1 Introduction

The class of visibly pushdown languages (Vpl) [6] lies properly between the regular and the context-free languages. Vpl enjoy most desirable properties of regular languages (closure under Boolean operations and decision procedures for, e.g., the equivalence problem). They are well-suited for representing data that have both a linear and a hierarchical ordering, e.g., procedural programs [4, 22, 24, 37] and XML documents [31, 33, 34, 38].

The corresponding automaton model is called visibly pushdown automaton (Vpa). It extends the finite automaton model with a stack of restricted access by requiring that the input symbol specifies the stack action – a call (resp. return) symbol implies a push (resp. pop) operation, and an internal symbol ignores the stack. In this paper, we consider a notion of Vpa where a call always pushes the current state on the stack. These Vpa are called weakly-hierarchical Vpa [7].

Size reduction of automata is an active research topic [2, 3, 8, 9, 14, 15, 32] that is theoretically appealing and has practical relevance: smaller automata require less memory and speed up automata-based tools [21, 23, 27, 29]. In this paper, we present a size reduction technique for a general class of (nondeterministic) Vpa that is different from classes that were considered in previous approaches [5, 13, 30]. An extended version of this paper is available [26].

It is well-known that for deterministic finite automata the unique minimal automaton can be obtained by quotienting (i.e., merging equivalent states), and there exists an efficient algorithm for this purpose [28]. Vpa do not have a canonical minimum [5]. For other automaton classes that lack this property, the usual approach is to find equivalence relations that are sufficient for quotienting [1, 3, 18]. The main difficulty of a quotienting approach for Vpa is that two states may behave similarly given one stack but differently given another stack, and as the number of stacks is usually infinite, one cannot simply compare the behaviors for each of them.

1.1 Motivating Examples

We now present three observations. The first observation is our key insight and shows that Vpa have interesting properties that we can exploit. The other observations show that Vpa have intricate properties that make quotienting nontrivial. For convenience, we use a for internal, c for call, and r for return symbols, and we omit transitions to the sink state.

Fig. 1.
figure 1

A Vpa and two possible quotientings due to unreachable stacks.

Full size image

Exploiting Unreachable Stacks Allows Merging States. Consider the Vpa in Fig. 1(a). The states \(q_1\) and \(q_2\) have the same behavior for the internal symbol a but different behaviors for the return symbol r with stack symbol \(q_0\): Namely, state \(q_1\) leads to the accepting state while \(q_2\) has no respective return transition. However, in \(q_2\) it is generally impossible to take a return transition with stack symbol \(q_0\) since \(q_2\) can only be reached with an empty stack. Thus the behavior for the stack symbol \(q_0\) is “undefined” and we can merge \(q_1\) and \(q_2\) without changing the language. The resulting Vpa is depicted in Fig. 1(b).

Merging States Requires a Transitive Relation. Using the same argument as above, we can also merge the states \(q_2\) and \(q_3\); the result is depicted in Fig. 1(c). For finite automata, mergeability of states is transitive. However, here we cannot merge all three states \(q_1\), \(q_2\), and \(q_3\) without changing the language because \(q_1\) and \(q_3\) have different behaviors for stack symbol \(q_0\). For Vpa, we have to check compatibility for each pair of states.

Merging States Means Merging Stack Symbols. Consider the Vpa in Fig. 2(a). Since for (weakly-hierarchical) Vpa, stack symbols are states, merging the states \(q_1\) and \(q_2\) implicitly merges the stack symbols \(q_1\) and \(q_2\) as well. After merging we receive the Vpa in Fig. 2(b) which recognizes a different language (e.g., it accepts the word \(a_1 c\, r_2\)).

Fig. 2.
figure 2

A Vpa where quotienting of states leads to quotienting of stack symbols.

Full size image

1.2 Our Approach

We define an equivalence relation over Vpa states for quotienting that is language-preserving. This equivalence relation exploits our key observation, namely that we can merge states if they have the same behavior on equivalent reachable stacks, even if they have different behavior in general (Sect. 3). We show an encoding of such a relation as a Boolean partial maximum satisfiability (PMax-Sat) instance (Sect. 4). In order to solve these instances efficiently, we propose a greedy algorithm that finds suboptimal solutions (Sect. 5.1). As a proof of concept, we implemented the algorithm and evaluated it in the context of the automata-based software verifier Ultimate Automizer [23, 25] (Sect. 5.2).

2 Visibly Pushdown Automata

In this section, we recall the basic definitions for visibly pushdown automata [6] and quotienting. After that, we characterize when an automaton is live.

2.1 Preliminaries

Alphabet. A (visibly pushdown) alphabet \(\varSigma = \varSigma _\text {i} \uplus \varSigma _\text {c} \uplus \varSigma _\text {r} \) is a partition consisting of three finite sets of internal (\(\varSigma _\text {i}\)), call (\(\varSigma _\text {c}\)), and return (\(\varSigma _\text {r}\)) symbols. A word is a sequence of symbols. We denote the set of finite words over alphabet \(\varSigma \) by \(\varSigma ^*\) and the empty word by \(\varepsilon \). As a convention we use a for internal, c for call, and r for return symbols, \(x\) for any type of symbol, and vw for words.

