Revisiting Underapproximate Reachability for Multipushdown Systems

Boolean programs with multiple recursive threads can be captured as pushdown automata with multiple stacks. This model is Turing complete, and hence, one is often interested in analyzing a restricted class which still captures useful behaviors. In this paper, we propose a new class of bounded underapproximations for multi-pushdown systems, which subsumes most existing classes. We develop an efficient algorithm for solving the under-approximate reachability problem, which is based on efficient fix-point computations. We implement it in our tool BHIM and illustrate its applicability by generating a set of relevant benchmarks and examining its performance. As an additional takeaway BHIM solves the binary reachability problem in pushdown automata. To show the versatility of our approach, we then extend our algorithm to the timed setting and provide the first implementation that can handle timed multi-pushdown automata with closed guards.


Introduction
The reachability problem for pushdown systems with multiple stacks is known to be undecidable.However, multi-stack pushdown automata (MPDA hereafter) represent a theoretically concise and analytically useful model of multi-threaded recursive programs with shared memory.As a result, several previous works in the literature have proposed different under-approximate classes of behaviors of MPDA that can be analyzed effectively, such as Round Bounded, Scope Bounded, Context Bounded and Phase Bounded [18,19,28,13,20,17].From a practical point of view, these underapproximations has led to efficient tools including, GetaFix [21], SPADE [23].It has also been argued (e.g., see [24]) that such bounded underapproximations suffice to find several bugs in practice.In many such tools efficient fix-point techniques are used to speed-up computations.
We extend known fix-point based approaches by developing a new algorithm that can handle a larger class of bounded underapproximations than bounded context and bounded scope for multi-pushdown systems while remaining efficiently implementable.This algorithm works for a new class of underapproximate behaviors called hole bounded behaviors, which subsumes contex-t/scope bounded underapproximations, and is orthogonal to phase bounded underapproximations.A "hole" is a maximal sequence of push operations of a fixed stack, interspersed with well-nested sequences of any stack.Thus, in a sequence α = βγ where β = [push 1 (push 2 push 3 pop 3 pop 2 )push 1 (push 3 pop 3 )] 10  and γ = push2push1pop2pop1(pop1) 20 , β is a hole with respect to stack 1.The suffix γ has 2 holes (the push 2 and the push 1 ).The number of context switches in α is > 50, and so is the number of changes in scope, while α is 3-hole bounded.A (k-)hole bounded sequence is one such, where, at any point of the computation, the number of holes are bounded (by k).We show that the class of hole bounded sequences subsumes most of the previously defined classes of underapproximations and is, in fact, contained in the very generic class of tree-width bounded sequences.This immediately shows decidability of reachability Analyzing the more generic class of tree-width bounded sequences is often much more difficult; for instance, building bottom-up tree automata for this purpose does not scale very well as it explores a large (and often useless) state space.Our technique is radically different from using tree automata.Under the hole-bounded assumption, we pre-compute information regarding well-nested sequences and holes using fix-point computations and use them in our algorithm.Using efficient data structures to implement this approach, we develop a tool (BHIM) for Bounded Hole reachability in Multi-stack pushdown systems.

Highlights of BHIM.
• Two significant aspects of the fix-point approach in BHIM are: we efficiently solve the binary reachability problem for pushdown automata.i.e., BHIM computes all pairs of states (s, t) such that t is reachable from s with empty stacks.This allows us to go beyond reachability and handle some liveness questions; (ii) we pre-compute the set of pairs of states that are endpoints of holes.This allows us to greatly limit the search for an accepting run.
• While the fix-point approach solves (binary) reachability efficiently, it does not a priori produce a witness of reachability.We remedy this situation by proposing a backtracking algorithm, which cleverly uses the computations done in the fixpoint algorithm, to generate a witness efficiently.
• BHIM is parametrized with respect to the hole bound: if non-emptiness can be checked or witnessed by a well-nested sequence (this is an easy witness and BHIM looks for easy witnesses first, then gradually increases complexity, if no easy witness is found), then it is sufficient to have the hole bound 0; increasing this complexity measure as required to certify non-emptiness gives an efficient implementation, in the sense that we search for harder witnesses only when no easier witnesses (w.r.t this complexity measure) exist.In all examples as described in the experimental section, a small (less than 4) bound suffices and we expect this to be the case for most practical examples.
• Finally, extend our approach to handle timed multi-stack pushdown systems.This shows the versatility of our approach and also requires us to solve several technical challenges which are specific to the timed setting.Implementing this approach in BHIM makes it, to the best of our knowledge, the first tool that can analyze timed multi-stack pushdown automata (TMPDA) with closed guards.
We analyze the performance of BHIM in practice, by considering benchmarks from the literature, and generating timed variants of some of them.We modeled two variants of the Bluetooth example [10,23] and BHIM was able to detect three errors (of which it seems only two were already known).Likewise, for an example of a multiple producer consumer model, BHIM could detect bugs by finding witnesses having just 3 holes, while, it is unlikely that existing tools working on scope/context bounded underapproximations can handle them as the number of scope/context switches would exceed 40 to find the bug.In the timed setting, one of the main challenges faced has been the unavailability of timed benchmarks; even in the untimed setting, many benchmarks were unavailable due to their proprietary nature.Nevertheless we tested our tool on 5 other benchmarks and 3 timed variants whose details, along with their parametric dependence plots, are given in Supplementary Material [26].Due to lack of space proofs and technical details, especially in the timed setting are also in [26].Related Work.Among other under-approximations, scope bounded [28] subsumes context and round bounded underapproximations, and it also paves path for GetaFix [21], a tool to analyze recursive (and multi-threaded) boolean programs.As mentioned earlier hole-boundedness strictly subsumes scope boundedness.On the other hand, GetaFix uses symbolic approaches via BDDs, which is orthogonal to the improvements made in this paper.Indeed, our next step would be to build a symbolic version of BHIM which extends the hole-bounded approach to work with symbolic methods.Given that BHIM can already handle synthetic examples with 12-13 holes (see [26]), we expect this to lead to even more drastic improvements and applicability.For sequential programs, a summary-based algorithm is used in [21]; summaries are like our well-nested sequences, except that well-nested sequences admit contexts from different stacks unlike summaries.As a result, our class of bounded hole behaviors generalizes summaries.Many other different theoretical results like phase bounded [18], order bounded [7] which gives interesting underapproximations of MPDA, are subsumed in tree-width bounded behaviors, but they do not seem to have practical implementations.Adding real-time information to pushdown automata by using clocks or timed stacks has been considered, both in the discrete and dense-timed settings.Recently, there has been a flurry of theoretical results in the topic [9,1,2,4,5].However, to the best of our knowledge none of these algorithms have been successfully implemented (except [5] which implements a tree-automata based technique for single-stack timed systems) for multi-stack systems.One reason is that these algorithms do not employ scalable fix-point based techniques, but instead depend on region automaton-based search or tree automata-based search techniques.

