Android Stack Machine ⋆

. In this paper, we propose Android Stack Machine (ASM), a formal model to capture key mechanisms of Android multi-tasking such as activities, back stacks, launch modes, as well as task aﬃnities. The model is based on pushdown systems with multiple stacks, and focuses on the evolution of the back stack of the Android system when interacting with activities carrying speci(cid:12)c launch modes and task aﬃnities. For formal analysis, we study the reachability problem of ASM. While the general problem is shown to be undecidable, we identify expressive fragments for which various veri(cid:12)cation techniques for pushdown systems or their extensions are harnessed to show decidability of the problem.


Introduction
Multi-tasking plays a central role in the Android platform.Its unique design, via activities and back stacks, greatly facilitates organizing user sessions through tasks, and provides rich features such as handy application switching, background app state maintenance, smooth task history navigation (using the "back" button), etc [16].We refer the readers to Section 2 for an overview.
Android task management mechanism has substantially enhanced user experiences of the Android system and promoted personalized features in app design.However, the mechanism is also notoriously difficult to understand.As a witness, it constantly baffles app developers and has become a common topic of questionand-answer websites (for instance, [2]).Surprisingly, the Android multi-tasking mechanism, despite its importance, has not been thoroughly studied before, let along a formal treatment.This has impeded further developments of computeraided (static) analysis and verification for Android apps, which are indispensable for vulnerability analysis (for example, detection of task hijacking [16]) and app performance enhancement (for example, estimation of energy consumption [8]).
This paper provides a formal model, i.e., Android Stack Machine (ASM), aiming to capture the key features of Android multi-tasking.ASM addresses the behavior of Android back stacks, a key component of the multi-tasking machinery, and their interplay with attributes of the activity.In this paper, for these attributes we consider four basic launch modes, i.e., standard (STD), singleTop (STP), singleTask (STK), singleInstance (SIT), and task affinities.(For simplicity more complicated activity attributes such as allowTaskReparenting will not be addressed in the present paper.)We believe that the semantics of ASM, specified as a transition system, captures faithfully the actual mechanism of Android systems.For each case of the semantics, we have created "diagnosis" apps with corresponding launch modes and task affinities, and carried out extensive experiments using these apps, ascertaining its conformance to the Android platform.(Details will be provided in Section 3.) For Android, technically ASM can be viewed as the counterpart of pushdown systems with multiple stacks, which are the de facto model for (multi-threaded) concurrent programs.Being rigours, this model opens a door towards a formal account of Android's multi-tasking mechanism, which would greatly facilitate developers' understanding, freeing them from lengthy, ambiguous, elusive Android documentations.We remark that it is known that the evolution of Android back stacks could also be affected by the intent flags of the activities.ASM does not address intent flags explicitly.However, the effects of most intent flags (e.g., FLAG ACTIVITY NEW TASK, FLAG ACTIVITY CLEAR TOP) can be simulated by launch modes, so this is not a real limitation of ASM.
Based on ASM, we also make the first step towards a formal analysis of Android multi-tasking apps by investigating the reachability problem which is fundamental to all such analysis.ASM is akin to pushdown systems with multiple stacks, so it is perhaps not surprising that the problem is undecidable in general; in fact, we show undecidability for most interesting fragments even with just two launch modes.In the interest of seeking more expressive, practice-relevant decidable fragments, we identify a fragment STK-dominating ASM which assumes STK activities have different task affinities and which further restricts the use of SIT activities.This fragment covers a majority of open-source Android apps (e.g., from Github) we have found so far.One of our technical contributions is to give a decision procedure for the reachability problem of STK-dominating ASM, which combines a range of techniques from simulations by pushdown systems with transductions [19] to abstraction methods for multi-stacks.The work, apart from independent interests in the study of multi-stack pushdown systems, lays a solid foundation for further (static) analysis and verification of Android apps related to multi-tasking, enabling model checking of Android apps, security analysis (such as discovering task hijacking), or typical tasks in software engineering such as automatic debugging, model-based testing, etc.
We summarize the main contributions as follows: (1) We propose-to the best of our knowledge-the first comprehensive formal model, Android stack machine, for Android back stacks, which is also validated by extensive experiments.(2) We study the reachability problem for Android stack machine.Apart from strongest possible undecidablity results in the general case, we provide a decision procedure for a practically relevant fragment.