The set of well-matched words over \(\varSigma \), \( WM (\varSigma )\), is the smallest set satisfying: (1) \(\varepsilon \in WM (\varSigma ) \); (2) if \(w \in WM (\varSigma ) \), so is wa for \(a \in \varSigma _\text {i} \); and if \(v, w \in WM (\varSigma ) \), so is vcwr for \(c\,r \in \varSigma _\text {c} \cdot \varSigma _\text {r} \), and we call symbols c and r matching. Given a word over \(\varSigma \), for any return symbol we can uniquely determine whether the symbol is matching. The set of matched-return words, \( MR (\varSigma )\), consists of all words where each return symbol is matching. Clearly, \( WM (\varSigma ) \) is a subset of \( MR (\varSigma ) \).

Visibly Pushdown Automaton. A visibly pushdown automaton (Vpa) is a tuple \(\mathcal {A} = (Q, \varSigma , \bot , \varDelta , Q_0, F)\) with a finite set of states Q, a visibly pushdown alphabet \(\varSigma \), a bottom-of-stack symbol \(\bot \notin Q\), a transition relation \(\varDelta = (\varDelta _\text {i}, \varDelta _\text {c}, \varDelta _\text {r})\) consisting of internal transitions \(\varDelta _\text {i} \subseteq Q \times \varSigma _\text {i} \times Q\), call transitions \(\varDelta _\text {c} \subseteq Q \times \varSigma _\text {c} \times Q\), and return transitions \(\varDelta _\text {r} \subseteq Q \times \varSigma _\text {r} \times Q \times Q\), a nonempty set of initial states \(Q_0 \subseteq Q\), and a set of accepting states \(F \subseteq Q\).

A stack \(\sigma \) is a word over \( St \mathop {\mathop {=}\limits ^{\text {def}}} \{\bot \} \cdot Q^*\). We write \(\sigma [i]\) for the i-th symbol of \(\sigma \). A configuration is a pair \((q, \sigma ) \in Q \times St \). A run \(\rho _\mathcal {A} (w)\) of Vpa \(\mathcal {A}\) on word \(w = x _1 x _2 \cdots \in \varSigma ^*\) is a sequence of configurations \((q_0, \sigma _0) (q_1, \sigma _1) \cdots \) according to the following rules (for \(i \ge 0\)):

  1. 1.

    If \(x _{i+1} \in \varSigma _\text {i} \) then \((q_i, x _{i+1}, q_{i+1}) \in \varDelta _\text {i} \) and \(\sigma _{i+1} = \sigma _i\).

  2. 2.

    If \(x _{i+1} \in \varSigma _\text {c} \) then \((q_i, x _{i+1}, q_{i+1}) \in \varDelta _\text {c} \) and \(\sigma _{i+1} = \sigma _i \cdot q_i\).

  3. 3.

    If \(x _{i+1} \in \varSigma _\text {r} \) then \((q_i, x _{i+1}, \hat{q}, q_{i+1}) \in \varDelta _\text {r} \) and \(\sigma _i = \sigma _{i+1} \cdot \hat{q} \).

A run is initial if \((q_0, \sigma _0) \in Q_0 \times \{\bot \}\). A configuration \((q, \sigma )\) is reachable if there exists some initial run \(\rho = (q_0, \sigma _0)(q_1, \sigma _1) \cdots \) such that \((q_i, \sigma _i) = (q, \sigma )\) for some \(i \ge 0\), and unreachable otherwise. Similarly, we say that a stack \(\sigma \) is reachable (resp. unreachable) for state q if \((q, \sigma )\) is reachable (resp. unreachable). A run of length n is accepting if \(q_n \in F\). A word \(w \in \varSigma ^*\) is accepted if some initial run \(\rho _\mathcal {A} (w)\) is accepting. The language recognized by a Vpa \(\mathcal {A}\) is defined as \(L (\mathcal {A}) \mathop {\mathop {=}\limits ^{\text {def}}} \{w \mid w \text { is accepted by } \mathcal {A} \}\). A Vpa is deterministic if it has one initial state and the transition relation is functional.

A finite automaton (Fa) is a Vpa where \(\varSigma _\text {c} = \varSigma _\text {r} = \emptyset \).

Remark 1

We use a variant of Vpa that deviates from the Vpa model by Alur and Madhusudan [6] in two ways: (1) We forbid return transitions when the stack is empty, i.e., the automata accept only matched-return words; this assumption is also used in other works [30, 35]. (2) We consider weakly-hierarchical Vpa where a call transition implicitly pushes the current state on the stack; this assumption is also a common assumption [13, 30]; every Vpa can be converted to weakly-hierarchical form with \(2 |Q| |\varSigma |\) states [7].

Both assumptions are natural in the context of computer programs: The call stack can never be empty, and return transitions always lead back to the respective program location after the corresponding call.

Quotienting. For an equivalence relation over some set S, we denote the equivalence class of element e by [e]; analogously, lifted to sets, let \([T] \mathop {\mathop {=}\limits ^{\text {def}}} \{[e] \mid e \in T\}\).