Underapproximations in MPDA
A multi-stack pushdown automaton (MPDA) is a tuple M = (S, ∆, s 0 , S f , n, Σ, Γ ) where, S is a finite non-empty set of locations, ∆ is a finite set of transitions, s 0 ∈ S is the initial location, S f ⊆ S is a set of final locations, n ∈ N is the number of stacks, Σ is a finite input alphabet, and Γ is a finite stack alphabet which contains ⊥.A transition t ∈ ∆ can be represented as a tuple (s, op, a, s ), where, s, s ∈ S are respectively, the source and destination locations of the transition t, a ∈ Σ is the label of the transition, and op is one of the following operations (1) nop, or no stack operation, (2) For a transition t = (s, op, a, s ) we write src(t) = s, tgt(t) = s and op(t) = op.At the moment we ignore the action label a but this will be useful later when we go beyond reachability to model checking.A configuration of the MPDA is a tuple (s, λ 1 , λ 2 , . . ., λ n ) such that, s ∈ S is the current location and λ i ∈ Γ * represents the current content of i th stack.The semantics of the MPDA is defined as follows: a run is accepting if it starts from the initial state and reaches a final state with all stacks empty.The language accepted by a MPDA is defined as the set of words generated by the accepting runs of the MPDA.Since the reachability problem for MPDA is Turing complete, we consider underapproximate reachability.
A sequence of transitions is called complete if each push in that sequence has a matching pop and vice versa.A well-nested sequence denoted ws is defined inductively as follows: a possibly empty sequence of nop-transitions is ws, and so is the sequence t ws t where op(t) = (↓ i α) and op(t ) = (↑ i α) are a matching pair of push and pop operations of stack i, ∀i ∈ {1 . . .n}. Finally the concatenation of two well-nested sequences is a well-nested sequence, i.e., they are closed under concatenation.The set of all well-nested sequences defined by an MPDA is denoted WS.If we visualize this by drawing edges between pushes and their corresponding pops, well-nested sequences have no crossing edges, as in Bounded underapproximations for multistack timed pushdown systems 13 The witness algorithm uses k stacks to correctly implement the backtracking procedure, to deal with k kinds of holes.We refer to these as witness stacks, not to confuse with the stacks of the multistack system.
• Assume that the current pop operation is closing a hole of kind i. Searching among possible push transitions, we identify the matching push transition associated with this pop.On backtracking, this leads us to a parent node with an atomic hole (see figure 3, the green atomic hole), having a left end point as the push point, and the right end point as the target of a ws (if any).We push onto the witness stack i, a barrier (a delimiter symbol #) followed by ws and then the matching push transition.The barrier is useful in segregating the contents of the witness stack, especially when we obtain two pop transitions of the same stack (" 1 and " 5 ) in the reverse run which close two di↵erent holes (the first blue hole and the second blue hole) of the same stack as in Fig. 6.A run with 3 holes.The blue holes correspond to stack 1, and the pink hole to stack 2. A final state is reached from "1 on a discrete transition.
We illustrate the multistack case on an example.Assume that the path we obtain on back tracking is as in Figure 6.Holes arising from pending pushes of stack 1 are blue holes, and those from stack 2 are red holes in the figure.We have two blue holes : the first blue hole has a left end point #1, and right end point ws3.The second blue hole has a left end point #4, and right end point #5.
The pink hole has left end point #1 and right end point ws4.
1. From the final configuration (sf , vf ), on backtracking, we obtain the pop operation ("1).By the fixed point algorithm, this operation closes the first blue hole, matching the first pending push #1.In the computation tree, the parent node has the atomic blue hole consisting of just the #1.Notice also that, in the parent node, this is the only blue hole, since the second blue hole in figure 6 is closed, and hence does not exist in the parent node.We use two witness stacks, a blue stack and a pink stack to track the information with respect to the blue and pink holes.On encountering a pop transition • Assume that the current pop operation is shrinking a hole of kind i.
The list at the present node has this hole, and its parent will have a larger hole, obtained by appending an atomic hole segment to the hole in the child node.As in the case above, we first identify the matching push transition, and check if it agrees with the last atomic hole segment in the parent.If so, we populate the witness stack i with the rightmost atomic hole segment of the parent node (see figure 3).Each time we find a pop on going up the run tree, we find the rightmost atomic hole segment of the parent node, and keep pushing it on the stack, until we reach the node which is obtained as a result of a hole creation.At this point, we have completely recovered the entire hole information by backtracking, and filling the stack with the atomic hole segments which constituted this hole.Notice that when we finish processing a hole of kind i, then the witness stack i has the hole reversed inside it, followed by a barrier.The next hole of the same kind i will be treated in the same manner.
-If the current node is obtained by creating a hole of kind i in the fixed point algorithm, then we pop the contents of witness stack i till we reach a barrier.This spits out the atomic hole segments of the hole from the right to the left, giving us a sequence of push transitions, and the respective ws in between.
The transitions constituting the ws are retrieved using the witness algorithm for the single stack case, and added.Notice that popping the witness stack i till a barrier spits out the sequence of transitions in the correct reverse order while backtracking.
Appendix 10 shows an illustrating example.

Experiments
We tested our implementation on di↵erent examples.Being first of its kind it was di cult for us to find proper benchmark examples to run and compare our results.But we managed to get some well known examples from di↵erent literatures.Most of them were untimed but we tried to add time in a relevant way.

