General Decidability Results for Asynchronous Shared-Memory Programs: Higher-Order and Beyond

The model of asynchronous programming arises in many contexts, from low-level systems software to high-level web programming. We take a language-theoretic perspective and show general decidability and undecidability results for asynchronous programs that capture all known results as well as show decidability of new and important classes. As a main consequence, we show decidability of safety, termination and boundedness verification for higher-order asynchronous programs—such as OCaml programs using Lwt—and undecidability of liveness verification already for order-2 asynchronous programs. We show that under mild assumptions, surprisingly, safety and termination verification of asynchronous programs with handlers from a language class are decidable iff emptiness is decidable for the underlying language class. Moreover, we show that configuration reachability and liveness (fair termination) verification are equivalent, and decidability of these problems implies decidability of the well-known “equal-letters” problem on languages. Our results close the decidability frontier for asynchronous programs.


Introduction
Asynchronous programming is a common way to manage concurrent requests in a system. In this style of programming, rather than waiting for a time-consuming operation to complete, the programmer can make asynchronous procedure calls which are stored in a task buffer pending later execution. Each asynchronous procedure, or handler, is a sequential program. When run, it can change the global shared state of the program, make internal synchronous procedure calls, and post further instances of handlers to the task buffer. A scheduler repeatedly and non-deterministically picks pending handler instances from the task buffer and executes their code atomically to completion. Asynchronous programs appear in many domains, such as operating system kernel code, web programming, or user applications on mobile platforms. This style of programming is supported natively or through libraries for most programming environments. The interleaving of different handlers hides latencies of long-running operations: the program can process a different handler while waiting for an external operation to finish. However, asynchronous scheduling of tasks introduces non-determinism in the system, making it difficult to reason about correctness.
An asynchronous program is finite-data if all program variables range over finite domains. Finite-data programs are still infinite state transition systems: the task buffer can contain an unbounded number of pending instances and the sequential machine implementing an individual handler can have unboundedly large state (e.g., if the handler is given as a recursive program, the stack can grow unboundedly). Nevertheless, verification problems for finite-data programs have been shown to be decidable for several kinds of handlers [12,30,20,6]. Several algorithmic approaches have been studied, which tailor to (i) the kinds of permitted handler programs and (ii) the properties that are checked. State of the art We briefly survey the existing approaches and what is known about the decidability frontier. The Parikh approach applies to (first-order) recursive handler programs. Here, the decision problems for asynchronous programs are reduced to decision problems over Petri nets [12]. The key insight is that since handlers are executed atomically, the order in which a handler posts tasks to the buffer is irrelevant. Therefore, instead of considering the sequential order of posted tasks along an execution, one can equivalently consider its Parikh image. Thus, when handlers are given pushdown systems, the behaviors of an asynchronous program can be represented by a (polynomial sized) Petri net. Using the Parikh approach, safety (formulated as reachability of a global state), termination (whether all executions terminate), and boundedness (whether there is an a priori upper bound on the task buffer) are all decidable for asynchronous programs with recursive handlers, by reduction to corresponding problems on Petri nets [30,12]. Configuration reachability (reachability of a specific global state and task buffer configuration), fair termination (termination under a fair scheduler), and fair non-starvation (every pending handler instance is eventually executed) are also decidable, by separate ad hoc reductions to Petri net reachability [12]. A "reverse reduction" shows that Petri nets can be simulated by polynomial-sized asynchronous programs (already with finite-data handlers).
In the downclosure approach, one replaces each handler with a finite-data program that is equivalent up to "losing" handlers in the task buffer. Of course, this requires that one can compute equivalent finite-data programs for given handler programs. This has been applied to checking safety for recursive handler programs [3]. Finally, a bespoke rank-based approach has been applied to checking safety when handlers can perform restricted higher-order recursion [6]. Contribution Instead of studying individual kinds of handler programs, we consider asynchronous programs in a general language-theoretic framework. The class of handler programs is given as a language class C: An asynchronous program over a language class C is one where each handler defines a language from C over the alphabet of handler names, as well as a transformer over the global state. This view leads to general results: we can obtain simple characterizations of which classes of handler programs permit decidability. For example, we do not need the technical assumptions of computability of equivalent finite-data programs from the Parikh and the downclosure approach.