Android stack machine: An informal overview
In Android, an application, usually referred to as an app, is regarded as a collection of activities.An activity is a type of app components, an instance of which provides a graphical user interface on screen and serves the entry point for interacting with the user [1].An app typically has many activities for different user interactions (e.g., dialling phone numbers, reading contact lists, etc).A distinguished activity is the main activity, which is started when the app is launched.A task is a collection of activities that users interact with when performing a certain job.The activities in a task are arranged in a stack in the order in which each activity is opened.For example, an email app might have one activity to show a list of latest messages.When the user selects a message, a new activity opens to view that message.This new activity is pushed to the stack.If the user presses the "Back" button, an activity is finished and is popped off the stack.[In practice, the onBackPressed() method can be overloaded and triggered when the "Back" button is clicked.Here we assume-as a model abstraction-that the on-BackPressed() method is not overloaded.]Furthermore, multiple tasks may run concurrently in the Android platform and the back stack stores all the tasks as a stack as well.In other words, it has a nested structure being a stack of stacks (tasks).We remark that in android, activities from different apps can stay in the same task, and activities from the same app can enter different tasks.
Typically, the evolution of the back stack is dependent mainly on two attributes of activities: launch modes and task affinities.All the activities of an app, as well as their attributes, including the launch modes and task affinities, are defined in the manifest file of the app.The launch mode of an activity decides the corresponding operation of the back stack when the activity is launched.As mentioned in Section 1, there are four basic launch modes in Android: "standard", "singleTop", "singleTask" and "singleInstance".The task affinity of an activity indicates to which task the activity prefers to belong.By default, all the activities from the same app have the same affinity (i.e., all activities in the same app prefer to be in the same task).However, one can modify the default affinity of the activity.Activities defined in different apps can share a task affinity, or activities defined in the same app can be assigned with different task affinities.Below we will use a simple app to demonstrate the evolution of the back stack.
Example 1.In Fig. 1, an app ActivitiesLaunchDemo 7 is illustrated.The app contains four activities of the launch modes STD, STP, STK and SIT, depicted by green, blue, yellow and red, respectively.We will use the colours to name the activities.The green, blue and red activities have the same task affinity, while the yellow activity has a distinct one.The main activity of the app is the green activity.Each activity contains four buttons, i.e., the green, blue, yellow and red button.When a button is clicked, an instance of the activity with the colour starts.Moreover, the identifiers of all the tasks of the back stack, as well as their contents, are shown in the white zones of the window.We use the following execution trace to demonstrate how the back stack evolves according to the launch modes and the task affinities of the activities: The user clicks the buttons in the order of green, blue, blue, yellow, red, and green.1. [Launch the app] When the app is launched, an instance of the main activity starts, and the back stack contains exactly one task, which contains exactly one green activity (see Fig. 1(a)).For convenience, this task is called the green task (with id: 23963).

[Start an STD activity]
When the green button is clicked, since the launch mode of the green activity is STD, a new instance of the green activity starts and is pushed into the green task (see Fig. 1(b)).