Bluetooth Driver [9]
Here we will first consider a Bluetooth device driver which uses two threads.
We will try to model this Bluetooth driver as shown in the Fig. 4. The driver maintains a structure, and any thread can modify the values of the variables in the structure.The variables in the structure can be listed as follows, a See Appendix 9.1 for the full example.• Assume that the current pop operation is shrinking a hole of kind i.
The list at the present node has this hole, and its parent will have a larger hole, obtained by appending an atomic hole segment to the hole in the child node (see Figure 3, the atomic green hole followed by the atomic violet hole at the parent node of the atomic green hole).As in the case above, we first identify the matching push transition, and check if it agrees with the last atomic hole segment in the parent.If so, we populate the witness stack i with the rightmost atomic hole segment of the parent node (see Figure 3, the violet atomic segment is populated in the stack).Each time we find a pop on going up the exploration graph, we find the rightmost atomic hole segment of the parent node, and keep pushing it on the stack, until we reach the node which is obtained as a result of a hole creation.At this point, we have completely recovered the entire hole information by backtracking, and filling the stack with the atomic hole segments which constituted this hole.Notice that when we finish processing a hole of kind i, then the witness stack i has the hole reversed inside it, followed by a barrier.The next hole of the same kind i will be treated in the same manner.
-If the current node is obtained by creating a hole of kind i in the fixed point algorithm, then we pop the contents of witness stack i till we reach a barrier.This spits out the atomic hole segments of the hole from the right to the left, giving us a sequence of push transitions, and the respective ws in between.
The transitions constituting the ws are retrieved using the witness algorithm for the single stack case, and added.Notice that popping the witness stack i till a barrier spits out the sequence of transitions in the correct reverse order while backtracking.
Appendix 9 shows an illustrating example.
and Bounded underapproximations for multistack timed pushdown systems 13 s algorithm uses k stacks to correctly implement the backtracking to deal with k kinds of holes.We refer to these as witness stacks, fuse with the stacks of the multistack system.e that the current pop operation is closing a hole of kind i. Searchong possible push transitions, we identify the matching push ion associated with this pop.On backtracking, this leads us to t node with an atomic hole (see figure 3, the green atomic hole), a left end point as the push point, and the right end point as get of a ws (if any).We push onto the witness stack i, a bardelimiter symbol #) followed by ws and then the matching push ion.The barrier is useful in segregating the contents of the witack, especially when we obtain two pop transitions of the same " 1 and " 5 ) in the reverse run which close two di↵erent holes st blue hole and the second blue hole) of the same stack as in Title Suppressed Due to Excessive Length 13 blue hole and the first blue hole) of the same stack as in rate the multistack case on an example.Assume that the path we ck tracking is as in Figure 6.Holes arising from pending pushes of blue holes, and those from stack 2 are red holes in the figure.We ue holes : the first blue hole has a left end point # 1 , and right end he second blue hole has a left end point # 4 , and right end point # 5 .le has left end point # 1 and right end point ws 4 .
e final configuration (s f , v f ), on backtracking, we obtain the pop n (" 1 ).By the fixed point algorithm, this operation closes the first e, matching the first pending push # 1 .In the computation tree, the ode has the atomic blue hole consisting of just the # 1 .Notice also the parent node, this is the only blue hole, since the second blue hole 6 is closed, and hence does not exist in the parent node.We use ess stacks, a blue stack and a pink stack to track the information pect to the blue and pink holes.On encountering a pop transition t the current pop operation is shrinking a hole of kind i.
the present node has this hole, and its parent will have a obtained by appending an atomic hole segment to the hole node.As in the case above, we first identify the matching ion, and check if it agrees with the last atomic hole segment t.If so, we populate the witness stack i with the rightmost segment of the parent node (see figure 3).Each time we find a g up the run tree, we find the rightmost atomic hole segment t node, and keep pushing it on the stack, until we reach the is obtained as a result of a hole creation.At this point, we tely recovered the entire hole information by backtracking, he stack with the atomic hole segments which constituted n we finish processing a hole of kind i, then the witness stack eversed inside it, followed by a barrier.The next hole of the l be treated in the same manner.de is obtained by creating a hole of kind i in the fixed point we pop the contents of witness stack i till we reach a barrier.e atomic hole segments of the hole from the right to the left, ence of push transitions, and the respective ws in between.constituting the ws are retrieved using the witness algorithm ack case, and added.Notice that popping the witness stack i ts out the sequence of transitions in the correct reverse order ing.
an illustrating example.ts pendix 10.1 for the full example.e that the current pop operation is shrinking a hole of kind i. t at the present node has this hole, and its parent will have a hole, obtained by appending an atomic hole segment to the hole child node (see Figure 3, the atomic green hole followed by the violet hole at the parent node of the atomic green hole).As in e above, we first identify the matching push transition, and check rees with the last atomic hole segment in the parent.If so, we te the witness stack i with the rightmost atomic hole segment of ent node (see Figure 3, the violet atomic segment is populated in ck).Each time we find a pop on going up the exploration graph, the rightmost atomic hole segment of the parent node, and keep g it on the stack, until we reach the node which is obtained as a f a hole creation.At this point, we have completely recovered the hole information by backtracking, and filling the stack with the hole segments which constituted this hole.t when we finish processing a hole of kind i, then the witness stack ole reversed inside it, followed by a barrier.The next hole of the i will be treated in the same manner.nt node is obtained by creating a hole of kind i in the fixed point then we pop the contents of witness stack i till we reach a barrier.out the atomic hole segments of the hole from the right to the left, sequence of push transitions, and the respective ws in between.tions constituting the ws are retrieved using the witness algorithm le stack case, and added.Notice that popping the witness stack i r spits out the sequence of transitions in the correct reverse order tracking.
, where we have two stacks, depicted with red and violet edges.We emphasize that a well-nested sequence can have well-nested edges from any stack.In a sequence σ, a push (pop) is called a pending push (pop) if its matching pop (push) is not in the same sequence σ.Bounded Underapproximations.As mentioned in the introduction, different bounded under-approximations have been considered in the literature to get around the Turing completeness of MPDA.During a computation, a context is a sequence of transitions where only one stack or no stack is used.In context bounded computations the number of contexts are bounded [25].A round is a sequence of (possibly empty) contexts for stacks 1, 2, . . ., n. Round bounded computations restrict the total number of rounds allowed [19,4,5].Scope bounded computations generalize bounded context computations.Here, the context changes within any push and its corresponding pop is bounded [19,20,17].A phase is a contiguous sequence of transitions in a computation, where we restrict pop to only one stack, but there are no restrictions on the pushes [18].A phase bounded computation is one where the number of phase changes is bounded.Tree-width.A generic way of looking at them is to consider classes which have a bound on the tree-width [22].In fact, the notions of split-width/cliquewidth/tree-width of communicating finite state machines/timed push down systems has been explored in [3], [12].The behaviors of the underlying system are then represented as graphs.It has been shown in these references that if the family of graphs arising from the behaviours of the underlying system (say S) have a bounded tree-width, then the reachability problem is decidable for S via, tree-automata.However, this does not immediately give rise to an efficient implementation.The tree-automata approach usually gives non-deterministic or bottom-up tree automata, which when implemented in practice (see [5]) tend to blow up in size and explore a large and useless space.Hence there is a need for efficient algorithms, which exist for more specific underapproximations such as context-bounded (leading to fix-point algorithms and their practical implementations [21]).