Our first result shows that, under a mild language-theoretic assumption, safety and termination are decidable if and only if the underlying language class C has decidable emptiness problem. 1 Similarly, we show that boundedness is decidable iff finiteness is decidable for the language class C. These results are the best possible: decidability of emptiness (resp., finiteness) is a requirement for safety and termination verification already for verifying the safety or termination (resp., boundedness) of one sequential handler call. As corollaries, we get new decidability results for all these problems for asynchronous programs over higher-order recursion schemes, which form the language-theoretic basis for programming in higher-order functional languages such as OCaml [21,28], as well as other language classes (lossy channel languages, Petri net languages, etc.).
Second, we show that configuration reachability, fair termination, and fair starvation are mutually reducible; thus, decidability of any one of them implies decidability of all of them. We also show decidability of these problems implies the decidability of a well-known combinatorial problem on languages: given a language over the alphabet {a, b}, decide if it contains a word with an equal number of as and bs. Viewed contrapositively, we conclude that all these decision problems are undecidable already for asynchronous programs over order-2 pushdown languages, since the equal-letters problem is undecidable for this class.
Together, our results "close" the decidability frontier for asynchronous programs, by demonstrating reducibilities between decision problems heretofore studied separately and connecting decision problems on asynchronous programs with decision problems on the underlying language classes of their handlers.
While our algorithms do not assume that downclosures are effectively computable, we use downclosures to prove their correctness. We show that safety, termination, and boundedness problems are invariant under taking downclosures of runs; this corresponds to taking downclosures of the languages of handlers.
The observation that safety, termination, and boundedness depend only on the downclosure suggests a possible route to implementation. If there is an effective procedure to compute the downclosure for class C, then a direct verification algorithm would replace all handlers by their (regular) downclosures, and invoke existing decision procedures for this case. Thus, we get a direct algorithm based on downclosure constructions for higher order recursion schemes, using the string of celebrated recent results on effectively computing the downclosure of word schemes [33,15,7].
We find our general decidability result for asynchronous programs to be surprising. Already for regular languages, the complexity of safety verification jumps from NL (NFA emptiness) to EXPSPACE (Petri net coverability): asynchronous programs are far more expressive than individual handler languages. It is therefore surprising that safety and termination verification remains decidable whenever it is decidable for individual handler languages.
Full proofs of our results are available here [25].

Preliminaries
Basic Definitions We assume familiarity with basic definitions of automata theory (see, e.g., [18,31]). The projection of word w onto some alphabet Σ , written Proj Σ (w), is the word obtained by erasing from w each symbol which does not belong to Σ . For a language L, define Proj The subword order on Σ * is defined as w w for w, w ∈ Σ * if w can be obtained from w by deleting some letters from w . For example, abba bababa but abba baaba. The downclosure ↓w with respect to the subword order of a word w ∈ Σ * is defined as ↓w := {w ∈ Σ * | w w}. The downclosure ↓L of a language L ⊆ Σ * is given by ↓L := {w ∈ Σ * | ∃w ∈ L : w w}. Recall that the downclosure ↓L of any language L is a regular language [17].
A multiset m : Σ → N over Σ maps each symbol of Σ to a natural number. Let M[Σ] be the set of all multisets over Σ. We treat sets as a special case of multisets where each element is mapped onto 0 or 1.

Language Classes and Full Trios
A language class is a collection of languages, together with some finite representation. Examples are the regular (e.g. represented by finite automata) or the context-free languages (e.g. represented by pushdown automata or PDA). A relatively weak and reasonable assumption on a language class is that it is a full trio, that is, it is closed under each of the following operations: taking intersection with a regular language, taking homomorphic images, and taking inverse homomorphic images. Equivalently, a language class is a full trio iff it is closed under rational transductions [5].
We assume that all full trios C considered in this paper are effective: Given a language L from C, a regular language R, and a homomorphism h, we can compute a representation of the languages L ∩ R, h(L), and h −1 (L) in C.