Given a Vpa \(\mathcal {A} = (Q, \varSigma , \bot , (\varDelta _\text {i}, \varDelta _\text {c}, \varDelta _\text {r}), Q_0, F)\) and an equivalence relation \(\equiv \, \subseteq Q \times Q\) on states, the quotient Vpa is the Vpa \(\mathcal {A}/_\equiv \mathop {\mathop {=}\limits ^{\text {def}}} ([Q], \varSigma , \bot , \varDelta ', [Q_0], [F])\) with \(\varDelta ' = (\varDelta _\text {i} ', \varDelta _\text {c} ', \varDelta _\text {r} ')\) and

  • \(\varDelta _\text {i} ' = \{([p], a, [p']) \mid \exists (q, a, q') \in \varDelta _\text {i} .\,q \in [p], q' \in [p']\}\),

  • \(\varDelta _\text {c} ' = \{([p], c, [p']) \mid \exists (q, c, q') \in \varDelta _\text {c} .\,q \in [p], q' \in [p']\}\), and

  • \(\varDelta _\text {r} ' = \{([p], r, [\hat{p} ], [p']) \mid \exists (q, r, \hat{q}, q') \in \varDelta _\text {r} .\,q \in [p], q' \in [p']\), \(\hat{q} \in [\hat{p} ] \}\).

Quotienting is the process of merging states from the same equivalence class to obtain the quotient Vpa; this implicitly means merging stack symbols, too.

2.2 Live Visibly Pushdown Automata

Let \(Q_{\bot } \mathop {\mathop {=}\limits ^{\text {def}}} Q \cup \{\bot \}\) be the stack alphabet. The function \( top : St \rightarrow Q_{\bot } \) returns the topmost symbol of a stack:

$$\begin{aligned} top (\sigma ) \mathop {\mathop {=}\limits ^{\text {def}}} {\left\{ \begin{array}{ll} \bot &{} \sigma = \bot \\ q &{} \sigma = \sigma ' \cdot q \text { for some } \sigma ' \in St \end{array}\right. } \end{aligned}$$

Given a state q, the function \( tops : Q \rightarrow 2^{Q_{\bot }}\) returns the topmost symbols of all reachable stacks \(\sigma \) for q (i.e., reachable configurations \((q, \sigma )\)):

$$\begin{aligned} tops (q) \mathop {\mathop {=}\limits ^{\text {def}}} \{ top (\sigma ) \mid \exists \sigma \in St .\,(q, \sigma ) \text { is reachable} \} \end{aligned}$$

For seeing that \( tops \) is computable, consider a Vpa \(\mathcal {A} = (Q, \varSigma , \bot , \varDelta , Q_0, F)\). The function \( tops \) is the smallest function \(f : Q \rightarrow 2^{Q_{\bot }}\) satisfying:

  1. 1.

    \(q \in Q_0 \implies \bot \in f(q)\)

  2. 2.

    \(\hat{q} \in f(q), (q, a, q') \in \varDelta _\text {i} \implies \hat{q} \in f(q')\)

  3. 3.

    \((q, \sigma )\) reachable for some \(\sigma \), \((q, c, q') \in \varDelta _\text {c} \implies q \in f(q')\)

  4. 4.

    \(\hat{q} \in f(q), (q, r, \hat{q}, q') \in \varDelta _\text {r} \implies f(\hat{q}) \subseteq f(q')\)

We call a Vpa live if the following holds. For each state q and for each internal and call symbol \(x \) there is at least one outgoing transition \((q, x, q')\) to some state \(q'\); additionally, for each return symbol r and state \(\hat{q}\) there is at least one outgoing return transition \((q, \hat{q}, r, q')\) to some state \(q'\) if and only if \(\hat{q} \in tops (q)\).

Note that a live Vpa has a total transition relation in a weaker sense: There are outgoing return transitions from state q if and only if the respective transition can be taken in at least one run. That is, we forbid return transitions when no corresponding configuration is reachable. Every Vpa can be converted to live form by adding one sink state.

Remark 2

For live Vpa \(\mathcal {A}\), a run \(\rho _\mathcal {A} (w)\) on word w can only “get stuck” in an empty-stack configuration, i.e., if \(w = v_1 r \, v_2\) with \(r \in \varSigma _\text {r} \) such that \(\rho _\mathcal {A} (v_1) = (q_0, \sigma _0) \cdots (q_k, \bot )\) for some \(q_k \in Q\). If \(w \in MR (\varSigma ) \), no run gets stuck.

For the remainder of the paper, we fix a live Vpa \(\mathcal {A} = (Q, \varSigma , \bot , \varDelta , Q_0, F)\). We sometimes refer to this Vpa as the input automaton.

3 A Quotienting Relation for VPA

In this section, we define an equivalence relation on the states of a Vpa that is useful for quotienting, i.e., whose respective quotient Vpa is language-preserving.

We first need the notion of closure under successors for each kind of symbol.

Let \(R \subseteq Q \times Q\) be a binary relation over states and let \(p, q, \hat{p}, \hat{q} \in Q\) be states. We say that R is

  • closed under internal successors for (p, q) if for each internal symbol \(a \in \varSigma _\text {i} \)

    • for all \((p, a, p') \in \varDelta _\text {i} \) there exists \((q, a, q') \in \varDelta _\text {i} \) s.t. \((p', q')\in R\) and

    • for all \((q, a, q') \in \varDelta _\text {i} \) there exists \((p, a, p') \in \varDelta _\text {i} \) s.t. \((p', q')\in R\),

  • closed under call successors for (p, q) if for each call symbol \(c \in \varSigma _\text {c} \)

    • for all \((p, c, p') \in \varDelta _\text {c} \) there exists \((q, c, q') \in \varDelta _\text {c} \) s.t. \((p', q')\in R\) and

    • for all \((q, c, q') \in \varDelta _\text {c} \) there exists \((p, c, p') \in \varDelta _\text {c} \) s.t. \((p', q')\in R\),

  • closed under return successors for \((p, q, \hat{p}, \hat{q})\) if for each return symbol \(r \in \varSigma _\text {r} \)

    • for all \((p, r, \hat{p}, p') \in \varDelta _\text {r} \) there exists \((q, r, \hat{q}, q') \in \varDelta _\text {r} \) s.t. \((p', q')\in R\) and

    • for all \((q, r, \hat{q}, q') \in \varDelta _\text {r} \) there exists \((p, r, \hat{p}, p') \in \varDelta _\text {r} \) s.t. \((p', q')\in R\).