A new class of under-approximations
Our goal is to bridge the gap between having practically efficient algorithms and handling more expressive classes of under-approximations for reachability of multi-stack pushdown systems.To do so, we define a bounded approximation which is expressive enough to cover previously defined practically interesting classes (such as context bounded etc), while at the same time allowing efficient decidable reachability tests, as we will see in the next section.
Definition 1. (Holes).Let σ be complete sequence of transitions, of length n in a MPDA, and let ws be a well-nested sequence.
-A hole of stack i is a maximal factor of σ of the form (↓ i ws) + , where ws ∈ WS.The maximality of the hole of stack i follows from the fact that any possible extension ceases to be a hole of stack i; that is, the only possible events following a maximal hole of stack i are a push ↓ j of some stack j = i, or a pop of some stack j = i.In general, whenever we speak about a hole, the underlying stack is clear.-A push ↓ i in a hole (of stack i) is called a pending push at (i.e., just before) a position x ≤ n, if its matching pop occurs in σ at a position z > x.
-A hole (of stack i) is said to be open at a position x ≤ n, if there is a pending push ↓ i of the hole at x. Let # x (hole) denote the number of open holes at position x.The hole bound of σ is defined as max 1≤x≤|σ| # x (hole).-A hole segment of stack i is a prefix of a hole of stack i, ending in a ws, while an atomic hole segment of stack i is just the segment of the form ↓ i ws.
As an example, consider the sequence σ in Figure 1 of transitions of a MPDA having stacks 1,2 (denoted respectively red and blue).We use superscripts for each push, pop of each stack to distinguish the ith push, jth pop and so on of each stack.There are two holes of stack 1 (red stack) denoted by the red patches, A run σ with 2 holes (2 red patches) of the red stack and 1 hole (one blue patch) of the blue stack.
and one hole of stack 2 (blue stack) denoted by the blue patch.The subsequence ↓ 1 1 ↓ 2 1 ws 2 of the first hole is not a maximal factor, since it can be extended by ↓ 3  1 ws 3 in the run σ, extending the hole.Consider the position in σ marked with ↓ A detailed proof of this Proposition is given in [26].Once we have this, from [22][4] [5], decidability and complexity follow immediately.Thus, ) where, M is the size of the underlying MPDA.
Next, we turn to the expressiveness of this class with respect to the classical underapproximations of MPDA: first, the hole bounded class strictly subsumes scope bounded which already subsumes context bounded and round bounded classes.Also hole bounded MPDA and phase bounded MPDA are orthogonal.
Proposition 2. Consider a MPDA M .For any K, let L K denote a set of sequences accepted by M which have number of rounds or number of contexts or scope bounded by K. Then there exists K ≤ K such that L K is K hole bounded.Moreover, there exist languages which are K hole bounded for some constant K, which are not K round or context or scope bounded for any K .Finally, there exists a language which is accepted by phase bounded MPDA but not accepted by hole bounded MPDA and vice versa.
Proof.We first recall that if a language L is K-round, or K-context bounded, then it is also K -scope bounded for some K ≤ K [20,19].Hence, we only show that scope bounded systems are subsumed by hole bounded systems.
Let L be a K-scope bounded language, and let M be a MPDA accepting L. Consider a run ρ of w ∈ L in M .Assume that at any point i in the run ρ, # i (holes) = k , and towards a contradiction, let, k > K. Consider the leftmost open hole in ρ which has a pending push ↓ p whose pop ↑ p is to the right of i.Since k > K is the number of open holes at i, there are at least k > K context changes in between ↓ p and ↑ p .This contradicts the K-scope bounded assumption, and hence k ≤ K.
To show the strict containment, consider the visibly pushdown language [6] given by with a, b representing push in stack 1,2 respectively and c, d representing the corresponding matching pop from stack 1,2.A run ρ accepting the word w ∈ L bh will start with a sequence of pushes of stack 1 followed by another sequence of pushes of stack 2. Note that, the number of the pushes n is same in both stacks.Then there is a group G consisting of a well-nested sequence of stack 1 (equal a and c) followed by a pop of the stack 1 (an extra c), another well-nested sequence of stack 2 (equal b and d) and a pop of the stack 2 (an extra d), repeated n times.From the definition of the hole, the total number of holes required in G is 0. But, we need 1 hole for the sequence of a's and another for the sequence of b's at the beginning of the run, which creates at most 2 holes during the run.Thus, the hole bound for any accepting run ρ is 2, and the language L bh is 2-hole bounded.
However, L bh is not k-scope bounded for any k.Indeed, for each m ≥ 1, consider the word w m = a m b m (ac 2 bd 2 ) m ∈ L bh .It is easy to see that w m is 2mscope bounded (the matching c, d of each a, b happens 2m context switches later) but not k-scope bounded for k < 2m.It can be seen that L bh is not k-phase bounded either.Finally, L = {(ab) n c n d n | n ∈ N} with a, b and c, d respectively being push and pop of stack 1,2 is not hole-bounded but 2-phase bounded.