Many classes of languages studied in formal language theory form effective full trios. Examples include the regular and the context-free languages [18], the indexed languages [2,10], the languages of higher-order pushdown automata [26], higher-order recursion schemes (HORS) [16,9], Petri nets [14,19], and lossy channel systems (see Section 4.1). (While HORS are usually viewed as representing a tree or collection of trees, one can also view them as representing a word language, as we explain in Section 5.) Informally, a language class defined by non-deterministic devices with a finitestate control that allows ε-transitions and imposes no restriction between input letter and performed configuration changes (such as non-deterministic pushdown automata) is always a full trio: The three operations above can be realized by simple modifications of the finite-state control. The deterministic context-free languages are a class that is not a full trio.
Asynchronous Programs: A Language-Theoretic View We use a languagetheoretic model for asynchronous shared-memory programs.
We use → * for the reflexive transitive closure of the transition relation. A con- Intuitively, the set Σ of handler names specifies a finite set of procedures that can be invoked asynchronously. The shared state takes values in D. When a handler is called asynchronously, it gets added to a bag of pending handler calls (the multiset m in a configuration). The language L dσd captures the effect of executing an instance of σ starting from the global state d, such that on termination, the global state is d . Each word w ∈ L dσd captures a possible sequence of handlers posted during the execution.
Suppose the current configuration is (d, m). A non-deterministic scheduler picks one of the outstanding handlers σ ∈ m and executes it. Executing σ corresponds to picking one of the languages L dσd and some word w ∈ L dσd . Upon execution of σ, the new configuration has global state d and the new bag of pending calls is obtained by taking m, removing an instance of σ from it, and adding the Parikh image of w to it. This reflects the current set of pending handler calls-the old ones (minus an instance of σ) together with the new ones added by executing σ. Note that a handler is executed atomically; thus, we atomically update the global state and the effect of executing the handler.
Let us see some examples of asynchronous programs. It is convenient to present these examples in a programming language syntax, and to allow each handler to have internal actions that perform local tests and updates to the global state. As we describe informally below, and formally in the full version, when C is a full trio, internal actions can be "compiled away" by taking an intersection with a regular language of internal actions and projecting the internal actions away. Thus, we use our simpler model throughout. Examples For the languages corresponding to a and b, we use syntactic sugar in the form of internal actions; these are local tests and updates to the global state. For our example, we have, e.g., L (0,0),a,(1,1) = {ε}, L (1,x),a,(1,x) = {a} for all values of x, and similarly for b. The meaning is that, starting from a global state (0, 0), executing the handler will lead to the global state (1, 1) and no handlers will be posted, whereas starting from a global state in which turn is 1, executing the handler will keep the global state unchanged but post an instance of a. Note that all the languages are context-free.
Consider an execution of the program from the initial configuration ((0, 0), s1 ). The execution of s1 puts n as and n bs into the bag, for some n ≥ 0. The global variable turn is used to ensure that the handlers a and b alternately update x. When turn is 0, the handler for a increments x and sets turn to 1, otherwise it re-posts itself for a future execution. Likewise, when turn is 1, the handler for b decrements x and sets turn back to 0, otherwise it re-posts itself for a future execution. As a result, the variable x never grows beyond 1. Thus, the program satisfies the safety property that no execution sets x to ω.
It is possible that the execution goes on forever: for example, if s1 posts an a and a b, and thereafter only b is chosen by the scheduler. This is not an "interesting" infinite execution as it is not fair to the pending a. In the case of a fair scheduler, which eventually always picks an instance of every pending task, the program terminates: eventually all the as and bs are consumed when they are scheduled in alternation. However, if instead we started with s2 , the program will not terminate even under a fair scheduler: the last remaining b will not be paired and will keep executing and re-posting itself forever. Now consider the execution of s3. It has an infinite fair run, where the scheduler picks an instance of s3 at each step. However, the number of pending instances grows without bound. We shall study the boundedness problem, which checks if the bag can become unbounded along some run. We also study a stronger notion of fair termination, called fair non-starvation, which asks that every instance of a posted handler is executed under any fair scheduler. The execution of s3 is indeed fair, but there can be a specific instance of s3 that is never picked: we say s3 can starve an instance.