[Start an STP activity]
When the blue button is clicked, since the top activity of the green task is not the blue activity, a new instance of the blue activity is pushed into the green task (see Fig. 1(c)).On the other hand, if the blue button is clicked again, because the launch mode of the blue activity is STP and the top activity of the green task is already the blue one, a new instance of the blue activity will not be pushed into the green task and its content is kept unchanged.4. [Start an STK activity] Suppose now that the yellow button is clicked, since the launch mode of the yellow activity is STK, and the task affinity of the yellow activity is different from that of the bottom activity of the green task, a new task is created and an instance of the yellow activity is pushed into the new task (called the yellow task, with id: 23964, see Fig. 1(d), where the leftmost task is the top task of the back stack).5. [Start an SIT activity] Next, suppose that the red button is clicked, because the launch mode of the red activity is SIT, a new task is created and an instance of the red activity is pushed into the new task (called the red task, with id: 23965, see Fig. 1(e)).Moreover, at any future moment, the red activity is the only activity of the red task.Note that here a new task is created in spite of the affinity of the red activity.6. [Start an STD activity from an SIT activity] Finally, suppose the green button is clicked again.Since the top task is the red task, which is supposed to contain only one activity (i.e., the red activity), the green task is then moved to the top of the back stack and a new instance of the green activity is pushed into the green task (see Fig. 1(f)).
For convenience, we usually write a transition (q, A, α, q ′ ) ∈ ∆ as q A,α −−→ q ′ , and (q, ▷, α, q ′ ) ∈ ∆ as q ▷,α − − → q ′ .Intuitively, ▷ denotes an empty back stack, □ denotes there is no change over the back stack, back denotes the pop action, and start(A) denotes the activity A being started.We assume that, if the back stack is empty, the Android stack system terminates (i.e., no further continuation is possible) unless it is in the initial state q 0 , We use which denotes the content of the stack, with A 1 (resp.A n ) as the top (resp.bottom) symbol, denoted by top(S) (resp.btm(S)).We also call the bottom activity of a non-empty task S as the root activity of the task.(Intuitively, this is the first activity of the task.)For ⋆ ∈ {STD, STP, STK, SIT}, a task S is called a ⋆-task if Lmd(btm(S)) = ⋆.We define the affinity of a task S, denoted by Aft(S), to be Aft(btm(S)).For S 1 ∈ Act * and S 2 ∈ Act * , we use S 1 • S 2 to denote the concatenation of S 1 and S 2 , and ϵ is used to denote the empty word in Act * .
As mentioned in Section 2, the (running) tasks on Android are organized as the back stack, which is the main modelling object of ASM.Typically we write a back stack ρ as a sequence of non-empty tasks, i.e., ρ = (S 1 , • • • , S n ), where S 1 and S n are called the top and the bottom task respectively.(Intuitively, S 1 is the currently active task.)ε is used to denote the empty back stack.For a non-empty back stack ρ = (S 1 , • • • , S n ), we overload top by using top(ρ) to refer to the task S 1 , and thus top 2 (ρ) the top activity of S 1 .

Definition 2 (Configurations
We require ρ to satisfy the following constraints: [Non-stuttering for STP-activities] [Affinities of STK-activities agree to the host task] [Affinities of tasks are mutually distinct, except for those rooted at SIT-activities] By Definition 2(5), each back stack ρ contains at most Moreover, by Definition 2(1-5), all the root activities in a configuration are pairwise distinct, which allows to refer to a task whose root activity is A as the A-task.
Let Conf A denote the set of configurations of A. The initial configuration of A is (q 0 , ε).To formalize the semantics of A concisely, we introduce the following shorthand stack operations and one auxiliary function.Here ρ = (S 1 , • • • , S n ) is a non-empty back stack.
Intuitively, GetNonSITTaskByAft(ρ, k) returns a non-SIT task whose affinity is k if it exists, otherwise returns Undef.
In the sequel, we define the transition relation (q, ρ) A − → (q ′ , ρ ′ ) on Conf A to formalize the semantics of A. We start with the transitions out of the initial state q 0 and those with □ or back action.
The most interesting case is, however, the transitions of the form q A,start(B) − −−−−− → q ′ .We shall make case distinctions based on the launch mode of B. For each transition q This concludes the definition of the transition definition of Example 2. The ASM for the ActivitiesLaunchDemo app in Example 1 is A = (Q, Sig, q 0 , ∆), where Q = {q 0 , q 1 }, Sig = (Act, Lmd, Aft, A g ) with -Act = {A g , A b , A y , A r }, corresponding to the green, blue, yellow and red activity respectively in the ActivitiesLaunchDemo app, and ∆ comprises the transitions illustrated in Fig. 2. Below is a path in the graph A − → corresponding to the sequence of user actions clicking the green, blue, blue, yellow, red, blue button (cf.Example 1), (q 0 , ε) Proposition 1.Let A be an ASM.For each (q, ρ) ∈ Conf A and (q, ρ) A − → (q ′ , ρ ′ ), (q ′ , ρ ′ ) ∈ Conf A , namely, (q ′ , ρ ′ ) satisfies the five constraints in Definition 2. Remark 1.A single app can clearly be modeled by an ASM.However, ASM can also be used to model multiple apps which may share tasks/activities.(In this case, these multiple apps can be composed into a single app, where a new main activity is added.)This is especially useful when analysing, for instance, task hijacking [16].We sometimes do not specify the main activity explicit for convenience.The translation from app source code to ASM is not trivial, but follows standard routines.In particular, in ASM, the symbols stored into the back stack are just names of activities.Android apps typically need to, similar to function calls of programs, store additional local state information.This can be dealt with by introducing an extend activity alphabet such that each symbol is of the form A(b), where A ∈ Act and b represents local information.When we present examples, we also adopt this general syntax.