We are ready to present an equivalence relation that is useful for quotienting using a fixpoint characterization.

Definition 1

(Reachability-aware quotienting relation). Let \(\mathcal {A}\) be a Vpa and \(R\subseteq Q\times Q\) be an equivalence relation over states. We say that R is a Raq relation if for each pair of states \((p, q)\in R\) the following constraints hold.

  1. (i)

    State p is accepting if and only if state q is accepting \((p \in F \iff q \in F)\).

  2. (ii)

    R is closed under internal successors for (pq).

  3. (iii)

    R is closed under call successors for (pq).

  4. (iv)

    For each pair of states (resp. topmost stack symbols) \((\hat{p}, \hat{q}) \in R\),

    • R is closed under return successors for \((p, q, \hat{p}, \hat{q} \)), or

    • no configuration \((q, \sigma _q)\) with \(\hat{q} = top (\sigma _q)\) is reachable, or

    • no configuration \((p, \sigma _p)\) with \(\hat{p} = top (\sigma _p)\) is reachable.

Remark 3

“No configuration \((q, \sigma _q)\) with \(\hat{q} = top (\sigma _q)\) is reachable” is equivalent to “\(\hat{q} \notin tops (q)\)”. The equality relation \(\{(q, q) \mid q \in Q\}\) is a Raq relation for any Vpa; the respective quotient Vpa is isomorphic to the input automaton.

Example 1

Consider again the Vpa from Fig. 1(a). We claim that the relation \(R \mathop {\mathop {=}\limits ^{\text {def}}} \{(q, q) \mid q \in Q\} \cup \{(q_1, q_2), (q_2, q_1)\}\) is a Raq relation. Note that it corresponds to the quotient Vpa from Fig. 1(b). First we observe that R is an equivalence relation. We check the remaining constraints only for the two pairs \((q_1, q_2)\) and \((q_2, q_1)\). Both states are not accepting. Relation R is closed under internal (here: a) and call (here: none, i.e., implicitly leading to a sink) successors. The return transition constraint is satisfied because in state \(q_2\) no stack with topmost symbol \(q_0\) is reachable (\(q_0 \notin tops (q_2)\)).

We want to use a Raq relation for language-preserving quotienting. For this purpose we need to make sure that unreachable configurations in Definition 1 do not enable accepting runs that are not possible in the original Vpa. In the remainder of this section, we show that this is indeed the case.

Given an equivalence relation \(R \subseteq Q\times Q\) on states, we call a stack \(\sigma \) the R-quotienting of some stack \(\sigma '\) of the same height if either \(\sigma = \sigma ' = \bot \) or for all \(i = 2, \dots , |\sigma |\) each symbol \(\sigma [i]\) is the equivalence class of \(\sigma '[i]\), i.e., \(\sigma '[i] \in [\sigma [i]]\). We write \(\sigma ' \in [\sigma ]\) in this case. (We compare stacks only for \(i \ge 2\) because the first stack symbol is always \(\bot \).)

Lemma 1

(Corresponding run). Let \(\mathcal {A}\) be a Vpa and \(\equiv \) be some Raq relation for \(\mathcal {A}\). Then for any matched-return word w and respective run

$$\begin{aligned} \rho _{\mathcal {A}/\equiv }(w) = ([p_0], \bot ) \cdots ([p_n], [\sigma _n]) \end{aligned}$$

with \(p_0 \in Q_0\) in \(\mathcal {A}/_\equiv \) there is some corresponding run

$$\begin{aligned} \rho _{\mathcal {A}}(w) = (q_0', \bot ) \cdots (q_n', \sigma _n') \end{aligned}$$

in \(\mathcal {A}\) such that \(q_i' \in [p_i]\) and \(\sigma _i' \in [\sigma _i]\) for all \(i \ge 0\), and furthermore \(q_0' \in Q_0\).

Proof

The proof is by induction on the length of w. The case for \(w = \varepsilon \) is trivial. Now assume \(w' = w \cdot x \) for \(x \in \varSigma \) and fix some run \(\rho _{\mathcal {A}/\equiv }(w') = ([p_0], \bot ) \cdots ([p_n], [\sigma _n]) \cdot ([p_{n+1}], [\sigma _{n+1}])\). The hypothesis ensures that there exists a corresponding run for the prefix \(\rho _{\mathcal {A}}(w) = (q_0', \bot ) \cdots (q_n', \sigma _n')\) s.t. \(q_n' \in [p_n]\) and \(\sigma _n' \in [\sigma _n]\). We will extend this run in each of the three cases for symbol \(x \).