The program in lines 9-20 is higher-order (produce and h take functions as arguments). The language of s4 is the set {c n d n f n | n ≥ 0}, that is, it posts an equal number of cs, ds, and fs. It is an indexed language; we shall see (Section 5) how this and other higher-order programs can be represented using higher-order recursion schemes (HORS). Note the OCaml types of produce : The program is similar to the first: the handlers c, d, and f execute in "round robin" fashion using the global state t to find their turns. Again, we use internal actions to update the global state for readability. We ask the same decision questions as before: does the program ever reach a specific global state and does the program have an infinite (fair) run? We shall see later that safety and termination questions remain decidable, whereas fair termination does not.

Decision Problems on Asynchronous Programs
We now describe decision problems on runs of asynchronous programs.

Runs, preruns, and downclosures
and symbols σ i ∈ Σ. The set of preruns of P will be denoted Preruns(P). Note that if two asynchronous programs P and P have the same D and Σ, then Preruns(P) = Preruns(P ). The length, denoted |ρ|, of a finite prerun ρ is the number of configurations in ρ. The i th configuration of a prerun ρ will be denoted ρ(i).
A  (d i+1 , m i+1 ). The set of runs of P is denoted Runs(P) and ↓Runs(P) is its downclosure with respect to .
An infinite run c 0 That is, whenever an instance of a handler is posted, some instance of the handler is executed later. Fairness does not preclude that a specific instance of a handler is never executed. An infinite fair run starves handler σ if there exists an index J ≥ 0 such that for each j ≥ J, we have (i) c j .m(σ) ≥ 1 and (ii) whenever c j σ − → c j+1 , we have c j .m(σ) ≥ 2. In this case, even if the run is fair, a specific instance of σ may never be executed. Now we give the definitions of the various decision problems.  Intuitively, safety, termination, and boundedness is preserved when the multiset of pending handler instances is "lossy": posted handlers can get lost. This corresponds to these handlers never being scheduled by the scheduler. However, if a run demonstrates reachability of a global state, or non-termination, or unboundedness, in the lossy version, it corresponds also to a run in the original problem (and conversely). In contrast, simple examples show that configuration reachability, fair termination, and fair non-starvation properties are not preserved under downclosures.

General Decidability Results
In this section, we characterize those full trios C for which particular problems for asynchronous programs over C are decidable. Our decision procedures will use the following theorem, summarizing the results from [12], as a subprocedure .   Theorem 1 ([12]). Safety, boundedness, configuration reachability, termination, fair non-termination, and fair non-starvation are decidable for asynchronous programs over regular languages.

Safety and termination
Our first main result concerns the problems of safety and termination.
Theorem 2. Let C be a full trio. The following are equivalent: (i) Safety is decidable for asynchronous programs over C.

(ii) Termination is decidable for asynchronous programs over C. (iii) Emptiness is decidable for C.
We begin with "(i)⇒(iii)". Let K ⊆ Σ * be given. We construct . We see that P can reach d 1 iff K is non-empty. To prove "(iii)⇒(i)", we design an algorithm deciding safety assuming decidability of emptiness. Given asynchronous program P and state d as input, the algorithm consists of two semi-decision procedures: one which searches for a run of P reaching the state d, and the second which enumerates regular overapproximations P of P and checks the safety of P using Theorem 1. Each P consists of a regular language A c overapproximating L c for each context c of P. We use decidability of emptiness to check that L c ∩ (Σ * \ A c ) = ∅ to ensure that P is indeed an overapproximation.
The algorithm clearly gives a correct answer if it terminates. Hence, we only have to argue that it always does terminate. Of course, if d is reachable, the first semi-decision procedure will terminate. In the other case, termination is due to the regularity of downclosures: if d is not reachable in P, then Proposition 1 tells us that ↓P cannot reach d either. But ↓P is an asynchronous program over regular languages; this means there exists a safe regular overapproximation and the second semi-decision procedure terminates.