A Fix-point Algorithm for Hole Bounded Reachability
In the previous section, we showed that hole-bounded underapproximations are a decidable subclass for reachability, by showing that this class has a bounded tree-width.However, as explained in the introduction, this does not immediately give a fix-point based algorithm, which has been shown to be much more efficient for other more restricted sub-classes, e.g., context-bounded.In this section, we provide such a fix-point based algorithm for the hole-bounded class and explain its advantages.Later we discuss its versatility by showing extensions and evaluating its performance on a suite of benchmarks.
We describe the algorithm in two steps: first we give a simple fix-point based algorithm for the problem of 0-hole or well-nested reachability, i.e, reachability by a well-nested sequence without any holes.For the 0-hole case, our algorithm computes the reachability relation, also called the binary reachability problem [14].That is, we accept all pairs of states (s, s ) such that there is a well-nested run from s with empty stack to s with empty stack.Subsequently, we combine this binary reachability for well-nested sequences with an efficient graph search to obtain an algorithm for K-hole bounded reachability.Binary well-nested reachability for MPDA.Note that single stack PDA are a special case, since all runs are indeed well-nested.
1. Transitive Closure: Let R be the set of tuples of the form (s i , s j ) representing that state s j is reachable from state s i via a nop discrete transition.Such a sequence from s i to s j is trivially well-nested.We take the TransitiveClosure of R using Floyd-Warshall algorithm [11].The resulting set R c of tuples answers the binary reachability for finite state automata (no stacks).Beyond well-nested reachability.A naive algorithm for K-hole bounded reachability for K > 0 is to start from the initial state s 0 , and do a Breadth First Search (BFS), nondeterministically choosing between extending with a well-nested segment, creating hole segments (with a pending push) and closing hole segments (using pops).We accept when there are no open hole segments and reach a final state; this gives an exponential time algorithm.Given the exponential dependence on the hole-bound K (Corollary 1), this exponential blowup is unavoidable in the worst case, but we can do much better in practice.In particular, the naive algorithm makes arbitrary non-deterministic choices resulting in a blind exploration of the BFS tree.
In this section, we use the binary well-nested reachability algorithm as an efficient subroutine to limit the search in BFS to its reachable part (note that this is quite different from DFS as well since we do not just go down one path).The crux is that at any point, we create a new hole for stack i, only when (i) we know that we cannot reach the final state without creating this hole and (ii) we know that we can close all such holes which have been created.Checking (i) is easy, since we just use the WR relation for this.Checking (ii) blindly would correspond to doing a DFS; however, we precompute this information and simply look it up, resulting in a constant time operation after the precomputation.
Precomputing hole information.Recall that a hole of stack i is a maximal sequence of the form (↓ i ws) + , where ws is a well-nested sequence and ↓ i represents a push of stack i.A hole segment of stack i is a prefix of a hole of stack i, ending in a ws, while an atomic hole segment of stack i is just the segment of the form ↓ i ws.A hole-segment of stack i which starts from state s in the MPDA and ends in state s , can be represented by the triple (i, s, s ), that we call a hole triple.We compute the set HS i of all hole triples (i, s, s ) such that starting at s, there is a hole segment of stack i which ends at state s , as detailed in lines (5-9) of Algorithm 1.In doing so, we also compute the set AHS i of all atomic hole segments of stack i and store them as tuples of the form (i, s p , α, s q ) such that s p and s q are the MPDA states respectively at the left and right end points of an atomic hole segment of stack i, and α is the symbol pushed on stack A guided BFS exploration.We start with a list µ 0 = [s 0 ] consisting of the initial state and construct a BFS exploration tree whose nodes are lists of bounded length.A list is a sequence of states and hole triples representing a K-hole bounded run in a concise form.If H i represents a hole triple for stack i, then a list is a sequence of the form [s, H i , H j , H k , H i , . . ., H , s ].The simplest kind of list is a single state s.For example, a list with 3 holes of stacks i, j, k is µ = [s 0 ,(i, s, s ),(j, r, r ),(k, t, t ),t ].The hole triples (in red) denote open holes in the list.The maximum number of open holes in a list is bounded, making the length of the list also bounded.Let last(µ) represent the last element of the list µ.This is always a state.For a node v storing list µ in the BFS tree, if v 1 , . . .v k are its children, then the corresponding lists µ 1 , . . .µ k are obtained by extending the list µ by one of the following operations: 1. Extend µ with a hole.Assume there is a hole of some stack i, which starts at last(µ) = s, and ends at s .If the list at the parent node v is µ = [. . ., s], then for all (i, s, s ) ∈ HS i , we obtain the list trunc(µ) • append[(i, s, s ), s ] at the child node (i.e., we remove the last element s of µ, then append to this list the hole triple (i, s, s ), followed by s ).Algorithm 3 in [26] describes this operation in more detail.2. Extend µ with a pop.Suppose there is a transition t = (s k , ↑ i (α), a, s k ) from last(µ) = s k , where µ is of the form [s0, . . ., (h, u, v), (i, s, s ), (j, t, t ) . . ., s k ], such that there is no hole triple of stack i after (i, s, s ), we extend the run by matching this pop (with its push).However, to obtain the last pend-ing push of stack i corresponding to this hole, just HS i information is not enough since we also need to match the stack content.Instead, we check if we can split the hole (i, s, s ) into (1) a hole triple (i, s, s a ) ∈ HS i , and (2) a tuple (i, s a , α, s ) ∈ AHS i .If both ( 1) and ( 2) are possible, then the pop transition t corresponds to the last pending push of the hole (i, s, s ).t indeed matches the pending push recorded in the atomic hole (i, s a , α, s ) in µ, enabling the firing of transition t from the state s k , reaching s k .In this case, we add the child node with the list µ obtained from µ as follows.We replace (i) s k with s k , and (ii) (i, s, s ) with (i, s, s a ), respectively signifying firing of the transition t and the "shrinking" of the hole, by shifting the end point of the hole segment to the left.When we obtain the hole triple (i, s, s) (the start and end points of the hole segment coincide), we may have uncovered the last pending push and thereby "closed" the hole segment completely.At this point, we may choose to remove (i, s, s) from the list, obtaining [s 0 , . . ., (h, u, v), (j, t, t ) . . ., s k ].For every such µ = [s 0 , . . ., (h, u, v), (i, s, s a ), (j, t, t ), . . ., s k ] and all (s k , s m ) ∈ W S we also extend µ to µ = [s 0 , . . ., (h, u, v), (i, s, s a ), (j, t, t ), . . ., s m ].Notice that the size of the list in the child node obtained on a pop, is either the same as the list in the parent, or is smaller.The details are in [26].
The number of lists is bounded since the number of states and the length of the lists are bounded.The BFS exploration tree will thus terminate.Combining the above steps gives us Algorithm 1, whose correctness gives us: Theorem 1.Given a MPDA and a positive integer K, Algorithm 1 always terminates and answers "false" iff there exists a K-hole bounded accepting run of the MPDA.
Complexity of the Algorithm.The maximum number of states of the system is |S|.The time complexity of transitive closure is O(|S| 3 ), using a Floyd-Warshall implementation.The time complexity of Algorithm 2 [26], which uses the transitive closure, is O(|S| 5 ) + O(|S| 2 × (|∆| × |S|)).To compute AHS for n stacks the time complexity is O(n × |∆| × |S| 2 ) and to compute HS for n stacks the complexity is O(n × |S| 2 ).For multistack systems, each list keeps track of (i) the number of hole segments(≤ K), and (ii) information pertaining to holes (start, end points of holes, and which stack the hole corresponds to).In the worst case, this will be (2K + 2) possible states in a list, as we are keeping the states at the start and end points of all the hole segments and a stack per hole.So, there are ≤ |S| 2K+3 × n K+1 lists.In the worst case, when there is no K-hole bounded run, we may end up generating all possible lists for a given bound K on the hole segments.The time complexity is thus bounded above by Beyond Reachability.We can solve the usual safety questions in the (boundedhole) underapproximate setting, by checking for underapproximate reachability on the product of the given system with the complement of the safe set.Given the way Algorithm 1 is designed, the fix-point algorithm allows us to go beyond reachability.In particular, we can solve several (increasingly difficult) variants of the repeated reachability problem, without much modification.
Consider the question : For a given state s and MPDA, does there exist a run ρ starting from s 0 which visits s infinitely often?This is decidable if we can decompose ρ into a finite prefix ρ 1 and an infinite suffix ρ 2 s.t.(1)Both ρ 1 , ρ 2 are well-nested, or (2) ρ 1 is K-hole bounded complete (all stacks empty), and ρ 2 is well-nested, or (3) ρ 1 is K-hole bounded, and ρ 2 = (ρ 3 ) ω , where ρ 3 is K-hole bounded.It is easy to see that (1) is solved by two calls to WellNestedReach and choosing non-empty runs.( 2) is solved by a call to Algorithm 1, modified so that we reach s, and then calling WellNestedReach.Lastly, to solve (3), first modify Algorithm 1 to check reachability to s with possibly non-empty stacks.Then run the modified algorithm twice : first start from s 0 and reach s; second start from s and reach s again.