Model validation.
We validate the ASM model by designing "diagnosis" Android apps with extensive experiments.For each case in the semantics of ASM, we design an app which contains activities with the corresponding launch modes and task affinities.To simulate the transition rules of the ASM, each activity contains some buttons, which, when clicked, will launch other activities.For instance, in the case of Lmd(B) = STD, Lmd(A) = SIT, GetNonSITTaskByAft(ρ, Aft(B)) = Undef, the app contains two activities A and B of launch modes SIT and STD respectively, where A is the main activity.When the app is launched, an instance of A is started.A contains a button, which, when clicked, starts an instance of B. We carry out the experiment by clicking the button, monitoring the content of the back stack, and checking whether the content of the back stack conforms to the definition of the semantics.Specifically, we check that there are exactly two tasks in the back stack, one task comprising a single instance of A and another task comprising a single instance of B, with the latter task on the top.Our experiments are done in a Redmi-4A mobile phone with Android version 6.0.1.The details of the experiments can be found at https://sites.google.com/site/assconformancetesting/.

Reachability of ASM
Towards formal (static) analysis and verification of Android apps, we study the fundamental reachability problem of ASM.Fix an ASM A = (Q, Sig, q 0 , ∆) with Sig = (Act, Lmd, Aft, A 0 ) and a target state q ∈ Q.There are usually two variants: the state reachability problem asks whether (q 0 , ε) A = ⇒ (q, ρ) for some back stack ρ, and the configuration reachability problem asks whether (q 0 , ε) A = ⇒ (q, ρ) when ρ is also given.We show they are interchangeable as far as decidability is concerned.

Proposition 2. The configuration reachability problem and the state reachability problem of ASM are interreducible in exponential time.
Proposition 2 allows to focus on the state reachability problem in the rest of this paper.Observe that, when the activities in an ASM are of the same launch mode, the problem degenerates to that of standard pushdown systems or even finite-state systems.These systems are well-understood, and we refer to [6] for explanations.To proceed, we deal with the cases where there are exactly two launch modes, for which we have ( ) = 6 possibilities.The classification is given in Theorem 1-2.Clearly, they entail that the reachability for general ASM (with at least two launch modes) is undecidable.To show the undecidablity, we reduce from Minsky's two-counter machines [14], which, albeit standard, reveals the expressibility of ASM.We remark that the capability of swapping the order of two distinct non-SIT-tasks in the back stack-without resetting the content of any of them-is the main source of undecidability.

Theorem 1. The reachability problem of ASM is undecidable, even when the ASM contains only (1) STD and STK activities, or (2) STD and SIT activities, or (3) STK and STP activities, or (4) SIT and STP activities.
In contrast, we have some relatively straightforward positive results: Theorem 2. The state reachability problem of ASM is decidable in polynomial time when the ASM contains STD and STP activities only, and in polynomial space when the ASM contains STK and SIT activities only.
As mentioned in Section 1, we aim to identify expressive fragments of ASM with decidable reachability problems.To this end, we introduce a fragment called STK-dominating ASM, which accommodates all four launch modes.