Like the algorithm for safety, the algorithm for termination consists of two semi-decision procedures. By standard well-quasi-ordering arguments, an infinite run of an asynchronous program P is witnessed by a finite self-covering run. The first semi-decision procedure enumerates finite self-covering runs (trying to show non-termination). The second procedure enumerates regular asynchronous programs P that overapproximate P. As before, to check termination of P , it applies the procedure from Theorem 1. Clearly, the algorithm's answer is always correct. Moreover, it gives an answer for every input. If P does not terminate, it will find a self-covering sequence. If P does terminate, then Proposition 1 tells us that ↓P is a terminating finite-state overapproximation. This implies that the second procedure will terminate in that case.
Let us point out a particular example. The class L of languages of lossy channel systems is defined like the class of languages of WSTS with upward-closed sets of accepting configurations as in [13], except that we only consider lossy channel systems [1] instead of arbitrary Well-Structured Transition Systems (WSTS). Then L forms a full trio with decidable emptiness. Although downclosures of lossy channel languages are not effectively computable (an easy consequence of [27]), our algorithm employs Theorem 2 to decide safety and termination.

Boundedness
Theorem 3. Let C be a full trio. The following are equivalent:

(i) Boundedness is decidable for asynchronous programs over C. (ii) Finiteness is decidable for C.
Clearly, the construction for "(i)⇒(iii)" of Theorem 2 also works for "(i)⇒(ii)": P is unbounded iff K is infinite.
For the converse, we first note that if finiteness is decidable for C then so is emptiness. Given L ⊆ Σ * from C, consider the homomorphism h : (Σ ∪ {λ}) * → Σ * with h(a) = a for every a ∈ Σ and h(λ) = ε. Then h −1 (L) belongs to C and h −1 (L) is finite if and only if L is empty: in the inverse homomorphism, λ can be arbitrarily inserted in any word. By Theorem 2, this implies that we can also decide safety. As a consequence of considering only full trios, it is easy to see that the problem of context reachability reduces to safety: a contextĉ = (d,σ,d ) ∈ C is reachable in P if there is a reachable configuration (d, m) in P with m(σ) ≥ 1.
We now explain our algorithm for deciding boundedness of a given aysnchronous program P = (D, Σ, (L c ) c∈C , d 0 , m 0 ). For every context c, we first check if L c is infinite (feasible by assumption). This paritions the set of contexts of P into sets I and F which are the contexts for which the corresponding language L c is infinite and finite respectively. If any context in I is reachable, then P is unbounded. Otherwise, all the reachable contexts have a finite language. For every finite language L c for some c ∈ F , we explicitly find all the members of L c . This is possible because any finite set A can be checked with L c for equality. L c ⊆ A can be checked by testing whether L c ∩ (Σ * \ A) = ∅ and L c ∩ (Σ * \ A) effectively belongs to C. On the other hand, checking A ⊆ L c just means checking whether L c ∩ {w} = ∅ for each w ∈ A, which can be done the same way. We can now construct asynchronous program P which replaces all languages for contexts in I by ∅ and replaces those corresponding to F by the explicit description. Clearly P is bounded iff P is bounded (since no contexts from I are reachable) and the former can be decided by Theorem 1.
We observe that boundedness is strictly harder than safety or termination: There are full trios for which emptiness is decidable, but finiteness is undecidable, such as the languages of reset vector addition systems [11] (see [32] for a definition of the language class) and languages of lossy channel systems.

Configuration reachability and liveness properties
Theorems 2 and 3 completely characterize for which full trios safety, termination, and boundedness are decidable. We turn to configuration reachability, fair termination, and fair starvation. We suspect that it is unlikely that there is a simple characterization of those language classes for which the latter problems are decidable. However, we show that they are decidable for a limited range of infinite-state systems. To this end, we prove that decidability of any of these problems implies decidability of the others as well, and also implies the decidability of a simple combinatorial problem that is known to be undecidable for many expressive classes of languages.