Generating a Witness
We next focus on the question of generating a witness for an accepting run when our algorithm guarantees non-emptiness.This question is important to address from the point of view of applicability: if our goal is to see if bad states are reachable, i.e., non-emptiness corresponds to presence of a bug, the witness run gives the trace of how the bug came about and hence points to what can be done to fix it (e.g., designing a controller).We remark that this question is difficult in general.While there are naive algorithms which can explore for the witness (thus also solving reachability), these do not use fix-point techniques and hence are not efficient.On the other hand, since we use fix-point computations to speed up our reachability algorithm, finding a witness, i.e., an explicit run witnessing reachability, becomes non-trivial.Generation of a witness in the case of wellnested runs is simpler than the case when the run has holes, and requires us to "unroll" pairs (s 0 , s f ) ∈ WR recursively and generate the sequence of transitions responsible for (s 0 , s f ), as detailed in Algorithm 5 [26].Getting Witnesses from Holes.Now we move on to the more complicated case of behaviours having holes.Recall that in BFS exploration we start from the states reachable from s 0 by well-nested sequences, and explore subsequent states obtained either from (i) a hole creation, or (ii) a pop operation on a stack.Proceeding in this manner, if we reach a final configuration (say s f ), with all holes closed (which implies empty stacks), then we declare non-emptiness.To generate a witness, we start from the final state s f reachable in the run (a leaf node in the BFS exploration tree) and backtrack on the BFS exploration tree till we reach the initial state s 0 .This results in generating a witness run in the reverse, from the right to the left.
• Assume that the current node of the BFS tree was obtained using a pop operation.There are two possibilities to consider here (see below) depending on whether this pop operation closed or shrunk some hole.Recall that each hole has a left end point and a right end point and is of a specific stack i, depending on the pending pushes ↓ i it has.So, if the MPDA has k stacks, then a list in the exploration tree can have k kinds of holes.The witness algorithm uses k stacks called witness stacks to correctly implement the backtracking procedure, to deal with k kinds of holes.Witness stacks should not be confused with the stacks of the MPDA.
• Assume that the current pop operation is closing a hole of kind i as in Figure 2.This hole consists of the atomic holes , and .The atomic hole consists of the push and the well-nested sequence (same for the other two atomic holes).Searching among possible push transitions, we identify the matching push associated with the current pop, resulting in closing the hole.On backtracking, this leads to a parent node with the atomic hole having as left end point, the push , and the right end point as the target of the ws .We push onto the witness stack i, a barrier (a delimiter symbol #) followed by the matching push transition and then the ws, . The barrier segregates the contents of the witness stack when we have two pop transitions of the same stack in the reverse run, closing/shrinking two different holes.• Assume that the current pop operation is shrinking a hole of kind i.The list at the present node has this hole, and its parent will have a larger hole (see Figure 2, where the parent node of has ).As in the case above, we first identify the matching push transition, and check if it agrees with the push in the last atomic hole segment in the parent.If so, we populate the witness stack i with the rightmost atomic hole segment of the parent node (see Figure 2, is populated in the stack).Each time we find a pop on backtracking the exploration tree, we find the rightmost atomic hole segment of the parent node, and keep pushing it on the stack, until we reach the node which is obtained as a result of a hole creation.Now we have completely recovered the entire hole information by backtracking, and fill the witness stack with the reversed atomic hole segments which constituted this hole.Notice that when we finish processing a hole of kind i, then the witness stack i has the hole reversed inside it, followed by a barrier.The next hole of the same kind i will be treated in the same manner.
• If the current node of the BFS tree is obtained by creating a hole of kind i in the fix-point algorithm, then we pop the contents of witness stack i till we reach a barrier.This spits out the atomic hole segments of the hole from the right to the left, giving us a sequence of push transitions, and the respective ws in between.The transitions constituting the ws are retrieved using Algorithm ?? and added.Notice that popping the witness stack i till a barrier spits out the sequence of transitions in the correct reverse order while backtracking.