Definition 3 (STK-dominating ASM
).An ASM is said to be STK-dominating if the following two constraints are satisfied: (1) the task affinities of the STK activities are mutually distinct, (2) for each transition q The following result explains the name "STK-dominating".Proposition 3. Let A = (Q, Sig, q 0 , ∆) be an STK-dominating ASM with Sig = (Act, Lmd, Aft, A 0 ).Then each configuration (q, ρ) that is reachable from the initial configuration (q 0 , ε) in A satisfies the following constraints: (1) for each STK activity A ∈ Act with Aft(A) ̸ = Aft(A 0 ), A can only occur at the bottom of some task in ρ, (2) ρ contains at most one STD/STP-task, which, when it exists, has the same affinity as A 0 .
It is not difficult to verify that the ASM given in Example 2 is STK-dominating.

Theorem 3. The state reachability of STK-dominating ASM is in 2-EXPTIME.
The proof of Theorem 3 is technically the most challenging part of this paper.We shall give a sketch in Section 5 with the full details in [6].

STK-dominating ASM
For simplicity, we assume that A contains STD and STK activities only 15 .To tackle the (state) reachability problem for STK-dominating ASM, we consider two cases, i.e., Lmd(A 0 ) = STK and Lmd(A 0 ) ̸ = STK.The former case is simpler because, by Proposition 3, all tasks will be rooted at STK activities.For the latter, more general case, the back stack may contain, apart from several tasks rooted at STK activities, one single task rooted at A 0 .Section 5.1 and Section 5.2 will handle these two cases respectively.
We will, however, first introduce some standard, but necessary, backgrounds on pushdown systems.We assume familiarity with standard finite-state automata (NFA) and finite-state transducers (FST).We emphasize that, in this paper, FST refers to a special class of finite-state transducers, namely, letter-to-letter finite-state transducers where the input and output alphabets are the same.
Preliminaries of Pushdown systems.A pushdown system (PDS) is a tuple P = (Q, Γ, ∆), where Q is a finite set of control states, Γ is a finite stack alphabet, and ∆ ⊆ Q × Γ × Γ * × Q is a finite set of transition rules.The size of P, denoted by |P|, is defined as |∆|.
Let P = (Q, Γ, ∆) be a PDS.A configuration of P is a pair (q, w) ∈ Q × Γ * , where w denotes the content of the stack (with the leftmost symbol being the top of the stack).Let Conf P denote the set of configurations of P. We define a binary relation P − → over Conf P as follows: (q, w) P − → (q ′ , w ′ ) iff w = γw 1 and there exists w ′′ ∈ Γ * such that (q, γ, w ′′ , q ′ ) ∈ ∆ and w ′ = w ′′ w 1 .We use P = ⇒ to denote the reflexive and transitive closure of For q ∈ Q, we define C q = {q} × Γ * and write pre * (q) and post * (q) as shorthand of pre * (C q ) and post * (C q ) respectively.
As a standard machinery to solve reachability for PDS, a P-multi-automaton . Evidently, multi-automata are a special class of NFA.Let A = (Q ′ , Γ, δ, I, F ) be a P-MA and (q, w) ∈ Conf P , (q, w) is accepted by A if q ∈ I and there is an accepting run q 0 q 1 • • • q n of A on w with q 0 = q.Let Conf A denote the set of configurations accepted by A. Moreover, let L(A) denote the set of words w such that (q, w) ∈ Conf A for some q ∈ I.For brevity, we usually write MA instead of P-MA when P is clear from the context.Moreover, for an MA A = (Q ′ , Γ, δ, I, F ) and q ′ ∈ Q, we use A(q ′ ) to denote the MA obtained from A by replacing I with {q ′ }.A set of configurations C ⊆ Conf P is regular if there is an MA A such that Conf A = C.The connection between ASM and PDS is rather obvious.In a nutshell, ASM can be considered as a PDS with multiple stacks, which is well-known to be undecidable in general.Our overall strategy to attack the state reachability problem for the fragments of ASM is to simulate them (in particular, the multiple stacks) via-in some cases, decidable extensions of-PDS.