Let Z ⊆ {a, b} * be the language Z = {w ∈ {a, b} * | |w| a = |w| b }. The Zintersection problem for a language class C asks, given a language K ⊆ {a, b} * from C, whether K ∩ Z = ∅. Informally, Z is the language of all words with an equal number of as and bs and the Z-intersection problem asks if there is a word in K with an equal number of as and bs. (i) Configuration reachability is decidable for asynchronous programs over C.
(ii) Fair termination is decidable for asynchronous programs over C. (iii) Fair starvation is decidable for asynchronous programs over C.

Moreover, if decidability holds, then Z-intersection is decidable for C.
We prove Theorem 4 by providing reductions among the three problems and showing that Z-intersection reduces to configuration reachability. We use diagrams similar to automata to describe asynchronous programs. Here, circles represent global states of the program and we draw an edge d d σ|L in case we have L d,σ,d = L in our asynchronous program P. Furthermore, we have L d,σ,d = ∅ whenever there is no edge that specifies otherwise. To simplify notation, we draw an edge d w|L −−→ d in an asynchronous program for a word w ∈ Σ * , w = σ 1 . . . σ n with σ 1 , . . . , σ n ∈ Σ, to symbolize a sequence of states which removes σ 1 , . . . , σ n from the task buffer and posts a multiset of handlers specified by L.
Proof of "(ii)⇒(i)" Given an asynchronous program P = (D, Σ, (L c ) c∈C , d 0 , m 0 ) and a configuration (d f , m f ) ∈ D × M[Σ], we construct asynchronous program P as follows. Let z be a fresh letter and let m f = σ 1 , . . . , σ n . We obtain P from P by adding a new state d f and including the following edges: Starting from (d 0 , m 0 ⊕ z ), the program P has a fair infinite run iff (d f , m f ) is reachable in P. The 'if' direction is obvious. Conversely, z has to be executed in any fair run ρ of P which implies that d f is reached by P in ρ. Since only z can be executed at d f in ρ, this means that the multiset is exactly m f when d f is reached during ρ. Clearly this initial segment of ρ corresponds to a run of P which reaches the target configuration. Proof of "(i)⇒(iii)" From P = (D, Σ, (L c ) c∈C , d 0 , m 0 ) over C, for each subset Γ ⊆ Σ and τ ∈ Σ, we construct an asynchronous program P Γ,τ = (D , Σ , (L c ) c∈C , d 0 , m 0 ) over C such that a particular configuration is reachable in P Γ,τ if and only if P has a fair infinite run ρ Γ,τ , where Γ is the set of handlers that is executed infinitely often in ρ Γ,τ and ρ Γ,τ starves τ . Since there are only finitely many choices for Γ and τ , decidability of configuration reachability implies decidability of fair starvation. The idea is that run ρ Γ,τ exists if and only if there exists a run . A run of P Γ,τ simulates the two phases of ρ. While simulating the first phase, P Γ,τ keeps two copies of the task buffer, m andm. The copying is easily accomplished by a homomorphism with σ → σσ for each σ ∈ Σ. At some point, P Γ,τ switches into simulating the second phase. There,m remains unchanged, so that it stores the value of m n in Eq. (1) and can be used in the end to make sure that m n n k .
Hence, in the second phase, P Γ,τ works, like P, only with Σ. However, whenever a handler σ ∈ Σ is executed, it also produces a taskσ. These handlers are used at the end to make sure that every γ ∈ Γ has been executed at least once in the second phase. Also, whenever τ is executed, P Γ,τ checks that at least two instances of τ are present in the task buffer, thereby ensuring that τ is starved.
