MODEL CHECKING TEMPORAL PROPERTIES OF RECURSIVE PROBABILISTIC PROGRAMS

Abstract. Probabilistic pushdown automata (pPDA) are a standard operational model for programming languages involving discrete random choices, procedures, and returns. Temporal properties are useful for gaining insight into the chronological order of events during program execution. Existing approaches for model checking pPDA against temporal properties have focused mostly on ω-regular and LTL properties. In this paper, we study the model checking problem of pPDA against ω-visibly pushdown languages that can be described by specification logics such as CaRet and are strictly more expressive than ω-regular properties. These logical formulae allow specifying properties that explicitly take the structured computations arising from procedural programs into account. For example, CaRet is able to match procedure calls with their corresponding future returns, and thus allows expressing fundamental program properties such as total and partial correctness.


Introduction
Probabilistic programs extend traditional programs with the ability to flip coins or, more generally, sample values from probability distributions. These programs can be used to encode randomized algorithms and randomized mechanisms in security [BKOB13] in a natural way. The interest in probabilistic programs has significantly increased in recent years. To a large extent, this is due to the search in AI for more expressive and succinct languages than probabilistic graphical models for Bayesian inference [GHNR14]. Probabilistic programs have many applications [vdMPYW18]. They are used in, amongst others, machine learning, systems biology, security, planning and control, quantum computing, and software-defined networks. Probabilistic variants of many programming languages exist.
Procedural programs allow for the declaration of procedures (small, independent code blocks) and the ability to call procedures from one another, possibly in a recursive fashion. Most common programming languages such as C, Python, or Java support procedures. It is thus not surprising that recursion is a key ingredient in many modern probabilistic programming languages (PPL). In fact, many early approaches to extend Bayesian networks focused on incorporating recursion [PK00, Jae01, CIRW08, SG12]. Randomized algorithms such as Hoare's quicksort with random pivot selection can be straightforwardly programmed using recursion. Recursion is also a first-class citizen in modeling rule-based dependencies between molecules or populations in systems biology (e.g., modeling reproduction). This paper studies the automated verification of probabilistic pushdown automata (pPDA) [EKM04] as an explicit-state operational model of procedural probabilistic programs against temporal specifications. As a motivating example, let us consider a simple epidemiological model for the outbreak of an infectious disease in a large population where the number of susceptible individuals can be assumed to be infinite. Our example model distinguishes young and elderly persons. Each affected individual infects a uniformly distributed number of others, with varying rates (expected values) according to the age groups (Figure 2). The fatality rate for infected elderly and young persons is 1% and 0%, respectively. Initially, we assume there is a single infected young person, i.e., the overall program is started by calling infectYoung(). It is an easy task for any working programmer to specify this model as a discrete probabilistic program with mutually recursive procedures (Figure 1). Note that this program can easily be amended to yield more realistic models involving, e.g., more age or gender groups, other distributions, hospitalization rates, etc.
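To make the model concrete, the following Python sketch simulates one outbreak. The infection rates, offspring distributions, procedure names, and the safety cap are illustrative assumptions (the constants of Figure 1 are not reproduced here); an explicit worklist replaces native recursion, which also mirrors how a pushdown automaton executes such mutually recursive calls.

```python
import random

# Hypothetical parameters: each young person infects uniform(0..2) others
# (80% of them young); each elderly person infects uniform(0..1) others
# (50% young). Elderly die with probability 1%; young never die.
def simulate_outbreak(rng, cap=100_000):
    """Simulate one outbreak; return (total_infected, fatalities).

    Uses an explicit worklist of pending "procedure calls" instead of
    native recursion, mirroring the pushdown semantics.
    """
    worklist = ["young"]               # initially one infected young person
    infected, fatalities = 0, 0
    while worklist:
        if infected >= cap:            # safety cap: abort unrealistically large runs
            break
        person = worklist.pop()
        infected += 1
        if person == "young":
            n = rng.randint(0, 2)      # number of secondary infections
            for _ in range(n):
                worklist.append("young" if rng.random() < 0.8 else "elderly")
        else:
            if rng.random() < 0.01:    # 1% fatality rate for elderly
                fatalities += 1
            n = rng.randint(0, 1)
            for _ in range(n):
                worklist.append("young" if rng.random() < 0.5 else "elderly")
    return infected, fatalities

infected, fatalities = simulate_outbreak(random.Random(7))
```

Since the expected number of secondary infections per individual is at most one under these assumed parameters, the underlying branching process terminates almost surely; the cap merely guards against long critical runs.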
The operational behavior of programs such as the one in Figure 1 can be naturally described by pPDA. The technical details of such a translation are beyond the scope of this paper but let us provide some intuition (more details can be found e.g. in [ABE18]). Roughly, the local states of the procedures-the valuation of the local variables and the position of the program counter-constitute both the state space and the stack alphabet of the automaton. Procedure calls correspond to push transitions in the automaton in such a way that the program's procedure stack is simulated by the automaton's pushdown stack, i.e., the current local state is saved on top of the stack. Accordingly, returning from a procedure corresponds to taking a pop transition in order to restore the local state of the caller. Returning a value can be handled similarly. Clearly, if the reachable local state spaces of the involved procedures are finite, then the resulting automaton will be finite as well.
A number of relevant questions such as "Will the virus eventually become extinct?" (termination probability) or "What is the expected number of fatalities?" (expected costs) are decidable for finite pPDA (see [BEKK13] for a survey). In this work, we focus on temporal properties, e.g., questions that involve reasoning about the chronological order of certain events of interest during the epidemic. An example concerns chains of infection: For instance, we might ask What is the probability that eventually a young person with only young persons in their chain of infection passes the virus on to an elderly person who then dies? On the level of the program in Figure 1, this corresponds to the probability of reaching a global program configuration where the call stack only contains infectYoung() invocations and during execution of the current infectYoung(), the local variable f is eventually set to true. This requires reasoning about the nestings of calls and returns of a computation. In fact, in order to decide if f = true in the current procedure, we must "skip" over all calls within it and only consider their local return values. This requirement and many others can be naturally expressed in the logic CaRet [AEM04], an extension of LTL: ♦ g (□ − p Y ∧ p Y ∧ ♦ a f). Here, p Y is an atomic proposition that holds at states which correspond to being in procedure infectYoung, and f indicates that f = true. Intuitively, the above formula states that eventually (outer ♦ g ), the computation reaches a (global) state where only infectYoung is on the call stack and the current procedure is infectYoung as well (□ − p Y ∧ p Y ), and moreover the local (aka abstract) path within the current procedure reaches a state where f is true (♦ a f). Such properties are in general context-free but not always regular and thus cannot be expressed in LTL [AEM04].
Technical Contribution. The contribution of this paper is a solution to the following problem: We are given a (finite) pPDA ∆ and a CaRet formula ϕ and we are interested in determining the probability that a random trajectory of ∆ satisfies ϕ.
We briefly outline our solution. In order for the problem to be decidable [DBB12], we need to impose a mild visibility restriction on ∆, yielding a probabilistic visibly pushdown automaton (pVPA). Just like several previous works on model checking pPDA against ω-regular specifications [EKM04, BKS05, KEM06], we follow the automata-based approach (see Figure 3). More specifically, we first translate ϕ into an equivalent non-deterministic Büchi visibly pushdown automaton (VPA) [AM04] A and then determinize it using a procedure introduced by Löding et al. [LMS04]. The resulting DVPA D uses a so-called stair-parity [LMS04] acceptance condition that is strictly more expressive than standard parity or Muller DVPA [AM04]. Stair-parity differs from usual parity in that it only considers certain positions of an infinite word, called steps [LMS04], where the stack height never decreases again. We then construct a standard product ∆ × D. Here, the visibility conditions ensure that the automata synchronize their stack actions, yielding a product automaton that uses a single stack instead of two independent ones, which would lead to undecidability [DBB12]. Finally, we are left with computing a stair-parity acceptance probability in the product, which is itself a pPDA. This is achieved by constructing a specific finite Markov chain associated to ∆ × D, called step chain in this paper.

Figure 3: Chain of reductions used in this paper, ending in the step chain M ∆×D (Def. 4.13) and ETR. ETR stands for the existential theory of the reals, i.e., the existentially quantified fragment of the FO-theory over (R, +, ·, ≤).

Intuitively, the step chain jumps from one step of a run to the next, and therefore we only need to evaluate standard parity rather than stair-parity on the step chain. The idea of step chains was introduced by Esparza et al. [EKM04] who used them to show decidability of the model checking problem against deterministic (non-pushdown) Büchi automata. For constructing the step chain, certain reachability probabilities of the pPDA need to be computed. In general, these probabilities are algebraic numbers that cannot always be expressed by radicals [EY09], let alone by rationals. However, the relevant problems are still decidable via an encoding in the existential fragment of the FO-theory of the reals (ETR) [KEM06].
The resulting main contributions of this paper are complexity results, summarized in Figure 4, and algorithms for quantitative model checking of pPDA against ω-visibly pushdown languages (VPL) given in terms of either deterministic or non-deterministic visibly pushdown automata, or as CaRet formulae. As common in the literature, we consider the special case of qualitative, or almost-sure (a.-s.), model checking separately. To the best of our knowledge, none of these problems was known to be decidable before. The work of [DBB12] proved decidability of model checking against deterministic Muller VPA which capture a strict subset of the CaRet-definable languages [AM04]. As a lemma of independent interest, we show that the step chain can be used for checking all kinds of measurable properties defined on steps, even beyond parity.
Related work. We have already mentioned various works on recursion in probabilistic graphical models (and PPL) as well as on verifying pPDA and the equivalent model of recursive Markov chains [EY09]. The analysis of these models focuses on reachability probabilities, ω-regular properties or (fragments of) probabilistic CTL, expected costs, and termination probabilities. The computation of termination probabilities in recursive Markov chains and variations thereof with non-determinism is supported by the software tool PReMo [WE07]. Our paper can be seen as a natural extension from checking pPDA against ω-regular properties to ω-visibly pushdown languages. In contrast to these algorithmic approaches, various deductive reasoning methods have been developed for recursive probabilistic programs. Proof rules for recursion were first provided in [Jon90], and later extended to proof rules in a weakest-precondition reasoning style [MM01, OKKM16]. Olmedo et al. [OKKM16] also address the connection to pPDA and provide proof rules for expected run-time analysis. A mechanized method for proving properties of randomized algorithms, including recursive ones, for the Coq proof assistant is presented in [AP09]. The Coq approach is based on higher-order logic using a monadic interpretation of programs as probabilistic distributions.

Organization. This paper is structured as follows. We review the basics about VPA and CaRet in Section 2. Section 3 introduces probabilistic visibly pushdown automata (pVPA). The stair-parity DVPA model checking procedure is presented in Section 4, and the results for Büchi VPA and CaRet in Section 5. We conclude the paper in Section 6.

Visibly Pushdown Languages
In this section, we summarize some preliminary results on visibly pushdown languages and their corresponding automata models, and we recall the syntax and semantics of CaRet. We use the following notation for words. Given a non-empty alphabet Σ, let Σ * be the set of all finite words (including the empty word ε), and let Σ ω be the set of all infinite words over Σ. For i ≥ 0, the i-th symbol of a word w ∈ Σ * ∪ Σ ω is denoted w(i) if it exists. |w| denotes the length of w. For sets of finite words A and B, the concatenation of all words from A with those from B is denoted A.B. We also use a.B and A.b as shorthands for {a}.B and A.{b}, respectively.
2.1. Visibly Pushdown Automata. A finite alphabet Σ is called a pushdown alphabet if it is equipped with a partition Σ = Σ call ⊎ Σ int ⊎ Σ ret into three (possibly empty) subsets of call, internal, and return symbols. A visibly pushdown automaton (VPA) [AM04] over Σ is like a standard pushdown automaton with the additional syntactic restriction that reading a call, internal, or return symbol triggers a push, internal, or pop transition, respectively (an internal transition is one that does not change the stack height). VPA are defined more formally as follows.

Definition 2.1 (VPA [AM04]). A visibly pushdown automaton over pushdown alphabet Σ is a tuple A = (S, s 0 , Γ, ⊥, δ, Σ) where S is a finite set of states, s 0 ∈ S is an initial state, Γ is a finite stack alphabet, ⊥ ∈ Γ is a special bottom-of-stack symbol, and δ = (δ call , δ int , δ ret ) is a triple of transition relations δ call ⊆ S × Σ call × S × (Γ -⊥), δ int ⊆ S × Σ int × S, and δ ret ⊆ S × Γ × Σ ret × S. We write s a −→ tZ, s a −→ t, and sZ a −→ t for (s, a, t, Z) ∈ δ call , (s, a, t) ∈ δ int , and (s, Z, a, t) ∈ δ ret , respectively. △
The semantics of a VPA is defined as usual via configurations and runs. A configuration of VPA A is a tuple (s, γ) ∈ S × (Γ -⊥)*.⊥, written more succinctly as sγ in the sequel. Intuitively, being in configuration sγ means that the automaton is currently in state s and has the word γ on its stack. If sγ = sZγ ′ for some Z ∈ Γ, then sZ is called the head of sγ. A bottom configuration is a configuration with head s⊥ for some s ∈ S. Let w ∈ Σ ω be an infinite input word. An infinite sequence ρ = s 0 γ 0 , s 1 γ 1 . . . of configurations is called a run of A on w if s 0 γ 0 = s 0 ⊥ and for all i ≥ 0, exactly one of the following cases applies:
• w(i) ∈ Σ call , there is a call transition s i w(i) −→ s i+1 Z, and γ i+1 = Zγ i ;
• w(i) ∈ Σ int , there is an internal transition s i w(i) −→ s i+1 , and γ i+1 = γ i ;
• w(i) ∈ Σ ret and either γ i = Zγ i+1 for some Z ∈ Γ -⊥ with a return transition s i Z w(i) −→ s i+1 , or γ i = γ i+1 = ⊥ with a return transition s i ⊥ w(i) −→ s i+1 .
In other words, if A reads a call (or internal) symbol a while being in configuration sγ and there exists a suitable call transition s a −→ tZ (or internal transition s a −→ t), then a run of A may evolve from configuration sγ to tZγ (or tγ, respectively). Similarly, if A reads a return symbol a in configuration sZγ where Z ≠ ⊥ and there is a transition sZ a −→ t, then a run can move from sZγ to tγ. Note that invoking a return transition in a bottom configuration s⊥ does not remove the topmost symbol ⊥ from the stack.
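The run semantics above amounts to a simple one-step interpreter. The following Python sketch (restricted, for simplicity, to deterministic transition functions given as hypothetical dictionaries) advances a configuration sγ by one input symbol, including the rule that the bottom symbol ⊥ is never popped.

```python
BOTTOM = "⊥"

def step(config, sym, sym_type, d_call, d_int, d_ret):
    """Advance configuration (state, stack) by one input symbol.

    sym_type is 'call', 'int', or 'ret'; d_call/d_int/d_ret are the
    (deterministic) transition functions. The stack is a list whose
    first element is always the bottom symbol ⊥.
    """
    state, stack = config
    if sym_type == "call":                  # push transition
        nstate, z = d_call[(state, sym)]
        return nstate, stack + [z]
    if sym_type == "int":                   # internal: stack untouched
        return d_int[(state, sym)], stack
    top = stack[-1]                         # return: pop, but never pop ⊥
    nstate = d_ret[(state, top, sym)]
    return nstate, stack if top == BOTTOM else stack[:-1]

# Tiny hypothetical DVPA over Σcall = {c}, Σint = {i}, Σret = {r}
# with a single state s and stack symbol Z.
d_call = {("s", "c"): ("s", "Z")}
d_int = {("s", "i"): "s"}
d_ret = {("s", "Z", "r"): "s", ("s", BOTTOM, "r"): "s"}

cfg = ("s", [BOTTOM])
for sym, t in [("i", "int"), ("r", "ret"), ("c", "call"), ("r", "ret")]:
    cfg = step(cfg, sym, t, d_call, d_int, d_ret)
```

Note how the early return symbol r leaves the stack at [⊥] rather than popping the bottom symbol, exactly as in the bottom-configuration rule.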
A Büchi acceptance condition for A is a subset F ⊆ S. A VPA equipped with a Büchi condition is called a Büchi VPA. An infinite word w ∈ Σ ω is accepted by a Büchi VPA if there exists a run s 0 γ 0 , s 1 γ 1 , . . . of A on w such that s i ∈ F for infinitely many i ≥ 0. The ω-language of words accepted by a Büchi VPA A is denoted L(A) ⊆ Σ ω .
Definition 2.2 (ω-VPL [AM04]). Let Σ be a pushdown alphabet. L ⊆ Σ ω is an ω-visibly pushdown language (ω-VPL) if L = L(A) for a Büchi VPA A over Σ. △

A VPA is deterministic (DVPA) if it has exactly one run on each input word. In this case, δ call , δ int , and δ ret can be viewed as (total) functions. As for standard NBA, the class of languages recognized by Büchi DVPA is a strict subset of the languages recognized by non-deterministic Büchi VPA. Unlike in the non-pushdown case, DVPA with Muller or parity conditions are also strictly less expressive than non-deterministic Büchi VPA [AM04]. A deterministic automaton model for ω-VPL was given in [LMS04]. It uses a so-called stair-parity acceptance condition which we explain in the upcoming Section 2.2.

2.2. Steps and Stair-parity Conditions. In the remainder of this section, Σ denotes a pushdown alphabet and A a VPA over Σ. Consider a run ρ = s 0 γ 0 , s 1 γ 1 , . . . of A on an infinite word w ∈ Σ ω . We define the stack height of the i-th configuration as sh(ρ(i)) = |γ i | − 1 (i.e., the bottom symbol ⊥ does not count towards the stack height). The stair-parity condition relies on the notion of steps:

Definition 2.3 (Step). Let ρ be a run of A. Position i ≥ 0 is a step of ρ if ∀n ≥ i : sh(ρ(n)) ≥ sh(ρ(i)). △

Intuitively, a step is a position of a run such that there is no future position where the stack height is strictly smaller. Slightly abusing terminology, we also say that a configuration s i γ i of a given run ρ = s 0 γ 0 , s 1 γ 1 , . . . is a step if position i is a step.

Example 2.4. Figure 5 depicts a DVPA and the initial fragment of its unique run ρ on the input word τ r c τ τ c r c 2 r 2 c 3 r 3 . . .. The step positions are underlined, i.e., positions 0-5, 7, 11, and 17 are steps. Note that if ρ(i) = s⊥ for some s ∈ S then i is a step, i.e., bottom configurations are always steps.
Steps play a central role in the rest of the paper. We therefore explain some of their fundamental properties. Suppose that ρ is a run of A on an infinite word w ∈ Σ ω .
• If positions i < j are adjacent steps, i.e., there is no step k strictly in between i and j, then sh(ρ(j)) − sh(ρ(i)) ∈ {0, 1}, i.e., the stack height from one step to the next increases by either zero or one.
• Each step i has a next step j > i: If the symbol at step i is internal (e.g., i = 0, 3, 4 in Figure 5) or a return (e.g., i = 1), then the next step is simply the next position j = i + 1 and the stack height does not increase. If the symbol at position i is a call, then one of two cases occurs: Either the call has no matching future return (e.g., i = 2); in this case, the next step is the next position j = i + 1. Otherwise the call is eventually matched (e.g., i = 5, 7, 11) and the next step j > i + 1 occurs after the corresponding matching return is read and has the same stack height.
• As a consequence, each infinite run has infinitely many steps. Notice though that the difference between two adjacent step positions may grow unboundedly as in Figure 5.
• The stack height at the steps either grows unboundedly or eventually stabilizes (the latter occurs in Figure 5; the stack heights at the steps induce the sequence 0, 0, 0, 1 ω ).
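These properties suggest a simple way to compute the steps of a finite prefix: derive the stack heights from the symbol types and keep exactly the positions whose height is minimal among all later positions. The Python sketch below does this for the word of Example 2.4; note that over a finite prefix this is only sound when, as here, the continuation is known never to drop below the heights already seen (the c n r n pattern never goes below height 1 again).

```python
def stack_heights(types):
    """Heights sh(ρ(0)), ..., sh(ρ(n)) of the configurations along a word
    prefix, where types is a list over {'call','int','ret'}; ⊥ is never popped."""
    hs = [0]
    for t in types:
        h = hs[-1]
        if t == "call":
            h += 1
        elif t == "ret" and h > 0:   # a return at the bottom keeps height 0
            h -= 1
        hs.append(h)
    return hs

def steps(types):
    """Positions i such that no later position has a smaller stack height."""
    hs = stack_heights(types)
    result, suffix_min = [], float("inf")
    for i in reversed(range(len(hs))):
        suffix_min = min(suffix_min, hs[i])
        if hs[i] == suffix_min:      # hs[i] is minimal among positions >= i
            result.append(i)
    return result[::-1]

# Word prefix from Example 2.4: τ r c τ τ c r c c r r c c c r r r (τ = internal)
w = ["int", "ret", "call", "int", "int", "call", "ret",
     "call", "call", "ret", "ret", "call", "call", "call", "ret", "ret", "ret"]
print(steps(w))   # → [0, 1, 2, 3, 4, 5, 7, 11, 17]
```

The output reproduces exactly the step positions 0-5, 7, 11, and 17 stated in Example 2.4.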
Remark 2.5. We can also define the steps of a word w ∈ Σ ω as the positions where a run of any arbitrary VPA on w has a step. Due to the visibility restriction, the actual behaviour of the VPA does not influence the step positions [LMS04]. In other words, the step positions are predetermined by the input word. Thus, we can also speak of the stack height sh(w(i)) of word w at position i.
We need one last notion before defining stair-parity. The footprint of an infinite run ρ = s 0 γ 0 , s 1 γ 1 , . . . is the infinite sequence ρ↓ Steps = s n 0 s n 1 . . . ∈ S ω where for all i ≥ 0 the position n i is the i-th step of ρ. In words, ρ↓ Steps is the projection of the run ρ onto the states occurring at its steps. For the example run in Figure 5, ρ↓ Steps = s 0 s 1 s 1 s 0 s 1 ω .

Definition 2.6 (Stair-parity [LMS04]). Let A be a VPA over pushdown alphabet Σ. A stair-parity acceptance condition for A is defined in terms of a priority function Ω : S → N 0 ; a run ρ is accepting if min{ Ω(s) | s occurs infinitely often in ρ↓ Steps } is even. Intuitively, L(A) contains all words that have a run ρ on A such that the minimum priority occurring infinitely often at states in the footprint ρ↓ Steps is even. △
Example 2.7. The DVPA in Figure 5 with Ω(s 0 ) = 1 and Ω(s 1 ) = 2 accepts the language L repbdd of repeatedly bounded words [LMS04], i.e., words whose stack height (cf. Remark 2.5) is infinitely often equal to some constant B. The example word from Figure 5 satisfies this property with B = 1. To see why the automaton accepts L repbdd , note that a word is repeatedly bounded iff the stack height at the steps stabilizes eventually. The latter occurs iff in just finitely many cases, the transition before reaching a step was a call. The DVPA in Figure 5 detects this behavior; when reading a call symbol, it always moves to state s 0 , which has odd priority, and it accepts iff s 0 occurs only finitely often in the footprint. It is known that L repbdd is not expressible through DVPA with usual parity conditions [AM04]. It was also shown in [LMS04] that stair-parity DVPA characterize exactly the class of ω-VPL (and are thus not more expressive than non-deterministic Büchi VPA).
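Once the footprint of an ultimately periodic run is at hand, evaluating stair-parity reduces to inspecting the cycle: the states occurring infinitely often in the footprint are exactly those on its cycle. A minimal Python sketch, using the priorities of Example 2.7:

```python
def stair_parity_accepts(cycle_states, priority):
    """Accept iff the minimum priority occurring infinitely often in an
    ultimately periodic footprint, i.e., the minimum over its cycle, is even."""
    return min(priority[s] for s in cycle_states) % 2 == 0

# The footprint s0 s1 s1 s0 s1^ω from Figure 5 has the cycle (s1).
priority = {"s0": 1, "s1": 2}     # priorities from Example 2.7
print(stair_parity_accepts(["s1"], priority))   # → True
```

If the cycle also contained s0 (i.e., calls kept occurring before steps), the minimum priority would be the odd 1 and the word would be rejected, matching the intuition of Example 2.7.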
2.3. CaRet, a Temporal Logic of Calls and Returns. Specifying requirements directly in terms of automata is tedious in practice. CaRet [AEM04] is an extension of Linear Temporal Logic (LTL) [Pnu77] that can be used to describe ω-VPL. Its syntax is defined as follows:

Definition 2.8 (CaRet [AEM04]). Let AP be a finite set of atomic propositions. The logic CaRet adheres to the grammar
ϕ ::= p | ϕ ∨ ϕ | ¬ϕ | ○ g ϕ | ○ a ϕ | ○ − ϕ | ϕ U g ϕ | ϕ U a ϕ | ϕ U − ϕ ,
where p ∈ AP ∪ {call, int, ret}. △

Other common modalities such as ♦ b and □ b for b ∈ {g, a, −} are defined as usual via ♦ b ϕ = true U b ϕ and □ b ϕ = ¬♦ b ¬ϕ. We now explain the intuitive semantics of CaRet; the formal definition is stated further below. We assume familiarity with LTL. CaRet formulae are interpreted over infinite words from the pushdown alphabet Σ = 2 AP × {call, int, ret}.
○ g and U g are the standard next and until modalities from LTL (called global next and until in CaRet). CaRet extends LTL by two key operators, the caller modality ○ − and the abstract successor ○ a . The semantics of these operators is visually explained in Figure 6. The caller ○ − is a past modality that points to the position of the last pending call. For internal and return symbols, the abstract successor ○ a behaves like ○ g unless the latter is a return, in which case ○ a is undefined (e.g. position 3 in Figure 6). On the other hand, the abstract successor of a call symbol is its matching return if it exists, or undefined otherwise. The until modalities U − and U a are defined over the paths induced by the callers and abstract successors, respectively. Note that the caller path is always finite and the abstract path can be either finite or infinite. A prime application of CaRet is expressing Hoare-like total correctness of a procedure F [AEM04]: □ g ((call ∧ p F ∧ p) → ○ a q), where p and q are atomic propositions that hold at the states where the pre- and postcondition is satisfied, respectively, and p F is an atomic proposition marking the calls to F. Another example is the language of repeatedly bounded words from Example 2.7; it is described by the formula ϕ repbdd = ♦ g □ g (call → ○ a ret) which states that all but finitely many calls have a matching return. Further examples are given in [AEM04]. We now define the semantics of CaRet formally. Let Σ = 2 AP × {call, int, ret} be the pushdown alphabet and w ∈ Σ ω . If w(i) ∈ Σ call , then let MR w (i) be the position of the matching return of w(i), or undef if there is no matching return. The abstract successor succ a w (i) of position i in word w is defined as MR w (i) if w(i) ∈ Σ call ; as i + 1 if w(i) ∉ Σ call and w(i+1) ∉ Σ ret ; and as undef otherwise. The caller succ − w (i) of position i in word w is defined as the innermost ("closest") unmatched call position j < i, or undef if there is no previous open call.
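The matching-return map MR and the abstract successor can be computed with a single left-to-right pass and an explicit stack of pending call positions. A minimal Python sketch over a finite word prefix (the example word is hypothetical; within a finite prefix, "undefined" also covers successors lying beyond the prefix):

```python
def matching_returns(types):
    """MR: map each call position to its matching return position, if any."""
    mr, pending = {}, []
    for i, t in enumerate(types):
        if t == "call":
            pending.append(i)
        elif t == "ret" and pending:   # a return with no open call matches nothing
            mr[pending.pop()] = i
    return mr

def abstract_successor(types):
    """succ^a: matching return for calls; i+1 for internal/return symbols
    unless the next symbol is a return; None where undefined."""
    mr = matching_returns(types)
    succ = []
    for i, t in enumerate(types):
        if t == "call":
            succ.append(mr.get(i))
        elif i + 1 < len(types) and types[i + 1] != "ret":
            succ.append(i + 1)
        else:
            succ.append(None)
    return succ

types = ["call", "int", "ret", "int", "call", "int"]
print(abstract_successor(types))   # → [2, None, 3, 4, None, None]
```

Position 0 is a call matched by the return at position 2; position 1 is internal but its global successor is a return, so its abstract successor is undefined; the call at position 4 is never matched within the prefix.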
Definition 2.9 (Semantics of CaRet). Let Σ = 2 AP × {call, int, ret} and w ∈ Σ ω . For all CaRet formulas ϕ and i ∈ N 0 , we define (w, i) |= ϕ by induction over the structure of ϕ as follows:

Figure 6: CaRet's various next modalities applied to the initial fragment of an example word. Call, internal, and return positions are depicted as boxes, circles, and rhombs, respectively. Note that ○ a of position 3 is undefined because its global successor is a return. Whether or not ○ a of position 1 is defined depends on how the word continues after position 5.

The translation of a CaRet formula into an equivalent non-deterministic Büchi VPA with exponentially many states (Theorem 2.2) is well-known in the literature [AAB + 07, ABE18], even though it is usually stated for Nested Word Automata (NWA), which are equivalent to VPA, and it is more common to state a space bound on A rather than a time bound for the construction. The theorem even applies to the logic NWTL + , an FO-complete extension of CaRet [AAB + 07], which we do not consider here for the sake of simplicity.
Theorems 2.1 and 2.2 together imply that each CaRet formula can be translated to a deterministic stair-parity VPA of doubly-exponential size.

Probabilistic Visibly Pushdown Automata
As explained in the introduction, we employ probabilistic pushdown automata [EKM04] (pPDA) as an operational model for procedural probabilistic programs. pPDA thus play a fundamentally different role in this paper than VPA (cf. Definition 2.1): pPDA are used to model the system, while VPA encode the specification. Consequently, our pPDA do not read an input word like VPA do, but instead take their transitions randomly, according to fixed probability distributions. In this way, they define a probability space over their possible traces, i.e., runs projected on their labeling sequence. These traces constitute the input words of the VPA. In order for the model checking problems to be decidable [DBB12], a syntactic visibility restriction needs to be imposed on pPDA. In a nutshell, the condition is that each state only has outgoing transitions of one type, i.e., push, internal, or pop. This means that the stack operation is visible in the states (recall that for VPA, the stack operation is visible in the input symbol). This restriction is not severe in the context of modeling programs (see Remark 3.4 further below) and leads to our notion of probabilistic visibly pushdown automata (pVPA) which we now define formally.
Given a finite set X, we write Dist(X) = { f : X → [0, 1] | Σ a∈X f(a) = 1 } for the set of probability distributions over X.
Definition 3.1 (pVPA). A probabilistic visibly pushdown automaton (pVPA) is a tuple ∆ = (Q, q 0 , Γ, ⊥, P, Σ, λ) where Q is a finite set of states partitioned into Q = Q call ⊎ Q int ⊎ Q ret , q 0 ∈ Q is an initial state, Γ is a finite stack alphabet, ⊥ ∈ Γ is a special bottom-of-stack symbol, P = (P call , P int , P ret ) is a triple of functions P call : Q call → Dist(Q × (Γ -⊥)), P int : Q int → Dist(Q), and P ret : Q ret × Γ → Dist(Q), Σ is a pushdown alphabet, and λ : Q → Σ is a state labeling function consistent with the visibility condition, i.e., for all type ∈ {call, int, ret} and all q ∈ Q, it is required that q ∈ Q type iff λ(q) ∈ Σ type . △

Similar to VPA, we use the notation q p −→ rZ, q p −→ r, and qZ p −→ r to indicate that P call (q)(r, Z) = p, P int (q)(r) = p, and P ret (q, Z)(r) = p, respectively.
Intuitively, the behavior of a pVPA ∆ is as follows. If the current state q is a call state, then the probability distribution P call (q) determines a random successor state and stack symbol to be pushed on the stack (⊥ cannot be pushed). Similarly, if the current state q is internal, then P int (q) is the distribution over possible successor states and no stack operation is performed. Lastly, if the current state q is a return state and symbol Z ∈ Γ -⊥ is on top of the stack, then Z is popped and ∆ moves to a successor state with probability according to P ret (q, Z). As in VPA, the special symbol ⊥ is not popped from the stack if a return transition occurs in a bottom configuration.
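The three cases translate directly into a sampler for pVPA runs. The following Python sketch uses a small hypothetical pVPA with a call state c (pushing Z and moving to c or to the return state r) to illustrate, in particular, that ⊥ is never popped:

```python
import random

BOTTOM = "⊥"

def sample_run(p_call, p_int, p_ret, kind, q0, rng, n_steps):
    """Sample a run prefix of a pVPA as a list of configurations (state, stack)."""
    def draw(dist):
        x, acc = rng.random(), 0.0
        for outcome, p in dist.items():
            acc += p
            if x < acc:
                return outcome
        return outcome                       # guard against float rounding
    state, stack = q0, [BOTTOM]
    run = [(state, tuple(stack))]
    for _ in range(n_steps):
        if kind[state] == "call":            # push a random symbol
            state, z = draw(p_call[state])
            stack.append(z)
        elif kind[state] == "int":           # internal: stack untouched
            state = draw(p_int[state])
        else:                                # return: pop, but never pop ⊥
            top = stack[-1]
            state = draw(p_ret[(state, top)])
            if top != BOTTOM:
                stack.pop()
        run.append((state, tuple(stack)))
    return run

# Hypothetical pVPA: call state c pushes Z and moves to c or r with prob 1/2 each;
# return state r always pops (or idles at the bottom).
kind = {"c": "call", "r": "ret"}
p_call = {"c": {("c", "Z"): 0.5, ("r", "Z"): 0.5}}
p_ret = {("r", "Z"): {"r": 1.0}, ("r", BOTTOM): {"r": 1.0}}
run = sample_run(p_call, {}, p_ret, kind, "c", random.Random(1), 50)
```

Every sampled configuration keeps ⊥ at the bottom of its stack, so return transitions taken in bottom configurations merely loop.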
The formal semantics of a pVPA is defined in terms of a countably infinite discrete-time Markov chain. A (labeled) Markov chain is essentially the special case of a pVPA where Q = Q int , with the only difference that we allow for countably infinite Q and do not impose the restriction on the labeling function λ. A Markov chain can thus be specified as a 5-tuple (Q, q 0 , P, Σ, λ), i.e., we omit ⊥ and Γ from the definition of pVPA because a Markov chain does not use a stack. A run of a Markov chain is an infinite sequence q 0 q 1 q 2 . . . ∈ q 0 .Q ω of states. We extend the labeling function λ from states to runs in the natural way.
We define the Markov chain generated by a pVPA ∆ = (Q, q 0 , Γ, ⊥, P, Σ, λ) as D ∆ = (C, q 0 ⊥, P ∆ , Σ, λ ∆ ) where C = { qγ | q ∈ Q, γ ∈ (Γ -⊥)*.⊥ } and λ ∆ (qγ) = λ(q), i.e., the state space of D ∆ is the set of configurations of ∆ and the transition probability function P ∆ is defined as follows. P ∆ (qγ)(rγ ′) = p > 0 iff exactly one of the following three cases applies:
• q ∈ Q call , q p −→ rZ, and γ ′ = Zγ;
• q ∈ Q int , q p −→ r, and γ ′ = γ;
• q ∈ Q ret and either γ = Zγ ′ for some Z ∈ Γ -⊥ with qZ p −→ r, or γ = γ ′ = ⊥ with q⊥ p −→ r.

Example 3.2. Figure 7 depicts a pVPA ∆ and a fragment of its generated Markov chain D ∆ . Even though D ∆ is infinite, many questions about pVPA remain decidable, including in particular questions about reachability probabilities, which can be characterized as the least solution of a system of polynomial equations [EKM04]. We will use this extensively in Section 4.
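The remark about polynomial equation systems deserves a concrete illustration. Consider an illustrative pPDA that, from its single state with symbol Z on top, pushes another Z with probability p and pops with probability 1 − p. The probability t of eventually popping Z then satisfies t = p·t² + (1 − p), and the relevant solution is the least non-negative one. Kleene (fixed-point) iteration from 0 converges to it; the choice p = 2/3 below is an assumption of this sketch.

```python
def least_fixpoint(p, iterations=500):
    """Iterate t <- p*t^2 + (1 - p) starting from 0; converges to the least
    non-negative root of p*t^2 - t + (1 - p) = 0, i.e., min(1, (1 - p)/p)."""
    t = 0.0
    for _ in range(iterations):
        t = p * t * t + (1 - p)
    return t

# For p = 2/3 the roots are 1 and 1/2; the termination probability is the
# least one, 1/2. For p = 1/3 the roots are 1 and 2, so the probability is 1.
print(least_fixpoint(2 / 3))   # ≈ 0.5
```

This mirrors, in miniature, how the reachability probabilities entering the constructions of Section 4 arise as least solutions; in general they are only characterized via ETR rather than computed by iteration.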
We define the set Runs ∆ of a pVPA ∆ as the runs of its Markov chain D ∆ . Steps of pVPA runs are defined as in Definition 2.3. A further example pVPA and its possible runs are depicted in Figure 8 on page 16.
We associate a probability space with Runs ∆ in the usual way (see, e.g., [BK08, Ch. 10]). To this end, we define the σ-algebra F ⊆ 2 Runs ∆ as the smallest set that contains the cylinder sets ρ 0 . . . ρ n .Runs ∆ for all finite prefixes ρ 0 . . . ρ n of configurations, and that is closed under complementation and countable unions; the probability of a cylinder set is the product of the transition probabilities of D ∆ along its prefix. In the following two remarks, we summarize the technical differences between our pVPA model and existing models in the literature.
Remark 3.3. Our pVPA only produce infinite runs and do not simply "terminate" upon reaching the empty stack as in most of the literature on probabilistic pushdown automata (pPDA), e.g., [EKM04]. Indeed, in our pVPA, the stack can never be empty because the special bottom symbol ⊥ cannot be popped. We have chosen this semantics for compatibility with CaRet which describes ω-languages per definition. Nonetheless, terminating behavior can be easily simulated in our framework by moving to a dedicated sink state once the pVPA attempts to pop ⊥ for the first time. Another technical difference between our pVPA and the pPDA introduced in [EKM04] is that in pVPA, only pop transitions can read the stack, whereas in pPDA, all types of transitions can read, and possibly exchange, the current topmost stack symbol. We have chosen this definition (which is not a true restriction) for compatibility with VPA as defined in [AM04].
Remark 3.4. The visibility restriction of our pVPA is slightly different from the definition given in [DBB12] which requires all incoming transitions to a state to be of the same type, i.e., call, internal, or return. Our definition, on the other hand, imposes the same requirement on the states' outgoing transitions. We believe that our condition is more natural for pVPA obtained from procedural programs, such as the one in Figure 1. In fact, programs where randomness is restricted to internal statements such as x := bernoulli(0.5) or x := uniform(0, 3) naturally comply with our visibility condition because all call and return states of such programs are deterministic and thus cannot violate visibility. However, the alternative condition of [DBB12] is not necessarily fulfilled for such programs.
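Our visibility condition is easy to check mechanically on an automaton extracted from a program: every state may have outgoing transitions of one type only. A minimal Python sketch over a hypothetical edge list:

```python
def satisfies_visibility(transitions):
    """transitions: iterable of (source_state, kind) pairs with kind in
    {'call', 'int', 'ret'}. Each state must use a single kind for all of
    its outgoing transitions."""
    kinds = {}
    for state, kind in transitions:
        if kinds.setdefault(state, kind) != kind:
            return False
    return True

ok = satisfies_visibility([("q0", "call"), ("q0", "call"), ("q1", "ret")])
bad = satisfies_visibility([("q0", "call"), ("q0", "int")])
```

The condition of [DBB12] would instead group transitions by their target state; checking it amounts to the same pass with target states as keys.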
We can now formally state our main problem of interest:

Definition 3.5 (Probabilistic CaRet Model Checking). Let AP be a finite set of atomic propositions, ϕ be a CaRet formula over AP , ∆ be a pVPA with labels from the pushdown alphabet Σ = 2 AP × {call, int, ret}, and θ ∈ [0, 1] ∩ Q. The quantitative CaRet Model Checking problem is to decide whether P({ ρ ∈ Runs ∆ | λ(ρ) |= ϕ }) ≥ θ. The qualitative CaRet Model Checking problem is the special case where θ = 1. △

The probabilities in Definition 3.5 are well-defined as ω-VPL are measurable [LMS04].

Model Checking pVPA against Stair-parity DVPA
In this section, we show that model checking pVPA (Definition 3.1) against VPL given in terms of a stair-parity DVPA (Definition 2.6) is decidable. This is achieved by first computing an automata-theoretic product of the pVPA and the DVPA and then evaluating the acceptance condition in the product automaton.
4.1. Products of Visibly Pushdown Automata. In general, pushdown automata are not closed under taking products as this would require two independent stacks. However, the visibility conditions on VPA and pVPA ensure that their product is again an automaton with just a single stack because the stack operations (push, internal, or pop) are forced to synchronize. We now define the product formally. An unlabeled pVPA is a pVPA where the labeling function λ and alphabet Σ are omitted.
Definition 4.1 (Product ∆ × D). Let ∆ = (Q, q 0 , Γ, ⊥, P, Σ, λ) be a pVPA, and D = (S, s 0 , Γ ′, ⊥, δ, Σ) be a DVPA over pushdown alphabet Σ. The product of ∆ and D is the unlabeled pVPA ∆ × D = (Q × S, (q 0 , s 0 ), Γ × Γ ′, (⊥, ⊥), P ∆×D ) where P ∆×D is the smallest set of transitions satisfying the following rules for all q, r ∈ Q, Z ∈ Γ, s, t ∈ S, and Y ∈ Γ ′:
• if q p −→ rZ in ∆ and s λ(q) −→ tY in D, then (q, s) p −→ (r, t)(Z, Y );
• if q p −→ r in ∆ and s λ(q) −→ t in D, then (q, s) p −→ (r, t);
• if qZ p −→ r in ∆ and sY λ(q) −→ t in D, then (q, s)(Z, Y ) p −→ (r, t).
If the DVPA D is equipped with a priority function Ω : S → N 0 , then we extend Ω to Ω ′ : Q × S → N 0 via Ω ′(q, s) = Ω(s). △

It is not difficult to show that ∆ × D is indeed a well-defined pVPA and moreover satisfies the following property (the proof is standard, see [WGK21]):

Lemma 4.2 (Soundness of ∆ × D). Let ∆ be a pVPA and D be a stair-parity DVPA with priority function Ω, both over pushdown alphabet Σ. Then the product pVPA ∆ × D with priority function Ω ′ as in Definition 4.1 satisfies
P({ ρ ∈ Runs ∆ | λ(ρ) ∈ L(D) }) = P({ ρ ∈ Runs ∆×D | ρ↓ Steps ∈ Parity Ω ′ }) ,
where Parity Ω ′ denotes the set of words in (Q × S) ω satisfying the standard parity condition induced by Ω ′. Moreover, ∆ × D can be constructed in polynomial time.
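The product construction can be sketched programmatically. The rule shapes below follow the standard synchronized VPA product (push with push, internal with internal, pop with pop); the dictionary encodings and the concrete example automata are assumptions of this sketch.

```python
def product(p_call, p_int, p_ret, label, d_call, d_int, d_ret):
    """Build the transition maps of the product of a pVPA with a DVPA.

    pVPA: p_call[q] = {(r, Z): prob}, p_int[q] = {r: prob},
          p_ret[(q, Z)] = {r: prob}; label[q] is the input symbol fed to D.
    DVPA: d_call[(s, a)] = (t, Y), d_int[(s, a)] = t, d_ret[(s, Y, a)] = t.
    """
    pc, pi, pr = {}, {}, {}
    for q, dist in p_call.items():                 # push synchronizes with push
        for s in {s for (s, _) in d_call}:
            t, y = d_call[(s, label[q])]
            pc[(q, s)] = {((r, t), (z, y)): p for (r, z), p in dist.items()}
    for q, dist in p_int.items():                  # internal with internal
        for s in {s for (s, _) in d_int}:
            t = d_int[(s, label[q])]
            pi[(q, s)] = {(r, t): p for r, p in dist.items()}
    for (q, z), dist in p_ret.items():             # pop with pop
        for (s, y, a), t in d_ret.items():
            if a == label[q]:
                pr[((q, s), (z, y))] = {(r, t): p for r, p in dist.items()}
    return pc, pi, pr

# Tiny example: a single pVPA call transition paired with one DVPA call rule.
p_call = {"q": {("q", "Z"): 1.0}}
label = {"q": "c"}
d_call = {("s", "c"): ("s", "Y")}
pc, pi, pr = product(p_call, {}, {}, label, d_call, {}, {})
```

Note that each product transition manipulates one paired stack symbol (Z, Y), which is exactly why a single stack suffices.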
Remark 4.3. It is not actually important that the product pVPA again satisfies the visibility condition, even though this happens to be the case. All techniques we apply to the product also work for general pPDA.

4.2. Stair-parity Acceptance Probabilities in pVPA. Lemma 4.2 effectively reduces model checking pVPA against stair-parity DVPA to computing stair-parity acceptance probabilities in the product, which is again an (unlabeled) pVPA. We therefore focus on pVPA in this section and do not consider DVPA.
Throughout the rest of this section, let ∆ = ( Q, q 0 , Γ, ⊥, P ) be an unlabeled pVPA. On the next pages we describe the construction of a finite Markov chain M ∆ that we call the step chain of ∆. Loosely speaking, M ∆ simulates jumping from one step (see Definition 2.3) of a run of ∆ to the next. A similar idea first appeared in [EKM04]. Our construction, however, differs from the original one in various aspects. We discuss this in detail in Remark 4.15 further below.

4.2.1. Steps as events. For all n ∈ N_0, we define a random variable V^(n) on Runs_∆ whose value is either the state q of ∆ at the n-th step, or the extended state q⊥ in the special case where the n-th step occurs at a bottom configuration q⊥, for some q ∈ Q. We denote the set of all such extended states by Q⊥ = { q⊥ | q ∈ Q }. Formally, V^(n) : Runs_∆ → Q ∪ Q⊥ is defined as

V^(n)(ρ) = q if step_n(ρ) = qγ with γ ≠ ⊥, and V^(n)(ρ) = q⊥ if step_n(ρ) = q⊥,

where step_n(ρ) denotes the configuration at the n-th step of ρ.
Note that V (0) = q 0 ⊥ because the first position of a run is always a step.
Lemma 4.4. For all n ∈ N 0 and v ∈ Q ∪ Q⊥, the event V (n) = v is measurable, and thus V (n) is a well-defined random variable.
Proof. This was proved more generally in [EKM04]. Here we give an alternative proof using the fact that all ω-VPL are measurable [LMS04]. We view Q ∪ Q⊥ as a pushdown alphabet (the partition is induced by the partition on Q). We can construct a non-deterministic Büchi VPA that accepts a word w ∈ (Q ∪ Q⊥)^ω iff the n-th step of w is v (the size of this automaton depends on n). To this end, the VPA guesses the first n symbols that are steps and goes to an accepting state s ∈ F if the n-th step was v. The automaton can verify that it guessed correctly as follows. If it believes a call symbol is a step, it pushes a special marker on the stack; if this marker is ever popped, then the call was not a step and the guess was wrong. If it detects a wrong guess in this way, then it leaves the accepting state s, otherwise it loops there forever. The claim follows because the function f : Runs_∆ → (Q ∪ Q⊥)^ω that maps runs to the sequence of their (extended) states is measurable (indeed, the preimage f^{-1}(w) of every w ∈ (Q ∪ Q⊥)^ω is a countable intersection of countable unions of basic cylinder sets).
We can view the sequence V^(0), V^(1), ... of random variables as a stochastic process. It is intuitively clear that for all n ∈ N_0, the value of V^(n+1) depends only on V^(n), but not on V^(i) for i < n. This is due to the more general observation that only the state q at any step configuration qγ (with γ ≠ ⊥) fully determines the future of the run, because being a step already implies that no symbol in γ can ever be read, as reading it implies popping it from the stack. In particular, q determines the probability distribution over possible next steps. A similar observation applies to bottom configurations of the form q⊥. Phrased in probability theoretical terms, the process V^(0), V^(1), ... has the Markov property, i.e.,

P(V^(n+1) = v_{n+1} | V^(n) = v_n ∧ ... ∧ V^(0) = v_0) = P(V^(n+1) = v_{n+1} | V^(n) = v_n)    (4.1)

holds for all values of v_0, ..., v_{n+1} such that the conditional probabilities are well-defined. This was proved in detail in [EKM04]. It is also clear that the Markov process is time-homogeneous in the sense that

P(V^(n+1) = v′ | V^(n) = v) = P(V^(m+1) = v′ | V^(m) = v)

holds for all n, m ∈ N_0 for which the two conditional probabilities are well-defined. The following example provides some intuition on these facts.
Example 4.5. Consider the pVPA in Figure 8 (left). The initial fragments of its two equiprobable runs are depicted in the middle. In this example, it is easy to read off the next-step probabilities P(V^(n) = v_n | V^(n−1) = v_{n−1}) for all n ∈ N_0 and v_n, v_{n−1} ∈ Q ∪ Q⊥. They are summarized in the Markov chain on the right. For example, V^(0) = q_0⊥ holds with probability 1, and V^(1) = q_1 and V^(1) = q_3⊥ hold with probability 1/2 each because the second step occurs either at position 1 with configuration q_1⊥Z or at position 3 with configuration q_3⊥, and both options are equally likely. The case P(V^(2) = q_2 | V^(1) = q_1) = 1 is slightly more interesting: given that a configuration q_1γ with γ ≠ ⊥ is a step, we know that the next state must be q_2 (which is then also a step). Even though there is a transition from q_1 to q_3 in ∆, the next state cannot be q_3 because the latter is a return state which would immediately decrease the stack height of γ. This shows that, intuitively speaking, conditioning on being a step influences the probabilities of a state's outgoing transitions.
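Concretely, a position of a run is a step precisely if the stack height never drops below its current value afterwards, i.e., no symbol on the current stack is ever popped. On a finite prefix of a run this can only be approximated, since a pop might occur beyond the observed prefix; with that caveat, the following Python sketch identifies the candidate step positions from a sequence of stack heights:

```python
def step_positions(heights):
    """Positions i such that the stack height never drops below
    heights[i] later on, i.e. nothing on the stack at position i is
    ever popped.  On a finite prefix this over-approximates the steps
    of the infinite run: a pop may still occur beyond the prefix."""
    steps, suffix_min = [], float("inf")
    # scan right-to-left, maintaining the minimum height seen so far
    for i in range(len(heights) - 1, -1, -1):
        if heights[i] <= suffix_min:
            steps.append(i)
        suffix_min = min(suffix_min, heights[i])
    return steps[::-1]
```

Note that position 0 (the bottom configuration, height 0) is always reported, matching the observation that the first position of a run is always a step.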

4.2.2. Probabilities of next steps, returns, and divergence. Our next goal is to provide expressions for the next-step probabilities P(V^(n+1) = v′ | V^(n) = v) as we did in Example 4.5. It turns out that these can be stated in terms of the return and diverge probabilities of ∆.
Definition 4.6. Let q, r ∈ Q be states, and Z ∈ Γ ∖ {⊥} be a stack symbol of pVPA ∆. We define the following probabilities:
• The return probability [qZ↓r] is the probability to reach configuration r⊥ from qZ⊥ without visiting another bottom configuration t⊥ for some t ≠ r in between. More formally,

[qZ↓r] = P_{qZ⊥}( (⋀_{t∈Q, t≠r} ¬ t⊥) U r⊥ ),

where P_{qZ⊥} is the probability measure associated with the infinite Markov chain D_∆ assuming initial state qZ⊥, and U is the standard until operator from LTL.
• The diverge probability [q↑] = 1 − Σ_{t∈Q} [qZ↓t], i.e., the probability to never pop Z from the stack when starting in qZ⊥. Note that [q↑] is indeed independent of Z because the only way to read Z is by popping it from the stack. △

The diverge probabilities are closely related to steps. In fact, the probability that a non-bottom configuration with head qZ is a step is equal to [q↑]. For example, in the pVPA in Figure 8 the configuration q_1Z⊥ is a step with probability [q_1↑] = 1/2.

Example 4.7. We give a minimal example illustrating that the return and diverge probabilities are in general non-rational. Consider the following pVPA: it either pops the topmost symbol with probability 1/2, or it pushes the symbol Z two times (with the remaining probability 1/2). Note that all return probabilities of the form [...↓q_i] for i ≠ 0 are equal to zero. In [EKM04] it was shown that the remaining return probabilities are the least non-negative solution of a system of polynomial equations; in this example, the system reduces to the single equation x = 1/2 + (1/2)x³ for x = [q_0Z↓q_0]. It follows that [q_0Z↓q_0] must be the least non-negative solution of this equation, namely (√5 − 1)/2 ≈ 0.618, the reciprocal of the golden ratio. △

The probabilities in Example 4.7 can still be expressed by radicals (square roots, cubic roots, and so on), which allows for certain effective computations. However, in general, the probabilities cannot even be expressed in this way.
For example, consider a pVPA that repeats the following steps until emptying its stack or getting stuck in a sink state: (i) it pushes four symbols with probability 1/6, or (ii) pops one symbol with probability 1/2, or (iii) gets stuck otherwise. The resulting return probability is the least solution of x = (1/6)x⁵ + 1/2, which is an algebraic number not expressible by radicals [EY09, Thm. 3.2(1)].
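Although the exact values are irrational algebraic numbers, the least non-negative solutions of such polynomial fixpoint equations can be approximated from below by standard Kleene iteration (the iterates increase monotonically towards the least fixpoint). The following Python sketch illustrates this for the two equations above; it is a numerical illustration only, whereas the decision procedures later in the paper reason about these quantities symbolically via the ETR:

```python
def kleene(f, tol=1e-12, max_iter=10_000):
    """Approximate the least non-negative fixpoint of a monotone map f
    on [0, 1] by Kleene iteration starting from 0."""
    x = 0.0
    for _ in range(max_iter):
        nxt = f(x)
        if abs(nxt - x) <= tol:
            return nxt
        x = nxt
    return x

# Example 4.7: x = 1/2 + (1/2) x^3, least root (sqrt(5) - 1)/2
golden = kleene(lambda x: 0.5 + x**3 / 2)

# the quintic example: x = (1/6) x^5 + 1/2, least root not
# expressible by radicals
quintic = kleene(lambda x: x**5 / 6 + 0.5)
```

Kleene iteration converges linearly here; faster schemes (e.g. Newton's method on the fixpoint equations) are known but not needed for this illustration.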
Remark 4.8. The probabilities [qZ↓r] from Definition 4.6 were called termination probabilities in previous work [BEKK13]. However, we believe that return probability is more appropriate. When modeling procedural probabilistic programs as pVPA, [qZ↓r] is just the probability to eventually return from local state q of the current procedure to local state r of the calling procedure (the return address is stored on the stack in Z). We believe that the term termination probability is more adequate for referring to the quantity Σ_{r∈Q} [q_0Z_0↓r], where Z_0 is some initial stack symbol, i.e., the probability that some initial procedure identified by Z_0 returns at all when started in local state q_0.
Lemma 4.9. The conditional next-step probabilities in Figure 9 are correct in the sense that if P(V (n+1) = v ′ | V (n) = v) is defined for n ∈ N 0 and v, v ′ ∈ Q ∪ Q⊥, then it is equal to the probability in the respective column v → v ′ .

4.2.3. Proof sketch of Lemma 4.9. We first explain the trivial entries of the table in Figure 9. Further below, we give a self-contained proof of the two non-trivial expressions in the left-most column of Figure 9. Throughout the whole proof we fix a pVPA ∆ = (Q, q_0, Γ, ⊥, P, Σ, λ), with P = (P_call, P_int, P_ret) the call, internal, and return transition functions, respectively. The following items correspond to the trivial entries in Figure 9 and are ordered column-by-column, from left to right:
• The probability P(V^(n+1) = r | V^(n) = q) with q ∈ Q_ret is never well-defined because it is impossible that steps occur at non-bottom configurations with a return state.
• The probability P(V^(n+1) = r | V^(n) = q⊥) with q ∈ Q_int is trivially zero because if q is internal then the next step after a bottom configuration q⊥ is necessarily also a bottom configuration.
• The probability P(V^(n+1) = r | V^(n) = q⊥) with q ∈ Q_ret is trivially zero because if q is a return state at a bottom configuration then the next step occurs at the immediate successor configuration, which is a bottom configuration as well.
• The probability P(V^(n+1) = r⊥ | V^(n) = q⊥) with q ∈ Q_int is straightforward because q⊥ and r⊥ are both steps and the probability that the next state after q⊥ is r⊥ is P_int(q, r).
• The probability P(V^(n+1) = r⊥ | V^(n) = q⊥) with q ∈ Q_ret is simply P_ret(q⊥, r) for the same reason as in the previous case (recall that a return state at a bottom configuration behaves exactly like an internal one).
• All the remaining probabilities in the rightmost column "q → r⊥" are trivially zero or ill-defined because if a step occurs at a non-bottom configuration, then the next step can never occur at a bottom configuration.
We now focus on the following non-trivial cases. Let r ∈ Q and n ∈ N_0 be arbitrary.
(1) If q ∈ Q_int then

P(V^(n+1) = r | V^(n) = q) = P_int(q, r) · [r↑] / [q↑].

(2) If q ∈ Q_call then

P(V^(n+1) = r | V^(n) = q) = ( Σ_{r′∈Q, Z∈Γ} P_call(q, r′Z) · [r′Z↓r] + Σ_{Z∈Γ} P_call(q, rZ) ) · [r↑] / [q↑].

The other two non-trivial cases are essentially subsumed by case (2). For the complete proof we refer to [WGK21].
Before giving the formal proof, we first provide some intuition on the above expressions.
• For (1), suppose that the n-th step takes place at position i of the run. Since the n-th step occurs at an internal state q, the (n+1)-st step must necessarily occur immediately at position i+1. The factor P_int(q, r)[r↑] is proportional to the probability to take an (internal) transition from q to r and then diverge in r, which is necessary in order for the next configuration to be a step. However, the values { P_int(q, r)[r↑] | r ∈ Q } do not form a probability distribution in general. Therefore we divide by the normalizing constant [q↑] = Σ_{r∈Q} P_int(q, r)[r↑].
• In (2), the two summands correspond to the following case distinction: since the n-th step occurs at the call state q, the (n+1)-st step either (i) occurs at the same stack height as the current step n (which means that the current call has a matching return), or (ii) the stack height at the next step n+1 is incremented by 1 compared to the stack height at step n. In case (ii), the next step occurs immediately at the next position, which is why the second summand is just the 1-step probability to go from q to r. In case (i), the symbols pushed by the outgoing transitions of q must be eventually popped. For instance, if we assume that q takes a transition to an immediate successor r′ and pushes Z on the stack, then the probability that the next step occurs at r is precisely the return probability [r′Z↓r] (see Definition 4.6). The factor [r↑]/[q↑] is needed for similar reasons as in (1).

We now give the formal proofs. In the following, we often use equations involving conditional probabilities such as P(A | B) = P(C | D). These conditional probabilities are not necessarily well-defined in all cases. Therefore, the meaning of our equations is that they hold only if all probabilities involved are well-defined. We need some definitions and (simple) lemmas first.
Definition 4.10. Let i ∈ N_0 and q ∈ Q. We introduce the following events:
• q@i is the set of all runs ρ ∈ Runs_∆ such that ρ(i) = qγ with γ ≠ ⊥, i.e., the runs whose i-th configuration has state q and stack unequal to ⊥.
• Similarly, q⊥@i denotes the set of all runs ρ ∈ Runs_∆ such that ρ(i) = q⊥, i.e., the runs whose i-th configuration is a bottom configuration with state q.
• step@i denotes the set of all runs such that the i-th configuration is a step.
• sh@i = sh(ρ(i)) ∈ N_0, i.e., the stack height of the i-th configuration. Strictly speaking, sh@i is a random variable, not an event.
Note that these events are all measurable. △

Lemma 4.11. For all i ∈ N_0 and q ∈ Q, the following identities hold:

Further, for q ∈ Q_int and r ∈ Q,

P(r@(i+1) | q@i) = P_int(q, r)    (4.5)

Proof. The first three equations all follow immediately from the definitions. For (4.6) we have:

The first equation holds because if q ∈ Q_int and q@i, then step@(i+1) ∧ step@i is already implied by step@(i+1), and the second equation holds because the probability of step@(i+1) depends only on the state at position i+1, not on the state at position i.
We now turn to case (2). For all i, n ∈ N_0, q ∈ Q_call and r ∈ Q, the probability P(V^(n+1) = r | V^(n) = q) decomposes into the two summands of expression (2); the second summand is obtained by a similar derivation as in case (1).
Lemma 4.12. The following equations hold for all q ∈ Q_call:

Σ_{r′,Z} P_call(q, r′Z) · [r′Z↓r] = Σ_{k>i+1} P(r@k ∧ ∀i<j<k : sh@j > sh@k = sh@i | q@i)    (4.8)

P(step@k ∧ ∀i<j<k : ¬step@j ∧ step@i | q@i) = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k | q@i)    (4.9)

P(∀i<j<k : sh@j > sh@i = sh@k | step@k) = P(∀i<j<k : sh@j > sh@i = sh@k)    (4.10)

Proof. (4.8): Σ_{r′,Z} P_call(q, r′Z)[r′Z↓r] describes the probability to go from q (with empty stack) to a successor state r′, push Z ∈ Γ, and then later reach r with empty stack within finitely many steps. If we assume that q@i, then this is the same as summing over all positions k > i+1 (k = i+1 is not possible because it is not possible to push and pop Z within one transition) such that r@k and for all i < j < k the stack height is greater than at positions i and k. Positions i and k have the same stack height because in the transition from i the symbol Z is pushed and k is the position directly after Z is popped. In between those two transitions, the stack below Z cannot change, so the stack is the same at both positions.
(4.9): P(step@k ∧ ∀i<j<k : ¬step@j ∧ step@i | q@i) = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k ∧ step@i | q@i) = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k | q@i). The first equality holds because if no position between i and k is a step, then the stack at those positions must be higher than at position k. Furthermore, since i is a step, we have sh@i ≤ sh@k; and moreover, since i+1 is not a step and q is a call state, we even have sh@i = sh@k. The second equality holds because if i and k have the same stack height and all positions between them have a higher stack, then i is a step if and only if k is a step.
(4.10): The probability P(∀i<j<k : sh@j > sh@i = sh@k) is independent of the event step@k because knowing whether or not there is a position with lower stack height after position k does not influence the stack height before k.
For the first summand of (2), we argue analogously using Lemma 4.12.

4.2.4. The step chain.

Definition 4.13 (Step chain M_∆). The step chain of ∆ is the finite Markov chain M_∆ with state space M = { q ∈ Q | [q↑] > 0 } ∪ Q⊥, initial state q_0⊥, and for all v, v′ ∈ M, the probability of transition v → v′ is defined according to Figure 9. △

Figure 10 depicts a non-trivial pVPA and its step chain. In this example, all return and diverge probabilities are rational. In general, however, the return and diverge probabilities (Definition 4.6) are algebraic numbers that are not always rational or even expressible by radicals [EY09] (cf. Example 4.7). As a consequence, one cannot easily perform numerical computations on the step chain. However, the probabilities can be encoded implicitly as the unique solution of an existential theory of the reals (ETR) formula, i.e., an existentially quantified FO-formula over (R, +, ·, ≤) [EKM04]. Since the ETR is decidable in PSPACE, many questions about the step chain are in PSPACE as well. We will make use of this in Theorem 4.1 below.
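For intuition, the entry of Figure 9 for an internal state q (case (1) above) can be turned into a small computation: given the one-step probabilities out of q and the diverge probabilities of its successors, the next-step distribution is the reweighted and renormalized one-step distribution. A Python sketch with hypothetical inputs (in practice the diverge probabilities are only available symbolically, e.g. via an ETR solver):

```python
def step_chain_row_internal(p_int_q, div):
    """Next-step distribution out of an internal state q with [q↑] > 0,
    following case (1): reweight each one-step probability P_int(q, r)
    by the successor's diverge probability [r↑] and renormalize by
    [q↑] = sum_r P_int(q, r) [r↑].

    p_int_q: dict r -> P_int(q, r)
    div:     dict r -> [r↑]   (assumed given; hypothetical values)
    """
    q_up = sum(p * div[r] for r, p in p_int_q.items())
    # successors with [r↑] = 0 cannot be the next step and drop out
    return {r: p * div[r] / q_up
            for r, p in p_int_q.items() if div[r] > 0}
```

The rows sum to 1 by construction, since [q↑] is exactly the normalizing constant; this mirrors the observation in Example 4.5 that conditioning on being a step reweights a state's outgoing transitions.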
The property of M_∆ that is most relevant to us is given by Lemma 4.14 below. We call ρ⇓Steps = V^(0)(ρ) V^(1)(ρ) ··· the extended footprint of run ρ.
Lemma 4.14 (Soundness of M_∆). Let ∆ be a pVPA with step chain M_∆. Let M be the states of the step chain and consider a measurable set R ⊆ M^ω. Then

P({ρ ∈ Runs_∆ | ρ⇓Steps ∈ R}) = P(R),

where the right-hand side refers to the probability measure of the finite Markov chain M_∆.

Proof. We first show the case where R is a basic cylinder set, i.e., R = w.M^ω for some w ∈ M^*. Let |w| = n + 1, so that w = w(0) ... w(n). By the Markov property (4.1), we have P(V^(n) = w(n) ∧ ... ∧ V^(0) = w(0)) = P(V^(n) = w(n) | V^(n−1) = w(n−1)) · ... · P(V^(1) = w(1) | V^(0) = w(0)) = P(w(n−1), w(n)) · ... · P(w(0), w(1)) = P(R) (by Lemma 4.9), where P(s, t) denotes the 1-step transition probability from state s to t in the Markov chain M_∆ and the last equality holds by definition of the probability space associated to a Markov chain. It remains to show the claim for measurable sets R that are not of the above form R = w.M^ω. To this end, we make an induction over the levels of the Borel hierarchy, i.e., we show that if the claim holds for a set R, then it also holds for the complement M^ω ∖ R; and similarly, if it holds for a countable family of pairwise disjoint sets R_0, R_1, ..., then it holds for ⋃_{i∈N_0} R_i. It is indeed sufficient to show the claim for pairwise disjoint sets, as a countable union ⋃_{i∈N_0} R_i of not necessarily pairwise disjoint R_i can be rewritten as ⋃_{i∈N_0} (R_i ∖ ⋃_{j<i} R_j), a countable union of pairwise disjoint measurable sets.

Remark 4.15. The step chain as presented here differs from the original definition in [EKM04] in at least two important aspects. First, we have to take the semantics of our special bottom symbol ⊥ into account. This is why our chain uses a subset of Q ∪ Q⊥ as states: it must distinguish whether a step occurs at a bottom configuration. The pPDA in [EKM04], on the other hand, may have both finite and infinite runs, and this needs to be handled differently in the step chain. Second, we use step chains for a different purpose than [EKM04], namely to show that general measurable properties defined on steps (this includes stair-parity) can be evaluated on pVPA (Lemma 4.14).
The following is the main result of this section.

Theorem 4.1. Let ∆ be a pVPA and D be a stair-parity DVPA, both over pushdown alphabet Σ, and let θ ∈ [0, 1] ∩ Q. The problem P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(D)}) ≥ θ is decidable in PSPACE.

4.2.5. Proof of Theorem 4.1. In this section we give a self-contained proof of Theorem 4.1. We first provide a brief overview. The first step is to construct the product ∆ × D according to Definition 4.1. By Lemma 4.2 we need to compute the stair-parity acceptance probability of ∆ × D. Lemma 4.14 reduces this to computing a usual parity acceptance probability in the step chain M_{∆×D}. This can be achieved by finding the bottom strongly connected components (BSCC) of M_{∆×D}, classifying them as good (the minimum priority of a BSCC state is even) or otherwise as bad, and running a standard reachability analysis w.r.t. the good BSCCs (see Figure 11 for an example). The remaining technical difficulty is that the transition probabilities of M_{∆×D} are not rational in general. We handle this using the fact that these probabilities are expressible in the ETR [EKM04]. We now present the formal proof. We use the following result about return probabilities of pPDA, which is originally due to [EKM04]:

Lemma 4.16 (as found in [BEKK13, Thm. 2]). The return probabilities [pZ↓q] are expressible in ETR. More specifically, there exists an FO-formula Φ over (R, +, ·, ≤) which uses only existential quantifiers and free variables (x_{pZ↓q})_{p,q∈Q, Z∈Γ} such that Φ becomes a true FO-sentence iff each free variable x_{pZ↓q} is substituted by the actual return probability [pZ↓q]. Moreover, Φ can be effectively constructed in polynomial space.
Lemma 4.17. The next-step probabilities (i.e., the transition probabilities of the step chain) in Figure 9 are expressible in ETR.
Proof. With the previous lemma it suffices to note that ETR-expressible numbers are closed under addition, multiplication, and division. Let x, y ∈ R be expressed by ETR formulae Φ(x) and Φ′(y), respectively. Then the formula Φ″(z) := ∃x, y : Φ(x) ∧ Φ′(y) ∧ z = x + y, where z is a fresh variable, expresses the sum of x and y, and similarly for multiplication. For division, the formula Φ″(z) := ∃x, y : Φ(x) ∧ Φ′(y) ∧ z · y = x expresses x/y provided that y ≠ 0 (if y = 0 then Φ″ does not express a unique real number, as it is then either unsatisfiable or trivial).
We now describe our PSPACE algorithm to prove Theorem 4.1.
Step 1. We first construct the product pVPA ∆ × D with priority function Ω′ defined on the states of ∆ × D as in Definition 4.1. By Lemma 4.2 it suffices to compute the probability

P({ρ ∈ Runs_{∆×D} | ρ↓Steps ∈ Parity_{Ω′}})    (4.11)

that the footprint of a run in the product ∆ × D satisfies the parity condition induced by Ω′. The product ∆ × D can be constructed in polynomial time.
Step 2. We express (4.11) using the step chain M_{∆×D}. Let M be the set of states of M_{∆×D}, and let Ω″ : M → N_0 be the extension of Ω′ to M via Ω″(q) = Ω″(q⊥) = Ω′(q) for every state q of ∆ × D. Then Ω″ induces a parity acceptance set Parity_{Ω″} ⊆ M^ω which is ω-regular and thus measurable. Let ρ ∈ Runs_{∆×D}. Clearly, ρ↓Steps ∈ Parity_{Ω′} iff ρ⇓Steps ∈ Parity_{Ω″}. Thus by Lemma 4.14, (4.11) is equal to P(Parity_{Ω″}), the probability that a run of the step chain M_{∆×D} satisfies the parity condition induced by Ω″. We have thus reduced the problem of computing a stair-parity acceptance probability in the product ∆ × D to computing a standard parity acceptance probability in the finite Markov chain M_{∆×D}.
The rest of the proof mainly uses standard techniques and is similar to the proof of [EKM04, Thm. 5.15]. The main technical difficulty is that the transition probabilities of M_{∆×D} cannot be written in an explicit numerical form since they are in general algebraic numbers.
Step 3. We construct the underlying graph G_{∆×D} of the step chain M_{∆×D}, i.e., we determine the set M of states and include a directed edge between states v, v′ ∈ M iff the probability of transition v → v′ is greater than zero. Recall that a state q of ∆ × D is in M iff [q↑] > 0. The latter can be reduced to checking the truth of an ETR formula (an existentially quantified FO-formula over (R, +, ·, ≤)), which can be decided in PSPACE. A similar observation applies to checking whether the transition probabilities in Figure 9 are positive.
Step 4. We determine the bottom strongly connected components (BSCC) of G_{∆×D} from the previous step by a standard (efficient) graph analysis. We mark the BSCCs B ⊆ M such that min_{v∈B} Ω″(v) is even as "good", the others as "bad". It is well-known that in the finite Markov chain M_{∆×D} it holds that P(ρ ∈ Parity_{Ω″} | ρ reaches a good BSCC) = 1 due to the long-run theorem for finite Markov chains: each state of a BSCC is visited infinitely often almost-surely, provided that the BSCC is reached at all. Moreover, if a run ρ reaches a bad BSCC, then the probability to satisfy the parity condition is zero, and thus P(ρ ∈ Parity_{Ω″}) = P(ρ ∈ Parity_{Ω″} | ρ reaches a good BSCC) · P(ρ reaches a good BSCC) = P(ρ reaches a good BSCC). Thus it only remains to compute the probability to reach a good BSCC in M_{∆×D}.
Step 5. We use the previous step to classify the states M of the step chain M_{∆×D} into three categories: M_{=0} contains all states from which no good BSCC is reachable in the graph G_{∆×D}, M_{=1} contains all states of good BSCCs, and M_? contains all other states. We recall from e.g. [BK08, Ch. 10] that the probabilities x_v to reach M_{=1} are the unique solution of the linear equation system

x_v = 1 for v ∈ M_{=1},   x_v = 0 for v ∈ M_{=0},   x_v = Σ_{v′∈M} P(v, v′) · x_{v′} for v ∈ M_?.

We can treat the vector of transition probabilities p̄ and the variables x̄ in this equation system as free variables of an ETR formula R(p̄, x̄). By Lemma 4.17, there is an ETR formula Φ(p̄) expressing p̄. The ETR formula

∃ p̄, x̄ : Φ(p̄) ∧ R(p̄, x̄) ∧ x_{v_0} ≥ θ

is thus true iff the probability to reach a good BSCC from the initial state v_0 ∈ M is at least θ.
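Steps 4 and 5 amount to a standard parity analysis of a finite Markov chain. The following Python sketch performs the BSCC classification and solves the reachability system with exact rational arithmetic; this stands in for the ETR encoding, which is only needed because the actual step-chain probabilities are algebraic rather than rational (the chain in the usage below is a made-up example, not one arising from a pVPA):

```python
from fractions import Fraction as F

def reachable(P, v):
    """States reachable from v in the underlying graph of the chain P."""
    seen, todo = {v}, [v]
    while todo:
        u = todo.pop()
        for w in P.get(u, {}):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen

def parity_probability(P, prio, v0):
    """Probability that a run of the finite Markov chain P
    (dict: v -> {w: prob}) from v0 satisfies the parity condition:
    classify BSCCs as good/bad, then solve the reachability system."""
    states = list(P)
    reach = {v: reachable(P, v) for v in states}
    # v lies in a BSCC iff every state it reaches can reach v back;
    # for such v, reach[v] is exactly the BSCC of v
    in_bscc = {v for v in states if all(v in reach[u] for u in reach[v])}
    good = {v for v in in_bscc
            if min(prio[u] for u in reach[v]) % 2 == 0}
    if v0 in good:
        return F(1)
    unknowns = [v for v in states if v not in good and reach[v] & good]
    if v0 not in unknowns:
        return F(0)
    idx = {v: i for i, v in enumerate(unknowns)}
    n = len(unknowns)
    # linear system x_v = sum_w P(v, w) x_w, with x_w = 1 on good BSCCs
    # and x_w = 0 on states that cannot reach a good BSCC
    A = [[F(0)] * (n + 1) for _ in range(n)]
    for v in unknowns:
        i = idx[v]
        A[i][i] += 1
        for w, p in P[v].items():
            if w in idx:
                A[i][idx[w]] -= F(p)
            elif w in good:
                A[i][n] += F(p)
    # Gaussian elimination; the system has a unique solution
    for i in range(n):
        piv = next(r for r in range(i, n) if A[r][i] != 0)
        A[i], A[piv] = A[piv], A[i]
        for r in range(n):
            if r != i and A[r][i] != 0:
                f = A[r][i] / A[i][i]
                for c in range(i, n + 1):
                    A[r][c] -= f * A[i][c]
    return A[idx[v0]][n] / A[idx[v0]][idx[v0]]
```

For a chain that moves from v0 to a good self-loop or a bad self-loop with probability 1/2 each, the computed parity probability is exactly 1/2.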
Truth of this formula can be decided in PSPACE.

4.3. Implications for Probabilistic One-counter Automata. A probabilistic visibly one-counter automaton (pVOC) is the special case of a pVPA with unary stack alphabet, i.e., |Γ ∖ {⊥}| = 1. For example, the pVPA in Figure 10 (left) is a pVOC. For many problems, better complexity bounds are known for pVOC than for the general case. In particular, [p↑] >? 0, i.e., the question whether a pVOC started in state p never reaches counter value (or stack height) zero with positive probability, can be decided in P [BEKK13, Thm. 4]. We can exploit this to improve Theorem 4.1 in the pVOC case:

Corollary 4.18. Let ∆ be a pVOC and D be a stair-parity DVPA over pushdown alphabet Σ. The problem P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(D)}) =? 1 is decidable in P.

Proof. The key observation is that, since we can decide [p↑] >? 0 efficiently, we can construct the underlying graph G_{∆×D} of the step chain of ∆ × D in polynomial time (as in the proof of Theorem 4.1), and then apply polynomial-time graph analysis algorithms to check whether only good BSCCs are reachable in G_{∆×D}.
Corollary 4.18 implies that there exist efficient algorithms for many properties of pVOC-expressible random walks on N_0. In fact, almost-sure satisfaction of each fixed visibly-pushdown property can be decided in P. For instance, using the DVPA from Figure 5 we can decide if a random walk is repeatedly bounded with probability 1.

Model Checking against Büchi VPA and CaRet
With Theorems 2.1 and 4.1 it follows immediately that quantitative model checking of pVPA against non-deterministic Büchi VPA is decidable in EXPSPACE. We can improve the complexity in the qualitative case:

Theorem 5.1. Let ∆ be a pVPA and A be a (non-deterministic) Büchi VPA over the same pushdown alphabet. The problem P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(A)}) =? 1 is EXPTIME-complete.
Proof. The lower bound is due to [EY05, Thm. 8] and already holds for non-pushdown Büchi automata. We now describe an EXPTIME decision procedure:
• We first determinize A using Theorem 2.1, which is possible in time exponential in |A|. Let D be the resulting stair-parity DVPA and consider the product ∆ × D (Definition 4.1). Note that the product can be constructed in time polynomial in |D| and |∆|, and thus in exponential time in the overall size of the input.
• The crucial observation for the next step is that [q↑] = [(q, s)↑] for all states (q, s) of ∆ × D. This holds because, by definition of the product, D merely observes the runs of ∆, and thus the diverge probabilities of ∆ × D and ∆ are essentially the same. We compute the set Div_∆ = {q | [q↑] > 0} ⊆ Q, where Q are the states of ∆, which can be done in time exponential in |∆| using an efficient (i.e., PSPACE) decision procedure for the ETR [EKM04]. Note that computing Div_{∆×D} = {(q, s) | [(q, s)↑] > 0} directly would take doubly-exponential time in |A|; the proposed "optimization" is thus essential for obtaining the EXPTIME upper bound.
• We now determine the set of triples Ret_{∆×D} = {(q, Z, p) | [qZ↓p] > 0} in ∆ × D. Unlike the diverge probabilities, this set can be computed in time polynomial in the size of ∆ × D (hence exponential in the size of the input) because we may disregard the exact transition probabilities and conduct a standard reachability analysis in a non-deterministic pushdown automaton [ABE18]; see also [BEKK13, p. 136].
• The next step is to construct the underlying graph G_{∆×D} of the step chain M_{∆×D}, i.e., the directed graph that has the same vertices as M_{∆×D} and includes an edge (u, v) iff the 1-step transition probability from u to v is positive in the Markov chain. This can be done in polynomial time in |∆ × D| using the sets Div_∆ and Ret_{∆×D} defined above and Figure 12.
• The final step is, as in Theorem 4.1, to determine the BSCCs of G_{∆×D}, classify them as good or bad according to whether they satisfy the (standard) parity condition inherited from D, and then check if there is a bad BSCC reachable from the initial state. All these steps can be done in polynomial time in |∆ × D|.
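The set Ret_{∆×D} = {(q, Z, p) | [qZ↓p] > 0} used above depends only on which transitions have positive probability, so it can be computed by a saturation-style fixpoint over the non-probabilistic pushdown structure. A Python sketch under hypothetical encodings (transition triples as plain tuples; this mirrors, but is not taken from, the analysis cited as [ABE18]):

```python
def positive_return_triples(call, internal, ret):
    """Compute {(q, Z, r) : [qZ↓r] > 0} by saturation, ignoring the
    exact probabilities.

    call:     set of (q, q2, Y)  -- q pushes Y and moves to q2
    internal: set of (q, q2)     -- q moves to q2, stack untouched
    ret:      set of (q, Z, r)   -- q pops Z and moves to r
    (hypothetical encodings, not the paper's notation)
    """
    R = set(ret)  # base case: a single pop transition
    changed = True
    while changed:
        changed = False
        # internal step followed by a positive return
        for (q, q2) in internal:
            for (q3, Z, r) in list(R):
                if q3 == q2 and (q, Z, r) not in R:
                    R.add((q, Z, r))
                    changed = True
        # a call whose pushed symbol is positively popped, followed by
        # a positive return of the symbol below
        for (q, q2, Y) in call:
            for (q3, Y2, r1) in list(R):
                if q3 == q2 and Y2 == Y:
                    for (q4, Z, r) in list(R):
                        if q4 == r1 and (q, Z, r) not in R:
                            R.add((q, Z, r))
                            changed = True
    return R
```

On an automaton shaped like Example 4.7 (pop with positive probability in q_0, and a push-push cycle via q_1), the fixpoint yields exactly the triples with positive return probability.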
In the above result, membership in EXPTIME relies on the fact that one can construct the underlying graph of a step chain M_{∆×D} in time exponential in the size of ∆ but polynomial in the size of D. EXPTIME-hardness follows from [EY05, Thm. 8]. In fact, qualitative model checking of pPDA against non-pushdown Büchi automata is also EXPTIME-complete [EY05]. With Theorems 2.1, 2.2, 4.1 and 5.1 we immediately obtain the following complexity results for CaRet model checking:

Theorem 5.2. The quantitative and qualitative probabilistic CaRet model checking problems (Definition 3.5) are decidable in 2EXPSPACE and 2EXPTIME, respectively.

Figure 12: The underlying graph of the step chain. The condition in each cell is true iff the corresponding transition probability in Figure 9 is non-zero.

             | q → r                                                                               | q⊥ → r                             | q⊥ → r⊥                                   | q → r⊥
  q ∈ Q_call | [r↑] > 0 ∧ ((∃r′, Z : P_call(q, r′Z) > 0 ∧ [r′Z↓r] > 0) ∨ (∃Z : P_call(q, rZ) > 0)) | ∃Z : P_call(q, rZ) > 0 ∧ [r↑] > 0  | ∃r′, Z : P_call(q, r′Z) > 0 ∧ [r′Z↓r] > 0 | false
  q ∈ Q_int  | [r↑] > 0 ∧ P_int(q, r) > 0                                                          | false                              | P_int(q, r) > 0                           | false
  q ∈ Q_ret  | false                                                                               | false                              | P_ret(q⊥, r) > 0                          | false
Both problems are known to be EXPTIME-hard [YE05].

Conclusion
We have presented the first decidability result for model checking pPDA (an operational model of procedural discrete probabilistic programs) against CaRet or, more generally, against the class of ω-VPL. We heavily rely on the determinization procedure from [LMS04] and the notion of a step chain used in previous works [EKM04, KEM06]. These two constructions turn out to be a natural match. We conjecture that our upper complexity bounds are not tight, which is often the case in purely automata-based model checking. Future work is thus to investigate whether the doubly-exponential complexity can be lowered to singly-exponential, e.g. by generalizing the automata-less algorithm from [YE05]. Other topics are to explore to what extent algorithms for probabilistic CTL can be generalized to the branching-time variant of CaRet [GMN18], to consider more expressive logics such as visibly LTL [BS18] or OPTL [CMP20], and to study the interplay of conditioning and recursion [SG12] through the lens of pPDA.