  1. (1)

    If \(x \in \varSigma _\text {i} \), then, since there is a transition \(([p_n], x, [p_{n+1}]) \in \varDelta _\text {i} {}_{/\equiv }\), there exist some states \(q_n'' \in [p_n]\) and \(q_{n+1}'' \in [p_{n+1}]\) s.t. \((q_n'', x, q_{n+1}'') \in \varDelta _\text {i} \) (from the definition of quotienting). Using that \(\equiv \) is closed under internal successors, there also exists a target state \(q_{n+1}' \in [p_{n+1}]\) s.t. \((q_n', x, q_{n+1}') \in \varDelta _\text {i} \). Additionally, because \(x \in \varSigma _\text {i} \), we have that \(\sigma _{n+1}' = \sigma _n' \in [\sigma _n] = [\sigma _{n+1}]\) by the hypothesis.

  2. (2)

    If \(x \in \varSigma _\text {c} \), a similar argument holds, only this time the stack changes. We have that \(\sigma _{n+1}' = \sigma _n' \cdot q_n' \in [\sigma _n \cdot p_n] = [\sigma _{n+1}]\) by the hypothesis.

  3. (3)

    If \(x \in \varSigma _\text {r} \), then the configuration \((q_n', \sigma _n')\) is reachable (witnessed by the run \(\rho _{\mathcal {A}}(w)\)). Since \(\equiv \) is closed under return successors for all states in \([p_n]\) (modulo unreachable configurations), for each top-of-stack symbol \(\hat{q} \in [ top (\sigma _n')]\) s.t. \((q_n', \sigma '' \cdot \hat{q})\) is reachable for some stack \(\sigma ''\) there exists a corresponding return transition \((q_n', x, \hat{q}, q_{n+1}') \in \varDelta _\text {r} \) with \(q_{n+1}' \in [p_{n+1}]\); in particular, this holds for \(\hat{q} = top (\sigma _n')\). Recall that \(\mathcal {A}\) is assumed to be live, which ensures that every return transition that exists in the quotient Vpa has such a witness. The stack property \(\sigma _{n+1}'\in [\sigma _{n+1}]\) follows from the hypothesis.   \(\square \)

From the above lemma we can conclude that quotienting with a Raq relation preserves the language.

Theorem 1

(Language preservation of quotienting). Let \(\mathcal {A}\) be a Vpa and let \(\equiv \) be a Raq relation on the states of \(\mathcal {A}\). Then \(L(\mathcal {A}) = L(\mathcal {A}/_\equiv )\).

Proof

Clearly, \(L (\mathcal {A}) \subseteq L (\mathcal {A}/_\equiv )\) for any equivalence relation \(\equiv \). We show the other inclusion by means of a contradiction.

Assume there exists a word w s.t. \(w \in L(\mathcal {A}/_\equiv ) \setminus L(\mathcal {A})\). By assumption, in \(\mathcal {A}/_\equiv \) there is an initial accepting run \(\rho _{\mathcal {A}/_\equiv }(w)\). Then, by Lemma 1, there is a corresponding run \(\rho _\mathcal {A} (w)\), and furthermore this run is initial.

The run \(\rho _\mathcal {A} (w)\) is also accepting by the property that \([p] \in [F]\) if and only if \(q \in F\) for all \(q \in [p]\) (cf. Property (i) of a Raq relation).   \(\square \)

4 Computing Quotienting Relations

In Sect. 3, we introduced the notion of a Raq relation and showed how we can use it to minimize Vpa while preserving the language. In this section, we show how we can compute a Raq relation. For this purpose, we provide an encoding as a partial maximum satisfiability problem (PMax-Sat). From a (in fact, any) solution, i.e., satisfying assignment, we can synthesize a Raq relation. While this does not result in the coarsest Raq relation possible, the relation obtained is locally optimal, i.e., there is no coarser Raq relation that is a strict superset.

4.1 Computing RAQ Relations

Note that in general there are many possible instantiations of a Raq relation, e.g., the trivial equality relation which is not helpful for minimization. Since we are interested in reducing the number of states, we prefer coarser relations over finer relations.

To obtain a coarse relation, we describe an encoding of the Raq relation constraints as an instance of the PMax-Sat problem [12, 19]. Such a problem consists of a propositional logic formula in conjunctive normal form with each clause being marked as either hard or soft. The task is to find a truth assignment such that all hard clauses are satisfied and the number of the satisfied soft clauses is maximal.

SAT Encoding. For the moment, we ignore soft clauses and provide a standard Sat encoding of the constraints. The encoding has the property that any satisfying assignment induces a valid Raq relation \(\equiv \).

Let \(\textsf {true}\) and \(\textsf {false}\) be the Boolean constants. We need \(\mathcal {O}(n^2) \) variables of the form \(\mathsf {X}_{\{p, q\}} \) where p and q are states of the input automaton. The idea is that \(p \equiv q\) holds if we assign the value \(\textsf {true}\) to \(\mathsf {X}_{\{p, q\}}\). (We ignore the order of p and q as \(\equiv \) must be symmetric.) We express the constraints from Definition 1 as follows.