In the end, a distinguished final state allows P Γ,τ to execute handlers in Γ andΓ simultaneously to make sure that m n n k . In its final state, P Γ,τ can execute handlersγ ∈Γ and γ ∈ Γ (without creating new handlers). In the final configuration, there can be noσ with σ ∈ Σ \ Γ , and there has to be exactly onê γ for each γ ∈ Γ . This guarantees that (i) each handler in Γ is executed at least once during the second phase, (ii) every handler executed in the second phase is from Γ , and (iii) m n contains only handlers from Γ (because handlers fromΣ cannot be executed in the second phase). Decidability of Z-intersection To complete the proof of Theorem 4, we reduce Z-intersection to configuration reachability. Given K ⊆ {a, b} * from C, we construct the asynchronous program P = (D, Σ, Theorem 4 is useful in the contrapositive to show undecidability. For example, one can show undecidability of Z-intersection for languages of lossy channel systems (see Section 4.1): One expresses reachability in a non-lossy FIFO system by making sure that the numbers of enqueue-and dequeue-operations match. Thus, for asynchronous programs over lossy channel systems, the problems of Theorem 4 are undecidable. We also use Theorem 4 in Section 5 to conclude undecidability for higher-order asynchronous programs, already at order 2.

Higher-Order Asynchronous Programs
We apply our general decidability results to asynchronous programs over (deterministic) higher-order recursion schemes (HORS). Kobayashi [21] has shown how higher-order functional programs can be modeled using HORS. In his setting, a program contains instructions that access certain resources. For Kobayashi, the path language of the HORS is the set of possible sequences of instructions. For us, the input program contains post instructions and we translate higher-order programs with post instructions into a HORS whose path language is used as the language of handlers. We recall some definitions from [21]. The set of types is defined by the grammar A := o | A → A. The order ord(A) of a type A is inductively defined as ord(o) = 0 and ord(A → B) := max(ord(A) + 1, ord(B)). The arity of a type is inductively defined by arity(o) = 0 and arity(A → B) = arity(B) + 1. We assume a countably infinite set Var of typed variables x : A. For a set Θ of typed symbols, the setΘ of terms generated from Θ is the least set which contains Θ such that whenever s : A → B and t : A belong toΘ, then also s t : B belongs toΘ. By convention the type o → . . . (o → (o → o)) is written o → . . . → o → o and the term ((t 1 t 2 )t 3 · · · )t n is written t 1 t 2 · · · t n . We writex for a sequence (x 1 , x 2 , . . . , x n ) of variables.
A higher-order recursion scheme (HORS) is a tuple S = (Σ, N , R, S) where Σ is a set of typed terminal symbols of types of order 0 or 1, N is a set of typed non-terminal symbols (disjoint from terminal symbols), S : o is the start non-terminal symbol and R is a set of rewrite rules F x 1 x 2 · · · x n t where F : If N is the maximum arity of a symbol in Σ, then a (possibly infinite) tree over Σ is a partial function tr from {0, 1, . . . , N − 1} * to Σ that fulfills the following conditions: ε ∈ dom(tr), dom(tr) is closed under prefixes, and if tr(w) = a and arity(a) = k then {j | wj ∈ dom(tr)} = {0, 1, . . . , k − 1}.
A deterministic HORS is one where there is exactly one rule of the form F x 1 x 2 · · · x n → t for every non-terminal F . Following [21], we show how a deterministic HORS can be used to represent a higher-order pushdown language arising from a higher-order functional program.