Adding Time to Multi-pushdown systems
In this section, we briefly describe how the algorithms described in section 3 can be extended to work in the timed setting.Due to lack of space, we focus on some of the significant challenges and advances, leaving the formal details and algorithms to the supplement [26].A TMPDA extends a MPDA with clock variables.Transitions check constraints which are conjunctions/disjunctions of constraints (called closed guards in the literature) of the form x ≤ c or x ≥ c for c ∈ N and x any clock.Symbols pushed on stacks "age" with time elapse.A pop is successful only when the age of the symbol lies within a certain interval.The acceptance condition is as in the case of MPDA.
The first main challenge in adapting the algorithms in section 3 to the timed setting was to take care of all possible time elapses along with the operations defined in Algorithm 1.The usage of closed guards in TMPDA means that it suffices to explore all runs with integral time elapses (for a proof see e.g., Lemma 4.1 in [4]).Thus configurations are pairs of states with valuations that are vectors of non-negative integers, each of which is bounded by the maximal constant in the system.Now, to check reachability we need to extend all the precomputations (transitive closure, well-nested reachability, as well as atomic and non-atomic hole segments) with the time elapse information.To do this, we use a weighted version of the Floyd-Warshall algorithm by storing time elapses during precomputations.This allows us to use this precomputed timed well-nested reachability information while performing the BFS tree exploration, thus ensuring that any explored state is indeed reachable by a timed run.In doing so, the most challenging part is extending the BFS tree wrt a pop.Here, we not only have to find a split of a hole into an atomic hole-segment and a hole-segment as in Algorithm 1, but also need to keep track of possible partitions of time.Timed Witness: As in the untimed case, we generate a witness certifying non-emptiness of TMPDA.But, producing a witness for the fix-point computation as discussed earlier requires unrolling.The fix-point computation generates a pre-computed set WRT of tuples ((s, ν), t, (s , ν )), where s, s ∈ S, t is time elapsed in the well-nested sequence and ν, ν ∈ N |X | are integral valuations.This set of tuples does not have information about the intermediate transitions and time-elapses.To handle this, using the pre-computed information, we define a lexicographic progress measure which ensures termination of this search.
While the details are in [26] (Algorithm 14), the main idea is as follows: the first progress measure is to check if there a time-elapse t transition possible between (s, ν) and (s , ν ) and if so, we print this out.If not, ν = ν + t, and some set of clocks have been reset in the transition(s) from (s, ν) to (s , ν ).The second progress measure looks at the sequence of transitions from (s, ν) to (s , ν ), consisting of reset transitions (at most the number of clocks) that result in ν from ν.If neither the first nor the second progress measure apply, then ν = ν , and we are left to explore the last progress measure, by exploring at most |S| number of transitions from (s, ν) to (s , ν ).The lexicographic progress measure seamlessly extends the witness generation to the timed setting.

Implementation and Experiments
We implemented a tool BHIM (Bounded Holes In MPDA) in C++ based on Algorithm 1, which takes an MPDA and a constant K as input and returns (True) iff there exists a K-hole bounded run from the start state to an accepting state of the MPDA.In case there is such an accepting run, BHIM generates one such, with minimal number of holes.For a given hole bound K, BHIM first tries to produce a witness with 0 holes, and iteratively tries to obtain a witness by increasing the bound on holes till K.In most of the cases, BHIM found the witness before reaching the bound K. Whenever BHIM's witness had K holes, it is guaranteed that there are no witnesses with a smaller number of holes.
To evaluate the performance of BHIM, we looked at some available benchmarks and modeled them as MPDA.We also added timing constraints to some examples such that they can be modeled as TMPDA.Our tests were run on a GNU/Linux system with Intel R Core TM i7-4770K CPU @ 3.50GHz, and 16GB of RAM.We considered overall 7 benchmarks, of which we sketch 3 in detail here.The details of these as well as the remaining ones are in [26].
• Bluetooth Driver [25].The Bluetooth device driver example [25], has two threads and a shared memory.We model this driver using a 2-stack pushdown system, where a state represents the current valuation of the global variables and stacks are used to maintain the call-return between different functions.A known error as pointed out in [25] is a race condition between two threads where one thread tries to write to a global variable and the other thread tries to read from it.BHIM found this error, with a well-nested witness.A timed extension of this example was also considered, where, a witness was obtained again with hole bound 0.
• Bluetooth Driver v2 [10,23].A modified version of Bluetooth driver is considered [10,23], where a counter is maintained to count the number of threads actively using the driver.A two stack MPDA models this, with one stack simulating the counter and another one scheduling the threads.Two known errors reported are (i) counter underflow where a counter goes negative, leading to some unwanted behavior of the driver, (2) interrupted I/O, where the stopping thread kills the driver while the other thread is busy with I/O.The tools SPADE and MAGIC [10,23] found one of these two errors, while BHIM found both errors, the first using a well nested witness, and the second with a 2-hole bounded witness.
• A Multi-threaded Producer Consumer Problem.The Producer consumer problem (see e.g., [27]) is a classic example of concurrency and synchronization.An interesting scenario is when there are multiple producers and consumers.Assume that two ingredients called 'A' and 'B' are produced in a production line in batches, where a batch can produce arbitrarily many items, but it is fixed for a day.Further, assume that (1) two units of 'A' and one unit of 'B' make an item called 'C'; (2) the production line starts by producing a batch of A's and then in the rest of the day, it keeps producing B's in batches, one after the other.During the day, 'C's are churned out using 'A' and 'B' in the proportion mentioned above and, if we run out of 'A's, we obtain an error; there is no problem if 'B' is exhausted, since a fresh batch producing 'B' is commenced.This idea can be imagined as a real life scenario where item 'A' represents an item which is very expensive to produce but can be produced in large amount but the item 'B' can be produced frequently, but it has to be consumed quickly, else it becomes useless.For m, n, k ∈ N, consider words of the form a m (b k (c 2 d) k ) n where, a represents the production of one unit of 'A', b represents the production of one unit of 'B', c represents consumption of one unit of 'A' and d represents consumption of one unit of 'B'.'m' represents the production capacity of 'A' for the day and 'k' represents production capacity of 'B'(per batch) for the day, 'n' represents the number batches of 'B' produced in a day.Unless m ≥ 2nk, we will obtain an error.This is easily modeled using a 2 stack visibly multi pushdown automaton where a, b are push symbols of stack 1, 2 respectively and c, d are pop symbols of stack 1, 2 respectively.Let L m,k,n be the set of words of the above form s.t.2nk < m.It can be seen that L m,k,n does not have any well-nested word in it.The number of context switches(also, scope bound) in words of L m,k,n depends on the parameters k and n.However, L m,k,n is 2 hole-bounded : at any position of the word, the open holes come from the unmatched sequences of a and b seen so far.BHIM checked for the non-emptiness of L m,k,n with a witness of hole bound 2.
• Critical time constraints [8].This is one of the timed examples, where we consider the language L crit = {a y b z c y d z | y, z ≥ 1} with time constraints between occurrences of symbols.The first c must appear after 1 time-unit of the last a, the first d must appear within 3 time-units of the last b, and the last b must appear within 2 time units from the start, and the last d must appear at 4 time units.L crit is accepted by a TMPDA with two timed stacks.L crit has no well-nested word, is 4-context bounded, but only 2 hole-bounded.
• A Linux Kernel bug dm target.c[15].This example is about a double free bug in the file drivers/md/dm-target.c in Linux Kernel 2.5.71, which was introduced to fix a memory leak, but it ended up double freeing the object.BHIM found this bug with a witness of hole bound 3.
• Concurrent Insertions in Binary Search Trees.Concurrent insertions in binary search trees is a very important problem in database management systems.[16] proposes an algorithm to solve this problem for concurrent implementations.However, if the locks are not implemented properly, then it is possible for a thread to overwrite others.We modified the algorithm [16] to capture this bug, and modeled it as MPDA.BHIM found the bug with a witness of hole-bound 2.
• Maze Example.Finally we consider a robot navigating a maze, picking items; an extended (from single to multiple stack) version of the example from [5].In the untimed setting, a witness for non-emptiness was obtained with hole-bound 0, while in the extension with time, the witness had a hole-bound 2. Results and Discussion.The performance of BHIM is presented in Table 1 for untimed examples and in Table 2 for timed examples.Apart from the results in the tables, to check the robustness of BHIM wrt parameters like the number of locations, transitions, stacks, holes and clocks (for TMPDA), we looked at examples with an empty language, by making accepting states non-accepting in the examples considered so far.This forces BHIM to explore all possible paths in the BFS tree, generating the lists at all nodes.The scalability of BHIM wrt all these parameters are in [26].BHIM Vs.State of the art.What makes BHIM stand apart wrt the existing state of the art tools is that (i) none of the existing tools handle underapproximations captured by bounded holes, (ii) none of the existing tools work with multiple stacks in the timed setting (even closed guards!).The state of the art research in underapproximations wrt untimed multistack pushdown systems has produced some amazing tools like GetaFix which handles multi-threaded programs with bounded context switches.While we have adapted some of the examples from GetaFix, the latest available version of GetaFix has some issues in handling those examples 3 .Likewise, SPADE, MAGIC and the counter implementation [15] are currently not maintained.This has come in the way of a performance comparison between BHIM and these tools.Indeed, most examples handled by BHIM correspond to non-context bounded, or non scope bounded, or timed languages which are beyond Getafix.For instance, the 2-hole bounded witness found by BHIM for the language L 20,10 (m = 20, p = 10) for the multi producer consumer case cannot be found by GetaFix/MAGIC/SPADE with less than 41 context switches.In the timed setting, the Maze example (TMPDA with 2 clocks, 2 timed stacks) has a 2 hole-bounded witness where the robot visits certain locations an equal number of times.The tool [5] cannot handle this example since it handles only one stack.Lastly, [5] cannot solve binary reachability with an empty stack unlike BHIM.BHIM v2.The next version of BHIM will go symbolic, inspired from GetaFix.The current avatar of BHIM showcases the efficiency of fix-point techniques extended 3 we did get in touch with the authors, who confirmed this to larger bounded underapproximations; indeed going symbolic will make BHIM much more robust and scalable.
the source, provide a link to the Creative Commons license and indicate if changes were made.The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material.If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

1 2 .Proposition 1 .
At this position, there is an open hole of the red stack (the first red patch), and there is an open hole of the blue stack (the blue patch).Likewise, at the position ↑ 5 1 , there are 2 open holes of the red stack (2 red patches) and one open hole of the blue stack 2 (the blue patch).The hole bound of σ is 3.The green patch consisting of ↑ 3 1 , ↑ 2 1 and ws 5 is a pop-hole of stack 1.Likewise, the pops ↑ 2 2 , ↑ 5 1 , ↑ 1 2 are all pop-holes (of length 1) of stacks 2,1,2 respectively.Definition 2. (Hole Bounded Reachability Problem) Given a MPDA and K ∈ N, the K-hole bounded reachability problem is the following: Does there exist a K-hole bounded accepting run of the MPDA?The tree-width of K-hole bounded MPDA behaviors is at most (2K + 3).

Figure 2 .
Figure 2. Backtracking to spit out the hole in reverse.The transitions of the atomic hole are first written in the reverse order, followed by those of in reverse, and then of in reverse.

Table 1 .
Name Locations Transitions Stacks Holes Time Empty (mili sec) Time Witness (mili sec) Memory(KB) Experimental results: Time Empty and Time Witness column represents no. of milliseconds needed for emptiness checking and to generate witness respectively.Name Locations Transitions Stacks Clocks cmax Aged(Y/N) Holes Time Empty(mili sec) Time Witness (mili sec) Memory(KB)

Table 2 .
Experimental results of timed examples.The column cmax is defined as the maximum constant in the automaton, and Aged denotes if the stack is timed or not