Reachability Analysis of Reversal-bounded Automata on Series-Parallel Graphs by Dimitrova, Rayna & Majumdar, Rupak
J. Esparza, E. Tronci (Eds.): Games, Automata, Logics and Formal Verification 2015 (GandALF'15)
EPTCS 193, 2015, pp. 100–114, doi:10.4204/EPTCS.193.8
© R. Dimitrova and R. Majumdar
This work is licensed under the Creative Commons Attribution License.
Reachability Analysis of Reversal-bounded Automata on
Series-Parallel Graphs
Rayna Dimitrova
Max Planck Institute for Software Systems (MPI-SWS), Germany
Rupak Majumdar
Max Planck Institute for Software Systems (MPI-SWS), Germany
Extensions to finite-state automata on strings, such as multi-head automata or multi-counter automata, have been successfully used to encode many infinite-state non-regular verification problems. In this paper, we consider a generalization of automata-theoretic infinite-state verification from strings to labeled series-parallel graphs. We define a model of non-deterministic, 2-way, concurrent automata working on series-parallel graphs and communicating through shared registers on the nodes of the graph. We consider the following verification problem: given a family of series-parallel graphs described by a context-free graph transformation system (GTS), and a concurrent automaton over series-parallel graphs, is some graph generated by the GTS accepted by the automaton? The general problem is undecidable already for (one-way) multi-head automata over strings. We show that a bounded version, where the automata make a fixed number of reversals along the graph and use a fixed number of shared registers, is decidable, even though there is no bound on the sizes of series-parallel graphs generated by the GTS. Our decidability result is based on establishing that the number of context switches is bounded and on an encoding of the computation of bounded concurrent automata to reduce the emptiness problem to the emptiness problem for pushdown automata.
1 Introduction
The language-theoretic approach to verification models the behaviors of a system as a set —or a language— of structures (such as strings or trees), and defines machine models that generate or accept these languages. The verification problem reduces to the language-emptiness problem for these models. The simplest such models are finite-state machines over finite or infinite words or trees, and this forms the basis of the hugely successful automata-theoretic approach to (finite-state) model checking [20]. Finite-state machines have been generalized in many ways to extend the set of languages that may be needed to model more complex (non-regular) computational processes. For example, they can be extended with data structures such as stacks or counters, or with multiple heads or tapes, allowing 2-way traversals of the input [19, 17].
Since the emptiness problem can be undecidable for many extensions, research in infinite-state verification has focused on finding suitable underapproximations for which language emptiness is algorithmically decidable. For example, the reversal-boundedness restriction bounds the number of reversals of the counters or of stacks, or the number of traversals of the input [13, 14, 11, 10], and the bounded language restriction considers behaviors describable by a bounded language [9, 8]. Overall, the approach has led to beautiful theoretical results and has also been quite successful in modeling many infinite-state parameterized computational models and reasoning about them algorithmically.
Most previous work in parameterized verification has focused on machine models for string or tree languages. In this paper, we study behaviors encoded as series-parallel graphs whose edges are labeled with a finite alphabet. Series-parallel graphs generalize strings or multi-tape machines by allowing multiple parallel "tracks" to fork off and rejoin at any point. They allow modeling various natural modes of computation, e.g., fork-join parallelism in data-parallel programs, while retaining enough structure, e.g., having a natural "forward" direction, that is absent in general graphs. Languages over series-parallel graphs can be naturally described using context-free graph transformation systems (GTSs), which describe the dynamic evolution of families of graphs through local rewrite rules [5, 2, 4].
We define and study a class of concurrent finite-state automata traversing series-parallel graphs and communicating through state-holding registers located at the nodes of the graph. More precisely, in our model of computation, a fixed number of finite-state machines traverse the nodes of a series-parallel graph. At each step, one of the machines makes a transition that depends on the current state of the machine, the label it reads on one of the incoming or outgoing arcs, and the value of the register stored at its node. The machine moves along the selected edge, updating its state as well as the register. Machines are thus 2-way and non-deterministic, and communicate through the shared registers. A series-parallel graph is accepted if some subset of the machines reach final states while located at the same node of the graph.
We study the emptiness problem: given a context-free GTS defining a language of series-parallel graphs, and a concurrent finite-state automaton, check if there is a graph in the language of the GTS accepted by the automaton. This problem is, not surprisingly, undecidable: for example, we can encode linear bounded automata over strings. We study a natural restriction of the emptiness problem by restricting the number of reversals along the computation and by putting a bound on the number of shared registers in the graph. With these two restrictions, we show that the emptiness problem is decidable and can be reduced to the emptiness problem for pushdown automata. Note that even with the restrictions, the problem is infinite-state because there is no a priori bound on the size of the series-parallel graphs generated by the GTS.
The reduction is based on two technical observations. First, when the number of reversals and the
number of registers are fixed, there is a bound on the number of parallel tracks in the graph that needs to
be tracked. We also establish a bound on the number of different times each machine moves along the
run (although the length of the run may be unbounded). Second, using the bounds above, we construct a
large alphabet that tracks valid runs of the machines on a valid graph generated by the GTS. We do this
in several steps. We construct a pushdown automaton that checks that a word is a valid representation
of a subgraph of a graph generated by the context-free GTS. We construct a set of automata, one for
each machine, that checks that the word encodes a correct run of that machine along the graph. Finally,
we construct another automaton that checks that the run is accepted by the concurrent automaton. Some
graph generated by the GTS is accepted if the intersection of all these automata is non-empty.
Other Related Work. The automata-theoretic approach is often called regular model checking when applied to parameterized verification [1]. An extensive study of the decidability of several verification problems for classes of GTSs was carried out in [4]. The problems considered there are reachability of a given graph, coverability (reachability of a graph that contains a given graph as a subgraph) and existential coverability, which asks whether there exists an initial graph such that the answer to the coverability problem is positive. The classes of GTSs they investigate are defined by structural restrictions on the set of transformation rules. Classes with a decidable coverability problem are context-free graph grammars, well-structured GTSs and the ones that keep the number of nodes constant. Hyperedge-replacement graph grammars [6] and vertex-replacement graph grammars [7] are well-studied classes of GTSs. It is known that for such graph grammars satisfiability of Monadic Second Order (MSO) formulas is decidable [5]. A logic for expressing properties that involve interleaving of temporal and graph modalities was developed in [3] as a combination of MSO and the µ-calculus. They employ an approximation of GTSs [2] that preserves fragments of the logic to obtain a sound but incomplete verification method for these fragments. A method to refine such approximations based on counterexamples was developed in [15]. [18] describes a tool for model checking finite-state graph transition systems against first-order temporal logic properties. The work [16] studies the emptiness problem for concurrent automata with auxiliary storage and provides a generalization of the decidability results for a number of classes of such automata for which the emptiness problem can be reduced to emptiness of finite-state graph automata over MSO-definable graphs with bounded tree width. It might be possible to obtain or generalize the results we establish in this paper through arguments similar to theirs.
2 Graph-grammar Transition Systems
Let A be a finite set. As usual, the set A* consists of all finite sequences of elements of A. Let π = a_0 a_1 … a_{n−1} a_n ∈ A*. We define π^{−1} = a_n a_{n−1} … a_1 a_0 and last(π) = a_n. The length |π| = n+1 of π is the number of elements of π, and given 0 ≤ i ≤ j ≤ n we denote π[i] = a_i and π[i, j] = a_i … a_j.
With M(A) = {S | S : A → ℕ} we denote the set of multisets over A. For S_1, S_2 ∈ M(A) we define S_1 ⊑ S_2 iff for every a ∈ A we have S_1(a) ≤ S_2(a). We use square brackets to denote multisets; for example, [a_1, a_2, a_2] denotes S ∈ M(A), where S(a_1) = 1, S(a_2) = 2 and S(a) = 0 for all a ∈ A \ {a_1, a_2}.
2.1 Series-parallel graph grammars
Fix an alphabet Σ. We consider graphs labeled with letters from Σ. A graph is a tuple G = (N,E,nb,ne) where N is a finite set of nodes, E ∈ M(N × N × Σ) is a multiset of edges and nb, ne ∈ N are two distinguished nodes called source and sink, respectively. For an edge e = (n,n′,σ) ∈ E, we write src(e) for n and trg(e) for n′, and α(e) for the label σ of e. We write H_Σ for the set of all Σ-labeled graphs.
Let G = (N,E,nb,ne) and G′ = (N′,E′,n′b,n′e) be graphs on disjoint sets of nodes. For an edge ê = (n̂1, n̂2, σ̂) ∈ E, the edge replacement graph G[ê ↦ G′] is the (unique up to isomorphism) graph defined by removing one copy of the edge ê from G, and adding the nodes and edges of G′ by fusing n̂1 with n′b, and n̂2 with n′e. Formally, G[ê ↦ G′] = (N′′,E′′,nb,ne), where N′′ = N ∪̇ (N′ \ {n′b,n′e}) and E′′ = (E \ {ê}) ∪ Ê′, where there is an edge (n1,n2,σ) in the multiset Ê′ with some multiplicity iff
• in E′, with the same multiplicity, there is an edge (n′b,n′e,σ), and n1 = src(ê) and n2 = trg(ê), or
• in E′, with the same multiplicity, there is an edge (n1,n2,σ), and n1 ≠ n′b and n2 ≠ n′e, or
• in E′, with the same multiplicity, there is an edge (n′b,n2,σ), and n1 = src(ê), or
• in E′, with the same multiplicity, there is an edge (n1,n′e,σ), and n2 = trg(ê).
Definition 1 (Series-parallel graph grammar). A series-parallel graph grammar (SPGG) is a tuple 𝒢 = (V,Σ,R,G0), where V is a finite set of variables, Σ is a finite alphabet (Σ ∩ V = ∅), R ⊆ V × H_{Σ∪V} is a finite set of rules, and G0 = ({nb,ne},{(nb,ne,v0)},nb,ne) ∈ H_V, with nb ≠ ne, is the initial graph.
Furthermore, each rule (v,G′) ∈ R, where G′ = (N′,E′,n′b,n′e), satisfies exactly one of the following:
(1) N′ = {n′b,n′e}, E′ = {(n′b,n′e,σ)} and σ ∈ Σ, denoted (v,σ) ∈ R;
(2) N′ = {n′b,n′e,n′} has three nodes, E′ = {(n′b,n′,v1),(n′,n′e,v2)} and v1,v2 ∈ V, denoted by (v,v1 · v2) ∈ R (series composition);
(3) N′ = {n′b,n′e} has two nodes, E′ = {(n′b,n′e,v1),(n′b,n′e,v2)} and v1,v2 ∈ V, denoted by (v,v1 ‖ v2) ∈ R (parallel composition).
Figure 1: A series parallel graph generated by an SPGG and a finite-state machine over the same alphabet. [Figure drawing not recoverable from the text: (a) A series parallel graph with Σ = {a,b,c}, with source nb, sink ne and an intermediate node n1. (b) A finite-state machine with Σ = {a,b,c} and states q0, qa, qb; its edges carry labels of the form ((σ,·),p,p′).]
An SPGG derives a graph in H_Σ as follows. It starts with the graph G0. In each step, it picks an arbitrary edge e of the current graph G that is labeled with a variable v ∈ V, and applies a rule (v,G′) ∈ R to get a new graph G′′ = G[e ↦ G′]. In this case, we write G ⇒ G′′. A graph G ∈ H_Σ is derived if there is a sequence G0 ⇒ G1 … ⇒ Gn = G of steps that results in G. Note that every graph thus derived is a series-parallel graph labeled with Σ, so an SPGG represents a set of series-parallel graphs labeled with Σ. We write ℒ(𝒢) for the set of graphs in H_Σ derived by 𝒢.
Example 1. As an example of an SPGG consider 𝒢 = (V,Σ,R,G0) with variables V = {v0,v1,va,vb,vc}, set of terminal symbols Σ = {a,b,c}, initial graph G0 = ({nb,ne},{(nb,ne,v0)},nb,ne) and rules
R = {(v0,vc · v1), (v1,va ‖ vb), (va,a), (vb,b), (vc,c), (va,va · va), (vb,vb · vb), (vb,vb ‖ vb)}.
Figure 1a shows a (series-parallel) graph G derived from the SPGG 𝒢. The directions of the edges denote the "natural" direction from source to sink associated with a series-parallel graph.
A series-parallel graph has a natural "direction" associated with it from the source to the sink, consistent with the direction n1 → n2 of an edge (n1,n2,σ). In particular, it has no directed cycles. For convenience, we introduce the "symmetric closure" of series-parallel graphs. For each edge (n1,n2,σ) labeled with σ, we augment the label with a direction 1 to obtain (σ,1) (1 capturing the "forward" direction), and add an opposite edge (n2,n1,(σ,−1)) labeled with (σ,−1) denoting the edge taken in the "backward" direction. Formally, given a series-parallel graph G = (N,E,nb,ne), we define its symmetric closure G′ = (N,E′,nb,ne) ∈ H_{Σ×{1,−1}}, where E′ = {(n,n′,(σ,1)) | (n,n′,σ) ∈ E} ∪ {(n,n′,(σ,−1)) | (n′,n,σ) ∈ E}. We write ℒ^u(𝒢) for the set of symmetric closures of all graphs derived by 𝒢.
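As an added illustration of Section 2.1 (this code is not from the paper), the following Python models graphs as multisets of labelled edges, implements the edge replacement G[ê ↦ G′] by renaming the nodes of G′ so that its source and sink coincide with the endpoints of ê (the same result as the four-case definition above, realised by renaming), derives a graph with the rules of Example 1, and builds the symmetric closure. The rule encoding, the node names produced by fresh_node(), and the particular derivation in STEPS are conventions chosen for this example, not the paper's.

```python
from collections import Counter

# Added example (not code from the paper). Graphs G = (N, E, nb, ne) with E a multiset,
# edge replacement, SPGG derivation with the rules of Example 1, and symmetric closure.

class Graph:
    """G = (N, E, nb, ne): nodes, multiset of labelled edges (n, n', sigma), source, sink."""
    def __init__(self, nodes, edges, nb, ne):
        self.N = set(nodes)
        self.E = Counter(edges)      # (src, trg, label) -> multiplicity
        self.nb, self.ne = nb, ne

_counter = [0]
def fresh_node():
    """A node name not used so far (G and G' must have disjoint node sets); constructed convention."""
    _counter[0] += 1
    return "m%d" % _counter[0]

def edge_replace(G, e, Gp):
    """G[e -> Gp]: remove one copy of e and glue Gp in, fusing Gp.nb with src(e) and Gp.ne with trg(e)."""
    assert G.E[e] > 0, "edge not in G"
    src, trg, _ = e
    # Fusing by renaming: Gp's source/sink become e's endpoints, inner nodes get fresh names.
    rename = {Gp.nb: src, Gp.ne: trg}
    for n in Gp.N - {Gp.nb, Gp.ne}:
        rename[n] = fresh_node()
    E = Counter(G.E)
    E[e] -= 1
    if E[e] == 0:
        del E[e]
    for (n1, n2, s), mult in Gp.E.items():
        E[(rename[n1], rename[n2], s)] += mult
    return Graph(G.N | set(rename.values()), E, G.nb, G.ne)

def rhs(rule):
    """Right-hand side graph of a rule of kind (1) terminal, (2) series or (3) parallel."""
    kind, x, *rest = rule
    if kind == "term":                    # (1): nb -sigma-> ne
        return Graph({"b", "e"}, [("b", "e", x)], "b", "e")
    if kind == "series":                  # (2): nb -v1-> n' -v2-> ne
        return Graph({"b", "n", "e"}, [("b", "n", x), ("n", "e", rest[0])], "b", "e")
    if kind == "par":                     # (3): nb -v1-> ne and nb -v2-> ne
        return Graph({"b", "e"}, [("b", "e", x), ("b", "e", rest[0])], "b", "e")
    raise ValueError(rule)

# The rules R of Example 1, grouped by the variable on the left-hand side.
RULES = {
    "v0": [("series", "vc", "v1")],
    "v1": [("par", "va", "vb")],
    "va": [("term", "a"), ("series", "va", "va")],
    "vb": [("term", "b"), ("series", "vb", "vb"), ("par", "vb", "vb")],
    "vc": [("term", "c")],
}
G0 = Graph({"nb", "ne"}, [("nb", "ne", "v0")], "nb", "ne")

def derive(G, steps):
    """Apply (variable, rule) steps in order; each step rewrites the smallest edge labelled with that variable."""
    for v, rule in steps:
        assert rule in RULES[v], "not a rule of the grammar"
        e = min(e for e in G.E if e[2] == v)
        G = edge_replace(G, e, rhs(rule))
    return G

def label_multiset(G):
    """Multiset of edge labels of G (which letters a derived graph carries, and how often)."""
    labels = Counter()
    for (_, _, s), mult in G.E.items():
        labels[s] += mult
    return labels

def symmetric_closure(G):
    """Each edge gets direction 1 and a reverse copy with direction -1 (the 'backward' edge)."""
    E = Counter()
    for (n1, n2, s), mult in G.E.items():
        E[(n1, n2, (s, 1))] += mult
        E[(n2, n1, (s, -1))] += mult
    return Graph(G.N, E, G.nb, G.ne)

# A constructed derivation of c . ((a . a) || (b || b)) from G0.
STEPS = [("v0", ("series", "vc", "v1")), ("vc", ("term", "c")), ("v1", ("par", "va", "vb")),
         ("va", ("series", "va", "va")), ("va", ("term", "a")), ("va", ("term", "a")),
         ("vb", ("par", "vb", "vb")), ("vb", ("term", "b")), ("vb", ("term", "b"))]

if __name__ == "__main__":
    G = derive(G0, STEPS)
    print(sorted(G.E.items()))
    print(dict(label_multiset(G)), sum(symmetric_closure(G).E.values()))
```

The derivation yields four nodes (source, sink and two intermediate nodes) and five edges; the symmetric closure doubles the edge multiplicities, since the two parallel b-edges keep multiplicity 2 in both directions.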
Remark. While for simplicity of the presentation we consider graphs with a single pair of source and
sink nodes, our results can in principle be extended to graphs with multiple such nodes. However, the
automata construction outlined in Section 4.3 relies on the structure of the rules of an SPGG and does
not directly generalize to general context-free GTSs defining sets of directed acyclic graphs.
2.2 Graph-grammar transition systems
We now define communicating finite automata on the symmetric closure of series-parallel graphs. Recall that these are series-parallel graphs whose edges are labeled with an alphabet and a direction. Intuitively, a system of communicating machines has a set of m machines that traverse the edges of a series-parallel graph, some of whose nodes are annotated with Boolean registers. Each automaton traverses the edges of the graph: when the automaton is at a node n of the graph and in state q, it reads the register on the node, chooses an edge with source node n labeled with (σ,d) ∈ Σ×{1,−1} based on its current state, the label, and the value read from the register, traverses the edge and moves to the target node of that edge and to a new state q′, and writes a value to the register at the source node.
Let Σ be a finite alphabet. A finite-state machine ℳ = (Q,q0,Σ,δ) consists of a finite set of states Q, an initial state q0 ∈ Q, an input alphabet Σ, and a transition relation δ ⊆ Q × (Σ×{1,−1}) × B × Q × B.
The intuitive meaning of a transition (q,(σ,d),b,q′,b′) ∈ δ is that when the machine ℳ is in state q and reads input letter σ ∈ Σ, direction d ∈ {1,−1}, and register value b, then it changes its state to q′, moves along an edge labeled (σ,d) in the graph and writes b′ to the register.
Example 2. Figure 1b shows an example of a finite-state machine ℳ = (Q,q0,Σ,δ) with states Q = {q0,qa,qb}, input alphabet Σ = {a,b,c} and transition relation δ depicted in Figure 1b, where a label ((σ,d),p,p′) on an edge from state q to state q′ stands for the transition (q,(σ,d),p,q′,p′).
A system of machines (M ,m) is a set of m disjoint copies M1, . . . ,Mm of the machine M .
Definition 2 (Graph-grammar transition system). Let ℳ = (Q,q0,Σ,δ) be a finite-state machine. A system of m machines (ℳ,m), together with an SPGG 𝒢 = (V,Σ,R,G0), defines a transition system 𝒯(ℳ,m,𝒢) = (Γ,Γ0,→) as follows. The set of configurations Γ consists of all tuples ⟨G,µ,β⟩ such that G ∈ ℒ^u(𝒢) is a graph derived by 𝒢 and:
• µ : N → 2^{{1,…,m}×Q} maps each node in G to the states of the machines at that node; we require that for each i ∈ {1,…,m} there exists exactly one n ∈ N and exactly one q ∈ Q with (i,q) ∈ µ(n);
• β : N → B maps each node to the value of the Boolean register at that node.
The set Γ0 of initial configurations is such that γ = ⟨G,µ,β⟩ ∈ Γ0 iff γ ∈ Γ, µ(nb) = {(i,q0) | i ∈ {1,…,m}}, µ(n) = ∅ for every n ∈ N \ {nb}, and β(n) = 0 for every n ∈ N. That is, initially all machines are positioned at the source node of the graph and are in their initial state, and all registers are 0.
The successor relation → ⊆ Γ×Γ is defined as → = ⋃_{i=1}^{m} →_i, where for each i ∈ {1,…,m} it holds that (⟨G,µ,β⟩,⟨G′,µ′,β′⟩) ∈ →_i (denoted ⟨G,µ,β⟩ →_i ⟨G′,µ′,β′⟩) iff the following hold:
• G′ = G, where G = (N,E,nb,ne) ∈ ℒ^u(𝒢) is a graph generated by 𝒢.
• There exist an edge e = (n,n′,(σ,d)) ∈ E, states q,q′ ∈ Q, and a value b′ ∈ B such that:
(i) (i,q) ∈ µ(n) (note: n ≠ n′, since G is derived by an SPGG),
(ii) (q,α(e),β(n),q′,b′) ∈ δ,
(iii) µ′(n) = µ(n) \ {(i,q)}, µ′(n′) = µ(n′) ∪ {(i,q′)} and µ′(n′′) = µ(n′′) for all n′′ ∈ N \ {n,n′},
(iv) β′(n) = b′ and β′(n′′) = β(n′′) for all n′′ ∈ N \ {n}.
We say that the edge e is compatible with the transition γ → γ′.
A run ρ of T (M ,m,G ) = (Γ,Γ0,→) is a sequence of configurations ρ = γ0 . . .γ f ∈ Γ∗ such that
γ0 ∈ Γ0 and γi−1 → γi for each i = 1, . . . , f .
Intuitively, the infinite-state transition system T (M ,m,G ) captures the behaviors of m machines,
copies of M , on the family of all series-parallel graphs derived by G .
2.3 Configuration properties and verification problem
A configuration property describes a set of configurations. Let n be a variable (ranging over nodes), and S ∈ M(Q). The set of configuration properties consists of the positive Boolean combinations (no negation) of atomic properties of the form ∃n. S ⊑ µ(n).
A configuration γ = ⟨G,µ,β⟩ ∈ Γ with G = (N,E,nb,ne) satisfies an atomic configuration property ϕ = ∃n. S ⊑ µ(n) (written γ ⊨ ϕ) iff there exists a node n ∈ N such that S ⊑ [q ∈ Q | (i,q) ∈ µ(n), where i ∈ {1,…,m}], that is, the multiset S is contained in the multiset of machine states in the node n in the configuration γ. The relation ⊨ is naturally extended to positive Boolean combinations.
Let (ℳ,m) be a system of machines and 𝒢 an SPGG. Given a configuration property F describing a set of final configurations, the verification problem Reach(ℳ,m,𝒢,F) is to decide whether there exists a run ρ = γ_0 … γ_f of 𝒯(ℳ,m,𝒢) such that γ_i ⊨ F for some 0 ≤ i ≤ f, i.e., a run that reaches F.
Since our model allows machines to do arbitrarily many "reversals" (i.e., following forward and backward edges) and does not fix a bound on the number of shared registers that are read or written, it easily captures linear bounded automata. Thus, the verification problem is in general undecidable.
Proposition 1. The verification problem is undecidable.
2.4 Bounded verification problem
Since the general problem is undecidable, we focus on a bounded version. We introduce two restrictions.
First, we allow each machine to make only a bounded number of reversals (a reversal occurs when the
machine changes direction in the graph). Second, we fix an a priori bound on the number of shared
registers. That is, while the SPGG generates a potentially unbounded set of graphs, with unboundedly
many nodes, we assume that there is some fixed bound k on the number of Boolean registers located at
nodes of a generated graph (these k registers may be situated at arbitrary nodes of the graph though).
Fix a machine M = (Q,q0,Σ,δ ), the system of machines (M ,m), and an SPGG G = (V,Σ,R,G0).
Reversal bound. Let us fix a run ρ = γ0, . . . ,γ f where γi = 〈G,µi,βi〉. Consider the projection of
ρ to → j for each machine j ∈ {1, . . . ,m}. The number of reversals made by machine j along the run,
intuitively, is the number of times it changes from traversing an edge marked with direction 1 to traversing
an edge marked with direction −1, or vice versa.
Formally, let e1e2 . . .en be a sequence of edges. A reversal occurs at position i if α(ei) = (·,1) and
α(ei+1) = (·,−1) or if α(ei) = (·,−1) and α(ei+1) = (·,1).
Now, let γi1 → j γi1+1, γi2 → j γi2+1, . . . be the transitions of machine j along the run ρ , and let ei1 , ei2 ,
. . . be the compatible edges that were taken by machine j. The number of reversals of machine j along
ρ is the number of reversals in the sequence ei1 ei2 . . ..
For r ≥ 0, the set of r-reversal bounded runs of T (M ,m,G ) is the set of runs in which each machine
makes at most r reversals.
Register bound. The register bound fixes a number k of Boolean registers. That is, each graph G derived by 𝒢 comes with a mapping κ : N → {0,1}, such that |κ^{−1}(1)| ≤ k, and we allow the machines to read and write register values only when their current node is in κ^{−1}(1).
To derive graphs with a mapping κ, we modify an SPGG to "mark" some nodes along the derivation, and ensure that any derived graph has at most k marked nodes. (The formal details are similar to constructing a CFG for a CFL with at most k marked positions from a CFG for the (unmarked) language.) For an SPGG 𝒢, we denote by 𝒢^k the SPGG that marks at most k nodes of a derived graph. We write, by abuse of notation, (G,κ) ∈ ℒ^u(𝒢^k) for a graph G which is the symmetric closure of a graph derived by 𝒢^k together with the mapping κ.
In addition, we modify the successor relation of the graph-grammar transition systems 𝒯(ℳ,m,𝒢^k) to require (ii)′ (q,α(e),β(n),q′,b′) ∈ δ if κ(n) = 1, and (q,α(e),0,q′,0) ∈ δ otherwise.
Example 3. The SPGG 𝒢 shown in Example 1 can be modified into an SPGG 𝒢^2 that derives graphs in which at most 2 nodes are marked. Furthermore, we can consider SPGGs that not only ensure an upper bound on the number of marked nodes, but impose constraints on their location. For example, we can consider an SPGG 𝒢^{2*} that additionally requires that by applying the rule (v0,vc · v1) the corresponding intermediate node between the edges labeled vc and v1 is marked to contain a register.
If we then consider the graph-grammar transition system 𝒯(ℳ,2,𝒢^{2*}), where ℳ is the finite-state machine described in Example 2, and let G be the graph depicted in Figure 1a, then there does not exist a run with underlying graph G that reaches a configuration satisfying ϕ = ∃n. [qa,qa] ⊑ µ(n), since the register at node n1 acts as a semaphore that does not allow two copies of the machine ℳ to enter the part of the graph containing edges labeled with the letter a.
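The following Python is an added example, not code from the paper: it decides Reach for one fixed graph (the configuration space is finite once the graph is fixed) by breadth-first search over the successor relation of Definition 2, counting reversals per machine as in the reversal bound above and applying rule (ii)′ at nodes without a register. The graph c·(a ‖ b), the register placement κ and the machine's transition relation are constructed for this example; the machine mimics the semaphore behaviour of Example 3 but is not the machine of Figure 1b. An unguarded variant shows what happens without the register check, and the extra state qr is reachable only when a reversal is allowed.

```python
from collections import Counter, deque

# Added example (not code from the paper). Constructed graph c . (a || b) with a
# register at its middle node, a constructed semaphore-style machine, and BFS
# reachability over configurations with a reversal bound r.

EDGES = [("nb", "n1", "c"), ("n1", "ne", "a"), ("n1", "ne", "b")]   # constructed graph
SOURCE = "nb"
KAPPA = {"n1"}          # kappa^{-1}(1): the nodes carrying a register (k = 1)

# delta entries are (q, (sigma, d), b, q', b'); states q0, qa, qb, qr ("returned").
DELTA_SEMAPHORE = {
    ("q0", ("c", 1), 0, "q0", 0),    # walk forward over c (no register at nb: read 0, write 0)
    ("q0", ("a", 1), 0, "qa", 1),    # enter the a-part only if the register is 0, and set it to 1
    ("q0", ("b", 1), 0, "qb", 0),    # b is allowed whatever the register holds
    ("q0", ("b", 1), 1, "qb", 1),
    ("qa", ("a", -1), 0, "qr", 0),   # one reversal: walk back over a
}
# Same machine, but the a-transition ignores the register (no mutual exclusion).
DELTA_UNGUARDED = (DELTA_SEMAPHORE - {("q0", ("a", 1), 0, "qa", 1)}) | {
    ("q0", ("a", 1), 0, "qa", 0), ("q0", ("a", 1), 1, "qa", 1)}

def successors(conf, delta, edges, kappa, r):
    """All gamma ->_i gamma'. conf = (positions, registers, last_dir, reversals); one entry per machine."""
    positions, registers, last_dir, reversals = conf
    regs = dict(registers)
    for i, (n, q) in enumerate(positions):
        for (n1, n2, sigma) in edges:
            # symmetric closure: forward edge (sigma, 1) and backward edge (sigma, -1)
            for src, trg, d in ((n1, n2, 1), (n2, n1, -1)):
                if src != n:
                    continue
                read = regs[n] if n in kappa else 0          # rule (ii)': no register reads as 0 ...
                for (q1, lab, b, q2, b2) in delta:
                    if q1 != q or lab != (sigma, d) or b != read:
                        continue
                    if n not in kappa and b2 != 0:           # ... and must write 0
                        continue
                    rev = reversals[i] + (1 if last_dir[i] not in (0, d) else 0)
                    if rev > r:                              # reversal bound
                        continue
                    new_pos = list(positions); new_pos[i] = (trg, q2)
                    new_regs = dict(regs)
                    if n in kappa:
                        new_regs[n] = b2                     # write goes to the source node's register
                    new_last = list(last_dir); new_last[i] = d
                    new_rev = list(reversals); new_rev[i] = rev
                    yield (tuple(new_pos), tuple(sorted(new_regs.items())),
                           tuple(new_last), tuple(new_rev))

def satisfies(positions, S):
    """gamma |= exists n. S ⊑ mu(n): some node holds at least the multiset S of machine states."""
    need = Counter(S)
    for node in {n for n, _ in positions}:
        have = Counter(q for n, q in positions if n == node)
        if all(have[q] >= c for q, c in need.items()):
            return True
    return False

def reachable(delta, m, r, S, edges=EDGES, kappa=KAPPA):
    """Does some r-reversal bounded run of m copies of the machine reach exists n. S ⊑ mu(n)?"""
    init = (tuple((SOURCE, "q0") for _ in range(m)),
            tuple(sorted((n, 0) for n in kappa)),    # all registers start at 0
            (0,) * m, (0,) * m)                       # no direction yet, no reversals yet
    seen, queue = {init}, deque([init])
    while queue:
        conf = queue.popleft()
        if satisfies(conf[0], S):
            return True
        for nxt in successors(conf, delta, edges, kappa, r):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

if __name__ == "__main__":
    print(reachable(DELTA_SEMAPHORE, 2, 1, ["qa", "qa"]))   # the register excludes a second qa
    print(reachable(DELTA_UNGUARDED, 2, 1, ["qa", "qa"]))   # without the guard both machines enter
    print(reachable(DELTA_SEMAPHORE, 1, 0, ["qr"]), reachable(DELTA_SEMAPHORE, 1, 1, ["qr"]))
```

Only the positions, register values, last direction and reversal count of each machine are part of the explored state, which is exactly the information the successor relation and the reversal bound depend on; the machine that acquires the register never releases it, so the exclusion holds for every interleaving the search enumerates.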
The reversal-bounded and register-bounded verification problem takes as input a system of machines
(M ,m), an SPGG G , and parameters r and k, and a configuration property F , and asks if there exists an
r-reversal bounded run of the machines on some graph derived by G k that reaches F .
Our main result is the following.
Theorem 1. The reversal- and register-bounded verification problem is decidable.
Remark. Our decidability results hold for a somewhat more general model, in which the machines can
read one of the fixed number of registers not at its current node but can only write to the register at its
current node, or vice versa. We work in the simpler setting to keep the notation manageable.
3 Properties of Reversal-Bounded Runs
Fix a machine ℳ = (Q,q0,Σ,δ), the system of machines (ℳ,m), an SPGG 𝒢 = (V,Σ,R,G0) and the parameters r and k. In this section we state two properties of r-reversal bounded runs of 𝒯(ℳ,m,𝒢^k) that allow us to encode such runs as words over a finite alphabet and to reduce the reversal- and register-bounded verification problem to the emptiness test for a context-free language.
Given a run ρ = γ_0 … γ_f and a machine i ∈ {1,…,m}, an i-block is a segment ρ[j1,j2] = γ_{j1} … γ_{j2} of the run ρ such that γ_j →_i γ_{j+1} for each j1 ≤ j < j2. That is, all transitions in the part ρ[j1,j2] of the run are made by machine i. The following proposition establishes that for every r-reversal bounded run ρ we can reorder its transitions to obtain an r-reversal bounded run ρ̂ such that the number of maximal blocks in ρ̂ is not greater than a constant depending on m, r and k (and not on the length of the run ρ).
Proposition 2. For every r-reversal bounded run ρ = γ_0,…,γ_f of 𝒯(ℳ,m,𝒢^k) there exist an r-reversal bounded run ρ̂ = γ̂_0,…,γ̂_f of 𝒯(ℳ,m,𝒢^k) and a sequence of indices 0 = f_0 < f_1 < … < f_u = f such that the following conditions are satisfied:
• u ≤ (r·m + k·m·(r+1) + 1)·(m+1),
• for each i ∈ {0,…,u−1}, there exists m_i ∈ {1,…,m} such that ρ̂[f_i, f_{i+1}] is an m_i-block,
• γ̂_0 = γ_0 and µ̂_f = µ_f, where γ_f = ⟨G,µ_f,β_f⟩ and γ̂_f = ⟨G,µ̂_f,β̂_f⟩.
Remark. In the proof of the above proposition we construct the run ρ̂ by reordering transitions in ρ while
keeping in place the transitions that access registers. Thus, the relative order of transitions which modify
registers is preserved, which in turn implies that γ̂ f = γ f (that is, we have also β̂ f = β f ).
The second property uses the bound r on the number of reversals of each machine in an r-reversal bounded run ρ to relate ρ to the set of paths in the underlying graph traversed by the machines in ρ.
A trace τ is an element of the set Σ*. A trace τ = σ_1 … σ_f is compatible with a run ρ = γ_0,…,γ_f if there exists a sequence of edges e_1 e_2 … e_f compatible with ρ such that α(e_i) = (σ_i,·) for every 0 < i ≤ f.
Given a graph G = (N,E,nb,ne) ∈ ℒ^u(𝒢^k) and a trace τ we define Paths(G,τ) to be the (possibly empty) set of paths from nb to ne whose sequence of edge labels is τ = σ_1 … σ_f. Formally, for a sequence of nodes π = n_0 n_1 … n_f ∈ N* we have π ∈ Paths(G,τ) iff n_0 = nb, n_f = ne and (n_{i−1},n_i,(σ_i,1)) ∈ E for every 0 < i ≤ f.
Below we establish a property of an r-reversal bounded run ρ = γ_0 … γ_f of 𝒯(ℳ,m,𝒢^k) and a trace τ that is compatible with ρ. Namely, for each machine i ∈ {1,…,m} the corresponding subsequence τ_i of τ can be split into at most r+1 segments, such that each of those segments can be embedded in a trace labelling a simple path from nb to ne or from ne to nb. This is formalized in the following proposition, which easily follows from the properties of series-parallel graphs.
Proposition 3. Let ρ be an r-reversal bounded run of 𝒯(ℳ,m,𝒢^k) and τ be a trace that is compatible with ρ. Let π_i be the sequence of nodes visited in ρ by machine i ∈ {1,…,m}, in the order they occur in ρ, let τ_i be the corresponding subsequence of τ, and r_i ≤ r be the number of reversals of machine i in ρ. Then, for each i ∈ {1,…,m} and each h ∈ {1,…,r+1} there exist traces τ_{i,h}, τ′_{i,h}, τ′′_{i,h}, τ′′′_{i,h} ∈ Σ* and sequences of nodes π_{i,h}, π′_{i,h}, π′′_{i,h}, π′′′_{i,h} ∈ N* such that the following conditions are satisfied:
• π_{i,h} ∈ Paths(G,τ_{i,h}), τ_{i,h} = τ′_{i,h} · τ′′_{i,h} · τ′′′_{i,h}, and π_{i,h} = π′_{i,h} · π′′_{i,h} · π′′′_{i,h};
• for each i ∈ {1,…,m} there exist indices 0 = j_0 < j_1 < … < j_{r_i+1} = |π_i|−1 such that:
– if 1 ≤ h ≤ r_i+1 and h is odd, then τ_i[j_{h−1}+1, j_h] = τ′′_{i,h} and π_i[j_{h−1}, j_h] = π′′_{i,h};
– if 1 ≤ h ≤ r_i+1 and h is even, then τ_i[j_{h−1}+1, j_h] = (τ′′_{i,h})^{−1} and π_i[j_{h−1}, j_h] = (π′′_{i,h})^{−1}.
Proposition 2 allows us to restrict our reasoning to r-reversal bounded runs with at most (r·m + k·m·(r+1) + 1)·(m+1) blocks. Proposition 3 allows us to reduce from reasoning about graphs derived by 𝒢^k to reasoning about (r+1)-tuples of traces in such graphs. Based on these results, we define the two parameters p = (r·m + k·m·(r+1) + 1)·(m+1) and t = r̃·m, where r̃ = r+1.
4 Automata-theoretic Algorithm
In this section we present an automata-theoretic algorithm for solving the reversal- and register-bounded
verification problem. Before we give an overview of our algorithm and outline the automata constructions
it comprises, we recall some basic definitions from automata theory.
4.1 Preliminaries
A 2-way nondeterministic finite automaton (2NFA) is a tuple A = (Q,q0,Σ,δ ,A), where Q is a finite
set of states, q0 ∈ Q is the initial state, Σ is a finite alphabet, δ ⊆ Q×Σ×Q×{−1,1} is the transition
relation and A ⊆ Q is a set of accepting states. A is deterministic iff δ is a function from Q× Σ to
Q×{−1,1}. A is a 1-way NFA (NFA) iff d = 1 for each (q,σ ,q′,d) ∈ δ .
For q,q′ ∈ Q, w′,w′′,w′′′,w′′′′ ∈ Σ∗, σ ∈ Σ and σ ′ ∈ Σ∪{ε}, let 〈q,w′,σ ,w′′〉 ⇒A 〈q′,w′′′,σ ′,w′′′′〉
iff (q,σ ,q′,d) ∈ δ and (1) if d = 1, then w′′′ = w′.σ , w′′ = σ ′.w′′′′, either σ ′ ∈ Σ or σ ′ = ε and w′′′′ = ε
and (2) if d =−1, then w′′′′ = σ .w′′, w′ = w′′′.σ ′, either σ ′ ∈ Σ or σ ′ = ε and w′′′ = ε .
If A is an NFA, we define δ (q,w) for w ∈ Σ∗ in the obvious way.
Let ⊢ ∈ Σ and ⊣ ∈ Σ, where ⊢ ≠ ⊣, be designated symbols and w ∈ (Σ \ {⊢,⊣})*.
If 𝒜 is a 2NFA, then w ∈ ℒ(𝒜) iff ⟨q0,ε,⊢,w⊣⟩ ⇒*_𝒜 ⟨q,⊢w⊣,ε,ε⟩ or ⟨q0,ε,⊢,w⊣⟩ ⇒*_𝒜 ⟨q,ε,ε,⊢w⊣⟩ for some q ∈ A. If 𝒜 is an NFA, then w ∈ ℒ(𝒜) iff δ(q0,⊢w⊣) ∩ A ≠ ∅.
A push-down automaton (PDA) is a tuple 𝒫 = (Q,q0,Σ,∆,⊥,δ), where Q is a finite set of states, q0 ∈ Q is the initial state, Σ is a finite input alphabet, ∆ is a finite stack alphabet, ⊥ is the start symbol and δ ⊆ Q × (Σ∪{ε}) × ∆ × Q × ∆* is the transition relation. For q,q′ ∈ Q, σ ∈ Σ∪{ε}, w ∈ Σ*, a ∈ ∆, α,β ∈ ∆* we define ⟨q,σ.w,a.α⟩ ⇒_𝒫 ⟨q′,w,β.α⟩ iff (q,σ,a,q′,β) ∈ δ.
For a PDA 𝒫, w ∈ ℒ(𝒫) iff ⟨q0,⊢w⊣,⊥⟩ ⇒*_𝒫 ⟨q,ε,⊥⟩.
4.2 Overview of the algorithm
We now outline the construction of a PDA A , which we use in order to reduce the reversal- and register-
bounded verification problem to checking emptiness of a PDA. We begin by describing the input of the
automata involved in the construction and then proceed to give an overview of the construction followed
by a formal definition of the input alphabets of these automata.
The automaton 𝒜 reads words that consist of traces in Σ*. In order to reflect sufficient information about the corresponding nodes and registers in the underlying graph, these traces are annotated as follows. First, since graphs derived by 𝒢^k contain at most k registers, we assume these registers to have unique identifiers from the set {1,…,k}. Thus, a triple (σ,j1,j2) ∈ Σ×{0,…,k}×{0,…,k} consists of an edge label σ and the identifiers of the registers at the source and target node of the edge, where 0 indicates no register at the respective node. We add additional annotation to reflect which nodes are shared in the corresponding paths, that is, positions where paths in the series-parallel graph branch off or join.
The automaton 𝒜 reads such annotated traces and checks the existence of a run by emulating the behaviour of the machines on these traces by guessing an execution for each of them. An execution of ℳ = (Q,q0,Σ,δ) is a sequence ξ = q_0,(σ_1,b_1,b′_1),q_1,…,(σ_f,b_f,b′_f),q_f such that (q_{l−1},(σ_l,d_l),b_l,q_l,b′_l) ∈ δ for some d_l ∈ {1,−1}. In addition to verifying that each guess is indeed an execution, 𝒜 needs to also check that the values written to and read from the shared registers by different machines are consistent.
Formally, an annotated trace and executions of the machines define a read-write sequence η = (j_1,b_1,b′_1),…,(j_f,b_f,b′_f) ∈ ({0,…,k}×B×B)*, where, intuitively, j_i is the location that is read and/or written. Such a read-write sequence η is valid w.r.t. an initial register valuation β_0 : {1,…,k} → B iff each read operation reads the value written by the most recent write operation, or the initial value from β_0 if it is not overwritten, that is, for i ∈ {1,…,f} with j_i > 0 it holds that if there is i′ < i such that j_{i′} = j_i, then b_i = b′_{i′} for the largest such i′, and otherwise b_i = β_0(j_i).
Thus, the automaton A accepts tuples of traces in some graph derived by G k, annotated with infor-
mation about registers and about nodes shared by the corresponding paths in the graph. A also guesses
an execution for each of the m machines. The PDA A is constructed as the intersection of a PDA Pt
and an NFA Ae (Section 4.3). Pt checks that its input word encodes a tuple of traces in some graph
derived by G k and that these are correctly annotated with information about registers and the nodes that
are shared among the paths corresponding to these traces. The NFA Ae guesses and verifies the exe-
cutions of the machines. It is obtained as the intersection of m+ 2 NFAs: m NFAs Ai, one for each
i ∈ {1, . . . ,m}, an NFA Ac and an NFA As. The NFA Ai verifies that the guess of an execution of ma-
chine i ∈ {1, . . . ,m} is correct. We describe the construction of Ai as a 2NFA (Section 4.4) which is then
converted to an NFA using standard techniques [12]. Automaton Ac checks the validity of the read-write
sequence corresponding to the annotated traces and the guessed executions (Section 4.5). Automaton As
(Section 4.6) checks that a configuration in F is reached. The reversal- and register-bounded verification
problem thus reduces to checking emptiness of the language of the constructed automaton A .
According to Section 3, it suffices to reason about $t = m \cdot (r+1)$ traces in graphs derived by $G_k$. To this end, we define the trace alphabet
$$\Sigma_t = \big((\Sigma \,\dot\cup\, \{\flat\}) \times \{0, \ldots, k\}^2 \times \{1, \ldots, t\}\big)^t \;\dot\cup\; \{1, \ldots, t\}^t.$$
Words over $\Sigma_t$ are tuples of $t$ traces in some graph $G$, annotated with additional information. Each letter in $\Sigma_t$ contains one row for each of the $m$ machines and each of the $\tilde r = r+1$ paths corresponding to it. There are two types of letters. Each row in a letter of the first type consists of a letter in $\Sigma$ (or the special symbol $\flat$) together with two register identifiers in $\{0, \ldots, k\}$ and a path index in $\{1, \ldots, t\}$. The letters of the second type are $t$-tuples of path indices in $\{1, \ldots, t\}$, where equal indices indicate paths sharing a node.
The execution alphabet $\Sigma_e = (\{0, \ldots, p\} \times \mathbb{B} \times \mathbb{B} \times Q \times \{1, \ldots, t\})^t$ is used to describe tuples of executions, one for each of the $m$ machines. Each letter contains $\tilde r = r+1$ rows for each machine, one for each of its paths. Each row in the letter consists of a block number in $\{0, \ldots, p\}$, two register values (one for the read and one for the write operations), a successor state and an index of a row in an associated trace word (word in $\Sigma_t^*$). Let $\tilde\Sigma = \Sigma_t \times \Sigma_e$ be the product of the trace and execution alphabets.
In what follows, if $\tilde\tau = \tilde\sigma_1 \ldots \tilde\sigma_f \in \Sigma_t^*$, then $\tilde\sigma_j = (\tilde\sigma_{1,j}, \ldots, \tilde\sigma_{t,j})$ denotes the elements of the $j$-th letter of the word $\tilde\tau$ for $j \in \{1, \ldots, f\}$, and we use $\tilde\tau_i = \tilde\sigma_{i,1} \ldots \tilde\sigma_{i,f}$ to denote the $i$-th row of $\tilde\tau$ for $i \in \{1, \ldots, t\}$. Similarly, if $\tilde\tau = \tilde\sigma_1 \ldots \tilde\sigma_f \in \tilde\Sigma^*$, the $j$-th letter is $\tilde\sigma_j = (\tilde\sigma_{1,j}, \ldots, \tilde\sigma_{t,j}, \tilde\eta_{1,1,j}, \ldots, \tilde\eta_{1,\tilde r,j}, \ldots, \tilde\eta_{m,1,j}, \ldots, \tilde\eta_{m,\tilde r,j})$, for $j \in \{1, \ldots, f\}$, and the $i$-th row is $\tilde\tau_i = \tilde\sigma_{i,1} \ldots \tilde\sigma_{i,f}$, for $i \in \{1, \ldots, t\}$. For $n \in \{1, \ldots, m\}$, $h \in \{1, \ldots, \tilde r\}$ and $j \in \{1, \ldots, f\}$, the corresponding letter from $\Sigma_e$ is denoted $\tilde\eta_{n,h,j} = (p_{n,h,j}, b_{n,h,j}, b'_{n,h,j}, q'_{n,h,j}, t_{n,h,j})$.
In the remainder of this section we present the intuition behind the automata constructions and their
properties.
4.3 PDA accepting traces in a graph
The PDA $P_t$ is the intersection of a PDA $P$ obtained from $G_k$, where $G = (V, \Sigma, R, G_0)$ is an SPGG, and an NFA $A_r$ that checks that register identifiers are correctly placed.
The construction of $P = (Q_p, q_{0p}, \Sigma_t \,\dot\cup\, \{\vdash, \dashv\}, \Sigma_t \,\dot\cup\, \{\vdash, \dashv\} \,\dot\cup\, \tilde V \,\dot\cup\, \{\bot\}, \bot, \delta_p)$ resembles the classical construction of a PDA from a CFG. Here, instead of the words generated by a CFG, the language $L(P)$ of $P$ consists of $t$-tuples of (annotated) traces in some graph generated by the grammar. The automaton has a stack alphabet $\Sigma_t \,\dot\cup\, \{\vdash, \dashv\} \,\dot\cup\, \tilde V \,\dot\cup\, \{\bot\}$, where $\tilde V$ consists of symbols corresponding to the variables in $G$. The transitions in $\delta_p$ can be grouped according to the top symbol on the stack: empty stack, top symbol $\tilde\sigma \in \Sigma_t \cup \{\vdash, \dashv\}$, and top symbol $\tilde v \in \tilde V$. Transitions for $\tilde v \in \tilde V$ correspond to the production rules of the SPGG $G$. For the series composition, $\delta_p$ employs the additional symbol $\flat$ to allow traces to be aligned in such a way that the letters in $\{1, \ldots, t\}^t$ reflect the information about nodes shared by the respective paths. For the parallel composition, $\delta_p$ guesses the symbols in whose generated subgraphs the corresponding traces occur, together with the number of traces in the subgraph generated by each symbol. The number of times a new branch is introduced is bounded by $t$, the number of parallel traces.
$P$ does not check that the register identifiers in the annotation are consistent among letters corresponding to edges in the graph that share a node, i.e., that letters corresponding to these edges have the same identifier for this node. This is done by the NFA $A_r = (Q_r, q_{0r}, \Sigma_t \,\dot\cup\, \{\vdash, \dashv\}, \delta_r, F_r)$, which also verifies that identifiers for different nodes are unique. To this end, each state $\tilde q$ of $A_r$ contains a path index $l_h \in \{1, \ldots, t\}$ and a register identifier $i_h \in \{0, \ldots, k\}$ for each row $\tilde\tau_h$ of $\tilde\tau$. $\delta_r$ checks that the letters in $\tilde\tau$ that correspond to edges incident with the same node agree on the corresponding register identifier. The path indices $l_h$ in $\tilde q$ are used to identify branching or joining paths and the register identifiers $i_h$ to check the required equalities. In the accepting states the equalities for the sink node of the graph must be satisfied. Additionally, $\delta_r$ verifies that the register identifiers in $\tilde\tau$ corresponding to different nodes are different.
The PDA $P_t$ has $L(P_t) = L(P) \cap L(A_r)$. The construction of $P$ and $A_r$ ensures that if $\tilde\tau \in L(P_t)$, then there exists $(G, \kappa) \in L_u(G_k)$ and for each $i \in \{1, \ldots, t\}$ there exists a sequence of nodes $\hat\pi_i$ in $G$ such that for each row $\tilde\tau_i$ of $\tilde\tau$ there exists a subsequence $\pi_i \in Paths(G, \tau_i)$ of $\hat\pi_i$ corresponding to the projection $\tau_i = \big(\tilde\tau_i|_{\Sigma \times \{0, \ldots, k\}^2 \times \{1, \ldots, t\}}\big)|_\Sigma$ of $\tilde\tau_i$ on $\Sigma$. Furthermore, these paths can be chosen such that edges corresponding to rows with the same path index connect the same pair of nodes. Additionally, the mapping $\kappa$ for the nodes on these paths agrees with the corresponding register identifiers in $\tilde\tau$.
Conversely, if $(G, \kappa) \in L_u(G_k)$ and for every $n \in \{1, \ldots, m\}$ and $h \in \{1, \ldots, \tilde r\}$ we are given a path $\pi_{n,h} \in Paths(G, \hat\tau_{n,h})$ for some trace $\hat\tau_{n,h} \in \Sigma^*$, then there exists a word $\tilde\tau \in L(P_t)$ which corresponds to these paths and traces. The word $\tilde\tau$ is obtained by ordering, extending and annotating the given traces.
4.4 2NFA accepting executions
We construct a 2NFA $\tilde A_n$ for each $n \in \{1, \ldots, m\}$ that checks that the sequence described by the rows of the word that correspond to $n$ is indeed an execution of $M$ that reads the corresponding rows of the trace word. Furthermore, $\tilde A_n$ verifies that the machine switches between traces described by different rows of the trace word only at positions at which the traces share a node in the corresponding paths.
Each state $\tilde q$ of $\tilde A_n = (\tilde Q_n, \tilde Q_{0n}, \tilde\Sigma \,\dot\cup\, \{\vdash, \dashv\}, \tilde\delta_n, \tilde Q_n)$ contains a state $q \in Q$ of $M$, which is the current state of the simulated machine, and an index $i \in \{1, \ldots, t\}$ in the trace word that is part of the input word. $\tilde\delta_n$ refers to the transition relation $\delta$ of $M$ to check the existence of a transition of $M$ that performs the read and write operations determined by the read letter of $\tilde\tau$. The state $q$ is updated according to $\delta$ and remains unchanged when the machine is inactive in the current part of the trace. The row of the trace word that is read in state $\tilde q$ is determined by $i$. The index $i$ can be changed by $\tilde\delta_n$ only if for the current letter we have $\tilde\sigma_{t_{n,h}} \in \{1, \ldots, t\}$ and $p_{n,h} > 0$, and for the new value $i'$ it must hold that $\sigma_{i'} = \sigma_i$. That is, the machine can switch between traces only at positions where the paths intersect. An additional component of $\tilde q$ is used to check that block number 0 in $\tilde\tau$ is used to correctly encode the reversals of the machine (which do not have to be at the start or sink nodes of the graph). All states are accepting.
Then, $\tilde\tau \in L(\tilde A_n)$ iff by taking the elements of $\tilde\tau$ corresponding to machine $n$ in the appropriate order we can construct an execution $\xi_n$, formally defined as follows. For each $h \in \{1, \ldots, \tilde r\}$ and $l \in \{1, \ldots, f\}$, if $\tilde\sigma_{t_{n,h,l},l} = (\sigma, c, j_1, j_2) \in \Sigma \times \{1, \ldots, t\} \times \{0, \ldots, k\}^2$ and $p_{n,h,l} > 0$, then, if $h$ is odd, $\hat\xi_{n,h,l} = (\sigma, b_{n,h,l}, b'_{n,h,l}) \cdot q'_{n,h,l}$, and if $h$ is even, $\hat\xi_{n,h,l} = q'_{n,h,l} \cdot (\sigma, b_{n,h,l}, b'_{n,h,l})$. Otherwise, $\hat\xi_{n,h,l} = \varepsilon$. Then $\hat\xi_{n,h} = \hat\xi_{n,h,1} \cdot \ldots \cdot \hat\xi_{n,h,f}$ if $h$ is odd, and $\hat\xi_{n,h} = \hat\xi_{n,h,f} \cdot \ldots \cdot \hat\xi_{n,h,1}$ otherwise. Finally, $\xi_n = q_0 \cdot \hat\xi_{n,1} \cdot \ldots \cdot \hat\xi_{n,\tilde r}$.
4.5 2NFA accepting valid read-write sequences
Here we describe a 2NFA $\tilde A_c$ that checks that the executions of the different machines described by the input word are compatible with each other. That is, that the read and write operations of different machines match when executed in the order determined by the input word, where each operation is labelled with a block number. $\tilde A_c$ verifies that each block number is used in a single execution and that for each execution the sequence of positive block numbers is nondecreasing. To check the validity of the corresponding read-write sequence w.r.t. the initial register values, $\tilde A_c$ tracks the register values at the end and at the beginning of each block and compares the values at the beginning of block $i+1$ with those at the end of block $i$. An assumption is a partial function $A : \{1, \ldots, p\} \to \mathbb{B}^k$ that maps a block number to a valuation of the registers, representing the obligation to verify that at the beginning of a block the registers have the respective values. Similarly, a guarantee is a function $G : \{1, \ldots, p\} \to \mathbb{B}^k$ used to propagate the guarantee that at the end of a block the registers have a certain value.
Each state of the automaton $\tilde A_c = (\tilde Q_c, \tilde q_{0c}, \tilde\Sigma \,\dot\cup\, \{\vdash, \dashv\}, \tilde\delta_c, \tilde F_c)$ contains a block number $p_n$ and a valuation of the registers $\beta_n$ for each machine $n$, a set $P$ of already seen block numbers, an assumption $A$ and a guarantee $G$. The transition relation $\tilde\delta_c$ checks that all read operations of machine $n$ except those at the beginning of a block read the value stored in $\beta_n$. At the beginning of a block of machine $n$, $\tilde\delta_c$ guesses a valuation of the registers for the read operations and stores it in $\beta_n$. The new block number and the guess are added to the assumption $A$. The values of its write operations are used to update $\beta_n$ and, at the end of a block, the respective guarantee is added to $G$. $\tilde\delta_c$ discharges assumptions in $A$ for which the respective guarantees are in $G$. In an accepting state the assumption $A$ should be empty and the set $P$ of all block numbers in $\tilde\tau$ should contain all block numbers smaller than or equal to the maximal one.
By construction, in each word $\tilde\tau \in L(\tilde A_c)$ each block number is assigned to at most one machine and for each machine the sequence of positive block numbers is nondecreasing. All such words $\tilde\tau$ are accepted by $\tilde A_c$ iff the read-write sequence, constructed by ordering elements of $\tilde\tau$ according to block number while preserving the order for each individual machine, is valid w.r.t. the initial register contents.
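The validity condition on read-write sequences from Section 4.2 and the block-number checks of this section can be written out directly. The following Python code (an added example, not the paper's construction; the function names and the two-machine sample are constructed here) merges per-machine operations by block number while keeping each machine's own order, enforces that every positive block number has a single owner, that block numbers are nondecreasing per machine and that no block number is skipped, and then checks the merged sequence against the most-recent-write rule w.r.t. $\beta_0$.

```python
def read_write_valid(eta, beta0):
    """η = [(j1,b1,b1'), ...] is valid w.r.t. β0 iff every read b_i at register
    j_i > 0 equals the value b'_{i'} of the most recent earlier operation on j_i,
    or β0(j_i) if there is none. j_i = 0 means no register at that node."""
    current = dict(beta0)          # latest value of every register
    for (j, b, b_w) in eta:
        if j == 0:
            continue
        if current[j] != b:
            return False           # stale or inconsistent read
        current[j] = b_w           # this operation's write now shadows β0
    return True


def merge_by_block(ops):
    """ops[n] is machine n's operation list [(block, j, b, b'), ...] in program
    order. Enforces the structural checks of Section 4.5: every positive block
    number belongs to exactly one machine, each machine's positive block numbers
    are nondecreasing, and the block numbers used form {1, ..., p}. Returns the
    read-write sequence ordered by block number (per-machine order kept), or
    None if a check fails. Entries with block number 0 carry no operation."""
    owner = {}
    for n, seq in enumerate(ops):
        last = 0
        for (blk, _j, _b, _w) in seq:
            if blk <= 0:
                continue
            if blk < last or owner.setdefault(blk, n) != n:
                return None
            last = blk
    if owner and set(owner) != set(range(1, max(owner) + 1)):
        return None
    tagged = [(blk, pos, (j, b, w))
              for seq in ops for pos, (blk, j, b, w) in enumerate(seq) if blk > 0]
    # a block has a single owner, so ordering by position inside a block keeps
    # that machine's own order
    tagged.sort(key=lambda x: (x[0], x[1]))
    return [op for (_blk, _pos, op) in tagged]


def compatible(ops, beta0):
    """Executions are compatible iff the merged read-write sequence exists and is valid."""
    eta = merge_by_block(ops)
    return eta is not None and read_write_valid(eta, beta0)


# Constructed sample: k = 2 registers, both initially 0, and two machines.
BETA0 = {1: 0, 2: 0}
GOOD = [
    [(1, 1, 0, 1), (3, 1, 0, 0)],   # machine 0: block 1 writes r1 := 1, block 3 expects r1 = 0
    [(2, 1, 1, 0), (2, 2, 0, 1)],   # machine 1: block 2 reads r1 = 1, writes r1 := 0 and r2 := 1
]
BAD_READ = [
    [(1, 1, 0, 1), (3, 1, 0, 0)],
    [(2, 1, 0, 0), (2, 2, 0, 1)],   # block 2 reads r1 = 0, but block 1 wrote 1
]
GAP = [[(1, 1, 0, 1), (3, 1, 1, 0)]]  # block 2 is missing
SHARED_BLOCK = [[(1, 1, 0, 0)], [(1, 2, 0, 0)]]  # block 1 used by two machines
```

The merge is the word-level counterpart of the assumption/guarantee bookkeeping: the value that $\tilde A_c$ guesses at the start of a block and later discharges against a guarantee is exactly the value `current[j]` carries across the block boundary here.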
4.6 NFA checking configuration properties
The NFA $A_s = (\tilde Q_s, \tilde q_{0s}, \tilde\Sigma \,\dot\cup\, \{\vdash, \dashv\}, \tilde\delta_s, \tilde F_s)$ checks that in some run in $T(M, m, G_k)$ corresponding to the input word, a configuration that satisfies the given configuration property F = ∃n. S µ(n) is reached.
Since the configuration property $F$ asserts the existence of a node in the graph of a configuration, such configurations can potentially be detected by inspecting (at most) two consecutive letters in the word. The information relevant for the satisfaction of a configuration property consists of the block number and successor state components of the letters of the execution word and the letters of the trace word. Thus, we define the set $C = \{1, \ldots, p\}^t \times (Q \cup \{\bot\})^t \times \Sigma_t$ and consider pairs of elements of $C$.
Let
$$c^0 = (p^0_{1,1}, \ldots, p^0_{m,\tilde r},\; q^0_{1,1}, \ldots, q^0_{m,\tilde r},\; \tilde\sigma^0_{1,1}, \ldots, \tilde\sigma^0_{m,\tilde r}), \qquad c^\bot = (p^\bot_{1,1}, \ldots, p^\bot_{m,\tilde r},\; q^\bot_{1,1}, \ldots, q^\bot_{m,\tilde r},\; \tilde\sigma^\bot_{1,1}, \ldots, \tilde\sigma^\bot_{m,\tilde r}),$$
where for $n \in \{1, \ldots, m\}$ and $h \in \{1, \ldots, \tilde r\}$, $p^0_{n,h} = p^\bot_{n,h} = 0$, $q^0_{n,h} = q_0$, $q^\bot_{n,h} = \bot$, $\tilde\sigma^0_{n,h} = \tilde\sigma^\bot_{n,h} = (\flat, 1, 0, 0)$.
Let us consider two elements of the set $C$:
$$c' = (p'_{1,1}, \ldots, p'_{m,\tilde r},\; q'_{1,1}, \ldots, q'_{m,\tilde r},\; \tilde\sigma'_{1,1}, \ldots, \tilde\sigma'_{m,\tilde r}) \in C \quad\text{and}\quad c'' = (p''_{1,1}, \ldots, p''_{m,\tilde r},\; q''_{1,1}, \ldots, q''_{m,\tilde r},\; \tilde\sigma''_{1,1}, \ldots, \tilde\sigma''_{m,\tilde r}) \in C.$$
We say that the pair $(c', c'')$ occurs in $\tilde\tau = \tilde\sigma_1 \ldots \tilde\sigma_f \in \tilde\Sigma^*$ iff there exists a sequence of consecutive letters in $\tilde\tau$ such that those of $c'$ and $c''$ that are not equal to $c^0$ and $c^\bot$ match these letters of $\tilde\tau$ in the same order. Formally, $(c', c'')$ occurs in $\tilde\tau$ iff one of the following conditions is satisfied.
(1) $c' = c^0$, and $p''_{n,h} = p_{n,h,1}$, $q''_{n,h} = q_{n,h,1}$ and $\tilde\sigma''_{n,h} = \tilde\sigma_{t_{n,h,1},1}$ ($c''$ matches $\tilde\sigma_1$).
(2) $c'' = c^\bot$, and $p'_{n,h} = p_{n,h,f}$, $q'_{n,h} = q_{n,h,f}$ and $\tilde\sigma'_{n,h} = \tilde\sigma_{t_{n,h,f},f}$ ($c'$ matches $\tilde\sigma_f$).
(3) There exists $1 < l \le f$ such that
– $p'_{n,h} = p_{n,h,l-1}$, $q'_{n,h} = q_{n,h,l-1}$ and $\tilde\sigma'_{n,h} = \tilde\sigma_{t_{n,h,l-1},l-1}$ ($c'$ matches $\tilde\sigma_{l-1}$),
– $p''_{n,h} = p_{n,h,l}$, $q''_{n,h} = q_{n,h,l}$ and $\tilde\sigma''_{n,h} = \tilde\sigma_{t_{n,h,l},l}$ ($c''$ matches $\tilde\sigma_l$).
Consider a configuration $\gamma \in \Gamma$ of a run $\rho$ that satisfies the configuration property $F$. This means that there exists an edge $e \in E$ such that one of the nodes $src(e)$ and $trg(e)$ makes the property true. Furthermore, there exists a set of machines involved in the satisfaction of the property in $\gamma$. Among these machines, we distinguish between the one that executed the last transition in $\rho$ leading to this configuration and the remaining machines. By the definition of runs of $T(M, m, G_k)$, the current node and states of these remaining machines should be reached at the end of one of their execution blocks. We define a predicate about pairs of elements of $C$, sets of machines and corresponding positions in their executions (i.e., rows in the respective letter of the execution word). The automaton $A_s$ will use this predicate to identify letters of the word that may encode configurations satisfying the configuration property $F$.
Let $S \in \mathcal{M}(Q)$, $M \subseteq \{1, \ldots, m\}$ and $f_M : M \to \{1, \ldots, \tilde r\}$. For each $n \in M$, let $f_n = f_M(n)$ and, if $f_n$ is odd, $p_n = p'_{n,f_n}$, $q_n = q'_{n,f_n}$ and $\sigma_n = \tilde\sigma'_{n,f_n}$, and if $f_n$ is even, $p_n = p''_{n,f_n}$, $q_n = q''_{n,f_n}$ and $\sigma_n = \tilde\sigma''_{n,f_n}$. Let $n_0 \in M$ be such that for each $n \in M$ it holds that $p_n \le p_{n_0}$. We define $p_n(c', c'', M, f_M) = p_n$ for each $n \in M$ and $n_0(c', c'', M, f_M) = n_0$.
The node predicate $NodeProperty(S, c', c'', M, f_M)$ is true iff the conditions listed below hold.
• $S = [q_n \mid n \in M]$ and for each $n \in M \setminus \{n_0\}$, $p_n < p_{n_0}$ and $p'_{n,f_n} \ne p''_{n,f_n}$.
• One of the following requirements is satisfied:
– $\sigma'_{n_0} \in \{1, \ldots, t\}$ and $\sigma'_n = \sigma'_{n_0}$ for each $n \in M$.
– $\sigma'_{n_0} = (\sigma_0, l_0, j_0, j'_0) \in \Sigma \times \{1, \ldots, t\} \times \{0, \ldots, k\}^2$ and for each $n \in M$ there exist $\sigma \in \Sigma$, $j, j' \in \{0, \ldots, k\}$ such that $\sigma'_n = (\sigma, l_0, j, j')$.
– $\sigma''_{n_0} \in \{1, \ldots, t\}$ and $\sigma''_n = \sigma''_{n_0}$ for each $n \in M$.
– $\sigma''_{n_0} = (\sigma_0, l_0, j_0, j'_0) \in \Sigma \times \{1, \ldots, t\} \times \{0, \ldots, k\}^2$ and for each $n \in M$ there exist $\sigma \in \Sigma$, $j, j' \in \{0, \ldots, k\}$ such that $\sigma''_n = (\sigma, l_0, j, j')$.
In order to evaluate the above predicates on positions of the input word $\tilde\tau$, the NFA $A_s$ stores in its state an element $c'$ of $C$. The current letter of the input word determines an element $c''$ of $C$, and $A_s$ evaluates the node predicate on the pair $(c', c'')$. In order to verify that some run corresponding to $\tilde\tau$ contains a configuration satisfying the configuration property $F$, $A_s$ must detect all pairs on which the predicate $NodeProperty$ holds true, that is, the pairs that might encode a final configuration. $A_s$ must then verify that some of these pairs actually fulfils a global condition on $\tilde\tau$, namely that for all the involved machines the currently executed block number is the last one. (We can, w.l.o.g., restrict to runs where only the last configuration can be final.)
A state $\tilde q$ of $A_s$ contains an element $c'$ of $C$, a boolean value $final \in \mathbb{B}$, and for each machine $n$ it contains components $P_n \in 2^{\{1, \ldots, p\}}$ and $p_n \in \{0, \ldots, p\}$. The set $P_n$ consists of the already seen block numbers for $n$. If the current letter defines $c \in C$ such that $NodeProperty(S, c', c, M, f_M)$ holds true for some $M \subseteq \{1, \ldots, m\}$ and some function $f_M$, then $final$ can be set to 1 if it is 0, and the current block number of machine $n$ for each $n \in M$ can be stored in $p_n$, in order to verify later that a final configuration is indeed reached (by checking that $p_n$ is the maximal block number for $n$). Based on the currently read letter of $\tilde\tau$, the transition relation $\tilde\delta_s$ updates the component $c'$ of the state. The accepting state $\tilde q_{fs}$ can be entered after reading $\dashv$ if $final = 1$ and if $p_n$ is the maximal block number for machine $n$ for each $n$.
The construction of $A_s$ ensures that $\tilde\tau \in L(A_s)$ iff there exists a pair $(c', c'')$ occurring in $\tilde\tau$ encoding a configuration that satisfies the given configuration property $F$.
4.7 Correctness of the algorithm
Let $A_1, \ldots, A_m$ be NFAs obtained respectively from $\tilde A_1, \ldots, \tilde A_m$ such that for each $i \in \{1, \ldots, m\}$, $L(A_i) = L(\tilde A_i)$. Let $A_c$ be an NFA constructed from $\tilde A_c$ such that $L(A_c) = L(\tilde A_c)$. We then construct the NFA $A_e$ by intersecting $A_1, \ldots, A_m$, $A_c$ and $A_s$ and projecting the result on $\Sigma_t$, i.e.,
$$L(A_e) = \Big(\bigcap_{i=1}^m L(A_i) \cap L(A_c) \cap L(A_s)\Big)\Big|_{\Sigma_t}.$$
The PDA $A$ is the intersection of $P_t$ and $A_e$.
Theorem 2. $L(A) \ne \emptyset$ iff there exists an $r$-reversal bounded run $\rho = \gamma_0 \ldots \gamma_f$ in $T(M, m, G_k)$ such that $\gamma_i \models F$ for some $0 \le i \le f$, i.e., a run that reaches a configuration satisfying $F$.
5 Conclusion
In this paper we define and study a class of concurrent finite-state automata traversing series-parallel
graphs and communicating through shared finite registers located at the nodes of the graph. We con-
sidered a model in which a fixed number of finite-state machines traverse the nodes of a series-parallel
graph. The series-parallel graphs are generated by a graph grammar, and as we do not impose an a priori
bound on the size of the graphs, the resulting system is infinite-state. Since the emptiness problem for
this model is in general undecidable, we consider a natural restriction by putting bounds on the num-
ber of reversals along the computation and the number of shared registers in the graph. With these two
restrictions, we show that the emptiness problem is decidable and can be reduced to PDA emptiness.
As we noted in Section 2.4, our decidability result holds for a more general model of communication
between the machines, in which either read or write (but not both) operations on registers can be non-
local, that is, access a register that is not at the node where the machine is currently located. Another
possible extension that we omitted for simplicity concerns the language of configuration properties.
While here we consider properties that quantify over individual nodes in the graph, we can, in principle,
extend the construction described in Section 4.6 to handle configuration properties asserting the existence
of edges with certain labels, or a fixed number of adjacent nodes and edges.
Interesting directions for future work include establishing the complexity of the bounded emptiness
problem for our model, as well as studying different extensions. One possibility is to allow parametriza-
tion in the number of concurrent machines, another is to consider other classes of context-free GTSs.
For example, using the techniques from [16] one can try to extend our results to a more general class of
graphs of bounded tree width.
Acknowledgements. We thank the anonymous reviewers for their helpful and insightful comments.
References
[1] Parosh Aziz Abdulla, Bengt Jonsson, Marcus Nilsson & Mayank Saksena (2004): A Survey of Regular Model Checking. In Philippa Gardner & Nobuko Yoshida, editors: CONCUR 2004 - Concurrency Theory, 15th International Conference, London, UK, August 31 - September 3, 2004, Proceedings, Lecture Notes in Computer Science 3170, Springer, pp. 35–48, doi:10.1007/978-3-540-28644-8_3.
[2] Paolo Baldan, Andrea Corradini & Barbara König (2001): A Static Analysis Technique for Graph Transformation Systems. In: Proc. CONCUR'01, LNCS 2154, Springer, pp. 381–395, doi:10.1007/3-540-44685-0_26.
[3] Paolo Baldan, Andrea Corradini, Barbara König & Alberto Lluch-Lafuente (2006): A Temporal Graph Logic for Verification of Graph Transformation Systems. In: WADT, LNCS 4409, Springer, pp. 1–20, doi:10.1007/978-3-540-71998-4_1.
[4] Nathalie Bertrand, Giorgio Delzanno, Barbara König, Arnaud Sangnier & Jan Stückrath (2012): On the Decidability Status of Reachability and Coverability in Graph Transformation Systems. In: RTA, LIPIcs 15, doi:10.4230/LIPIcs.RTA.2012.101.
[5] Bruno Courcelle & Joost Engelfriet (2012): Graph Structure and Monadic Second-Order Logic - A Language-Theoretic Approach. 138, Cambridge University Press, doi:10.1017/CBO9780511977619.
[6] Frank Drewes, Hans-Jörg Kreowski & Annegret Habel (1997): Hyperedge Replacement Graph Grammars. In: Handbook of Graph Grammars, World Scientific, pp. 95–162.
[7] J. Engelfriet & G. Rozenberg (1997): Node Replacement Graph Grammars. In Grzegorz Rozenberg, editor: Handbook of Graph Grammars and Computing by Graph Transformation, World Scientific Publishing Co., Inc., pp. 1–94, doi:10.1142/9789812384720_0001.
[8] J. Esparza, P. Ganty & R. Majumdar (2012): A Perfect Model for Bounded Verification. In: LICS 2012, IEEE Computer Society, pp. 285–294, doi:10.1109/LICS.2012.39.
[9] J. Esparza, P. Ganty & T. Poch (2014): Pattern-Based Verification for Multithreaded Programs. ACM Trans. Program. Lang. Syst. 36(3), pp. 9:1–9:29, doi:10.1145/2629644.
[10] E.M. Gurari & O.H. Ibarra (1981): The Complexity of Decision Problems for Finite-Turn Multicounter Machines. J. Comput. Syst. Sci. 22(2), pp. 220–229, doi:10.1016/0022-0000(81)90028-3.
[11] E.M. Gurari & O.H. Ibarra (1982): Two-Way Counter Machines and Diophantine Equations. J. ACM 29(3), pp. 863–873, doi:10.1109/SFCS.1981.52.
[12] John E. Hopcroft & Jeffrey D. Ullman (2000): Introduction to Automata Theory, Languages and Computation, Second Edition. Addison-Wesley.
[13] Oscar H. Ibarra (1978): Reversal-Bounded Multicounter Machines and Their Decision Problems. J. ACM 25(1), pp. 116–133, doi:10.1145/322047.322058.
[14] Oscar H. Ibarra (2014): Automata with Reversal-Bounded Counters: A Survey. In: DCFS 2014, Springer, pp. 5–22, doi:10.1007/978-3-319-09704-6_2.
[15] Barbara König & Vitali Kozioura (2006): Counterexample-Guided Abstraction Refinement for the Analysis of Graph Transformation Systems. In: TACAS, LNCS 3920, Springer, pp. 197–211, doi:10.1007/11691372_13.
[16] P. Madhusudan & Gennaro Parlato (2011): The tree width of auxiliary storage. In Thomas Ball & Mooly Sagiv, editors: Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26-28, 2011, ACM, pp. 283–294, doi:10.1145/1926385.1926419.
[17] M. O. Rabin & D. Scott (1959): Finite Automata and Their Decision Problems. IBM Journal of Research and Development 3(2), pp. 114–125, doi:10.1147/rd.32.0114.
[18] Arend Rensink (2008): Explicit State Model Checking for Graph Grammars. In: Concurrency, Graphs and Models, LNCS 5065, Springer, pp. 114–132, doi:10.1007/978-3-540-68679-8_8.
[19] Arnold L. Rosenberg (1965): On multi-head finite automata. In: 6th Annual Symposium on Switching Circuit Theory and Logical Design, IEEE Computer Society, pp. 221–228, doi:10.1109/FOCS.1965.19.
[20] M.Y. Vardi (2014): From Löwenheim to PSL and SVA. In: Language, Culture, Computation. Computing - Theory and Technology - Essays Dedicated to Yaacov Choueka on the Occasion of His 75th Birthday, Part I, Lecture Notes in Computer Science 8001, Springer, pp. 78–102, doi:10.1007/978-3-642-45321-2_5.