Sentential forms can be seen as ranked trees over Σ ∪ N ∪ Var. A sequence Π over {0, 1, . . . , n − 1} is a path of tr if every finite prefix of Π ∈ dom(tr). The set of paths in a tree tr will be denoted Paths(tr). Note that we are only interested in finite paths in our context. Associated with any path Π = n 1 , n 2 , . . . , n k is the word w Π = tr(n 1 )tr(n 1 n 2 ) · · · tr(n 1 n 2 · · · n k ). Let Σ 1 := {a ∈ Σ | arity(a) = 1}. The path language L p (S ) of a deterministic HORS S is defined as {Proj Σ1 (w Π ) | Π ∈ Paths(T S )}. The tree language L t (S ) associated with a HORS is the set of finite trees over Σ generated by S . The deterministic HORS corresponding to the higher-order function s3 from A HORS S is called a word scheme if it has exactly one nullary terminal symbol e and all other terminal symbolsΣ are of arity one. The word language L w (S ) ⊆Σ * defined by S is L w (S ) = {a 1 a 2 · · · a n | (a 1 (a 2 · · · (a n (e)) · · · )) ∈ L t (S )}. We denote by H the class of languages L w (S ) that occur as the word language of a higher-order recursion scheme S . Note that path languages and languages of word schemes are both word languages over the setΣ of unary symbols considered as letters. They are connected by the following proposition. A consequence of [21] and Prop. 2 is that the "post" language of higher-order functional programs can be modeled as the language of a word scheme. Hence, we define an asynchronous program over HORS as an asynchronous program over the language class H and we can use the following results on word schemes. Theorem 5. HORS and word schemes form effective full trios [7]. Emptiness [23] and finiteness [29] of order-n word schemes are (n − 1)-EXPTIME-complete. Now Theorems 2 and 3, together with Proposition 2 imply the decidability results in Corollary 1. The undecidability result is a consequence of Theorem 4 and the undecidability of the Z-intersection problem for indexed languages or equivalently, order-2 pushdown automata as shown in [33]. Order-2 pushdown automata can be effectively turned into order-2 OI grammars [10], which in turn can be translated into order-2 word schemes [9]. See also [22,Theorem 4]. A Direct Algorithm We say that downclosures are computable for a language class C if for a given description of a language L in C, one can compute an automaton for the regular language ↓L. From Proposition 1 and Theorem 1, if one can compute downclosures for a language class, then one can avoid the enumerative approaches of Section 4 and get a "direct algorithm." The algorithm replaces each handler by its downclosure and then invokes the decision procedure summarized in Theorem 1. The direct algorithm for asynchronous programs over HORS relies on the recent breakthrough results on computing downclosures. Unfortunately, current techniques for computing downclosures do not yet provide a complexity upper bound as we describe below. In [33], it was shown that in a full trio, downclosures are computable if and only if the diagonal problem for C is decidable. The latter asks, given a language L ⊆ Σ * , whether for every k ∈ N, there is a word w ∈ L with |w| σ ≥ k for every σ ∈ Σ. The diagonal problem was then shown to be decidable for higher-order pushdown automata [15] and then for word schemes [7]. The algorithm from [33] to compute downclosures using an oracle for the diagonal problem employs enumeration to compute a downclosure automaton, thus we have hidden the enumeration into the downclosure computation. We conjecture that downclosures can be computed in elementary time for word schemes of fixed order. This would imply an elementary time procedure for asynchronous programs over HORS of fixed order.
For handlers over context-free languages, given as PDAs, Ganty and Majumdar [12] show an EXPSPACE upper bound for safety, termination, and boundedness. Their algorithm constructs for each handler a polynomial-size Petri net with certain guarantees (forming so-called adequate family of Petri nets) that accepts a Parikh equivalent language. These Petri nets are then used to construct a larger Petri net, polynomial in the size of the asynchronous program and the adequate family of Petri nets, in which safety, termination, or boundedness can be phrased as a query decidable in EXPSPACE.
A natural question is whether a downclosure-based algorithm matches the same complexity. We can replace the Parikh-equivalent Petri nets of [12] with Petri nets recognizing the downclosure of a language. It is an easy consequence of Proposition 1 that the resulting Petri nets can be used in place of the adequate families of Petri nets in the procedures for safety, termination, and boundedness of [12]. Unfortunately, a finite automaton for ↓L may require exponentially many states in the PDA [4], so a naive approach gives a 2EXPSPACE algorithm.
In the full version of this paper, we show that that for each context-free language L, one can construct in polynomial time a 1-bounded Petri net accepting ↓L. (Recall that a 1-bounded Petri net if every reachable marking has at most one token in each place.) When used in the construction of [12], this matches the EXPSPACE upper bound for safety, termination, and boundedness verification.
As a byproduct, we get a simple direct construction of a finite automaton for ↓L when L is given as a PDA. This is of independent interest because earlier constructions of ↓L always start from a context-free grammar and produce (necessarily!) exponentially large NFAs [24,8,4]. The key observation is that the downclosure of the language of a PDA can be represented, after some simple modifications, as the language accepted by the PDA with a bounded stack.
or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium