The visit was partially supported by the Institute.
2. Preliminaries
Complete Partial Orders.
Let be a partial order with set and (partial) ordering on . We call pointed if there is a greatest element, called the top element and denoted by . A descending chain in is a sequence of elements in with . We call -complete if every descending chain has a greatest lower bound, called the meet or the infimum, and denoted by . If is pointed and -complete, we call it a pointed -complete partial order (cppo). In the following, we will only consider partial orders that are cppos. Note, cppo is usually used to refer to the dual concept, i.e. partial orders with a least element and least upper bounds for ascending chains.
A function is -continuous if for all descending chains we have . We call a function monotonic if for all , implies . Any function that is -continuous is also monotonic. For a monotonic function, is a descending chain.
If the function is -continuous, then is by Kleene’s theorem the greatest fixed point of , i.e. and is larger than any other element with . We also say is the greatest solution to the equation .
A lattice satisfies the descending chain condition (DCC) if every descending chain has to be stationary at some point. In this case for some index in . With this, we can compute the greatest fixed point: Starting with , we iteratively apply until the result does not change. This process is called Kleene iteration. Note that finite cppos, i.e. with finitely many elements in , trivially satisfy the descending chain condition.
Finite Automata.
A non-deterministic finite automaton (NFA) is a tuple where is a finite set of states, is a finite alphabet, is a (non-deterministic) transition relation, is the initial state, and is a set of final states. We write to denote . Moreover, given a word , we write whenever there is a sequence of transitions, also called run, with and . The run is accepting if and . The language of is \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)=\mathopen{}\mathclose{{}\left\{w\ \middle|\ q_{0}\xrightarrow{w}{\to}q\in Q_{f}}\right\}\ .
3. Higher-Order Recursion Schemes
We introduce higher-order recursion schemes, schemes for short, following the presentation in [28]. Schemes can be understood as grammars generating the computation trees of programs in a functional language. As is common in functional languages, we need a typing discipline. To avoid confusion with type-based approaches to higher-order model checking [40, 47, 41], we refer to types as kinds. Kinds define the functionality of terms, without specifying the data domain. Technically, the only data domain is the ground kind , from which (potentially higher-order) function kinds are derived by composition:
[TABLE]
We usually omit the brackets and assume that the arrow associates to the right. The number of arguments to a kind is called the arity. The order defines the functionality of the arguments: A first-order kind defines functions that act on values, a second-order kind functions that expect functions as parameters. Formally, we have
[TABLE]
Let be the set of all kinds. Higher-order recursion schemes assign kinds to symbols from different alphabets, namely non-terminals, terminals, and variables. Let be a set of such kinded symbols. For each kind , we denote by the restriction of to the symbols with kind . The terms of kind over are defined by simultaneous induction over all kinds. They form the smallest set satisfying
- (1)
, 2. (2)
\bigcup_{\kappa_{1}}\mathopen{}\mathclose{{}\left\{t\ v\ \middle|\ t\in\mathcal{T}^{\kappa_{1}\to\kappa_{2}}(\Gamma),v\in\mathcal{T}^{\kappa_{1}}(\Gamma)}\right\}\subseteq\mathcal{T}^{\kappa_{2}}(\Gamma), and 3. (3)
\mathopen{}\mathclose{{}\left\{\lambda x.t\ \middle|\ x\in\mathcal{T}^{\kappa_{1}}(\Gamma),t\in\mathcal{T}^{\kappa_{2}}(\Gamma)}\right\}\subseteq\mathcal{T}^{\kappa_{1}\to\kappa_{2}}(\Gamma).
If term is of kind , we also write . We use for the set of all terms over . We say a term is -free if it contains no sub-term of the form . A term is variable-closed if all occurring variables are bound by a preceding -expression.
Definition 3.1**.**
A higher-order recursion scheme, (scheme for short), is a tuple , where is a finite set of kinded symbols called variables, is a finite set of kinded symbols called terminals, and is a finite set of kinded symbols called non-terminals with the initial symbol. The sets , , and are pairwise disjoint. The finite set consists of rewriting rules of the form , where is a non-terminal of kind , are variables of the required kinds, and is a -free, variable-closed term of ground kind from \mathcal{T}^{o}(T\mathop{\mathaccent 0{\cdot}\cup}N\mathop{\mathaccent 0{\cdot}\cup}\mathopen{}\mathclose{{}\left\{x_{1}\colon\kappa_{1},\ldots,x_{n}\colon\kappa_{n}}\right\}).
The semantics of is defined by rewriting subterms according to the rules in . A context is a term C[\bullet]\in\mathcal{T}(\Gamma\mathop{\mathaccent 0{\cdot}\cup}\mathopen{}\mathclose{{}\left\{\bullet\colon o}\right\}) in which occurs exactly once. Given a context and a term , we obtain by replacing the unique occurrence of in by . With this, if there is a context , a rule , and a term such that and t^{\prime}=C\mathopen{}\mathclose{{}\left[e[x_{1}\mapsto t_{1},\ldots,x_{n}\mapsto t_{n}]}\right]. In other words, we replace one occurrence of in by a right-hand side of a rewriting rule, while properly instantiating the variables. We call such a replaceable a reducible expression (redex). The rewriting step is outermost to innermost (OI) if there is no redex that contains the rewritten one as a proper subterm. The OI-language \mathcal{L}\mathopen{}\mathclose{{}\left(G}\right) of is the set of all (finite, ranked, labeled) trees over the terminal symbols that can be created from the initial symbol via OI-rewriting steps. We will restrict the rewriting relation to OI-rewritings in the rest of this paper. Note, all words derivable by IO-rewriting are also derivable with OI-rewriting.
Word-Generating Schemes.
We consider word-generating schemes, i.e. schemes with terminals T\mathop{\mathaccent 0{\cdot}\cup}\mathopen{}\mathclose{{}\left\{\:o}\right}$oo\to oa_{1}\ (a_{2}\ (\cdots\ (a_{k}\ $)))a_{1}a_{2}\ldots a_{k}\in T^{*}\mathcal{L}\mathopen{}\mathclose{{}\left(G}\right)$ as a language of finite words.
Determinism.
The above schemes are non-deterministic in that several rules may rewrite a non-terminal. We associate with a non-deterministic scheme a deterministic scheme with exactly one rule per non-terminal. Intuitively, makes the non-determinism explicit with new terminal symbols.
Formally, let be a non-terminal with rules to . We may assume each , where is -free. We introduce a new terminal symbol of arity . Let the set of all these terminals be T^{\mathit{det}}=\mathopen{}\mathclose{{}\left\{\mathit{op}_{F}\ \middle|\ F\in N}\right\}. The set of rules now consists of a single rule for each non-terminal, namely . The original rules in are removed. This yields . The advantage of resolving the non-determinism explicitly is that we can give a semantics to non-deterministic choices that depends on the non-terminal instead of having to treat non-determinism uniformly.
Semantics.
Let be a deterministic scheme. A model of is a pair , where is a family of domains that satisfies the following: is a cppo and . Here, is the set of all -continuous functions from domain to . We comment on this cppo in a moment. The interpretation assigns to each terminal an element .
The ordering on functions is defined component-wise, if for all . For each , we denote the top element of by . For the ground kind, exists since is a cppo, and is the function that maps every argument to . The meet of a descending chain of functions is the function defined by . Note that the sequence on the right-hand side is a descending chain.
The semantics of terms defined by a model is a function
[TABLE]
that assigns to each term built over the non-terminals and terminals again a function. This function expects a valuation and returns an element from the domain. A valuation is a partial function that is defined on all non-terminals and the free variables. We lift to descending chains of valuations with for . We obtain that the set of such valuations is a cppo where the greatest elements are those valuations which assign the greatest elements of the appropriate domain to all arguments.
Since the right-hand sides of the rules in the scheme are variable-closed, we do not need a variable valuation for them. We need the variable valuation, however, whenever we proceed by induction on the structure of terms. The semantics is defined by such an induction:
[TABLE]
We show that \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket is -continuous for all terms . This follows from continuity of the functions in the domain, but requires some care when handling application.
Proposition 3.2**.**
For all , \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket is -continuous (in ) over the respective lattice.
Given , the rules of the (deterministic) scheme give a function
[TABLE]
Since the right-hand sides are variable-closed, the \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{j}}\right\rrbracket are functions in the non-terminals. Provided \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket to \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{k}}\right\rrbracket are -continuous (in the valuation of the non-terminals), the function will be -continuous. This allows us to apply Kleene iteration as follows. The initial value is the greatest element where with the top element of . The approximant is computed by evaluating the right-hand side at the solution, . The greatest fixed point is the tuple defined below. It can be understood as the greatest solution to the equation . We call this greatest solution the semantics of the scheme in the model.
[TABLE]
4. Higher-Order Inclusion Games
Our goal is to solve higher-order games, whose arena is defined by a scheme. We assume that the derivation process is controlled by two players. To this end, we divide the non-terminals of a word-generating scheme into those owned by the existential player and those owned by the universal player . Whenever a non-terminal is to be replaced during the derivation, it is the owner who chooses which rule to apply. The winning condition is given by an automaton , Player attempts to produce a word that is in \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right), while Player attempts to produce a word outside of \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right).
Definition 4.1**.**
A higher-order game is a triple where is a word-generating scheme, is an NFA, is a partitioning of the non-terminals of .
A play of the game is a sequence of OI-rewriting steps. Since terms generate words, it is unambiguous which term forms the next redex to be rewritten. In particular, all terms are of the form , where is either \$$ or a redex F\ t_{1}\ \cdots\ t_{m}O(F)=\Diamond\DiamondF=\lambda x_{1}\ldots\lambda x_{m}.e\Boxa_{1}\ (a_{2}\ (\cdots\ (a_{k}\ e[x_{1}\mapsto t_{1},\ldots,x_{m}\mapsto t_{m}])))$.
Each play begins at the initial non-terminal , and continues either ad infinitum or until a term a_{1}\ (a_{2}\ (\cdots\ (a_{k}\ \)))w=a_{1}\ldots a_{k}\Diamondw\Diamondw\in\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)\Boxw\in\overline{\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)}\Diamond\Box$ has a winning strategy [43].
Problem 4.2**.**
Our contribution is a fixed-point algorithm to decide . We derive it in three steps. First, we develop a concrete model for higher-order games whose semantics captures the above winning condition. Second, we introduce a framework that for two models and a mapping between them guarantees that the mapping of the greatest fixed point with respect to the one model is the greatest fixed point with respect to the other model. Finally, we introduce an abstract model that uses a finite ground domain. The solution of can be read off from the semantics in the abstract model, which in turn can be computed via Kleene iteration. Moreover, this semantics can be used to define Player ’s winning strategy. We instantiate the framework for the concrete and abstract model to prove the soundness of the algorithm.
Concrete Semantics
Consider a instance . Let be the determinized version of . Our goal is to define a model such that the semantics of in this model allows us to decide . Recall that we only have to define the ground domain. For composed kinds, we use the functional lifting discussed in Section 3.
Our idea is to associate to kind the set of positive Boolean formulas where the atomic propositions are words in . To be able to reuse the definition, we define formula domains in more generality as follows.
Domains of Boolean Formulas
Given a (potentially infinite) set of atomic propositions, the positive Boolean formulas \mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(P}\right)} over are defined to contain , every from , and compositions of formulas via conjunction and disjunction. We work up to logical equivalence, which means we treat and as equal as long as they are logically equivalent.
Unfortunately, if the set is infinite, \mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(P}\right)} is not a cppo, because the meet of a descending chain of formulas might not be a finite formula. The idea of our domain is to have conjunctions of infinitely many formulas. As is common in logic, we represent them as infinite sets. Therefore, we consider the set of all sets of (finite) positive Boolean formulas {\mathcal{P}}\mathopen{}\mathclose{{}\left(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(T^{*}}\right)}}\right)\setminus\mathopen{}\mathclose{{}\left\{\emptyset}\right\} factorized modulo logical equivalence, denoted ({\mathcal{P}}\mathopen{}\mathclose{{}\left(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(T^{*}}\right)}}\right)\setminus\mathopen{}\mathclose{{}\left\{\emptyset}\right\})/_{\Leftrightarrow}. To be precise, the sets may be finite or infinite, but they must be non-empty.
To define the factorization, let an assignment to the atomic propositions be given by a subset of . The atomic proposition is true if . An assignment satisfies a Boolean formula, if the formula evaluates to true in that assignment. It satisfies a set of Boolean formulas, if it satisfies all elements. Given two sets of formulas and , we write , if every assignment that satisfies also satisfies . Two sets of formulas are equivalent, denoted , if and holds.
The ordering on these factorized sets is implication (which by transitivity is independent of the representative). The top element is the set \mathopen{}\mathclose{{}\left\{\mathsf{true}}\right\}, which is implied by every set. The conjunction of two sets is union. Note that it forms the meet in the partial order, and moreover note that meets over arbitrary sets exist, in particular the domain is a cppo. We will also need an operation of disjunction, which is defined by \Phi_{1}\vee\Phi_{2}=\mathopen{}\mathclose{{}\left\{\phi_{1}\vee\phi_{2}\ \middle|\ \phi_{1}\in\Phi_{1},\phi_{2}\in\Phi_{2}}\right\}. We will also use disjunctions of higher (but finite) arity where convenient. Note that the disjunction on finite formulas is guaranteed to result in a finite formula. Therefore, the above is well-defined.
In our case, the assignment of interest is the language of the automaton . Player will win the game iff the concrete semantics assigns a set of formulas to that is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right).
The Concrete Domains and Interpretation of Terminals.
From a ground domain, higher-order domains are defined as continuous functions as in Section 3. Thus we only need
[TABLE]
The endmarker \$$ yields the set of formulas \mathopen{}\mathclose{{}\left{\varepsilon}\right}\mathcal{I}^{\mathit{C}}($)=\mathopen{}\mathclose{{}\left{\varepsilon}\right}a:o\to oaw\mathcal{I}^{\mathit{C}}(a)=\mathsf{prepend}{a}\mathsf{prepend}{a}$ distributes over conjunction and disjunction:
[TABLE]
We apply to sets of formulas by applying it to every element. Finally, where has arity is an -ary conjunction (resp. disjunction) if Player (resp. ) owns .
For to be a model, we need our interpretation of terminals to be -continuous. This follows largely by the distributivity of our definitions.
Lemma 4.3**.**
For all non-ground terminals , is -continuous.
Example 4.4**.**
Consider the higher-order game defined by the scheme S=H\ a\ \\ |\ b\ $H=\lambda f.\lambda x.f\ (f\ x)\ |\ \lambda f.\lambda x.H\ (H\ f)\ xS\DiamondH\Box\mathopen{}\mathclose{{}\left{b}\right}\DiamondSb\ $\sigma_{\mathcal{M}^{\mathit{C}}}(H)f\in\mathit{Cont}(\mathcal{D}^{\mathit{C}}(o),\mathcal{D}^{\mathit{C}}(o))d\in\mathcal{D}^{\mathit{C}}(o)\bigcup_{k>0}f^{2k}(d)\mathit{op}_{H}f2$. With this, the semantics of the initial symbol is
[TABLE]
The assignment \mathopen{}\mathclose{{}\left\{b}\right\} given by the language of the NFA satisfies \mathopen{}\mathclose{{}\left\{a^{2k}\vee b\ \middle|\ k>0}\right\}. Indeed, since evaluates to true, every formula in the set evaluates to true.
Correctness of Semantics and Winning Strategies.
We need to show that the concrete semantics matches the original semantics of the game.
Theorem 4.5**.**
is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) iff there is a winning strategy for Player .
When is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) the concrete semantics gives a winning strategy for : From a term such that \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \sigma_{\mathcal{M}^{\mathit{C}}} is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right), Player , when able to choose, picks a rewrite rule that transforms to , where \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ \sigma_{\mathcal{M}^{\mathit{C}}} remains satisfied. The proof of Theorem 4.5 shows this is always possible, and, moreover, Player is unable to reach a term for which satisfaction does not hold. This does not yet give an effective strategy since we cannot compute \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \sigma_{\mathcal{M}^{\mathit{C}}}. However, the abstract semantics will be computable, and can be used in place of the concrete semantics by Player to implement the winning strategy.
The proof that being unsatisfied implies a winning strategy for Player is more involved and requires the definition of a correctness relation between semantics and terms that is lifted to the level of functions, and shown to hold inductively.
5. Framework for Exact Fixed-Point Transfer
The concrete model does not lead to an algorithm for solving since its domains are infinite. Here, we consider an abstract model with finite domains. The soundness of the resulting Kleene iteration relies on the two semantics being related by a precise abstraction . Since both semantics are defined by fixed points, this requires us to prove . In this section, we provide a general framework to this end.
Consider the deterministic scheme together with two models (left and right) and . Our goal is to relate the semantics in these models in the sense that . Such exact fixed-point transfer results are well-known in abstract interpretation. To generalize them to higher-order we give easy to instantiate conditions on , , and that yield the above equality. Interestingly, exact fixed-point transfer results seem to be rare for higher-order (e.g. [47]). Our development is inspired by Abramsky’s lifting of abstraction functions to logical relations [3], which generalizes [11, 4]. These works focus on approximation and the compatibility we need for exactness is missing. Our framework is easier to apply than [15, 6], which are again concerned with approximation and do not offer (but may lead to) exact fixed-point transfer results.
For the terminology, an abstraction is a function . To lift the abstraction to function domains, we define the notion of being compatible with . Compatibility intuitively states that the function on the concrete domain is not more precise than what the abstraction function distinguishes. This allows us to define the abstraction of a function by applying the function and abstracting the result, . Compatibility ensures the independence of the choice of .
By definition, all ground elements are compatible with . For function domains, compatibility and the abstraction are defined as follows.
Definition 5.1**.**
Assume and the notion of compatibility are defined on and . Let (resp. ) be the greatest element of (resp. ) for each .
- (1)
Function is compatible with , if
- (a)
for all compatible with we have , and 2. (b)
for all compatible we have that is compatible. 2. (2)
We define as follows.
- (a)
If is compatible, we set , provided there is a compatible with , and otherwise. 2. (b)
If is not compatible, .
We lift to valuations by and similar for . We also lift compatibility to valuations by requiring to be compatible for all and similar for .
The conditions needed for the exact fixed-point transfer are the following.
Definition 5.2**.**
Function is precise for and , if
,
is -continuous,
,
for all terminals , and similarly for all terminals and all compatible ,
is compatible for all terminals , and all compatible .
is surjectivity of . states that is well-behaved wrt. . says that the greatest element is mapped as expected. Note that - are only posed for the ground domain. One can prove that they generalize to function domains by the definition of function abstraction. is that the interpretations of terminals in and are suitably related. Finally is compatibility. and are generalized to terms in Lemma 5.3.
To prove , we need that is an exact abstract transformer of . The following lemma states this for all terms , in particular those that occur in the equations. The generalization to product domains is immediate. Note that the result is limited to compatible valuations, but this will be sufficient for our purposes. The proof proceeds by induction on the structure of terms, while simultaneously proving \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket compatible with . With this result, we obtain the required exact fixed-point transfer for precise abstractions.
Lemma 5.3**.**
Assume , , and hold. For all terms and all compatible , we have \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \nu compatible and \alpha(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \nu)=\mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \alpha(\nu).
Theorem 5.4** (Exact Fixed-Point Transfer).**
Let be a scheme with models and . Let and be the corresponding semantics. If is precise, we have .
6. Domains for Higher-Order Games
We propose two domains, abstract and optimized, that allow us to solve . The computation is a standard fixed-point iteration, and, in the optimized domain, this iteration has optimal complexity. Correctness follows by instantiating the previous framework.
Abstract Semantics.
Our goal is to define an abstract model for games that (1) suitably relates to the concrete model from Section 4 and (2) is computable. By a suitable relation, we mean the two models should relate via an abstraction function. Provided the conditions on precision hold, correctness of the abstraction then follows from Theorem 5.4. Combined with Theorem 4.5, this will allow us to solve . Computable in particular means the domain should be finite and the operations should be efficiently computable.
We define the as follows. Again, we resolve the non-determinism into Boolean formulas. But rather than tracking the precise words generated by the scheme, we only track the current set of states of the automaton. To achieve the surjectivity required by precision, we restrict the powerset to those sets of states from which a word is accepted. Let \mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)=\mathopen{}\mathclose{{}\left\{q\ \middle|\ q\xrightarrow{w}{\to}q_{f}\in Q_{f}}\right\}. For a language we have \mathsf{acc}\mathopen{}\mathclose{{}\left(L}\right)=\mathopen{}\mathclose{{}\left\{\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)\ \middle|\ w\in L}\right\}. The abstract domain for terms of ground kind is \mathcal{D}^{\mathit{A}}(o)=\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)}\right)}. The lifting to functions is as explained in Section 3. Satisfaction is now defined relative to a set of elements of {\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right) (cf. Section 4). With finitely many atomic propositions, there are only finitely many formulas (up to logical equivalence). This means we no longer need sets of formulas to represent infinite conjunctions, but can work with plain formulas. The ordering is thus the ordinary implication with the meet being conjunction and top being .
The interpretation of ground terms is \mathcal{I}^{\mathit{A}}(\)=Q_{f}\mathcal{I}^{\mathit{A}}(a)=\mathsf{pre}{a}\mathsf{pre}{a}a\mathsf{pre}{a}(Q)=\mathopen{}\mathclose{{}\left{q^{\prime}\in Q{\mathit{NFA}}\ \middle|\ q^{\prime}\xrightarrow{a}{\to}q\in Q}\right}\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)\mathcal{I}^{\mathit{A}}(s)\sqcap$-continuous is standard.
Lemma 6.1**.**
The interpretations are defined on the abstract domain.
Lemma 6.2**.**
For all terminals , is -continuous over the respective lattices.
Recall our concrete model is , where \mathcal{D}^{\mathit{C}}={\mathcal{P}}\mathopen{}\mathclose{{}\left(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(T^{*}}\right)}}\right). To relate this model to , we define the abstraction function . It leaves the Boolean structure of a formula unchanged but maps every word (which is an atomic proposition) to the set of states from which this word is accepted. For a set of formulas, we take the conjunction of the abstraction of the elements. This conjunction is finite as we work over a finite domain, so there is no need to worry about infinite syntax. Technically, we define on \mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(T^{*}}\right)} by for a set of formulas \Phi\in{\mathcal{P}}\mathopen{}\mathclose{{}\left(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(T^{*}}\right)}}\right), and
[TABLE]
This definition is suitable in that entails the following.
Theorem 6.3**.**
is satisfied by \mathopen{}\mathclose{{}\left\{Q\in\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)\ \middle|\ q_{0}\in Q}\right\} iff Player wins .
To see that the theorem is a consequence of the exact fixed-point transfer, observe that \mathopen{}\mathclose{{}\left\{Q\in\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)\ \middle|\ q_{0}\in Q}\right\}=\mathsf{acc}\mathopen{}\mathclose{{}\left(\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)}\right). Then, by we have \mathsf{acc}\mathopen{}\mathclose{{}\left(\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)}\right) satisfies iff it also satisfies . This holds iff \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) satisfies (a simple induction over formulas). By Theorem 4.5, this occurs iff Player wins the game.
It remains to establish . With the framework, the exact fixed-point transfer follows from precision, Theorem 5.4. The proof of the following is routine.
Proposition 6.4**.**
is precise. Hence, .
Optimized Semantics.
The above model yields a decision procedure for via Kleene iteration. Unfortunately, the complexity is one exponential too high: The height of the domain for a symbol of order in the abstract model is -times exponential, where the height is the length of the longest strictly descending chain in the domain. This gives the maximum number of steps of Kleene iteration needed to reach the fixed point.
We present an optimized version of our model that is able to close the gap: In this model, the domain for an order- symbol is only -times exponentially high. The idea is to resolve the atomic propositions in , which are sets of states, into disjunctions among the states. The reader familiar with inclusion algorithms will find this decomposition surprising.
We first define \alpha:\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)}\right)}\rightarrow\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}. The optimized domain will then be based on the image of . This guarantees surjectivity. For a set of states , we define . For a formula, the abstraction function is defined to distribute over conjunction and disjunction. The optimized model is with ground domain \alpha(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)}\right)}). The interpretation is \mathcal{I}^{\mathit{O}}(\)=\bigvee Q_{f}a\mathcal{I}^{\mathit{O}}(a)\ q=\bigvee\mathsf{pre}{a}(\mathopen{}\mathclose{{}\left{q}\right})\mathcal{I}^{\mathit{O}}(\mathit{op}{F})\sqcap$-continuous as required.
Lemma 6.5**.**
The interpretations are defined on the optimized domain.
Lemma 6.6**.**
For all terminals , is -continuous over the respective lattices.
We again show precision, enabling the required exact fixed-point transfer.
Proposition 6.7**.**
is precise. Hence, .
Theorem 6.8**.**
is satisfied by \mathopen{}\mathclose{{}\left\{q_{0}}\right\} iff Player wins .
It is sufficient to show is satisfied by \mathopen{}\mathclose{{}\left\{Q\in\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)\ \middle|\ q_{0}\in Q}\right\} iff is satisfied by \mathopen{}\mathclose{{}\left\{q_{0}}\right\}. Theorem 6.3 then yields the statement. Propositions in are resolved into disjunctions in . For such a proposition, we have Q\in\mathopen{}\mathclose{{}\left\{Q\in\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)\ \middle|\ q_{0}\in Q}\right\} iff is satisfied by \mathopen{}\mathclose{{}\left\{q_{0}}\right\}. This equivalence propagates to the formulas and as the Boolean structure coincides. The latter follows from .
Complexity.
To solve , we compute the semantics and then evaluate at the assignment \mathopen{}\mathclose{{}\left\{q_{0}}\right\}. For the complexity, assume that the highest order of any non-terminal in is . We show the number of iterations needed to compute the greatest fixed point is at most -times exponential. We do this via a suitable upper bound on the length of strictly descending chains in the domains assigned by .
Proposition 6.9**.**
The semantics can be computed in , where is the highest order of any non-terminal in the input scheme.
The lower bound is via a reduction from the word membership problem for alternating -iterated pushdown automata with polynomially-bounded auxiliary work-tape. This problem was shown by Engelfriet to be -hard. We can reduce this problem to via well-known translations between iterated stack automata and recursion schemes, using the regular language specifying the winning condition to help simulate the work-tape.
Proposition 6.10**.**
Determining whether Player wins is -hard for .
Together, these results show the following corollary and final result.
Corollary 6.11**.**
is -complete for order- schemes and .
Appendix A Relation to Higher-Order Model Checing
We elaborate on the relation of our work to the influential line of research on intersection types as pioneered by [41]. With intersection types, it is usually proven that there is a word or tree derivable by a HORS that is accepted by an automaton, i.e. a well-typed type environment can be certificate for the non-emptiness of the intersection \mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{scheme}}\right)\cap\mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{Automaton}}\right)\neq\emptyset. If the HORS is deterministic, \mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{scheme}}\right) consists of a single tree, so this is also decides the inclusion \mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{scheme}}\right)\subseteq\mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{Automaton}}\right). If we naively extend intersection types to non-deterministic schemes, this is not true anymore. To prove the inclusion in this case, we will need to complement the automaton and prove the emptiness of the intersection, i.e. \mathcal{L}\mathopen{}\mathclose{{}\left(\mathit{scheme}}\right)\cap\mathcal{L}\mathopen{}\mathclose{{}\left(\overline{\mathit{Automaton}}}\right)=\emptyset. Note that a well-typing (a well-typed type environment) cannot prove the emptiness by itself: If the type for the initial symbol does not contain a transition from a final to an initial state, that can either stem from the non-existence of a such a transition sequence, or from the typing not being strong enough. For example, the empty typing that does not assign any type to any symbol (or the empty intersection, if you want), is a well-typing and does not prove anything. Therefore, an algorithm that decides the non-emptiness of the intersection by using intersection-types has to guarantee that it constructs a well-typing strong enough to prove the existence of an accepting transition sequence if such a sequence exists. Note that algorithms that compute intersection types usually allow alternating automata as the specification. It is conceptually easier to complement an alternating automaton than it is to complement a non-deterministic automaton: The transition for each origin and label is given as a Boolean formula, and we can get the complement automaton by considering the dual formula (i.e. the formula in which conjunctions and disjunctions are swapped). Note that usually, the transition formulas are normalized to disjunctive normal form (DNF), so computing the dual formula (which will then be in CNF) and re-normalizing it to DNF can lead to an exponential blowup.
Work by Neatherway et al. [45] and Ramsay [47] considers schemes with non-determinism in the form of case statements. To handle this non-determinism they introduce union types as a ground type. Neatherway et al. give an optimised algorithm for checking such schemes against deterministic trivial automata (where all infinite runs are accepting – i.e. a Büchi condition where all states are accepting). In his thesis, Ramsay extends this to checking non-deterministic schemes against non-deterministic trivial automata using abstract interpretation from schemes to types. In our work, we generalise non-determinism to games (played over word-generating schemes), with a non-deterministic target language.
Appendix B Proofs for Section 3
B.1. Proof of Proposition 3.2
Proof B.1**.**
Let \mathopen{}\mathclose{{}\left(\nu_{i}}\right)_{i\in{\mathbb{N}}} be a descending chain of evaluations, i.e. for all . It is to show that for all , \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket is -continuous (in the argument ) over the respective lattice, i.e.
[TABLE]
We proceed by induction over .
- (1)
**Case or .
**Both of these cases are identical, hence we only show the former. We have
[TABLE]
where the first and final equalities are by definition of the concrete semantics, and the second is by definition of over valuations . 2. (2)
**Case for some terminal .
**Similar to the previous case, we have
[TABLE]
by definition. 3. (3)
**Case .
**We have
[TABLE]
We have to argue the step indicated above. That is,
[TABLE]
The right-hand side is greater than the left-hand side, because terms of the form ((\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu_{i})\ (\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{2}}\right\rrbracket\ \nu_{j})) where are missing in the RHS. To see that it is in fact equal, note that for two indices , we have either or , since the valuations form a descending chain. Let m=\min\mathopen{}\mathclose{{}\left\{i,j}\right\}. We now use that -continuity implies monotonicity, and thus we have
[TABLE]
Hence, for any expression ((\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu_{i})\ (\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t_{2}}\right\rrbracket\ \nu_{j})) that is missing in the meet in the RHS, the meet in the RHS contains an expression that is smaller, hence, they are equal. 4. (4)
**Case .
**We have
[TABLE]
B.2. Substitution Lemma
Since we have not syntactically defined the evaluation of a -term, our development will need a simple substitution lemma.
Lemma B.2**.**
For all , we have \mathcal{M}\mathopen{}\mathclose{{}\left\llbracket(\lambda x.t)\ t^{\prime}}\right\rrbracket\ \nu=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t[x\mapsto t^{\prime}]}\right\rrbracket\ {\nu}.
Proof B.3**.**
We show that for all and all suitable terms , we have
[TABLE]
We have by definition
[TABLE]
and show by induction over that
[TABLE]
In the base cases we have
- (1)
\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ {\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}=\mathopen{}\mathclose{{}\left(\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}\right)(F)=\nu(F)=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ {\nu}=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket F[x\mapsto t^{\prime}]}\right\rrbracket\ {\nu}, 2. (2)
\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket s}\right\rrbracket\ {\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}=\mathcal{I}(s)=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket s}\right\rrbracket\ {\nu}=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket s[x\mapsto t^{\prime}]}\right\rrbracket\ {\nu}, 3. (3)
\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket x}\right\rrbracket\ {\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket x[x\mapsto t^{\prime}]}\right\rrbracket\ {\nu}, and 4. (4)
\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket y}\right\rrbracket\ {\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}=\mathopen{}\mathclose{{}\left(\nu[x\mapsto\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu}]}\right)(y)=\nu(y)=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket y}\right\rrbracket\ {\nu}=\mathcal{M}\mathopen{}\mathclose{{}\left\llbracket y[x\mapsto t^{\prime}]}\right\rrbracket\ {\nu}, for variable .
Then, for the induction step, we first consider application. That is
[TABLE]
which is equal to, by induction,
[TABLE]
Finally, for abstraction, we can assume by -conversion that , and we have
[TABLE]
which is by induction equal to the function
[TABLE]
Thus, by induction, we have the lemma as required.
Appendix C Proofs for Section 4
C.1. Proof of Lemma 4.3
Proof C.1**.**
We show that for all non-ground terminals , is -continuous. We need to treat the terminals of the original scheme and the terminals that were introduced for the determinisation separately. In each case, assume a descending chain of arguments .
- (1)
**Case .
**Since and we have
[TABLE]
by definition of , we have the property as required. 2. (2)
**Case .
**We show the property when is owned by , and thus interpreted as -fold disjunction, conjunction is similar. We proceed by induction on the arity . In the base case , is the identity function that is -continuous
Now assume has arity , and is an -fold disjunction. We have
[TABLE]
In the above we required to distribute over , which can be seen by induction over types. In the base case, that distributes over is standard. For the step case, we have for all , , and
[TABLE]
C.2. Proof of Theorem 4.5
We are required to show is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) iff there is a winning strategy foryer Player . The theorem is shown in the following two lemmas.
First, we introduce some notation. We write for to abbreviate .
Lemma C.2** (Player ).**
If is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) there is a winning strategy for .
Proof C.3**.**
In what follows, whenever we refer to a term , we mean a term built over , but not over . The terminals are excluded because they do not occur in the game, they are only introduced in the determinized scheme.
We will demonstrate a strategy for that maintains the invariant that the current (variable-free) term reached is such that \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \sigma_{\mathcal{M}^{\mathit{C}}} is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). All plays are infinite or generate a word . Since we maintain \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}} is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right), if represents a word , we know is accepted by and Player wins the game.
Initially, we have \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket S}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}}=\sigma_{\mathcal{M}^{\mathit{C}}}(S) which is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) by assumption. Thus, suppose play reaches a term such that \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}} is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). There are two cases.
In the first case t=a_{1}\ (\cdots\ (a_{n}\ \))w=a_{1}\ldots a_{n}$. Since
[TABLE]
and is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right), we know w\in\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) and Player has won the game.
In the second case, we have . By assumption, we know
[TABLE]
is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). Let , …, be the rewrite rules for . There are two subcases.
- (1)
If is owned by , then since \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket=\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{1}}\right\rrbracket\lor\cdots\lor\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{\ell}}\right\rrbracket there must exist some such that
[TABLE]
is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). The strategy of Player is to choose the rewrite rule.
We need to show the invariant is maintained. Let . We have (using the substitution lemma, Lemma B.2),
[TABLE]
Note that the term is the result of Player rewriting via . Since the satisfaction by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) passes through the equalities, Player ’s move maintains the invariant as required. 2. (2)
If is owned by the argument proceeds as in the previous case. The key difference is that we have to show satisfaction is maintained no matter which move chooses. However, since in this case \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket=\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{1}}\right\rrbracket\land\cdots\land\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{\ell}}\right\rrbracket then for all we have
[TABLE]
is satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). The remainder of the argument is identical.
Lemma C.4** (Player ).**
If is not satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) there is a winning strategy for .
Proof C.5**.**
In what follows, whenever we refer to a term , we mean a term built over , but not over . The terminals are excluded because they do not occur in the game, they are only introduced in the determinized scheme.
For and a variable-closed term of kind , we define to be sound for , denoted , if for all such that is not satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right), Player has a winning strategy from term . For , we set and let . We can now restate the lemma as
[TABLE]
In particular, since is not satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) it is the case that is not satisfied. This means Player has a winning strategy from .
In general, for , we will also define for terms of kind . That is, for a variable-closed term of kind and a function , we define to hold whenever for all variable-closed terms of kind and such that we have :
[TABLE]
Similarly, we need to extend to terms with free variables . Here, we make the free variables explicit and write . We define for that by requiring that for any variable-closed terms and any with for all , we have , where maps to .
We now show the following. For every number of iterations in the fixed-point calculation, we have \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}^{i}}\vdash t, for all terms built over the terminals and non-terminals in the scheme of interest. After the induction, we will show that the result holds for the greatest fixed point. Note that we have a nested induction: the outer induction is along , the inner is along the structure of terms.
Since we are inducting over non-closed terms, we will have to extend to assign valuations to free-variables. Thus we will write to denote a valuation such that for any non-terminal .
Base case .
In the base case, we have and for all non-terminals. We proceed by induction on the structure of terms. We will emphasize if an argumentation is independent of the iteration count. This is the case for all terms except non-terminals.
Base case .
The base cases of the inner induction that are independent of the iteration count are the following.
- (1)
**Case $t=$$.
**For all , we have \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket\}\right\rrbracket\ {\nu^{i}}=\varepsilonw\mathsf{prepend}_{w}(\varepsilon)\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right)w(\varepsilon)\Box$ has won the game. 2. (2)
Case .
We again reason over all and show that
[TABLE]
for any variable-closed term and any so that . Take any word such that is not satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). It follows that is also not satisfied by \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right). From , Player has a winning strategy from . Since we are done. 3. (3)
Case .
For all and all extensions of , we have
[TABLE]
Take any and any variable-closed term with . Then is immediate.
The only base case of the inner induction that depends on the iteration count is . Let take arguments and consider variable-closed terms with corresponding such that . We have
[TABLE]
Thus, trivially \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ {\nu^{0}}\vdash F since true is never unsatisfied.
Step case .
In both cases, the argumentation is independent of the actual iteration count. Therefore, we give it for a general rather than for [math].
- (1)
Case .
Assume we already know that
[TABLE]
Our task is to show that
[TABLE]
Let the free variables be and consider to . Let map to for all . By the definition of for terms with free variables, we have \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}}\right\rrbracket\ {\nu^{i}}\vdash t^{\prime}[\forall j:x_{j}\mapsto t_{j}] and \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t^{\prime\prime}}\right\rrbracket\ {\nu^{i}}\vdash t^{\prime\prime}[\forall j:x_{j}\mapsto t_{j}]. Then, by the definition of for functions, we obtain
[TABLE]
This means \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t^{\prime}\ t^{\prime\prime}}\right\rrbracket\ {\nu^{i}}\vdash t^{\prime}\ t^{\prime\prime} as required. 2. (2)
Case .
Let the free variables of be . For \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket\lambda x.e}\right\rrbracket\ {\nu^{i}}\vdash\lambda x.e, we have to argue that for any to with mapping to for all , we get
[TABLE]
This in turn means that for any , we have to show
[TABLE]
By the definition of the semantics, we have
[TABLE]
Moreover, since the are variable-closed, they in particular are not affected by replacing and we get
[TABLE]
In the game, -redexes of the form do not occur at all: When a non-terminal is rewritten to its right-hand side , this yields within a single step. This means the game equates with . Hence, all that remains to be shown is
[TABLE]
This holds by the hypothesis of the inner induction, showing \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e}\right\rrbracket\ {\nu^{i}}\vdash e.
Step case .
We again do an induction along the structure of terms. The only case that has not been treated in full generality is . We now show that \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ {\nu^{i+1}}\vdash F. Let take arguments and consider to . The task is to prove \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ {\nu^{i+1}}\ \Xi_{1}\ \ldots\ \Xi_{m}\vdash F\ t_{1}\ \ldots\ t_{m}. To ease the notation, assume there are two right hand sides for , i.e. we have the rules and . This means the right-hand side in the determinised scheme is . Then,
[TABLE]
Here, is a conjunction or disjunction, depending on the owner of . Recall that the conjunction and disjunction of functions are defined by evaluating the argument functions separately and combining the results. This means
[TABLE]
With the same reasoning, we obtain
[TABLE]
We have to prove that for any , if \mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) does not satisfy the formula
[TABLE]
then Player has a winning strategy from .
Assume Player owns and the formula is not satisfied. If Player owns , the reasoning is similar. Since we have a disjunction for Player , \mathsf{prepend}_{w}(\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{1}^{\prime}}\right\rrbracket\ {\nu^{i}}\ \Xi_{1}\ \ldots\ \Xi_{m}) is not satisfied. By the hypothesis of the outer induction, we obtain \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{1}^{\prime}}\right\rrbracket\ {\nu^{i}}\ \vdash e_{1} and thus \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{1}^{\prime}}\right\rrbracket\ {\nu^{i}}\ \Xi_{1}\ \ldots\ \Xi_{m}\vdash e_{1}^{\prime}\ t_{1}\ \ldots\ t_{m}. As in the case of -abstraction above, we use that the game identifies and . Hence, Player has a winning strategy from . The same argumentation applies to \mathsf{prepend}_{w}(\mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket e_{2}}\right\rrbracket\ {\nu^{i}}\ \Xi_{1}\ \ldots\ \Xi_{m}). Consequently, whichever move Player makes at , Player has a winning strategy.
This finishes the outer induction, proving that \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}^{i}}\vdash t for all terms and all . We would like to conclude \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}}\vdash t. Since the cppo under consideration is not finite, this needs to be proven separately.
Limit case.
We have shown \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}^{i}}\vdash t for all ; we now show \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}}\vdash t noting by Kleene that . Once we have this we have which proves the lemma.
We formulate a slightly more general induction hypothesis for induction over kinds: Given a descending sequence of for all such that each , we have . In the base case we have is of kind and we assume . We now argue .
Take any and suppose is not satisfied, then we need to show by the definition of that Player has a winning strategy. Since is conjunction, if
[TABLE]
is not satisfied, it must be the case that for some we have is not satisfied. In this case, we have by assumption and thus by the definition of that Player has a winning strategy from . This proves .
If is of kind we need to show for all that . We have by the definition of over functions
[TABLE]
Since by assumption on and definition of for function kinds, we have for each . By the induction on the kind, we obtain . Since we establish the desired statement that finishes the induction.
Finally, since \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}^{i}} satisfies the conditions of the above induction hypothesis and because we have already shown \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ {\sigma_{\mathcal{M}^{\mathit{C}}}^{i}}\vdash t for all , we obtain
[TABLE]
Then, since using continuity of \mathcal{M}^{\mathit{C}}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket we have
[TABLE]
we obtain the lemma as required.
Appendix D Proofs for Section 5
D.1. Generalising Precision Properties to Functions
We show that several properties needed for precision can be lifted from the ground domain to function domains.
Lemma D.1**.**
If holds, then for every and every there is a compatible with .
Proof D.2**.**
We show that, if holds, then for every and every there is a compatible with . We proceed by induction on kinds. The base case is given by the assumption (P1) and the fact that every ground element is compatible. Assume we have the required surjectivity of for and and consider . The task is to find a compatible function so that . Assume . By surjectivity for , there are compatible elements in , and similar for . Let be a compatible element that is mapped to by . We define for all compatible . Since is total on , this assigns a value to all compatible . We do not impose any requirements on how to map elements that are not compatible.
We argue that is compatible. To this end, consider compatible and with . By definition, both are mapped identically by , . Hence, in particular the abstractions coincide. Moreover, given a compatible , we defined to be a compatible element.
Concerning the equality of the functions, we have . The first equality is the definition of abstraction for functions and the fact that contains compatible elements, one of them being , the second is the fact that is mapped to , and the last is by .
Lemma D.3**.**
If and hold, then for all and all descending chains of compatible elements in , we have compatible and .
Proof D.4**.**
We proceed by induction on kinds to show that, if and hold, then for all kinds and for all descending chains of compatible values , we have again compatible and . The base case is the assumption.
In the induction step, let and be a descending chain of compatible elements. Let be compatible. The following equalities will be helpful:
[TABLE]
The first equality is the definition of on functions, the second is the induction hypothesis for , the third is compatibility of the and , the last is again on functions.
To show compatibility, note that the above implies as long as , for all compatible . For compatibility of with compatible, note that . The latter is the meet over a descending chain of compatible elements in . By the induction hypothesis on , it is again compatible.
For -continuity, consider a value . By Lemma D.1, there is a compatible with . We have
[TABLE]
The first equality is the definition of abstraction on functions. Note that we need here the fact that is compatible by the induction hypothesis. The second equality is the auxiliary one from above. The last equality is by .
Lemma D.5**.**
If holds, then for all .
Proof D.6**.**
We show that, if holds, then for all . We proceed by induction on kinds. The base case is given by the assumption (P3). Assume for , we have . Consider function . We have to show . If the given top element is not compatible, this holds. Assume it is. For , there are two cases. If there is no compatible with , we have
[TABLE]
If there is such a , we obtain
[TABLE]
The first equality is the definition of abstraction for functions, the next is the fact that maps every element to . The image of is by the induction hypothesis. The last equality is the definition of .
D.2. Proof of Lemma 5.3
Proof D.7**.**
Assume , , and hold. We show, for all terms and all compatible , \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \nu is compatible and \alpha(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \nu)=\mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket t}\right\rrbracket\ \alpha(\nu). We proceed by structural induction on .
- (1)
Case , .
By the assumption, \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket F}\right\rrbracket\ \nu=\nu(F) is compatible. Moreover,
[TABLE]
holds. For , the reasoning is similar. 2. (2)
Case terminal .
Note that \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket s}\right\rrbracket\ \nu=\mathcal{I}_{l}(s). If is ground, the claim holds by . Let . For compatibility, consider compatible with . Then
[TABLE]
The first equality is , the next is , and the last is again . The second requirement on compatibility is satisfied by .
To show \alpha(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket s}\right\rrbracket\ \nu)=\mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket s}\right\rrbracket\ \alpha(\nu), consider a value . By Lemma D.1, there is some compatible with . We have
[TABLE]
The first equality is compatibility of and the definition of function abstraction. The next equality is . The last is .
For the induction step, assume the claim holds for and .
- (1)
Case .
For compatibility, observe that \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}\ t_{2}}\right\rrbracket\ \nu=(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu)\ (\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{2}}\right\rrbracket\ \nu). Moreover, \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu and \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{2}}\right\rrbracket\ \nu are both compatible by the induction hypothesis. By definition of compatibility, applying a compatible function to a compatible argument yields a compatible value. Hence, \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}\ t_{2}}\right\rrbracket\ \nu is compatible.
For the equality, note that
[TABLE]
The first equality is by the definition of the semantics, the second is the induction hypothesis. Compatibility justifies the first of the following equalities. The second is again the definition of the semantics:
[TABLE] 2. (2)
Case .
We argue for compatibility. Consider compatible and with . By definition of the semantics and the induction hypothesis, we have
[TABLE]
For , the reasoning is similar. Since , we have . Hence, \mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \alpha(\nu[x\mapsto v_{l}])=\mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \alpha(\nu[x\mapsto v_{l}^{\prime}]). We conclude the desired equality.
For the second requirement in compatibility, let be compatible. By definition of the semantics, (\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket\lambda x.t_{1}}\right\rrbracket\ \nu)\ v_{l}=\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu[x\mapsto v_{l}]. Since and are compatible, is compatible. Hence, \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu[x\mapsto v_{l}] is compatible by the induction hypothesis.
To prove \mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket\lambda x.t_{1}}\right\rrbracket\ \alpha(\nu)=\alpha(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket\lambda x.t_{1}}\right\rrbracket\ \nu), consider an arbitrary value . Let be compatible with , which exists by Lemma D.1. We have:
[TABLE]
We showed above that \mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket\lambda x.t_{1}}\right\rrbracket\ \nu is compatible. Using the definition of abstraction for functions and the definition of the semantics, the other function yields
[TABLE]
With the induction hypothesis, \alpha(\mathcal{M}_{l}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \nu[x\mapsto v_{l}])=\mathcal{M}_{r}\mathopen{}\mathclose{{}\left\llbracket t_{1}}\right\rrbracket\ \alpha(\nu[x\mapsto v_{l}]).
D.3. Proof of Theorem 5.4
Proof D.8**.**
Recall and are the greatest elements of the respective domains. We have
[TABLE]
The first equality is Kleene’s theorem. The second equality uses the fact that each is compatible and that they form a descending chain (both by induction on ), and then applies Lemma D.3. The third equality also relies on compatibility of the and invokes Lemma 5.3. Moreover, it needs by Lemma D.5. The last equality is again Kleene’s theorem.
Appendix E Proofs for Section 6
E.1. Proof of Lemma 6.1
Proof E.1**.**
Observe \mathcal{I}^{\mathit{A}}(\)=Q_{f}=\mathsf{acc}\mathopen{}\mathclose{{}\left(\varepsilon}\right)\phi\in\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{}}\right)}\right)}\mathsf{pre}_{a}(\phi)\in\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{}}\right)}\right)}\mathsf{pre}{a}Q=\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)\mathcal{I}^{\mathit{A}}(a)\ \mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)=\mathsf{pre}{a}(\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right))=\mathsf{acc}\mathopen{}\mathclose{{}\left(a.w}\right)\mathcal{I}^{\mathit{A}}(\mathit{op}_{F})F\in N$ is conjunction or disjunction, and there is nothing to do as the formula structure is not modified.
E.2. Proof of Lemma 6.2
Proof E.2**.**
We require, for all terminals , is -continuous over the respective lattices. We remark that the case is identical to Lemma 4.3. Hence, we show the case . Given a descending chain , we have to show . Recall that the meet of formulas is conjunction, and that we are in a finite domain. The latter means that the infinite conjunction is really the conjunction of finitely many formulas. Now is defined to distribute over finite conjunctions. We have
[TABLE]
as required.
E.3. Proof of Proposition 6.4
Proof E.3**.**
To show is precise, we have to show to . For , it is sufficient to argue that for every set of states Q\in\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right) there is a word that is mapped to it — which holds by definition. For formulas, note that distributes over conjunction and disjunction, which means we can take the same connectives in the concrete as in the abstract and replace the leaves appropriately. Note that we only need a set consisting of one formula.
is satisfied by the concrete meet being the union of sets of formulas and being defined by an element-wise application.
For , note that the greatest elements are \mathopen{}\mathclose{{}\left\{\mathsf{true}}\right\} for and for . By definition, \alpha(\mathopen{}\mathclose{{}\left\{\mathsf{true}}\right\})=\alpha(\mathsf{true})=\mathsf{true}.
For , consider \$$. We have \alpha(\mathcal{I}^{\mathit{C}}($))=\alpha(\mathopen{}\mathclose{{}\left{\varepsilon}\right})=\mathsf{acc}\mathopen{}\mathclose{{}\left(\varepsilon}\right)=Q_{f}=\mathcal{I}^{\mathit{A}}($)\alpha\varepsilon$$ in the abstract domain.
For a letter and a word , we have
[TABLE]
The first equality is the interpretation of in the concrete, the second is the definition of prepending a letter, the third is the definition of the abstraction, the next is how taking predecessors changes the set of states from which a word is accepted, and the last equality is the interpretation of in the abstract domain and the definition of the abstraction function. The relation generalizes to formulas by noting that both the concrete interpretation and the abstract interpretation of distribute over conjunction and disjunction. It also generalizes to sets of formulas by noting that is applied to all elements in the set and, in the abstract domain, distributes over conjunction.
Let be a non-terminal owned by . To simplify the notation, let the associated operation be binary, . Let be sets of formulas. We have
[TABLE]
The first equality is the concrete interpretation of . The second is the definition of the abstraction function. The third equality holds as we work up to logical equivalence. The last is the abstract interpretation of and again the definition of the abstraction.
Assume is owned by and is again binary. Consider . It will be convenient to denote \mathopen{}\mathclose{{}\left\{\phi_{1}\vee\phi_{2}\ \middle|\ \phi_{1}\in\Phi_{1},\phi_{2}\in\Phi_{2}}\right\} by . We have
[TABLE]
The first equality is the concrete interpretation of , the second is the definition of on sets of formulas. The third equality is the fact that distributes over disjunctions and rewrites the iteration over the elements of . The following equality is distributivity of conjunction over disjunction, and the fact that we work up to logical equivalence. The last is the abstract interpretation of and the definition of the abstraction function.
It remains to show . For \mathcal{I}^{\mathit{C}}(\)\mathcal{I}^{\mathit{C}}(a)F\Box\mathit{op}{F}\Diamond\Phi\Phi\cup-(\mathsf{P4})\phi{1}$, we have
[TABLE]
Hence, if , then . That is compatible holds as the element is ground.
E.4. Proof of Lemma 6.5
Proof E.4**.**
v We have \mathcal{I}^{\mathit{O}}(\)=\bigvee Q_{f}=\alpha(Q_{f})=\alpha(\mathsf{acc}\mathopen{}\mathclose{{}\left(\varepsilon}\right))\mathcal{I}^{\mathit{O}}(a)Q=\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)$. We have
[TABLE]
The first equality is the definition of the abstraction function. Then we apply distributivity of the optimized interpretation of over disjunctions. The following equality is the actual interpretation of in the optimized model. The next equality uses . The following is again the definition of the abstraction function. Then we replace by its definition. Finally, we note the interplay between and \mathsf{acc}\mathopen{}\mathclose{{}\left(-}\right).
For conjunction and disjunction, which are used as the interpretation of depending on the player, we note that distributes to the arguments. Hence, if the arguments are and , we have .
E.5. Proof of Lemma 6.6
Proof E.5**.**
We need, for all terminals , is -continuous over the respective lattices. We remark that the case is identical to Lemma 4.3. The case follows from distributivity of as in the proof of Lemma 6.2.
E.6. Proof of Proposition 6.7
Proof E.6**.**
We show the optimized abstraction is precise. Surjectivity in holds by definition as does . Also -continuity in is by the fact that the meets over the concrete domain are finite, and hence the definition of already yields continuity. We argue for .
For \$$, Lemma [6.5](#S6.Thmtheorem5) yields \mathcal{I}^{\mathit{O}}($)=\alpha(Q_{f})\alpha(\mathcal{I}^{\mathit{A}}($))a\mathcal{I}^{\mathit{O}}(a)\ \alpha(\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right))=\alpha(\mathsf{pre}{a}(\mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right)))\alpha(\mathcal{I}^{\mathit{A}}(a)\ \mathsf{acc}\mathopen{}\mathclose{{}\left(w}\right))\mathit{op}{F}$, assume it is a binary conjunction. We have
[TABLE]
The first equality is the definition of the interpretation in the optimized model, the next is distributivity of over conjunction. Finally, we have the interpretation of in the abstract model.
For , there is nothing to do for \mathcal{I}^{\mathit{C}}(\)\mathcal{I}^{\mathit{C}}(a)\phi\phi\wedge-\phi_{1}\phi_{2}\alpha(\phi_{1})=\alpha(\phi_{2})$. Then
[TABLE]
The first equality is distributivity of the abstraction function over conjunctions. The next is the assumed equality. The third is again distributivity. Compatibility of holds as ground values are always compatible.
E.7. Proof of Corollary 6.11
To show the complexity, we argue the upper and lower bounds separately.
Proof E.7** (Proof of Proposition 6.9).**
We need to argue that can be computed in -times exponential time. We have that . Since the domains are finite for all kinds , there is an index such that . In the following, we will see that the number of iterations, i.e. the index is at most -times exponential, and that one iteration can be executed in -times exponentially many steps.
First, we reason about the number of iterations. For a partial order , we define its height as the length of the longest strictly descending chain, i.e. the height is if the longest such chain is of the shape
[TABLE]
The height of the domain is an upper bound for by its definition: If for some index we have , we know and thus . Such an index has to exist and has to be smaller than the height of the domain, otherwise the sequence of the would form a chain that is strictly longer than the height, a contradiction to the definition.
It remains to see what the height of our optimized domain is. Recall that has the type signature . Our goal in the following is to determine . We can identify with , where are the non-terminals of the scheme. The height of this product domain is the sum of its height. We are done if we show that even the domain with the maximal height is -times exponentially high, since the number of non-terminals is polynomial in the input scheme.
In the following we prove: If kind is of order , then has -times exponential height. For the induction step, we also need to consider the cardinality of , therefore, we strengthen the statement and also prove that the cardinality \mathopen{}\mathclose{{}\left|\mathcal{D}^{\mathit{O}}(\kappa)}\right| is -times exponential.
We proceed by induction on .
In the base case , we necessarily have , and indeed the domain \alpha(\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(\mathsf{acc}\mathopen{}\mathclose{{}\left(T^{*}}\right)}\right)})\subseteq\mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)} is singly exponentially high. To see that this is the case, consider a strictly decreasing chain of positive boolean formulas over , i.e. a chain where each formula is strictly implied by the next. To each formula, , we assign the set \mathcal{Q}_{j}=\mathopen{}\mathclose{{}\left\{Q\subseteq Q_{\mathit{NFA}}\ \middle|\ Q\text{ satisfies }\phi_{j}}\right\} of assignments under which evaluates to true. That is strictly implied by translates to the fact that is a strict subset of . This gives us that the sets themselves form a strictly ascending chain in {\mathcal{P}}\mathopen{}\mathclose{{}\left({\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right), and it is easy to see that such a chain has length at most \mathopen{}\mathclose{{}\left|{\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right|=2^{\mathopen{}\mathclose{{}\left|Q_{\mathit{NFA}}}\right|}.
Furthermore, we can represent each equivalence class of formulas in \mathsf{PBool}\mathord{\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)} by a representative in conjunctive normal form, i.e. by an element of {\mathcal{P}}\mathopen{}\mathclose{{}\left({\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right). This shows that the cardinality of the domain is indeed bounded by \mathopen{}\mathclose{{}\left|{\mathcal{P}}\mathopen{}\mathclose{{}\left({\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right)}\right|=2^{\mathopen{}\mathclose{{}\left|{\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right|}=2^{2^{\mathopen{}\mathclose{{}\left|Q_{\mathit{NFA}}}\right|}}.
Now assume the statement holds for , and consider of order . We need an inner induction on the arity of .
Since is the only kind of arity [math], and does not have order for any , there is nothing to do in the base case.
Now assume that . By the definitions of arity and order, we know that is of order at most , therefore we now by the outer induction that the height of is at most -times exponential. The order of is at most , but the arity of is strictly less than the arity of , thus we get by the inner induction that the height of is at most -times exponential.
The domain is a subset of all functions from to . Let us reason about the height of this more general function domain. We know that its height is the height of the target times the size of the source, i.e. h(\mathcal{D}^{\mathit{O}}(\kappa_{2}))\cdot\mathopen{}\mathclose{{}\left|\mathcal{D}^{\mathit{O}}(\kappa_{1})}\right|. The induction completes the proof, as both and \mathopen{}\mathclose{{}\left|\mathcal{D}^{\mathit{O}}(\kappa_{1})}\right| are at most -times exponential.
It remains to argue that each iteration can be implemented in at most -times exponentially many steps. To this end, we argue that each element of can be represented by an object of size -times exponential, where is the order of . It is easy to see that all operations that need to be executed on these objects, namely evaluation, conjunction, disjunction, and predecessor computation can be implemented in polynomial time in the size of the objects.
Let , i.e. . We again represent each element of by a formula over in conjunctive normal form, i.e. as an element of {\mathcal{P}}\mathopen{}\mathclose{{}\left({\mathcal{P}}\mathopen{}\mathclose{{}\left(Q_{\mathit{NFA}}}\right)}\right). In the worst case, one single formula contains everyone of the many clauses, each clause having size at most \mathopen{}\mathclose{{}\left|Q_{\mathit{NFA}}}\right|. This means that one formula needs at most singly exponential space.
For the induction step, consider of order . As above, we need an inner induction on the arity of , for which the base case is trivial.
Let . An element of is a function that assigns to each of the \mathopen{}\mathclose{{}\left|\mathcal{D}^{\mathit{O}}(\kappa_{1})}\right|-many elements of an element of . In the previous part of the proof, we have argued, that \mathopen{}\mathclose{{}\left|\mathcal{D}^{\mathit{O}}(\kappa_{1})}\right| is at most times exponential. By the induction on the arity, we know that each object in can be represented in at most -times exponential space. This shows that objects of can be represented using -times exponential space, and finishes the proof.
We show that determining the winner in a higher-order word game is -hard for an order- recursion scheme.
Proof E.8** (Proof of Proposition 6.10).**
We begin with a result due to Engelfriet [18] that shows alternating -iterated pushdown automata with a polynomially bounded auxiliary work-tape (-PDA*+*) characterize the word languages. We fix any -hard language and its corresponding alternating -PDA . Let \mathcal{L}\mathopen{}\mathclose{{}\left(B}\right) be the set of words accepted by . Deciding if a given word is in the language defined by is -hard in the size of (recall is fixed). We show that this problem can be reduced in polynomial time to an inclusion problem \mathcal{L}\mathopen{}\mathclose{{}\left(B^{\prime}}\right)\subseteq\mathcal{L}\mathopen{}\mathclose{{}\left(A}\right) for some -iterated pushdown automaton (without work-tape) (-PDA) and NFA of size polynomial in the length of . From , we can construct in polynomial time an equivalent game over a scheme . This will show the game language inclusion problem for order- schemes is -hard.
In an alternating -PDA*+, there are two Players and . When decided whether a word is in the language of a -PDA+*, will attempt to prove the word is in the language, while will try to refute it.
We first describe how to obtain from . Since the word is fixed, we can force to output the word by forming a product of with the states of . Call this automaton . This reduces the word membership problem to the problem of determining whether can reach an accepting state. Next, to remove the worktape from (and form ) we replace the output of (which will always be or empty) with a series of guesses of the worktape. That is, a transition of will be simulated by by first making a transition as expected, and then outputting a guess (consistent with the transition) of what the worktape of should be. The automaton will accept a guessed sequence of worktapes iff it is able to find an error in the sequence. The word will be in the language of if is able to reach a final state and produce a word that is correct; that is, is not in the language of .
Note, here, the reversal of the roles of the Players. In , control states are owned by or . When determining if w\in\mathcal{L}\mathopen{}\mathclose{{}\left(B}\right) for some , the first Player tries to show the word is accepted, while the second Player tries to force a non-accepting run. In , however, is accepted iff the output of is not included in the language of . Thus, will effectively be aiming to prove that w\in\mathcal{L}\mathopen{}\mathclose{{}\left(B}\right).
In more detail, we take any -hard language and its equivalent (fixed) alternating -PDA*+*. Given a word , deciding w\in\mathcal{L}\mathopen{}\mathclose{{}\left(B}\right) is -hard. We define directly from rather than going through the intermediate .
A transition of means the following. From control state , upon reading a character from , apply operation to the work-tape (which may become stuck if not applicable) and operation to the stack (which may also become stuck if not applicable). Next, move to control state , from which the remainder of is to be read.
Let be the polynomial bound on the size of the work-tape of given the input word . Let be the alphabet of the work-tape. Let the set of work-tape operations O=\mathopen{}\mathclose{{}\left\{o_{1},\ldots,o_{n}}\right\} and work-tape positions P=\mathopen{}\mathclose{{}\left\{1,\ldots,m}\right\} be disjoint from . Also, let be the initial symbol appearing in each cell of the initial work-tape. We will construct such that
[TABLE]
That is, outputs a sequence of work-tape configurations separated by positions in and operations in . That is, will simulate a run of over .
For every control state of , we will have control states of , where is a suffix of . We will also have where is a work-tape operation to be applied. Then for each transition of we have a transition of . From the automaton will output some character from (a guess at the work-tape head position), followed by (to indicate the operation applied). It will then be able to output any word from (a guess of the work-tape contents) before moving to and continuing the simulation. Initially, will simply output and move to control state where is the initial control state of .
The final step in defining is to assign ownership of the control states. Recall, we needed to switch the roles of the Players. Thus, we define whenever belongs to in . All other control states of are owned by . We define the accepting control states to be those of the form where is accepting in . Observe these have no outgoing transitions.
Next we define the regular automaton which detects mistakes in the work-tape. Such an error is either due to a poorly updated cell, or due to a poorly updated head position. The set of work-tape operations is such that there is a mapping
[TABLE]
where and
- •
means if the head is at position , it is at position after operation , and
- •
means, if the head is at position , is the contents of the cell at position , and operation is applied, then is the contents of the cell after applying . If then could not be applied to this work-tape and became stuck. (E.g. if and the operation required the head to read a character other than .)
Thus, we require the following regular language, for which a polynomially-sized regular automaton is straightforward to construct. Let .
[TABLE]
We have thus defined a -PDA that produces some word not accepted by iff is accepted by .
The final step is to produce a game over a scheme that is equivalent to the game problem for -iterated pushdown automata. This is in fact a straightforward adaptation of the techniques introduced by Knapik et al. [37]. However, we choose to complete the sketch using definitions from Hague et al. [29] as we believe these provide a clearer reference. In particular, we adapt their Definition 4.3.
The key to the reduction is a tight correspondence (given in op. cit.) between configurations of a -iterated pushdown automaton, and terms of the form222In fact, in op. cit. non-terminals had the form . where and are used to handle collapse links, which we do not need here.
. That is, every configuration is represented (in a precise sense) by such a term and every term of such a form represents a configuration. Moreover, for every transition of the pushdown automaton, when we can associate a rewrite rule of the scheme
[TABLE]
such that the term obtained by applying the rewrite rule to is a term where represents the configuration reached by the transition. That is, . When we simply omit , that is
[TABLE]
To each non-terminal, we assign whenever is a control state. Otherwise, . For every accepting control state we introduce the additional rule
[TABLE]
Finally, we have an initial rule
[TABLE]
where is the term representing the initial configuration.
Given the tight correspondence between configurations and transitions of the -PDA and terms and rewrite steps of , alongside the direct correspondence between the owner of a control state and the owner of a non-terminal of , it is straightforward to see, via induction over the length of an accepting run in one direction, or derivation sequence in the other, that is able to produce a word not in iff a word not in is derivable from . Thus, we have reduced the word acceptance problem for some alternating -PDA*+* to the game problem for language inclusion of a scheme. This shows the problem is -hard.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] P. A. Abdulla, Y. Chen, L. Clemente, L. Holík, C.-D. Hong, R. Mayr, and T. Vojnar. Simulation subsumption in Ramsey-based Büchi automata universality and inclusion testing. In CAV , volume 6174 of LNCS , pages 132–147. Springer, 2010.
- 2[2] P. A. Abdulla, Y. Chen, L. Clemente, L. Holík, C.-D. Hong, R. Mayr, and T. Vojnar. Advanced Ramsey-based Büchi automata inclusion testing. In CONCUR , volume 6901 of LNCS , pages 187–202. Springer, 2011.
- 3[3] S. Abramsky. Abstract interpretation, logical relations and Kan extensions. J. Log. Comp. , 1(1):5–40, 1990.
- 4[4] S. Abramsky and C. Hankin. An introduction to abstract interpretation. In Abstract Interpretation of declarative languages , volume 1, pages 63–102. Ellis Horwood, 1987.
- 5[5] K. Aehlig. A finite semantics of simply-typed lambda terms for infinite runs of automata. LMCS , 3(3):1–23, 2007.
- 6[6] K. Backhouse and R. C. Backhouse. Safety of abstract interpretations for free, via logical relations and Galois connections. Sci. Comp. Prog. , 51(1-2):153–196, 2004.
- 7[7] A. Bouajjani, J. Esparza, and O. Maler. Reachability analysis of pushdown automata: Application to model-checking. In CONCUR , volume 1243 of LNCS , pages 135–150. Springer, 1997.
- 8[8] A. Bouajjani and A. Meyer. Symbolic reachability analysis of higher-order context-free processes. In FSTTCS , volume 3328 of LNCS , pages 135–147. Springer, 2004.