Case Lmd(A 0 ) = STK
Our approach to tackle this case is to simulate A by an extension of PDS, i.e., pushdown systems with transductions (TrPDS), proposed in [19].In TrPDS, each transition is associated with an FST defining how the stack content is modified.Formally, a TrPDS is a tuple P = (Q, Γ, T , ∆), where Q and Γ are precisely the same as those of PDS, T is a finite set of FSTs over the alphabet Γ , and finite set of transition rules.Let R(T ) denote the set of transductions defined by FSTs from T and R(T ) denote the closure of R(T ) under composition and left-quotient.A TrPDS P is said to be finite if R(T ) is finite.
To simulate A via a finite TrPDS P, the back stack where ♯ is a delimiter and ⊥ is the bottom symbol of the stack), which is stored in the stack of P. Recall that, in this case, each task S i is rooted at an STK-activity which sits on the bottom of S i .Suppose top(S 1 ) = A. When a transition (q, A, start(B), q ′ ) with B ∈ Act STK is fired, according to the semantics of A, the B-task of ρ, say S i , is switched to the top of ρ and changed into [B] (i.e., all the activities in the B-task, except B itself, are popped).To simulate this in P, we replace every stack symbol in the place of S i with a dummy symbol † and keep the other symbols unchanged.On the other hand, to simulate a back action of A, P continues popping until the next non-dummy and non-delimiter symbol is seen.Proposition 4. Let A = (Q, Sig, q 0 , ∆) be an STK-dominating ASM with Sig = (Act, Lmd, Aft, A 0 ) and Lmd(A 0 ) = STK.Then a finite TrPDS P = (Q ′ , Γ, T , ∆ ′ ) with Q ⊆ Q ′ can be constructed in time polynomial in |A| such that, for each q ∈ Q, q is reachable from (q 0 , ε) in A iff q is reachable from (q 0 , ⊥) in P.
For a state q ∈ Q, pre * P (q) can be effectively computed as an MA B q , and the reachability of q in A is reduced to checking whether (q 0 , ⊥) ∈ Conf Bq .

Case Lmd(A 0 ) ̸ = STK
We then turn to the more general case Lmd(A 0 ) ̸ = STK which is significantly more involved.For exposition purpose, we consider an ASM A where there are exactly two STK activities A 1 , A 2 , and the task affinity of A 2 is the same as that of the main task A 0 (and thus the task affinity of A 1 is different from that of A 0 ).We also assume that all the activities in A are "standard" except A 1 , A 2 .Namely Act = Act STD ∪ {A 1 , A 2 } and A 0 ∈ Act STD in particular.Neither of these two assumptions is fundamental and their generalization is given in [6].
By Proposition 3, there are at most two tasks in the back stack of A. The two tasks are either an A 0 -task and an A 1 -task, or an A 2 -task and an A 1 -task.An A 2 -task can only surface when the original A 0 -task is popped empty.If this happens, no A 0 -task will be recreated again, and thus, according to the arguments in Section 5.1, we can simulate the ASM by TrPDS directly and we are done.The challenging case is that we have both an A 0 -task and an A 1 -task.To solve the state reachability problem, the main technical difficulty is that the order of the A 0 -task and the A 1 -task may be switched for arbitrarily many times before reaching the target state q.Readers may be wondering why they cannot simply simulate two-counter machines.The reason is that the two tasks are asymmetric in the sense that, each time when the A 1 -task is switched from the bottom to the top (by starting the activity A 1 ), the content of the A 1 -task is reset into [A 1 ].But this is not the case for A 0 -task: when the A 0 -task is switched from the bottom to the top (by starting the activity A 2 ), if it does not contain A 2 , then A 2 will be pushed into the A 0 -task; otherwise all the activities above A 2 will be popped and A 2 becomes the top activity of the A 0 -task.Our decision procedure below utilises the asymmetry of the two tasks.
Intuition of construction.The crux of reachability analysis is to construct a finite abstraction for the A 1 -task and incorporate it into the control states of A, so we can reduce the state reachability of A into that of a pushdown system P A (with a single stack).Observe that a run of A can be seen as a sequence of task switching.In particular, an A 0 ; A 1 ; A 0 switching denotes a path in A − → where the A 0 -task is on the top in the first and the last configuration, while the A 1 -task is on the top in all the intermediate configurations.The main idea of the reduction is to simulate the A 0 ; A 1 ; A 0 switching by a "macro"-transition of P A .Note that the A 0 -task regains the top task in the last configuration either by starting the activity A 2 or by emptying the A 1 -task.Suppose that, for an A 0 ; A 1 ; A 0 switching, in the first (resp.last) configuration, q (resp.q ′ ) is the control state and α (resp.β) is the finite abstraction of the A 1 -task.Then for the "macro"-transition of P A , the control state will be updated from (q, α) to (q ′ , β), and the stack content of P A is updated accordingly: -If the A 0 -task regains the top task by starting A 2 , then the stack content is updated as follows: if the stack does not contain A 2 , then A 2 will be pushed into the stack; otherwise all the symbols above A 2 will be popped.-On the other hand, if the A 0 -task regains the top task by emptying the A 1 -task, then the stack content is not changed.
Roughly speaking, the abstraction of the A 1 -task must carry the information that, when A 0 -task and A 1 -task are the top resp.bottom task of the back stack and A 0 -task is emptied, whether the target state q can be reached from the configuration at that time.As a result, we define the abstraction of the A 1 -task whose content is encoded by a word w ∈ Act * , denoted by α(w), as the set of all states q ′′ ∈ Q such that the target state q can be reached from (q ′′ , (w)) in A.
[Note that during the process that q is reached from (q ′′ , (w)) in A, the A 0 -task does not exist anymore, but a (new) A 2 -task, may be formed.]Let Abs A1 = 2 Q .
To facilitate the construction of the PDS P A , we also need to record how the abstraction "evolves".For each (q ′ , A, α) ∈ Q×(Act\{A 1 })×Abs A1 , we compute the set Reach(q ′ , A, α) consisting of pairs (q ′′ , β) satisfying: there is an A 0 ; A 1 ; A 0 switching such that in the first configuration, A is the top symbol of the A 0 -task, q ′ (resp.q ′′ ) is the control state of the first (resp.last) configuration, and α (resp.β) is the abstraction for the A 1 -task in the first (resp.last) configuration. 16omputing Reach(q ′ , A, α).Let (q ′ , A, α) ∈ Q × (Act \ {A 1 }) × Abs A1 .We first simulate relevant parts of A as follows: -Following Section 5.1, we construct a TrPDS P A0 = (Q A0 , Γ A0 , T A0 , ∆ A0 ) to simulate the A 1 -task and A 2 -task of A after the A 0 -task is emptied, where Note that A 0 may still-as a "standard" activity-occur in P A0 though the A 0 -task disappears.
In addition, we construct an MA B q = (Q q , Γ A0 , δ q , I q , F q ) to represent pre * P A 0 (q), where I q ⊆ Q A0 .Then given a stack content w ∈ Act * STD A 1 of the A 1 -task, the abstraction α(w) of w, is the set of q ′′ ∈ I q ∩ Q such that (q ′′ , w♯⊥) ∈ Conf Bq .
Construction of P A .We first construct a PDS P A0 = (Q A0 , Γ A0 , ∆ A0 ), to simulate the A 0 -task of A.
, ⊥}, and ∆ A0 comprises the transitions.Here 1 (resp.0) marks that the activity A 2 is in the stack (resp. is not in the stack) and the tag pop marks that the PDS is in the process of popping until A 2 .The construction of P A0 is relatively straightforward, the details of which can be found in [6].
[q is reached after the A 0 -task becomes empty and the A 1 -task becomes the top task] Proposition 5. Let A be an STK-dominating ASM where there are exactly two STK-activities A 1 , A 2 and Aft(A 2 ) = Aft(A 0 ).Then q is reachable from the initial configuration (q 0 , ε) in A iff q is reachable from the initial configuration ((∅, (q 0 , 0)), ⊥) in P A .

Related work
We first discuss pushdown systems with multiple stacks (MPDSs) which are the most relevant to ASM. (For space reasons we will skip results on general pushdown systems though.)A multitude of classes of MPDSs have been considered, mostly as a model for concurrent recursive programs.In general, an ASM can be encoded as an MPDS.However, this view is hardly profitable as general MPDSs are obviously Turing-complete, leaving the reachability problem undecidable.
To regain decidability at least for reachability, several subclasses of MPDSs were proposed in literature: (1) bounding the number of context-switches [15], or more generally, phases [10], scopes [11], or budgets [3]; (2) imposing a linear ordering on stacks and pop operations being reserved to the first non-empty stack [5]; (3) restricting control states (e.g., weak MPDSs [7]).However, our decidable subclasses of ASM admit none of the above bounded conditions.A unified and generalized criterion [12] based on MSO over graphs of bounded tree-width was proposed to show the decidability of the emptiness problem for several restricted classes of automata with auxiliary storage, including MPDSs, automata with queues, or a mix of them.Since ASMs work in a way fairly different from multi-stack models in the literature, it is unclear-literally for us-to obtain the decidability by using bounded tree-width approach.Moreover, [12] only provides decidability proofs, but without complexity upper bounds.Our decision procedure is based on symbolic approaches for pushdown systems, which provides complexity upper bounds and which is amenable to implementation.
Higher-order pushdown systems represent another type of generalization of pushdown systems through higher-order stacks, i.e., a nested "stack of stack" structure [13], with decidable reachability problems [9].Despite apparent resemblance, the back stack of ASM can not be simulated by an order-2 pushdown system.The reason is that the order between tasks in a back stack may be dynamically changed, which is not supported by order-2 pushdown systems.
On a different line, there are some models which have addressed, for instance, GUI activities of Android apps.Window transition graphs were proposed for representing the possible GUI activity (window) sequences and their associated events and callbacks, which can capture how the events and callbacks modify the back stack [21].However, the key mechanisms of back stacks (launch modes and task affinities) were not covered in this model.Moreover, the reachability problem for this model was not investigated.A similar model, labeled transition graph with stack and widget (LATTE [20]) considered the effects of launch modes on the back stacks, but not task affinities.LATTE is essentially a finite-state abstraction of the back stack.However, to faithfully capture the launch modes and task affinities, one needs an infinite-state system, as we have studied here.

Conclusion
In this paper, we have introduced Android stack machine to formalize the back stack system of the Android platform.We have also investigated the decidability of the reachability problem of ASM.While the reachability problem of ASM is undecidable in general, we have identified a fragment, i.e., STK-dominating ASM, which is expressive and admits decision procedures for reachability.
The implementation of the decision procedures is in progress.We also plan to consider other features of Android back stack systems, e.g., the "allowTaskReparenting" attribute of activities.A long-term program is to develop an efficient and scalable formal analysis and verification framework for Android apps, towards which the work reported in this paper is the first cornerstone.

A
− →.As usual, we use A = ⇒ to denote the reflexive and transitive closure of A − →.

Fig. 2 :
Fig. 2: ASM corresponding to the ActivitiesLaunchDemo app A pre * and A post * that recognise pre * (Conf A ) and post * (Conf A ) respectively.
and w ′ = uw 2 .Let P = ⇒ denote the reflexive and transitive closure of P − →.Similarly to PDS, we can define pre * (•) and post * (•) respectively.Regular sets of configurations of TrPDS can be represented by MA, in line with PDS.More precisely, given a finite TrPDS P = (Q, Γ, T , ∆) and an MA A for P, one can compute, in time polynomial in |P| + | R(T ) | + |A|, two MAs A pre * and A post * that recognize the sets pre * (Conf A ) and post * (Conf