Consider the constraint (i). For each pair of states (pq) not satisfying the constraint we introduce the clause

$$\begin{aligned} \lnot \mathsf {X}_{\{p, q\}}. \end{aligned}$$
(1)

Consider the constraints (ii), (iii), (iv). For each transition \((p, a, p') \in \varDelta _\text {i} \), \((p, c, p') \in \varDelta _\text {c} \), and \((p, r, \hat{p}, p') \in \varDelta _\text {r} \) and all states q and \(\hat{q} \) we respectively construct one of the following clauses.

$$\begin{aligned} \lnot \mathsf {X}_{\{p, q\}}&\vee (\mathsf {X}_{\{p', q_1^a\}} \vee \dots \vee \mathsf {X}_{\{p', q_{k_a}^a\}}) \end{aligned}$$
(2)
$$\begin{aligned} \lnot \mathsf {X}_{\{p, q\}}&\vee (\mathsf {X}_{\{p', q_1^c\}} \vee \dots \vee \mathsf {X}_{\{p', q_{k_c}^c\}}) \end{aligned}$$
(3)
$$\begin{aligned} \lnot \mathsf {X}_{\{p, q\}}&\vee \lnot \mathsf {X}_{\{\hat{p}, \hat{q} \}} \vee (\mathsf {X}_{\{p', q_1^r\}} \vee \dots \vee \mathsf {X}_{\{p', q_{k_r}^r\}}) \end{aligned}$$
(4)

Here the \(q_i^a\)/\(q_i^c\) are the respective a/c-successors of q and the \(q_i^r\) are the r-successors of q with stack symbol \(\hat{q} \). To account for the unreachable configuration relaxation, we may omit return transition clauses (4) where \(\hat{p} \notin tops (p)\) or \(\hat{q} \notin tops (q)\).

We also need to express that \(\equiv \) is an equivalence relation, i.e., we need additional reflexivity clauses

$$\begin{aligned} \mathsf {X}_{\{q_1, q_1\}} \end{aligned}$$
(5)

and transitivity clauses

$$\begin{aligned} \lnot \mathsf {X}_{\{q_1, q_2\}} \vee \lnot \mathsf {X}_{\{q_2, q_3\}} \vee \mathsf {X}_{\{q_1, q_3\}} \end{aligned}$$
(6)

for any distinct states \(q_1\), \(q_2\), \(q_3\) (assuming there are least three states). Recall that our variables already ensure symmetry.

Let \(\varPhi \) be the conjunction of all clauses of the form (1), (2), (3), (4), (5), and (6). All assignments satisfying \(\varPhi \) represent valid Raq relation s.

However, we know that the assignment

$$\begin{aligned} \mathsf {X}_{\{p, q\}} \mapsto {\left\{ \begin{array}{ll} \textsf {true} &{} p = q \\ \textsf {false} &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

corresponding to the equality relation is always trivially satisfying. Such an assignment is not suited for our needs. We consider an assignment optimal if it represents a Raq relation with a coarsest partition.

PMax-SAT Encoding. We now describe an extension of the Sat encoding to a PMax-Sat encoding. In this setting, we can enforce that the number of variables that are assigned the value \(\textsf {true}\) is maximal.

As an addition to \(\varPhi \), we add for every two states p, q with \(p \ne q\) the clause

$$\begin{aligned} \mathsf {X}_{\{p, q\}} \end{aligned}$$
(7)

and finally we consider all old clauses, i.e., clauses of the form (1)–(6), as hard clauses and all clauses of the form (7) as soft clauses.

4.2 Locally Maximal RAQ Relation

Note that an assignment obtained from the PMax-Sat encoding does not necessarily give us a coarsest Raq relation. Consider a Vpa with seven states \(q_0, \dots , q_6\) and the partition \(\big \{\{q_0, q_1, q_2, q_3\}\), \(\{q_4\}\), \(\{q_5\}\), \(\{q_6\} \big \}\). Here we set six variables to \(\textsf {true}\) (all pairs of states from the first set). However, the partition \(\big \{ \{q_0, q_1, q_2\}\), \(\{q_3, q_4\}\), \(\{q_5, q_6\} \big \}\) is coarser, and yet we only set five variables to \(\textsf {true}\).

Despite not finding the globally maximal solution, we can establish local maximality.

Theorem 2

(Local maximum). A satisfying assignment of the PMax-Sat instance corresponds to a Raq relation such that no strict superset of the relation is also a Raq relation.

Proof

It is clear from the construction that in the obtained assignment, no further variable \(\mathsf {X}_{\{p, q\}}\) can be assigned the value \(\textsf {true}\). Each such variable determines membership of the symmetric pairs (pq) and (qp) in the Raq relation.   \(\square \)

5 Experimental Evaluation

In this section, we report on our implementation and its potential in practice.

5.1 Implementation

Initially, we apply the following preprocessing steps for reducing the complexity. First, we remove unreachable and dead states and make the Vpa live for return transitions (we do not require that the Vpa is total for internal or call transitions). Second, we immediately replace variables \(\mathsf {X}_{\{p\}} \) by \(\textsf {true}\) (reflexivity). Third, we construct an initial partition of the states and replace variables \(\mathsf {X}_{\{p,q\}} \) by \(\textsf {false}\) if p and q are not in the same block. This partition is the coarsest fixpoint of a simple partition refinement such that states in the same block have the same acceptance status, the same outgoing internal and call symbols, and, if all states in a block have a unique successor under an internal/call symbol, those successors are in the same block (cf. Definition 1 and Hopcroft’s algorithm [28]).

Optimally solving a PMax-Sat instance is an Np-complete problem. Expectedly, a straightforward implementation of the algorithm presented in Sect. 4 using an off-the-shelf PMax-Sat solver does not scale to interesting problems (see also the extended version [26]). Therefore, we implemented a domain-specific greedy PMax-Sat solver that only maximizes the satisfied soft clauses locally.

Our solver is interactive, i.e., clauses are added one after another, and propagation is applied immediately. After adding the last clause, the solver chooses some unset variable and first sets it to \(\textsf {true}\) optimistically. Theorem 2 still holds with this strategy. Apart from that, the solver follows the standard DPLL algorithm and uses no further enhancements found in modern Sat solvers.

Remark 4

If the Vpa is deterministic, we obtain a Horn clause system. Then the above algorithm never needs to backtrack for more than one level, as the remaining clauses can always be satisfied by assigning \(\textsf {false}\) to the variables.

The main limitation of the approach is the memory consumption. Clearly, the majority of clauses are those expressing transitivity. Therefore, we implemented and integrated a solver for the theory of equality: When a variable \(\mathsf {X}_{\{p, q\}} \) is set to \(\textsf {true}\), this solver returns all variables that must also be set to \(\textsf {true}\) for consistency. That allowed us to omit the transitivity clauses (see [26] for details).

5.2 Experiments

Our evaluation consists of three parts. First, we evaluate the impact of our minimization on an verifier Ultimate Automizer. Second, we evaluate the performance of our minimization on automata that were produced by Ultimate Automizer. Third, we evaluate the performance of our minimization on a set of random automata. All experiments are performed on a PC with an Intel i7 3.60 GHz CPU running Linux.

Impact on the software verifier Ultimate Automizer. The software verifier Ultimate Automizer [23] follows an automata-based approach [25] in which sets of program traces are represented by automata. The approach can be seen as a CEGAR-style algorithm in which an abstraction is iteratively refined. This abstraction is represented as a weakly-hierarchical Vpa where the automaton stack only keeps track of the states from where function calls were triggered.

For our evaluation, we run Ultimate Automizer on a set of C programs in two different modes. In the mode “No minimization” no automata minimization is applied. In the mode “Minimization” we apply our minimization in each iteration of the CEGAR loop to the abstraction if it has less than 10, 000 states. (In cases where the abstraction has more than 10, 000 states the minimization can be too slow to pay off on average.)

As benchmarks we took C programs from the repository of the SV-COMP 2016 [10] and let Ultimate Automizer analyze if the error location is reachable. In this repository the folders systemc and eca-rers2012 contain programs that use function calls (hence the Vpa contain calls and returns) and in whose analysis the automata sizes are a bottleneck for Ultimate Automizer. We randomly picked 100 files from the eca-rers2012 folder and took all 65 files from the systemc folder. The timeout of Ultimate Automizer was set to 300 s and the available memory was restricted to 4 GiB.

Table 1. Performance of Ultimate Automizer with and without minimization. Column # shows the number of successful reachability analyses (out of 165), average run time is given in milliseconds, average removal shows the states removed for all iterations, and the last column shows the relative number of iterations where minimization was employed. The first two rows contain the data for those programs where both modes succeeded, and the third row contains the data for those programs where only the minimization mode succeeded.
Full size table
Table 2. Performance of our algorithm on automata produced by Ultimate Automizer (see also Fig. 3). We aggregate the data for all automata whose number of states is in a certain interval. Column # shows the number of automata, #nd shows the number of nondeterministic automata, and the other data is reported as average. The next seven columns show information about the input automata. The run time is given in milliseconds. The last two columns show the number of variables and clauses passed to the PMax-Sat solver.
Full size table

The results are given in Table 1. Our minimization increases the number of programs that are successfully analyzed from 66 to 78. On programs that are successfully analyzed in both modes, the mode using minimization is slightly faster. Hence, the additional cost due to minimization is more than compensated by savings in other operations on the (now smaller) Vpa on average.

Evaluation on automata from Ultimate Automizer. To evaluate the performance of our minimization algorithm in more details, we applied it to a benchmark set that consists of 1026 Vpa produced by Ultimate Automizer. All automata from this set contain call and return transitions and do not contain any dead ends (states from which no accepting state is reachable). Details on the construction of these automata can be found in the extended version [26]

Fig. 3.
figure 3

Minimization results on automata produced by Ultimate Automizer (see also Table 2). D(N) stands for (non-)deterministic automata.

Full size image

We ran our implementation on these automata using a timeout of 300 s and a memory limit of 4 GiB. Within the resource bounds we were able to minimize 596 of the automata. Details about these automata and the minimization run are presented in Table 2. In the table we grouped automata according to their size. For instance, the first row aggregates the data of all automata that have up to 250 states. The table shows that we were able to minimize automata up to a five-digit number of states and that automata that have a few thousand states can be minimized within seconds. Figure 3 shows the sizes of the minimization results. The first four graphs compare the sizes of input and output in terms of states and transitions. The fourth graph shows that the (partly) significant size reduction is not only due to “intraprocedural” merges, but that also the number of return transitions is reduced. The last two graphs show that the relative size reduction is higher on larger automata. The reason is that small automata in Ultimate Automizer tend to have similarities to the control flow graph of a program, which is usually already minimal.

Fig. 4.
figure 4

Minimization results on random Vpa with 100 states, of which \(50\%\) are accepting, and with one internal, call, and return symbol each. Return transitions are each inserted with 50 random stack symbols. The transition density is increased in steps of \(2\%\). Each data point stems from 500 random automata.

Full size image

Evaluation on Random Automata. The automata produced by Ultimate Automizer have relatively large alphabets (according to Table 2 there are on average less than 10 states per symbol) and are extremely sparse (on average less than 1.5 transitions per state). To investigate the applicability of our approach to Vpa without such structure, we also evaluate it on random nondeterministic Vpa. We use a generalization of the random Büchi automata model by Tabakov and Vardi [36] to Vpa (see the extended version [26] for details). Figure 4 shows that our algorithm can remove some states on top of removing dead ends for lower transition densities, but overall it seems more appropriate to automata that have some structure.

6 Related Work

Alur et al. [5] show that a canonical minimal Vpa does not exist in general. They propose the single entry-Vpa (Sevpa) model, a special Vpa of equivalent expressiveness with the following constraints: Each state and call symbol is assigned to one of k modules, and each module has a unique entry state which is the target of all respective call transitions. This is enough structure to obtain the unique minimal k-Sevpa from any given k-Sevpa by quotienting.

Kumar et al. [30] extend the idea to modular Vpa. Here the requirement of having a unique entry per module is overcome, but more structure must be fixed to preserve a unique minimum – most notably the restriction to weakly-hierarchical Vpa and the return alphabet being a singleton.

Chervet and Walukiewicz [13] generalize the above classes to call driven automata. They show that general Vpa can be exponentially more succinct than the three classes presented. Additionally, they propose another class called block V pa for which a unique minimum exists that is at most quadratic in the size of some minimal (general) Vpa. However, to find it, the “right” partition into modules must be chosen, for which no efficient algorithm is known.

All above Vpa classes have in common that the languages recognized are subsets of \( WM (\varSigma )\), the states are partitioned into modules, and the minimal automaton (respecting the partition) can be found by quotienting. While the latter is an enjoyable property from the algorithmic view, the constraints limit practical applicability: Even under the assumption that the input Vpa recognizes a well-matched language, if it does not meet the constraints, it must first be converted to the respective form. This conversion generally introduces an exponential blow-up in the number of states. In contrast, our procedure assumes only weakly-hierarchical Vpa accepting matched-return words. In general, a weakly-hierarchical Vpa can be obtained with only a linear blow-up. (In Ultimate Automizer the automata already have this form.)

Fig. 5.
figure 5

A parametric k-Sevpa.

Full size image

Consider the k-Sevpa in Fig. 5. It has k modules \(\{ q_1 \}\), \(\dots \), \(\{ q_k \}\) (and the default module \(\{ q_0, q_f \}\)). This is the minimal k-Sevpa recognizing the language with the given modules. Our algorithm will (always) merge all singleton modules into one state, resulting in a (minimal) three-state Vpa.

Caralp et al. [11] present a polynomial trimming procedure for Vpa. The task is to ensure that every configuration exhibited in the Vpa is both reachable and co-reachable. Such a procedure may add new states. We follow the opposite direction and exploit untrimmed configurations to reduce the number of states.

Ehlers [17] provides a Sat encoding of the question “does there exist an equivalent Büchi automaton (Ba) of size \(n-1\)”. Baarir and Duret-Lutz [8, 9] extend the idea to so-called transition-based generalized Ba. Since the search is global, on the one hand, such a query can be used iteratively to obtain a reduced Ba after each step and some globally minimal Ba upon termination; on the other hand, global search leaves little structure to the solver.

Geldenhuys et al. [20] also use a Sat encoding to reduce the state-space of nondeterministic Fa. The first step is to construct the minimal deterministic Fa \(\mathcal {B}\). Then the solver symbolically guesses a candidate Fa of a fixed size and checks that the automaton resulting from the subset construction applied to the candidate is isomorphic to \(\mathcal {B}\). If the formula is unsatisfiable, the candidate size must be increased. Determinization may incur an exponential blow-up, and the resulting automaton is not always (but often) minimal.

In contrast to the above works, our PMax-Sat encoding consists of constraints about a quotienting relation (which always exists) that is polynomial in the size of the Vpa. We do not find a minimal Vpa, but our technique can be applied to Vpa of practical relevance (the authors report results for automata with less than 20 states), in particular using our greedy algorithm.

Restricted to Fa, the definition of a Raq relation coincides with direct bisimulation [16, 18]. This has two consequences. First, for Fa, we can omit the transitivity clauses because a direct bisimulation is always transitive. Second, our algorithm always produces the (unique) maximal direct bisimulation. This can be seen as follows. If two states p and q bisimulate each other, then \(\mathsf {X}_{\{p, q\}}\) can be assigned \(\textsf {true}\): since we are looking for a maximal assignment, we will assign this value. If p and q do not bisimulate each other, then in any satisfying assignment \(\mathsf {X}_{\{p, q\}}\) must be \(\textsf {false}\). Alternatively, one can also say that our algorithm searches for some maximal fixpoint, which is unique for direct bisimulation.

For Fa, it is well-known that minimization based on direct simulation yields smaller automata compared to direct bisimulation (i.e., the induced equivalence relation is coarser) [18]. Two states can be merged if they simulate each other. Our PMax-Sat encoding can be generalized to direct simulation by making the variables non-symmetric, i.e., using both \(\mathsf {X}_{p,q} \) and \(\mathsf {X}_{q,p} \) and adapting the clauses in a straightforward way. This increases the complexity by a polynomial.