Model Checking Temporal Properties of Recursive Probabilistic Programs

Probabilistic pushdown automata (pPDA) are a standard operational model for programming languages involving discrete random choices and recursive procedures. Temporal properties are useful for specifying the chronological order of events during program execution. Existing approaches for model checking pPDA against temporal properties have focused mostly on $\omega$-regular and LTL properties. In this paper, we give decidability and complexity results for the model checking problem of pPDA against $\omega$-visibly pushdown languages that can be described by specification logics such as CaRet. These logical formulae allow specifying properties that explicitly take into account the structured computations arising from procedural programs. For example, CaRet is able to match procedure calls with their corresponding future returns, and thus makes it possible to express fundamental program properties such as total and partial correctness.


Introduction
Probabilistic programs extend traditional programs with the ability to flip coins or, more generally, to sample values from probability distributions. These programs can be used to encode randomized algorithms and mechanisms in security [BKOB13] in a natural way. The interest in probabilistic programs has significantly increased in recent years. To a large extent, this is due to the search in AI for languages for Bayesian inference that are more expressive and succinct than probabilistic graphical models [GHNR14]. Probabilistic programs have many applications [vdMPYW18]. They are used in, among other areas, machine learning, systems biology, security, planning and control, quantum computing, and software-defined networks. Probabilistic variants of many programming languages exist.

Recursion. Procedural programs allow for the declaration of procedures - small independent code blocks - and the ability to call procedures from one another, possibly in a recursive fashion. Most common programming languages such as C, Python, or Java support procedures. It is thus not surprising that recursion is also present in many modern probabilistic programming languages (PPL) such as WebPPL [GS14] or Church [SG12]. In fact, there were numerous approaches to extend Bayesian networks with recursion even before PPL became popular [PK00, Jae01, CIRW11]. Randomized algorithms such as Hoare's quicksort with random pivot selection (see, e.g., [Kar91]) can be readily implemented using recursion. Finally, recursion in the form of branching processes is an important tool to model the reproduction of cells or molecules in systems biology [AK15].

Motivating example. This paper studies the automated verification of probabilistic pushdown automata (pPDA) [EKM04] as an explicit-state operational model of procedural probabilistic programs against temporal specifications. As a motivating example we consider a simple epidemiological model for the outbreak of an infectious disease in a large population where the number of susceptible
individuals can be assumed to be infinite. Our example model distinguishes young and elderly persons. Each affected individual infects a uniformly distributed number of others, with varying rates (expected values) according to the age groups (Figure 2). The fatality rate for infected elderly and young persons is 1% and 0%, respectively. Procedure infectElder() returns a Boolean in order to signal to its callers whether the infection has led to a fatality. Initially, we assume there is a single infected young person, i.e., the overall program is started by calling infectYoung(). It is an easy exercise to specify this model as a discrete probabilistic program with mutually recursive procedures (Figure 1). Note that this program can easily be extended to more realistic scenarios involving, e.g., more age or gender groups, hospitalization rates, etc.

The behavior of such recursive probabilistic programs can be naturally described by pPDA. Roughly, the local states of the procedures - the values of the variables in the procedure's scope and the position of the program counter - constitute both the state space and the stack alphabet of the automaton. Procedure calls correspond to push transitions in the pPDA in such a way that the program's procedure stack is simulated by the automaton's pushdown stack, i.e., the caller's current local state is saved on top of the stack. Accordingly, returning from a procedure corresponds to taking a pop transition in order to restore the local state of the caller. Returning a value can be handled similarly. Clearly, if the reachable local state spaces of the involved procedures are finite, then the resulting automaton will be finite as well. We refer to [ABE18] for more details.
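Figures 1 and 2 are not reproduced here, but the flavor of such a mutually recursive probabilistic program can be sketched in Python. All numerical parameters below (the offspring distributions and the share of young persons among new infections) are hypothetical stand-ins rather than the paper's actual rates; only the 1% elderly fatality rate is taken from the text:

```python
import random

# Hypothetical parameters (the rates from Figure 2 are not reproduced here):
P_YOUNG = 0.7          # probability that a newly infected person is young
ELDER_FATALITY = 0.01  # fatality rate for infected elderly persons (from the text)

def infect_elder() -> bool:
    """Returns True iff this infection, or any it causes, leads to a fatality."""
    f = random.random() < ELDER_FATALITY
    for _ in range(random.randint(0, 1)):  # uniform number of secondary infections
        f = (infect_young() if random.random() < P_YOUNG else infect_elder()) or f
    return f

def infect_young() -> bool:
    f = False
    for _ in range(random.randint(0, 1)):
        f = (infect_young() if random.random() < P_YOUNG else infect_elder()) or f
    return f

def estimate_fatality_probability(samples: int = 20_000) -> float:
    """Monte-Carlo estimate of P(at least one fatality), one young person at start."""
    random.seed(0)
    return sum(infect_young() for _ in range(samples)) / samples
```

The offspring distribution Uniform{0, 1} is chosen subcritical so that each simulated outbreak terminates quickly; the recursion structure mirrors the procedure stack that the pPDA encoding simulates.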
A number of natural questions such as "Will the virus eventually become extinct?" (termination probability) or "What is the expected number of fatalities?" (expected costs) are decidable for finite pPDA (see [BEKK13] for a survey). In this work, we focus on temporal properties, i.e., questions that involve reasoning about the chronological order of events during the epidemic. An example concerns chains of infection: For instance, we might ask "What is the probability that eventually a young person with only young persons in their chain of infection passes the virus on to an elderly person who then dies?"
On the level of the program in Figure 1, this corresponds to the probability of reaching a global program configuration where the call stack only contains infectYoung() invocations and, during execution of the current infectYoung(), the local variable f is eventually set to true. This requires reasoning about the nestings of calls and returns of a computation. In fact, in order to decide if f = true in the current procedure, we must "skip" over all calls within it and only consider their local return values. This requirement (and many others) can be naturally expressed in the logic CaRet [AEM04], an extension of LTL:

♢^g ( □^− p_Y ∧ p_Y ∧ ♢^a f )

Here, p_Y is an atomic proposition that holds at states which correspond to being in procedure infectYoung, and f indicates that f = true. Intuitively, the above formula states that eventually (outer ♢^g), the computation reaches a (global) state where only infectYoung is on the call stack and the current procedure is infectYoung as well (□^− p_Y ∧ p_Y), and moreover the local - aka abstract - path within the current procedure reaches a state where f is true (♢^a f). Such properties are in general context-free but not always regular and thus cannot be expressed in LTL [AEM04].
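Returning to the question "Will the virus eventually become extinct?": such termination/extinction probabilities are least solutions of polynomial equation systems [EKM04] and can be approximated by Kleene fixed-point iteration. The following minimal sketch uses a single-type branching process with an assumed offspring distribution Uniform{0, ..., 3} (not the paper's two-type model); its probability generating function f(x) = (1 + x + x^2 + x^3)/4 has least fixed point sqrt(2) - 1:

```python
from math import isclose, sqrt

def extinction_probability(offspring_pgf, iterations: int = 10_000) -> float:
    """Kleene iteration x_{n+1} = f(x_n) starting from 0 converges monotonically
    to the *least* fixed point of the pgf, which is the extinction probability."""
    x = 0.0
    for _ in range(iterations):
        x = offspring_pgf(x)
    return x

# Hypothetical offspring law: each individual infects Uniform{0,1,2,3} others.
pgf = lambda x: (1 + x + x**2 + x**3) / 4

p = extinction_probability(pgf)
# Least nonnegative root of x = (1+x+x^2+x^3)/4 is sqrt(2) - 1, about 0.4142
```

Since the mean offspring count is 1.5 > 1 the process is supercritical, so the extinction probability is strictly below 1; starting the iteration from 0 (rather than 1) is what selects the least solution.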
Contributions. The contribution of this paper is a solution to the following problem: Given a (finite) pPDA ∆ and an ω-visibly pushdown language (VPL) L in terms of either a CaRet formula or an automaton, determine the probability that a random trajectory of ∆ is in L.
The complexity results for the associated decision problems are summarized in Table 1. As is common in the literature, we consider the special case of qualitative, i.e., almost-sure, model checking separately. To the best of our knowledge, none of the problems in Table 1 was known to be decidable before. The work of [DBB12] proved decidability of model checking against deterministic Muller visibly pushdown automata (VPA), which capture a strict subset of the CaRet-definable languages [AM04]. The most important technical insight of this paper is that two existing (but independently developed) constructions from the literature can be combined to enable effective model checking of pPDA against ω-VPL: the deterministic stair-parity VPA introduced in [LMS04], and a certain finite Markov chain associated with a pPDA [EKM04]. We provide some more details in the next paragraph.

Figure 3: Chain of reductions used in this paper. ETR stands for existential theory of the reals, i.e., the existentially quantified fragment of the FO-theory over (R, +, ·, ≤).
Techniques and tools. We briefly outline our approach, which builds on a number of existing constructions and results from the literature. In order for the model checking problems to be decidable [DBB12], we need to impose a mild visibility restriction on ∆, yielding a probabilistic visibly pushdown automaton (pVPA). Just like several previous works on model checking pPDA against ω-regular specifications [EKM04, BKS05, KEM06], we follow an automata-based approach (see Figure 3). More specifically, we first translate φ into an equivalent non-deterministic Büchi VPA [AM04] A and then determinize it using a procedure introduced by Löding et al. [LMS04]. The resulting DVPA D uses a so-called stair-parity [LMS04] acceptance condition that is strictly more expressive than standard parity or Muller DVPA [AM04]. Stair-parity differs from usual parity in that it only considers certain positions - called steps [LMS04] - of an infinite word where the stack height never decreases again. We then construct a standard product ∆ × D. Here, the visibility conditions ensure that the automata synchronize their stack actions, yielding a product automaton that uses a single stack instead of two independent stacks, which would lead to undecidability [DBB12]. Finally, we are left with computing a stair-parity acceptance probability in the product. This is achieved by constructing a specific finite Markov chain associated with ∆ × D, called the step chain in this paper. Intuitively, the step chain "jumps" from one step of a run to the next, hence we only need to evaluate a standard parity condition on the step chain. The idea of step chains was introduced by Esparza et al. [EKM04] who used them to show decidability of the model checking problem against deterministic (non-pushdown) Büchi automata. For constructing the step chain, certain reachability probabilities in the given pPDA need to be computed. These probabilities are algebraic numbers (i.e., solutions of polynomial equations) that may be irrational in general. However, the relevant problems are still decidable via an encoding in the existential fragment of the FO-theory of the reals (ETR) [KEM06].
Related work. We have already mentioned various works on recursion in probabilistic graphical models and PPL as well as on verifying pPDA and the equivalent model of recursive Markov chains [EY09]. The analysis of these models focuses on reachability probabilities, ω-regular properties or (fragments of) probabilistic CTL, expected costs, and termination probabilities. The computation of termination probabilities in recursive Markov chains and variations thereof with non-determinism is supported by the software tool PReMo [WE07].
Our paper can be seen as a natural extension from checking pPDA against ω-regular properties to ω-visibly pushdown languages. In contrast to these algorithmic approaches, various deductive reasoning methods have been developed for recursive probabilistic programs.
Proof rules for recursion were first provided in [Jon90], and later extended to proof rules in a weakest-precondition reasoning style [MM01, OKKM16]. The authors of [OKKM16] also address the connection to pPDA and provide proof rules for expected run-time analysis. A mechanized method for proving properties of randomized algorithms, including recursive ones, for the Coq proof assistant is presented in [AP09]. The Coq approach is based on higher-order logic using a monadic interpretation of programs as probability distributions.

Conference version.
A preliminary version of this article was published at FoSSaCS 2022 [WGK22]. The present journal version extends the conference paper by the full proofs as well as further examples and explanations.
Paper structure. This paper is structured as follows. We review the basics of VPA and CaRet in Section 2. Section 3 introduces probabilistic visibly pushdown automata (pVPA).
The stair-parity DVPA model checking procedure is presented in Section 4, and the results for Büchi VPA and CaRet in Section 5. We conclude the paper in Section 6.

Visibly Pushdown Languages
In this section, we summarize some preliminary results on visibly pushdown languages and their corresponding automata models, and we recall the syntax and semantics of CaRet. We use the following notation for words. Given a non-empty alphabet Σ, let Σ^* be the set of all finite words (including the empty word ϵ), and let Σ^ω be the set of all infinite words over Σ. For i ≥ 0, the i-th symbol of a word w ∈ Σ^* ∪ Σ^ω is denoted w(i) if it exists. |w| denotes the length of w. For n ∈ N_0 we write Σ^n = {w ∈ Σ^* | |w| = n}. For sets of words A ⊆ Σ^* and B ⊆ Σ^* ∪ Σ^ω, the concatenation of all words from A with those from B is denoted A.B. We also use a.B and A.b as shorthands for {a}.B and A.{b}, respectively.

Visibly Pushdown Automata.
A finite alphabet Σ is called a pushdown alphabet if it is equipped with a partition Σ = Σ_call ⊎ Σ_int ⊎ Σ_ret into three - possibly empty - subsets of call, internal, and return symbols. A visibly pushdown automaton (VPA) over Σ is like a standard pushdown automaton with the additional syntactic restriction that reading a call, internal, or return symbol triggers a push, internal, or pop transition, respectively (an internal transition is one that does not change the stack height). Formally:

Definition 2.1 (VPA [AM04]). Let Σ be a pushdown alphabet. A visibly pushdown automaton (VPA) over Σ is a tuple A = (S, s_0, Γ, ⊥, δ, Σ) with S a finite set of states, s_0 ∈ S an initial state, Γ a finite stack alphabet, ⊥ ∈ Γ a special bottom-of-stack symbol, and δ = (δ_call, δ_int, δ_ret) a triple of relations such that

δ_call ⊆ (S × Σ_call) × (S × (Γ−⊥)), δ_int ⊆ (S × Σ_int) × S, δ_ret ⊆ (S × Σ_ret × Γ) × S.

We write s -a-> tZ, s -a-> t, and sZ -a-> t for elements of δ_call, δ_int, and δ_ret, respectively. △

The semantics of a VPA is defined as usual via configurations and runs. A configuration of VPA A is a tuple (s, γ) ∈ S × (Γ−⊥)*.⊥, written more succinctly as sγ in the sequel. Intuitively, being in configuration sγ means that the automaton is currently in state s and has the word γ on its stack. If sγ = sZγ′ for some Z ∈ Γ, then sZ is called the head of sγ. A bottom configuration is a configuration with head s⊥ for some s ∈ S. Let w ∈ Σ^ω be an infinite input word. An infinite sequence ρ = s_0γ_0, s_1γ_1, ... of configurations is called a run of A on w if s_0γ_0 = s_0⊥ and for all i ≥ 0, exactly one of the following cases applies for a = w(i):
• a ∈ Σ_call, s_i -a-> s_{i+1}Z is in δ_call, and γ_{i+1} = Zγ_i;
• a ∈ Σ_int, s_i -a-> s_{i+1} is in δ_int, and γ_{i+1} = γ_i;
• a ∈ Σ_ret, γ_i = Zγ′ with Z ≠ ⊥, s_iZ -a-> s_{i+1} is in δ_ret, and γ_{i+1} = γ′;
• a ∈ Σ_ret, γ_i = ⊥, s_i⊥ -a-> s_{i+1} is in δ_ret, and γ_{i+1} = ⊥.

In other words, if A reads a call (or internal) symbol a while being in configuration sγ and there exists a suitable call transition s -a-> tZ (or internal transition s -a-> t), then a run of A may evolve from configuration sγ to tZγ (or tγ, respectively). Similarly, if A reads a return symbol a in configuration sZγ where Z ≠ ⊥ and there is a transition sZ -a-> t, then a run can move from sZγ to tγ. Note that invoking a return transition in a bottom configuration s⊥ does not remove the topmost symbol ⊥ from the stack.
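To make the run rules concrete, here is a minimal interpreter for a deterministic VPA (all state and symbol names are illustrative, not from the paper). It applies the transition type dictated by the input symbol and implements the convention that the bottom symbol is never popped:

```python
# A tiny deterministic VPA interpreter over a pushdown alphabet.
# Alphabet partition and transitions are illustrative, not from the paper.
CALLS, INTERNALS, RETURNS = {"c"}, {"t"}, {"r"}

delta_call = {("s0", "c"): ("s0", "Z")}     # push transition
delta_int  = {("s0", "t"): ("s0",)}         # stack unchanged
delta_ret  = {("s0", "r", "Z"): ("s0",),    # pop Z
              ("s0", "r", "BOT"): ("s0",)}  # bottom symbol is never popped

def run(word, state="s0"):
    """Return the sequence of configurations (state, stack) along the run."""
    stack = ["BOT"]                         # bottom-of-stack symbol
    configs = [(state, tuple(stack))]
    for a in word:
        if a in CALLS:
            state, sym = delta_call[(state, a)]
            stack.append(sym)
        elif a in INTERNALS:
            (state,) = delta_int[(state, a)]
        else:                               # return symbol
            top = stack[-1]
            (state,) = delta_ret[(state, a, top)]
            if top != "BOT":                # BOT stays on the stack
                stack.pop()
        configs.append((state, tuple(stack)))
    return configs

configs = run("ctrr")
# stack heights along the run: 0, 1, 1, 0, 0  (the final 'r' hits BOT, pops nothing)
```

On the word "ctrr", the second return is taken in a bottom configuration, so the stack height stays at 0 instead of going negative, exactly as in the definition.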
A Büchi acceptance condition for A is a subset F ⊆ S. A VPA equipped with a Büchi condition is called a Büchi VPA. An infinite word w ∈ Σ^ω is accepted by a Büchi VPA if there exists a run s_0γ_0, s_1γ_1, ... of A on w such that s_i ∈ F for infinitely many i ≥ 0. The ω-language of words accepted by a Büchi VPA A is denoted L(A) ⊆ Σ^ω.

Definition 2.2 (ω-VPL [AM04]). Let Σ be a pushdown alphabet. L ⊆ Σ^ω is an ω-visibly pushdown language (ω-VPL) if L = L(A) for a Büchi VPA A over Σ. △

A VPA is deterministic (DVPA) if the relations δ_call, δ_int, and δ_ret are total functions, i.e., δ_call : (S × Σ_call) → (S × (Γ−⊥)), δ_int : (S × Σ_int) → S, and δ_ret : (S × Σ_ret × Γ) → S. Note that DVPA have exactly one run on each input word. As for standard NBA, the class of languages recognized by Büchi DVPA is a strict subset of the languages recognized by non-deterministic Büchi VPA. Unlike in the non-pushdown case, DVPA with Muller or parity conditions are also strictly less expressive than non-deterministic Büchi VPA [AM04]. A deterministic automaton model for ω-VPL was given in [LMS04]. It uses a so-called stair-parity acceptance condition which we explain in the upcoming Section 2.2.

2.2. Steps and Stair-parity Conditions. In the remainder of this section, Σ denotes a pushdown alphabet and A a VPA over Σ. Consider a run ρ = s_0γ_0, s_1γ_1, ... of A on an infinite word w ∈ Σ^ω. We define the stack height of the i-th configuration as sh(ρ(i)) = |γ_i| − 1 (i.e., the bottom symbol ⊥ does not count towards the stack height). The stair-parity condition relies on the notion of steps:

Definition 2.3 (Step [LMS04]). Let ρ = s_0γ_0, s_1γ_1, ... be a run. A position i ≥ 0 is a step of ρ if sh(ρ(j)) ≥ sh(ρ(i)) holds for all j ≥ i. △

Figure 4: Left: A DVPA. Transitions labeled Z, r and ⊥, r are return transitions that are only enabled if Z (⊥, respectively) is on top of the stack. When executing Z, r, the symbol Z is popped from the stack. However, the special bottom-of-stack symbol ⊥ can never be popped (e.g., position 1 in the run). Right: The unique run of the DVPA on the input word τ r c τ τ c r c^2 r^2 c^3 r^3 ... Steps are underlined.
Intuitively, a step is a position of a run such that there is no future position where the stack height is strictly smaller. Slightly abusing terminology, we also say that a configuration s_iγ_i of a given run ρ = s_0γ_0, s_1γ_1, ... is a step if position i is a step.
Example 2.4. Figure 4 depicts a DVPA and the initial fragment of its unique run ρ on the input word τ r c τ τ c r c^2 r^2 c^3 r^3 ... The step positions are underlined, i.e., positions 0-5, 7, 11, and 17 are steps. Note that if ρ(i) = s⊥ for some s ∈ S then i is a step, i.e., bottom configurations are always steps.
Steps play a central role in the rest of the paper. We therefore explain some of their fundamental properties. Suppose that ρ is a run of A on an infinite word w ∈ Σ^ω.
• If positions i < j are adjacent steps, i.e., there is no step k strictly in between i and j, then sh(ρ(j)) − sh(ρ(i)) ∈ {0, 1}, i.e., the stack height from one step to the next increases by either zero or one.
• Each step i has a next step j > i: If the symbol at step i is internal (e.g., i = 0, 3, 4 in Figure 4) or a return (e.g., i = 1), then the next step is simply the next position j = i + 1 and the stack height does not increase. If the symbol at position i is a call, then one of two cases occurs: Either the call has no matching future return (e.g., i = 2); in this case, the next step is the next position j = i + 1. Otherwise, the call is eventually matched (e.g., i = 5, 7, 11) and the next step j > i + 1 occurs after the corresponding matching return is read and has the same stack height.
• As a consequence, each infinite run has infinitely many steps. Notice though that the difference between two adjacent step positions may grow unboundedly, as in Figure 4.
• The stack height at the steps either grows unboundedly or eventually stabilizes (the latter occurs in Figure 4; the stack heights at the steps induce the sequence 0, 0, 0, 1^ω).
Remark 2.5. We can also define the steps of a word w ∈ Σ^ω as the positions where a run of an arbitrary VPA on w has a step. Due to the visibility restriction, the actual behavior of the VPA does not influence the step positions [LMS04]. In other words, the step positions are predetermined by the input word. Thus, we can also speak of the stack height sh(w(i)) of word w at position i.
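Since the step positions of a word are determined by the input word alone (cf. Remark 2.5), they can be computed for a finite prefix with a suffix-minimum scan over the stack-height profile. This is a sketch: on a finite prefix it reports exactly the positions whose stack height is never undercut within that prefix (a longer continuation of the word could still invalidate some of them):

```python
def stack_heights(word, calls, rets):
    """Height of the configuration before reading each symbol, plus the final one."""
    h, heights = 0, [0]
    for a in word:
        if a in calls:
            h += 1
        elif a in rets:
            h = max(h - 1, 0)   # the bottom symbol is never popped
        heights.append(h)
    return heights

def step_positions(word, calls, rets):
    """Positions i with sh(j) >= sh(i) for all j >= i (within the given prefix)."""
    heights = stack_heights(word, calls, rets)
    steps, suffix_min = [], float("inf")
    for i in range(len(heights) - 1, -1, -1):
        suffix_min = min(suffix_min, heights[i])
        if heights[i] == suffix_min:
            steps.append(i)
    return sorted(steps)

# The word from Example 2.4: t r c t t c r c c r r c c c r r r (t for tau)
w = "trcttcrccrrcccrrr"
# step_positions(w, {"c"}, {"r"}) == [0, 1, 2, 3, 4, 5, 7, 11, 17]
```

On the prefix from Example 2.4, the computed positions agree with the underlined steps of Figure 4.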
We need one last notion before defining stair-parity. The footprint of an infinite run ρ = s_0γ_0, s_1γ_1, ... is the infinite sequence ρ↓Steps = s_{n_0} s_{n_1} ... ∈ S^ω where for all i ≥ 0 the position n_i is the i-th step of ρ. In words, ρ↓Steps is the projection of the run ρ onto the states occurring at its steps. For the example run in Figure 4, ρ↓Steps = s_0 s_1 s_1 s_0 s_1^ω.

Definition 2.6 (Stair-parity [LMS04]). Let A be a VPA over pushdown alphabet Σ. A stair-parity acceptance condition for A is defined in terms of a priority function Ω : S → N_0. A run ρ of A is accepting if

min { Ω(s) | s ∈ S occurs infinitely often in ρ↓Steps }

is even. The language accepted by A is denoted L(A). △

Intuitively, L(A) contains all words that have a run ρ on A such that the minimum priority occurring infinitely often at states in the footprint ρ↓Steps is even.
Example 2.7. The DVPA in Figure 4 with Ω(s_0) = 1 and Ω(s_1) = 2 accepts the language L_repbdd of repeatedly bounded words [LMS04], i.e., words whose stack height (cf. Remark 2.5) is infinitely often equal to some constant B. The example word from Figure 4 satisfies this property with B = 1. To see why the automaton accepts L_repbdd, note that a word is repeatedly bounded iff the stack height at the steps eventually stabilizes. The latter occurs iff in just finitely many cases, the transition before reaching a step was a call. The DVPA in Figure 4 detects this behavior; when reading a call symbol, it always moves to state s_0, which has odd priority, and it accepts iff s_0 is visited finitely often at call positions. It is known that L_repbdd is not expressible through DVPA with usual parity conditions [AM04].
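Footprints and stair-parity can be illustrated in code for eventually periodic runs: acceptance then depends only on the priorities occurring on the repeated part of the footprint. A small sketch using the priorities from Example 2.7 (the state names are ours):

```python
def footprint(run_states, steps):
    """Project a run's state sequence onto its step positions."""
    return [run_states[i] for i in steps]

def stair_parity_accepts(cycle, priority):
    """For an eventually periodic footprint u . v^omega, acceptance depends only
    on the cycle v: the minimum priority seen infinitely often must be even."""
    return min(priority[s] for s in cycle) % 2 == 0

# Priorities as in Example 2.7: Omega(s0) = 1, Omega(s1) = 2.
prio = {"s0": 1, "s1": 2}

# A footprint of the shape s0 s1 s1 s0 (s1)^omega is accepted, since the only
# state occurring infinitely often, s1, has even priority:
# stair_parity_accepts(["s1"], prio) == True
```

A footprint whose cycle still contains s_0 would be rejected, matching the intuition that the automaton of Figure 4 must visit the odd-priority state only finitely often at steps.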
Theorem 2.8 [LMS04, Theorem 1]. For every non-deterministic Büchi VPA A there exists a stair-parity DVPA D with 2^{O(|S|^2)} states such that L(A) = L(D). Moreover, D can be constructed in exponential time in the size of A.
It was also shown in [LMS04] that stair-parity DVPA characterize exactly the class of ω-VPL (and are thus not more expressive than non-deterministic Büchi VPA).
2.3. CaRet, a Temporal Logic of Calls and Returns. Specifying requirements directly in terms of automata is tedious in practice. CaRet [AEM04] is an extension of Linear Temporal Logic (LTL) [Pnu77] that can be used to describe certain ω-VPL.

Definition 2.9 (Syntax of CaRet [AEM04]). Let AP be a finite set of atomic propositions. The logic CaRet adheres to the grammar

φ ::= p | ¬φ | φ ∨ φ | ⃝^g φ | φ U^g φ | ⃝^a φ | φ U^a φ | ⃝^− φ | φ U^− φ

where p ∈ AP ∪ {call, int, ret}. △

Other common modalities such as ♢^b and □^b for b ∈ {g, a, −} are defined as usual via ♢^b φ = true U^b φ and □^b φ = ¬♢^b ¬φ. We now explain the intuitive semantics of CaRet; the formal definition is stated further below in Definition 2.10. We assume familiarity with LTL (see, e.g., [BK08, Ch. 5] for an introduction). CaRet formulae are interpreted over infinite words from the pushdown alphabet Σ = 2^AP × {call, int, ret}. ⃝^g and U^g are the standard next and until modalities from LTL (called global next and until in CaRet).

Figure 5: CaRet's various next modalities applied to the initial fragment of an example word. Call, internal, and return positions are depicted as boxes, circles, and rhombs, respectively. Note that ⃝^a of position 3 is undefined because its ⃝^g is a return. Whether or not ⃝^a of position 0 is defined depends on how the word continues after position 5; more specifically, it is defined iff there occurs a return position at the same height as position 5. In this case, ⃝^a of position 0 will point to the first such occurrence.

CaRet
extends LTL by two key operators, the caller modality ⃝^− and the abstract successor ⃝^a. The semantics of these operators is visually explained in Figure 5. The caller ⃝^− is a past modality that points to the position of the last pending call (if such a call exists). For internal and return symbols, the abstract successor ⃝^a behaves like ⃝^g unless the latter is a return, in which case ⃝^a is undefined (e.g., position 3 in Figure 5). On the other hand, the abstract successor of a call symbol is its matching return if it exists, or undefined otherwise. The caller and abstract successor modalities induce sequences of positions which we call the caller path and the abstract path, respectively. The caller path is always finite and the abstract path can be either finite or infinite. The until modalities U^− and U^a are then defined analogously to the standard until U^g with the difference that they are interpreted over the caller and abstract path, respectively. A prime application of CaRet is to express total correctness of a procedure F [AEM04]:

□^g ( (call ∧ p_F ∧ p) → ⃝^a q )

where p and q are atomic propositions that hold at the states where the pre- and postcondition is satisfied, respectively, and p_F is an atomic proposition marking the calls to F. Another example is the language of repeatedly bounded words from Example 2.7; it is described by the formula φ_repbdd = ♢^g □^g (call → ⃝^a ret) which states that all but finitely many calls have a matching return. Further examples are given in [AEM04].
We now define the semantics of CaRet formally. Let Σ = 2^AP × {call, int, ret} be the pushdown alphabet and w ∈ Σ^ω. If w(i) ∈ Σ_call, then let MR_w(i) be the position of the matching return of w(i), or undef if there is no matching return. The abstract successor succ^a_w(i) of position i in word w is defined as follows:
• succ^a_w(i) = MR_w(i) if w(i) ∈ Σ_call (in particular, succ^a_w(i) = undef if the call is unmatched);
• succ^a_w(i) = i + 1 if w(i) ∉ Σ_call and w(i+1) ∉ Σ_ret;
• succ^a_w(i) = undef if w(i) ∉ Σ_call and w(i+1) ∈ Σ_ret.

The caller succ^−_w(i) of position i in word w is defined as the innermost ("closest") unmatched call position j < i, or undef if there is no previous open call.
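On a finite word prefix, matching returns, abstract successors, and callers can all be computed with a single stack-based pass. A sketch (None stands in for undef; positions whose successor would lie beyond the prefix are also reported as None):

```python
def matching_returns(word, calls, rets):
    """mr[i] = position of the matching return of the call at i, else None."""
    mr, pending = [None] * len(word), []
    for i, a in enumerate(word):
        if a in calls:
            pending.append(i)
        elif a in rets and pending:        # a return matches the innermost open call
            mr[pending.pop()] = i
    return mr

def abstract_successor(word, calls, rets):
    """succ_a: matching return for calls; i+1 for int/ret unless w(i+1) is a return."""
    mr = matching_returns(word, calls, rets)
    succ = []
    for i, a in enumerate(word):
        if a in calls:
            succ.append(mr[i])
        elif i + 1 < len(word):
            succ.append(i + 1 if word[i + 1] not in rets else None)
        else:
            succ.append(None)              # unknown beyond the prefix
    return succ

def caller(word, calls, rets, i):
    """succ_-: innermost call position j < i that is still unmatched at position i."""
    pending = []
    for j, a in enumerate(word[:i]):
        if a in calls:
            pending.append(j)
        elif a in rets and pending:
            pending.pop()
    return pending[-1] if pending else None

w = "ctrtct"   # call, internal, return, internal, call, internal
# matching_returns   -> [2, None, None, None, None, None]
# abstract_successor -> [2, None, 3, 4, None, None]
# caller at position 1 -> 0; at position 3 -> None; at position 5 -> 4
```

Position 1 illustrates the asymmetry between the modalities: its abstract successor is undefined (the next symbol is a return), while its caller is the still-open call at position 0.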
Theorem 2.11 [AEM04]. For every CaRet formula φ over AP there exists a non-deterministic Büchi VPA A over Σ = 2^AP × {call, int, ret} such that L(A) = L(φ), and A can be constructed in exponential time in the size of φ.

The above theorem is well-known in the literature [AAB+07, ABE18], even though it is usually stated for Nested Word Automata (NWA), which are equivalent to VPA, and it is more common to state a space bound on A rather than a time bound for the construction. The theorem even applies to the logic NWTL+, an FO-complete extension of CaRet [AAB+07], which we do not consider here for the sake of simplicity.
Theorems 2.8 and 2.11 together imply that each CaRet formula can be translated to a deterministic stair-parity VPA of doubly-exponential size.

Probabilistic Visibly Pushdown Automata
As explained in the introduction, we employ probabilistic pushdown automata (pPDA) [EKM04] as an operational model for procedural probabilistic programs. pPDA thus play a fundamentally different role in this paper than VPA (cf. Definition 2.1): pPDA are used to model the system, while VPA encode the specification. Consequently, our pPDA do not read an input word like VPA do, but instead take their transitions randomly, according to fixed probability distributions. In this way, they define a probability space over their possible traces, i.e., runs projected on their labeling sequence. These traces constitute the input words of the VPA. In order for the model checking problems to be decidable [DBB12], a syntactic visibility restriction needs to be imposed on pPDA. In a nutshell, the condition is that each state only has outgoing transitions of one type, i.e., push, internal, or pop. This means that the stack operation is visible in the states (recall that for VPA, the stack operation is visible in the input symbol). This restriction is not severe in the context of modeling programs (see Remark 3.4 further below) and leads to our notion of probabilistic visibly pushdown automata (pVPA), which we now define formally.
Given a finite set X, we write Dist(X) = { f : X → [0, 1] | Σ_{a∈X} f(a) = 1 } for the set of probability distributions over X.

Definition 3.1 (pVPA). A probabilistic visibly pushdown automaton (pVPA) is a tuple ∆ = (Q, q_0, Γ, ⊥, P, Σ, λ) where Q = Q_call ⊎ Q_int ⊎ Q_ret is a finite set of states partitioned into call, internal, and return states, q_0 ∈ Q is an initial state, Γ is a finite stack alphabet, ⊥ ∈ Γ is a special bottom-of-stack symbol, P = (P_call, P_int, P_ret) is a triple of functions

P_call : Q_call → Dist(Q × (Γ−⊥)), P_int : Q_int → Dist(Q), P_ret : Q_ret × Γ → Dist(Q),

Σ is a pushdown alphabet, and λ : Q → Σ is a state labeling function consistent with the visibility condition, i.e., for all type ∈ {call, int, ret} and all q ∈ Q, it is required that q ∈ Q_type iff λ(q) ∈ Σ_type. △

Similar to VPA, we use the notation q -p-> rZ, q -p-> r, and qZ -p-> r to indicate that P_call(q)(r, Z) = p, P_int(q)(r) = p, and P_ret(q, Z)(r) = p, respectively.
Intuitively, the behavior of a pVPA ∆ is as follows. If the current state q is a call state, then the probability distribution P_call(q) determines a random successor state and a stack symbol to be pushed on the stack (⊥ cannot be pushed). Similarly, if the current state q is internal, then P_int(q) is the distribution over possible successor states and no stack operation is performed. Lastly, if the current state q is a return state and symbol Z ∈ Γ−⊥ is on top of the stack, then Z is popped and ∆ moves to a successor state with probability according to P_ret(q, Z). As in VPA, the special symbol ⊥ is not popped from the stack if a return transition occurs in a bottom configuration.
The formal semantics of a pVPA is defined in terms of a countably infinite discrete-time Markov chain. A (labeled) Markov chain is essentially the special case of a pVPA where Q = Q_int, with the only difference that we allow for a countably infinite Q and do not impose the restriction on the labeling function λ. A Markov chain can thus be specified as a 5-tuple (Q, q_0, P, Σ, λ), i.e., we omit ⊥ and Γ from the definition of pVPA because a Markov chain does not use a stack. A run of a Markov chain is an infinite sequence of states, i.e., an element of Q^ω. Note that in our definition, runs do not necessarily start in q_0; this is just for technical convenience - impossible runs starting in a state other than q_0 will simply have probability 0. We extend the labeling function λ from states to runs in the natural way.
We define the Markov chain D_∆ generated by a pVPA ∆ = (Q, q_0, Γ, ⊥, P, Σ, λ) as follows: the state space of D_∆ is the set of configurations of ∆, its initial state is q_0⊥, and the transition probability function P_∆ is defined such that P_∆(qγ)(rγ′) = p > 0 iff exactly one of the following cases applies:
• q ∈ Q_call, q -p-> rZ, and γ′ = Zγ;
• q ∈ Q_int, q -p-> r, and γ′ = γ;
• q ∈ Q_ret, γ = Zγ′ for some Z ∈ Γ−⊥, and qZ -p-> r;
• q ∈ Q_ret, γ = γ′ = ⊥, and q⊥ -p-> r.

Example 3.2. Figure 6 depicts a pVPA ∆ and a fragment of its generated Markov chain D_∆. Even though D_∆ is infinite, many problems remain decidable, including in particular questions about reachability probabilities, which can be characterized as the least solution of a system of polynomial equations [EKM04]. We will use this extensively in Section 4.
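The generated Markov chain can be explored by sampling: starting from the initial configuration, repeatedly apply the case that matches the type of the current state. A minimal sketch with a hypothetical three-state pVPA (all names are ours); note that the stack never becomes empty because the bottom symbol is not popped:

```python
import random

# A tiny (hypothetical) pVPA: q0 is a call state, q1 internal, q2 a return state.
Q_CALL, Q_INT, Q_RET = {"q0"}, {"q1"}, {"q2"}
P_call = {"q0": [(("q1", "Z"), 1.0)]}        # q0 -> q1, push Z
P_int  = {"q1": [("q0", 0.5), ("q2", 0.5)]}  # flip a fair coin
P_ret  = {("q2", "Z"): [("q1", 1.0)],
          ("q2", "BOT"): [("q2", 1.0)]}      # BOT is never popped

def sample(dist):
    """Draw an outcome from a list of (outcome, probability) pairs."""
    r, acc = random.random(), 0.0
    for outcome, p in dist:
        acc += p
        if r < acc:
            return outcome
    return dist[-1][0]

def sample_run_prefix(n, state="q0"):
    """Sample the first n configurations of the generated Markov chain D_Delta,
    recording each state together with the current stack size."""
    stack, run = ["BOT"], [(state, 1)]
    for _ in range(n - 1):
        if state in Q_CALL:
            state, sym = sample(P_call[state])
            stack.append(sym)
        elif state in Q_INT:
            state = sample(P_int[state])
        else:                                # return state: pop unless at BOT
            top = stack[-1]
            state = sample(P_ret[(state, top)])
            if top != "BOT":
                stack.pop()
        run.append((state, len(stack)))
    return run

random.seed(1)
prefix = sample_run_prefix(50)
```

Each sampled prefix is an element of the cylinder sets used below to define the probability space over runs.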
We define the set Runs_∆ of a pVPA ∆ as the runs of the Markov chain D_∆, i.e., the infinite sequences of configurations of ∆. Steps of pVPA runs are defined as in Definition 2.3. A further example pVPA and its possible runs are depicted in Figure 7 on page 16. We associate a probability space with Runs_∆ in the usual way (see, e.g., [BK08, Ch. 10]). To this end, we define the σ-algebra F ⊆ 2^{Runs_∆} as the smallest set that contains all the cylinder sets ρ.Runs_∆, where ρ is an arbitrary finite prefix ρ ∈ (Q × (Γ−⊥)*.⊥)* of a run, and that is closed under complement and countable union. The sets in F are called measurable, and there is a unique probability measure P_∆ : F → [0, 1] satisfying

P_∆(ρ.Runs_∆) = ∏_{i=0}^{|ρ|−2} P_∆(ρ(i))(ρ(i+1))

for all finite prefixes ρ starting in the initial configuration q_0⊥, where an empty product (which occurs if |ρ| ≤ 1) is defined to be equal to 1. We omit the subscript in P_∆ whenever ∆ is given by the context. In the following two remarks, we summarize the technical differences between our pVPA model and existing models in the literature.
Remark 3.3. Unlike the pPDA from [EKM04], our pVPA only generate infinite runs, i.e., they do not "terminate" when reaching the empty stack. Indeed, in our pVPA, the stack can never be empty because the special bottom symbol ⊥ cannot be popped. We have chosen this semantics for compatibility with CaRet, which describes ω-languages by definition. Nonetheless, terminating behavior can easily be simulated in our framework by moving to a dedicated sink state once the pVPA attempts to pop ⊥ for the first time. Another technical difference between our pVPA and the pPDA introduced in [EKM04] is that in pVPA, only pop transitions can read the stack, whereas in pPDA, all types of transitions can read, and possibly exchange, the current topmost stack symbol. We have chosen this definition (which is not a true restriction) for compatibility with VPA as defined in [AM04].
Remark 3.4. The visibility restriction of our pVPA is slightly different from the definition given in [DBB12], which requires all incoming transitions of a state to be of the same type, i.e., call, internal, or return. Our definition, on the other hand, imposes the same requirement on the states' outgoing transitions. We believe that our condition is more natural for pVPA obtained from procedural programs, such as the one in Figure 1. In fact, programs where randomness is restricted to internal statements such as x := bernoulli(0.5) or x := uniform(0, 3) naturally comply with our visibility condition because all call and return states of such programs are deterministic and thus cannot violate visibility. However, the alternative condition of [DBB12] is not necessarily fulfilled for such programs.
We can now formally state our main problem of interest:

Definition 3.5 (Probabilistic CaRet Model Checking). Let AP be a finite set of atomic propositions, φ be a CaRet formula over AP, ∆ be a pVPA with labels from the pushdown alphabet Σ = 2^AP × {call, int, ret}, and θ ∈ [0, 1] ∩ Q. The quantitative CaRet model checking problem is to decide whether

P_∆( { ρ ∈ Runs_∆ | λ(ρ) ⊨ φ } ) ≥ θ.

The qualitative CaRet model checking problem is the special case where θ = 1. △

The probabilities in Definition 3.5 are well-defined as ω-VPL are measurable [LMS04].

Model Checking pVPA against Stair-parity DVPA
In this section, we show that model checking pVPA (Definition 3.1) against VPL given in terms of a stair-parity DVPA (Definition 2.6) is decidable. This is achieved by first computing an automata-theoretic product of the pVPA and the DVPA, and then evaluating the acceptance condition in the product automaton.
4.1. Products of Visibly Pushdown Automata. In general, pushdown automata are not closed under taking products, as this would require two independent stacks. However, the visibility conditions on VPA and pVPA ensure that their product is again an automaton with just a single stack, because the stack operations (push, internal, or pop) are forced to synchronize.
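To illustrate this synchronization, the following Python sketch advances a product configuration by one input letter: the letter's type (call, internal, or return) dictates the stack action in both components, so a single stack of symbol pairs suffices. All names and encodings here are our own illustration, not taken from the paper.

```python
# Sketch: one step of the product of a pVPA and a DVPA over a shared
# pushdown alphabet. The input letter's type (call/int/ret) dictates the
# stack action in BOTH components, so one stack of symbol pairs suffices.
# All names and encodings here are illustrative.

def product_step(conf, letter, pvpa_step, dvpa_step):
    """Advance the product configuration by one input letter.

    conf      : ((q, s), stack), stack is a list of (Z, Z') symbol pairs
    letter    : (sigma, kind) with kind in {"call", "int", "ret"}
    pvpa_step : transition function of the pVPA component
    dvpa_step : transition function of the DVPA component
    """
    (q, s), stack = conf
    sigma, kind = letter
    if kind == "call":                         # both components push
        q2, Z = pvpa_step(q, sigma)
        s2, Zp = dvpa_step(s, sigma)
        return (q2, s2), stack + [(Z, Zp)]
    elif kind == "int":                        # neither stack is touched
        return (pvpa_step(q, sigma), dvpa_step(s, sigma)), stack
    else:                                      # "ret": both components pop,
        Z, Zp = stack[-1]                      # each reading its own symbol
        return (pvpa_step(q, sigma, Z), dvpa_step(s, sigma, Zp)), stack[:-1]
```

Here `pvpa_step` is assumed to resolve the probabilistic choice of the pVPA externally, e.g., by sampling; the point is only that the two stacks can never get out of sync.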
We now define the product formally. An unlabeled pVPA is a pVPA where the labeling function λ and the alphabet Σ are omitted.

Definition 4.1 (Product ∆ × D). Let ∆ = (Q, q0, Γ, ⊥, P, Σ, λ) be a pVPA, and D = (S, s0, Γ′, ⊥, δ, Σ) be a DVPA over pushdown alphabet Σ. The product of ∆ and D is the unlabeled pVPA where P_{∆×D} is the smallest set of transitions obtained by synchronizing ∆ and D, for all q, r ∈ Q, Z ∈ Γ, and s, t ∈ S: whenever ∆ takes a call transition from q to r that pushes Z with some probability p, and D, reading the corresponding label emitted by ∆, moves from s to t while pushing Z′, then the product takes a call transition from (q, s) to (r, t) with probability p that pushes the pair (Z, Z′); internal and return transitions are synchronized analogously, with return transitions popping pairs of stack symbols. If the DVPA D is equipped with a priority function Ω : S → N0, then we extend Ω to Ω′ : Q × S → N0 via Ω′(q, s) = Ω(s). △

It is not difficult to show that ∆ × D is indeed a well-defined pVPA and moreover satisfies the following property (the proof is standard, see [WGK21, Appendix B.1]):

Lemma 4.2 (Soundness of ∆ × D). Let ∆ be a pVPA and D be a stair-parity DVPA with priority function Ω, both over pushdown alphabet Σ. Then the product pVPA ∆ × D with priority function Ω′ as in Definition 4.1 satisfies

P_∆({ρ ∈ Runs_∆ | λ(ρ) ∈ L(D)}) = P_{∆×D}({ρ ∈ Runs_{∆×D} | ρ↓_Steps ∈ Parity_{Ω′}}) ,

where Parity_{Ω′} denotes the set of words in (Q × S)^ω satisfying the standard parity condition induced by Ω′. Moreover, ∆ × D can be constructed in polynomial time.
Remark 4.3. It is not actually important that the product pVPA again satisfies the visibility condition, even though this happens to be the case. All techniques we apply to the product also work for general pPDA.

4.2. Stair-parity Acceptance Probabilities in pVPA. Lemma 4.2 effectively reduces model checking pVPA against stair-parity DVPA to computing stair-parity acceptance probabilities in the product, which is again an (unlabeled) pVPA. We therefore focus on pVPA in this section and do not consider DVPA.
Throughout the rest of this section, let ∆ = (Q, q0, Γ, ⊥, P) be an unlabeled pVPA. On the next pages we describe the construction of a finite Markov chain M_∆ that we call the step chain of ∆. Loosely speaking, M_∆ simulates jumping from one step (see Definition 2.3) of a run of ∆ to the next.
Remark 4.4. The idea of the step Markov chain M_∆ first appeared in [EKM04]. However, the step chain as presented here differs from the original definition in [EKM04] in at least two important aspects. First, we have to take the semantics of our special bottom symbol ⊥ into account. This is why our chain uses a subset of Q ∪ Q⊥ as states: it must distinguish whether a step occurs at a bottom configuration. The pPDA in [EKM04], on the other hand, may have both finite and infinite runs, and this needs to be handled differently in the step chain. Second, we use step chains for a different purpose than [EKM04], namely to show that general measurable properties defined on steps (this includes stair-parity) can be evaluated on pVPA (Lemma 4.15).

4.2.1. Steps as events. For all n ∈ N0, we define a random variable V^(n) on Runs_∆ whose value is either the state q of ∆ at the n-th step, or the extended state q⊥ in the special case where the n-th step occurs at a bottom configuration q⊥, for some q ∈ Q. We denote the set of all such extended states with Q⊥ = {q⊥ | q ∈ Q}. Formally, V^(n)(ρ) = q if step_n(ρ) = qγ with γ ≠ ⊥, and V^(n)(ρ) = q⊥ if step_n(ρ) = q⊥, where step_n(ρ) denotes the configuration at the n-th step of ρ.
Lemma 4.5. For all n ∈ N0 and v ∈ Q ∪ Q⊥, the event V^(n) = v is measurable, and thus V^(n) is a well-defined random variable.
Proof. This was proved more generally in [EKM04]. Here we give an alternative proof using the fact that all ω-VPL are measurable [LMS04]. We view Q ∪ Q⊥ as a pushdown alphabet (the partition is induced by the partition on Q). We can construct a non-deterministic Büchi VPA that accepts a word w ∈ (Q ∪ Q⊥)^ω iff the n-th step of w is v (the size of this automaton depends on n). To this end, the VPA guesses the first n positions that are steps and goes to an accepting state s if the n-th step was v. The automaton can verify that it guessed correctly as follows. If it believes a call symbol is a step, it pushes a special marker on the stack; if this marker is ever popped, then the call was not a step and the guess was wrong. If it detects a wrong guess in this way, then it leaves the accepting state s, otherwise it loops there forever. The claim follows because the function f : Runs_∆ → (Q ∪ Q⊥)^ω that maps runs to the sequence of their (extended) states is measurable (indeed, the preimage of each basic cylinder set under f is a countable intersection of countable unions of basic cylinder sets).
We can view the sequence V^(0), V^(1), ... of random variables as a stochastic process. It is intuitively clear that for all n ∈ N0, the value of V^(n+1) depends only on V^(n), but not on V^(i) for i < n. This is due to the more general observation that the state q at any step configuration qγ (with γ ≠ ⊥) fully determines the future of the run, because being a step already implies that no symbol in γ can ever be read, as reading it implies popping it from the stack. In particular, q determines the probability distribution over possible next steps. A similar observation applies to bottom configurations of the form q⊥. Phrased in the language of probability theory, the process V^(0), V^(1), ... has the Markov property, i.e.,

P(V^(n) = v_n | V^(n−1) = v_{n−1}, ..., V^(0) = v_0) = P(V^(n) = v_n | V^(n−1) = v_{n−1})   (4.1)

holds for all values of v_0, ..., v_n such that the conditional probabilities are well-defined 1. This was proved in detail in [EKM04]. It is also clear that the Markov process is time-homogeneous in the sense that

P(V^(n+1) = v | V^(n) = u) = P(V^(m+1) = v | V^(m) = u)   (4.2)

holds for all n, m ∈ N0 and all u, v for which the two conditional probabilities are well-defined. The following example provides some intuition on these facts.
Example 4.6. Consider the pVPA in Figure 7 (left). The initial fragments of its two equiprobable runs are depicted in the middle. In this example, it is easy to read off the next-step probabilities P(V^(n+1) = v′ | V^(n) = v). They are summarized in the Markov chain on the right. For example, V^(0) = q0⊥ holds with probability 1, and V^(1) = q1 and V^(1) = q3⊥ hold with probability 1/2 each, because the second step occurs either at position 1 with configuration q1⊥Z or at position 3 with configuration q3⊥, and both options are equally likely. The case P(V^(2) = q2 | V^(1) = q1) = 1 is slightly more interesting: Given that a configuration q1γ with γ ≠ ⊥ is a step, we know that the next state must be q2 (which is then also a step). Even though there is a transition from q1 to q3 in ∆, the next state cannot be q3 because the latter is a return state which would immediately decrease the stack height below that of γ. This shows that, intuitively speaking, conditioning on being a step influences the probabilities of a state's outgoing transitions.
1 A conditional probability is well-defined if the condition, i.e., the event on the right hand side of the vertical bar, has positive probability. Expressions like the one in (4.1) are thus not necessarily well-defined because the probability that V^(n−1) = v_{n−1} might be zero for certain values of n and v_{n−1}.
4.2.2. Next-step probabilities. In general, we cannot simply read off the next-step probabilities P(V^(n+1) = v′ | V^(n) = v) as we did in Example 4.6. It turns out that those can be stated in terms of the return and diverge probabilities of ∆.
Definition 4.7. Let q, r ∈ Q be states, and Z ∈ Γ−⊥ be a stack symbol of pVPA ∆. We define the following probabilities:
• The return probability [qZ↓r] is the probability to reach configuration r⊥ from qZ⊥ without visiting another bottom configuration t⊥ for some t ≠ r in between. Formally, [qZ↓r] = P_{qZ⊥}( {q′γ⊥ | q′ ∈ Q, γ ∈ Γ^+_{−⊥}} U {r⊥} ), where P_{qZ⊥} is the probability measure associated with the infinite Markov chain D_∆ assuming initial state qZ⊥, and U is the standard until operator from LTL.
• The diverge probability [q↑] = 1 − Σ_{t∈Q} [qZ↓t], i.e., the probability to never pop Z from the stack when starting in qZ⊥. Note that [q↑] is indeed independent of Z because the only way to read Z is by popping it from the stack. Recall that this is due to our specific definition of pVPA (Definition 3.1) in which only pop transitions can read from the stack, just like in VPA (Definition 2.1); we remark that in traditional (p)PDA, all types of transitions can read, and possibly replace, the topmost stack symbol [EKM04]. △

The diverge probabilities are closely related to steps. In fact, the probability that a non-bottom configuration with head qZ is a step is equal to [q↑]. For example, in the pVPA in Figure 7 the configuration q1Z⊥ is a step with probability [q1↑] = 1/2.

Example 4.8. It is well known that the return and diverge probabilities are not necessarily rational. We give a minimal example to illustrate this fact. Consider the following pVPA: Intuitively, this pVPA either pops the topmost symbol with probability 1/2, or it pushes the symbol Z twice. Note that all return probabilities of the form [...↓q_i] for i ≠ 0 are equal to zero. In [EKM04] it was shown that the remaining return probabilities are the component-wise least non-negative solution of a polynomial equation system. It follows that [q0Z↓q0] must be the least non-negative solution of x = 1/2 + 1/2·x³, which is (√5 − 1)/2 ≈ 0.618, the reciprocal of the golden ratio. △

The probabilities in Example 4.8 can still be expressed by radicals (square roots, cubic roots, and so on), which allows for certain effective computations. However, in general, the probabilities cannot even be expressed in this way. For example, consider a pVPA that repeats the following steps until emptying its stack or getting stuck in a sink state: (i) it pushes four symbols with probability 1/6, or (ii) pops one symbol with probability 1/2, or (iii) gets stuck otherwise. The resulting return probability is the least x ≥ 0 with x = (1/6)x⁵ + 1/2, which is an algebraic number not expressible by radicals [EY09, Theorem 3.2(1)].
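Although these least solutions are generally irrational, they are limits of a monotone iteration and can thus at least be approximated numerically. The following sketch (function names are ours) applies Kleene iteration from 0 to the two equations of this section, x = 1/2 + 1/2·x³ for Example 4.8 and x = (1/6)x⁵ + 1/2 for the non-radical example; it approximates, but does not replace, the exact ETR-based reasoning used later.

```python
# Sketch: approximating return probabilities as least non-negative solutions
# of monotone polynomial equations by Kleene (fixed-point) iteration from 0.
# Function names are ours; the equations are those from Example 4.8 and the
# subsequent non-radical example.

def least_fixed_point(f, iters=10_000):
    """Iterate x <- f(x) starting from 0; for a monotone f mapping [0,1]
    into [0,1] this converges to the least fixed point in [0,1]."""
    x = 0.0
    for _ in range(iters):
        x = f(x)
    return x

# x = 1/2 + 1/2 * x^3: least solution is (sqrt(5) - 1) / 2 ~ 0.618...
golden = least_fixed_point(lambda x: 0.5 + 0.5 * x**3)

# x = 1/6 * x^5 + 1/2: least solution is algebraic but not radical-expressible.
non_radical = least_fixed_point(lambda x: x**5 / 6 + 0.5)
```

Plain Kleene iteration can converge slowly near critical parameter values; dedicated approximation schemes for such systems are referenced in the conclusion [EY09, EKL10, SEY15].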
Remark 4.9. The probabilities [qZ↓r] from Definition 4.7 were called termination probabilities in previous work [BEKK13]. However, we believe that return probability is more appropriate. When modeling procedural probabilistic programs as pVPA, [qZ↓r] is just the probability to eventually return from local state q of the current procedure to local state r of the calling procedure (the return address is stored on the stack in Z). We believe that the term termination probability is more adequate for referring to the quantity Σ_{r∈Q} [q0Z0↓r], where Z0 is some initial stack symbol, i.e., the probability that some initial procedure identified by Z0 returns at all when started in local state q0.

We now state the technical key lemma of this section, the characterization of the next-step probabilities P(V^(n+1) = v′ | V^(n) = v):

Lemma 4.10. The next-step probabilities of ∆ are as given in Table 2.

4.2.3. Proof of Lemma 4.10. We first explain the trivial entries in Table 2. Further below, we give a self-contained proof of the two non-trivial expressions in the left-most column of Table 2. Throughout the whole proof we fix an (unlabeled) pVPA ∆ = (Q, q0, Γ, ⊥, P), with P = (P_call, P_int, P_ret) the call, internal, and return transition functions, respectively. The following items correspond to the trivial entries in Table 2 and are ordered column-by-column, from left to right:
• The probability P(V^(n+1) = r | V^(n) = q) with q ∈ Q_ret is never well-defined because it is impossible that steps occur at non-bottom configurations with a return state.
• The probability P(V^(n+1) = r | V^(n) = q⊥) with q ∈ Q_int is trivially zero because if q is internal then the next step after a bottom configuration q⊥ is necessarily also a bottom configuration.
• The probability P(V^(n+1) = r | V^(n) = q⊥) with q ∈ Q_ret is trivially zero as well: if q is a return state at a bottom configuration then the next step occurs at the immediate successor configuration, which is a bottom configuration as well.
• The probability P(V^(n+1) = r⊥ | V^(n) = q⊥) with q ∈ Q_int is simply P_int(q, r) because q⊥ and r⊥ are both steps and the probability that the next state after q⊥ is r⊥ is P_int(q, r).
• The probability P(V^(n+1) = r⊥ | V^(n) = q⊥) with q ∈ Q_ret is simply P_ret(q⊥, r) for the same reason as in the previous case (recall that a return state at a bottom configuration behaves exactly like an internal one).
• All the remaining probabilities in the rightmost column "q → r⊥" are trivially zero or ill-defined because if a step occurs at a non-bottom configuration, then the next step can never occur at a bottom configuration.

We now focus on the following non-trivial cases. Let r ∈ Q and n ∈ N0 be arbitrary.

(1) If q ∈ Q_int then

P(V^(n+1) = r | V^(n) = q) = P_int(q, r) · [r↑] / [q↑] .
(2) If q ∈ Q_call then

P(V^(n+1) = r | V^(n) = q) = ( Σ_{r′∈Q, Z∈Γ−⊥} P_call(q, r′Z) · [r′Z↓r] · [r↑] + Σ_{Z∈Γ−⊥} P_call(q, rZ) · [r↑] ) / [q↑] .

The other two non-trivial cases are easier variants of case (2), hence we omit them here (see [WGK21, p. 30] for details). Next we provide some intuition about cases (1) and (2):
• For (1), suppose that the n-th step is at position i of the run. Since the n-th step occurs at an internal state q ∈ Q_int, the (n+1)-st step must necessarily occur immediately at position i+1. The factor P_int(q, r) · [r↑] is proportional to the probability to take an (internal) transition from q to r and then diverge in r, which is necessary in order for the next configuration to be a step. However, the values {P_int(q, r) · [r↑] | r ∈ Q} do not form a probability distribution in general. Therefore we divide by the normalizing constant [q↑] = Σ_{r∈Q} P_int(q, r) · [r↑].
• In (2), the two summands correspond to the following case distinction: Since the n-th step occurs at the call state q ∈ Q_call, the (n+1)-st step either (i) occurs at the same stack height as the current step n (which means that the current call has a matching return), or (ii) the stack height at the next step n+1 is incremented by 1 compared to the stack height at step n. In case (ii), the next step occurs immediately at the next position, which is why the second summand is essentially the 1-step probability to go from q to r. In case (i), the symbols pushed by the outgoing transitions of q must eventually be popped. For instance, if we assume that q takes a transition to an immediate successor r′ and pushes Z on the stack, then the probability that the next step occurs at r is precisely the return probability [r′Z↓r] (see Definition 4.7). The factor [r↑]/[q↑] is needed for similar reasons as in (1).

We now give the formal proofs for (1) and (2). In the following, we often use equations involving conditional probabilities such as P(A | B) = P(C | D). These conditional probabilities are not necessarily well-defined in all cases. Therefore, the meaning of our equations is that they hold only if all probabilities involved are well-defined. We need some definitions and (simple) lemmas first.

Definition 4.11. Let i ∈ N0 and q ∈ Q. We introduce the following events:
• q@i is the set of all runs ρ ∈ Runs_∆ such that ρ(i) = qγ with γ ≠ ⊥, i.e., the runs whose i-th configuration has state q and stack unequal to ⊥.
• Similarly, q⊥@i denotes the set of all runs ρ ∈ Runs_∆ such that ρ(i) = q⊥, i.e., the runs whose i-th configuration is a bottom configuration with state q.
• step@i denotes the set of all runs such that the i-th configuration is a step.
• We define sh@i = sh(ρ(i)) ∈ N0, i.e., the stack height of the i-th configuration. Strictly speaking, sh@i is a random variable, not an event.
Note that step@i is by definition equivalent to ∀j > i : sh@j ≥ sh@i. These events are all measurable. △

Lemma 4.12. For all i ∈ N0 and q ∈ Q, the following identities hold:

P(step@i | q@i) = [q↑]   (4.3)
P(step@i | q⊥@i) = 1   (4.4)

Further, for q ∈ Q_int and r ∈ Q,

P(r@(i+1) | q@i) = P_int(q, r)   (4.5)
P(step@(i+1) ∧ step@i | r@(i+1) ∧ q@i) = P(step@(i+1) | r@(i+1))   (4.6)

Proof. The first three equations follow immediately from the definitions. For (4.6) we have:

P(step@(i+1) ∧ step@i | r@(i+1) ∧ q@i) = P(step@(i+1) | r@(i+1) ∧ q@i) = P(step@(i+1) | r@(i+1))

The first equation holds because if q ∈ Q_int and q@i, then step@(i+1) ∧ step@i is already implied by step@(i+1), and the second equation holds because the probability of step@(i+1) depends only on the state at position i+1, not on the state at position i.
To prove the equation for case (1) we argue as follows. By time-homogeneity (see (4.2)) and the definition of V^(n), we have for all i, n ∈ N0, q ∈ Q_int and r ∈ Q that

P(V^(n+1) = r | V^(n) = q) = P(r@(i+1) ∧ step@(i+1) | q@i ∧ step@i) .   (4.7)

Now:

P(V^(n+1) = r | V^(n) = q)
  = P(r@(i+1) ∧ step@(i+1) ∧ q@i ∧ step@i) / P(q@i ∧ step@i)   (by (4.7))
  = P(r@(i+1) ∧ step@(i+1) ∧ step@i | q@i) · P(q@i) / ( P(step@i | q@i) · P(q@i) )   (cond. probability)
  = P(step@(i+1) ∧ step@i | r@(i+1) ∧ q@i) · P(r@(i+1) | q@i) / P(step@i | q@i)
  = P_int(q, r) · [r↑] / [q↑]   (by Lemma 4.12)

This concludes the proof for case (1). We now turn to case (2). For all i, n ∈ N0, q ∈ Q_call and r ∈ Q, it holds that

P(V^(n+1) = r | V^(n) = q)
  = P(∃k > i : step@k ∧ r@k ∧ ∀i < j < k : ¬step@j | step@i ∧ q@i)   (by time-homogeneity and definition of V^(n))
  = P(∃k > i+1 : step@k ∧ r@k ∧ ∀i < j < k : ¬step@j | step@i ∧ q@i) + P(r@(i+1) ∧ step@(i+1) | step@i ∧ q@i)   (4.8)

The last equality results from a split into two disjoint events. For the second summand in (4.8) it can be shown that

P(r@(i+1) ∧ step@(i+1) | step@i ∧ q@i) = Σ_{Z∈Γ−⊥} P_call(q, rZ) · [r↑] / [q↑]

by a similar derivation as in case (1) (the sum over all stack symbols Z is because q ∈ Q_call, so that there may be multiple, up to |Γ−⊥| many, direct transitions from q to r).
We need a couple of lemmas before deriving an equation for the first summand in (4.8).
Lemma 4.13. For all q ∈ Q_call, r ∈ Q, and i ∈ N0 it holds that:

Σ_{r′∈Q, Z∈Γ−⊥} P_call(q, r′Z) · [r′Z↓r] = Σ_{k>i+1} P(r@k ∧ ∀i<j<k : sh@j > sh@k = sh@i | q@i)   (4.9)

Moreover, for all q ∈ Q_call, i ∈ N0, and k ∈ N0, we have:

P(step@k ∧ ∀i<j<k : ¬step@j ∧ step@i | q@i) = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k | q@i)   (4.10)

and

P(∀i<j<k : sh@j > sh@i = sh@k | q@i ∧ r@k ∧ step@k) = P(∀i<j<k : sh@j > sh@i = sh@k | q@i ∧ r@k)   (4.11)

Proof. For (4.9), note that Σ_{r′,Z} P_call(q, r′Z) · [r′Z↓r] is the probability to go from q (with empty stack) to a successor state r′, push Z ∈ Γ, and then later reach r with empty stack within finitely many steps. If we assume that q@i, then this is the same as summing over all positions k > i+1 (we can exclude k = i+1 because it is not possible to push and pop Z within one transition) such that r@k and for all i < j < k the stack height is greater than at positions i and k. Positions i and k have the same stack height because in the transition from i the symbol Z is pushed, and k is the position directly after Z is popped.
In between those two transitions, the stack below Z cannot change, so the stack is the same at both positions. For (4.10) we argue as follows:

P(step@k ∧ ∀i<j<k : ¬step@j ∧ step@i | q@i)
  = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k ∧ step@i | q@i)
  = P(step@k ∧ ∀i<j<k : sh@j > sh@i = sh@k | q@i)

The first equality holds because if no position between i and k is a step, then the stack at those positions must be higher than at position k. Furthermore, since i is a step, we have sh@i ≤ sh@k; and moreover, since i+1 is not a step and q is a call state, we even have sh@i = sh@k. The second equality holds because if i and k have the same stack height and all positions between them have a higher stack, then i is a step if and only if k is a step.
Equation (4.11) is somewhat counter-intuitive because conditioning on step@k is like "conditioning on the future": the stack height after position k must never be smaller than at position k. Knowing step@k thus gives information about the (extended) state at position k. However, in (4.11) we also condition on the fact that r@k, i.e., at position k, the run is in state r and the topmost stack symbol is not ⊥. Hence, in the context of (4.11), we can drop step@k from the condition.
4.2.4. The step chain. Recall from (4.1) that the stochastic process V^(0), V^(1), ... has the Markov property. This justifies the following definition:

Definition 4.14 (Step chain M_∆). The step chain of ∆ is the finite Markov chain M_∆ with state space M ⊆ Q ∪ Q⊥, initial state q0⊥, and for all v, v′ ∈ M, the probability of transition v → v′ defined according to Table 2. △

Figure 8 depicts a non-trivial pVPA and its step chain. In this example, all return and diverge probabilities are rational. In general, however, the return and diverge probabilities (Definition 4.7) are algebraic numbers that are not always rational or even expressible by radicals [EY09] (cf. Example 4.8). As a consequence, one cannot easily perform numerical computations on the step chain. However, the probabilities can be encoded implicitly as the unique solution of an existential theory of the reals (ETR) formula, i.e., an existentially quantified FO-formula over (R, +, ·, ≤) [EKM04]. Since the ETR is decidable in PSPACE, many questions about the step chain are in PSPACE as well. We will make use of this in Theorem 4.16 below.
The property of M_∆ that is most relevant to us is given by Lemma 4.15 below. For ρ ∈ Runs_∆, we let ρ⇓_Steps = V^(0)(ρ) V^(1)(ρ) ... ∈ (Q ∪ Q⊥)^ω (note that this is a slightly different "footprint" than the one introduced in Section 2.2).
Lemma 4.15 (Soundness of M_∆). Let ∆ be a pVPA with step chain M_∆. Let M be the states of the step chain and let R ⊆ M^ω be measurable. Then

P_∆({ρ ∈ Runs_∆ | ρ⇓_Steps ∈ R}) = P_{M_∆}(R) ,

where P_∆ and P_{M_∆} are the probability measures associated with ∆ and M_∆, respectively.
Proof. The formal proof requires some basic notions from measure theory. In fact, Lemma 4.15 is an instance of the following more general statement:

(⋆) Let (X, A, µ) and (Y, B, ν) be probability spaces such that B = σ(G), where G ⊆ 2^Y, i.e., B is the σ-algebra generated by the sets in G. Assume furthermore that G is a π-system, i.e., G is non-empty and closed under finite intersections. Let f : X → Y be a function such that for all G ∈ G it holds that f⁻¹(G) ∈ A and µ(f⁻¹(G)) = ν(G). Then f is a measurable function and the pushforward measure ν′ = µ ∘ f⁻¹ coincides with ν.
We now explain how to prove (⋆) using fundamental measure theory. The fact that f is measurable follows because the inverse image f⁻¹ preserves set operations (see, e.g., [ADD00, below Definition 1.5.1]). For the claim that ν′ = ν it suffices to note that by assumption we have ν′(G) = ν(G) for all G ∈ G, and since G is a π-system, an application of the π-λ theorem (see, e.g., [Pan09, Proposition 2.10]) implies that ν′ = ν.
We instantiate (⋆) as follows to prove Lemma 4.15: The probability spaces are the ones associated with the measures P_∆ and P_{M_∆}. In particular, the σ-algebra on which P_{M_∆} is defined is the one generated by the cylinder sets C = {w.M^ω | w ∈ M*} ⊆ 2^{M^ω}. It is easy to see that G = C ∪ {∅} is a π-system, and σ(C) = σ(G). We define f : (Q × Γ*_{−⊥}.⊥)^ω → M^ω, f(ρ) = ρ⇓_Steps, i.e., f projects a run of ∆ to its footprint of steps (which is a run in M_∆). To apply (⋆) it remains to show that for all cylinder sets w.M^ω, w ∈ M*, we have that (i) f⁻¹(w.M^ω) is measurable, and (ii) P_∆(f⁻¹(w.M^ω)) = P_{M_∆}(w.M^ω). For (i), note that f⁻¹(w.M^ω) = {ρ ∈ Runs_∆ | ∀ 0 ≤ i < |w| : V^(i)(ρ) = w(i)}, which is indeed measurable because it is a finite intersection of measurable events by Lemma 4.5; recall that V^(i) denotes the (extended) state at the i-th step. (ii) is trivial in the case where |w| = 0, so we let |w| = n + 1, n ≥ 0, and exploit the properties of the step chain M_∆. If w(0) ≠ q0⊥ (the initial state of M_∆) then P_∆(V^(0) = w(0)) = P_{M_∆}(w.M^ω) = 0. Otherwise w(0) = q0⊥. In this case, if n = 0 (i.e., |w| = 1), then P_∆(V^(0) = w(0)) = P_{M_∆}(w.M^ω) = 1. Else, if n > 0 (|w| > 1), by the Markov property from equation (4.1), we have

P_∆(f⁻¹(w.M^ω)) = P_∆(∀ 0 ≤ i ≤ n : V^(i) = w(i)) = Π_{i=1}^{n} P_∆(V^(i) = w(i) | V^(i−1) = w(i−1)) = Π_{i=1}^{n} P(w(i−1), w(i)) = P_{M_∆}(w.M^ω)   (by Lemma 4.10)

where P is the transition probability function of the Markov chain M_∆ and the last equality holds by definition of the probability measure P_{M_∆}.
Table 3: The underlying graph of the step chain. The condition in each cell is true iff the corresponding transition probability in Table 2 is non-zero.
The following is the main result of Section 4:

Theorem 4.16. Let ∆ be a pVPA and D be a stair-parity DVPA, both over the same pushdown alphabet Σ. Then for all θ ∈ [0, 1] ∩ Q, the following is decidable in PSPACE:

P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(D)}) ≥ θ   (4.12)

The rest of Section 4.3 is devoted to the proof of Theorem 4.16. We first provide a brief overview. The first step is to construct the product ∆ × D according to Definition 4.1. By Lemma 4.2 we need to compute the stair-parity acceptance probability of ∆ × D. Lemma 4.15 reduces this to computing a usual parity acceptance probability in the step chain M_{∆×D}. This can be achieved by finding the bottom strongly connected components (BSCC) of M_{∆×D}, classifying them as good (the minimum priority of a BSCC state is even) or otherwise as bad, and running a standard reachability analysis w.r.t. the good BSCCs (see Figure 9 for an example). The remaining technical difficulty is that the transition probabilities of M_{∆×D} are not rational in general. We handle this using the fact that these probabilities are expressible in the ETR [EKM04].
We now present the formal proof. We use the following result about return probabilities of pPDA, which is originally due to [EKM04]:

Lemma 4.17 (as stated in [BEKK13, Theorem 2]). The return probabilities [pZ↓q] are expressible in ETR. More specifically, there exists an FO-formula Φ over (R, +, ·, ≤) which uses just existential quantifiers and free variables ⟨pZ↓q⟩_{p,q∈Q,Z∈Γ} such that Φ becomes a true FO-sentence iff each free variable ⟨pZ↓q⟩ is substituted by the actual return probability [pZ↓q]. Moreover, Φ can be effectively constructed in polynomial space.
Lemma 4.18. The next-step probabilities (i.e., the transition probabilities of the step chain) in Table 2 are expressible in ETR.
Proof. With Lemma 4.17 it suffices to note that ETR-expressible numbers are closed under addition, multiplication, and division. Let x, y ∈ R be expressed by ETR formulae Φ(x) and Φ′(y), respectively. Then the formula Φ″(z) := ∃x, y : Φ(x) ∧ Φ′(y) ∧ z = x + y, where z is a fresh variable, expresses the sum of x and y, and similarly for multiplication. For division, we have that Φ″(z) := ∃x, y : Φ(x) ∧ Φ′(y) ∧ z · y = x expresses x/y provided that y ≠ 0 (if y = 0 then Φ″ does not express a unique real number as it is then either unsatisfiable or trivial).
We now describe our PSPACE algorithm to prove Theorem 4.16.
Step 1. We first construct the product pVPA ∆ × D with priority function Ω′ as in Definition 4.1. By Lemma 4.2 it suffices to compute the probability that the footprint of a run in the product satisfies the parity condition induced by Ω′. The product ∆ × D can be constructed in polynomial time.
Step 2. We express the probability in (4.12) using the step chain M_{∆×D}. Let M ⊆ Q ∪ Q⊥ be the states of M_{∆×D}, where Q are the states of ∆ × D. Let Ω″ : M → N0 be the extension of Ω′ to the states of M via Ω″(q) = Ω″(q⊥) = Ω′(q) for all q ∈ Q. That is, Ω″ induces a parity acceptance set Parity_{Ω″} ⊆ M^ω which is ω-regular and thus measurable. Let ρ ∈ Runs_{∆×D}. Clearly, ρ↓_Steps ∈ Parity_{Ω′} iff ρ⇓_Steps ∈ Parity_{Ω″}. Thus by Lemma 4.15, the probability in (4.12) is equal to

P_{M_{∆×D}}(Parity_{Ω″}) ,

the probability that a run of the step chain M_{∆×D} satisfies the parity condition induced by Ω″. We have thus reduced the problem of computing a stair-parity acceptance probability in the product pPDA ∆ × D to computing a standard parity acceptance probability in the finite Markov chain M_{∆×D}.
The rest of the proof uses standard techniques and is similar to the proof of [EKM04, Theorem 5.15]. The main technical difficulty is that the transition probabilities of M_{∆×D} cannot be written in an explicit numerical form since they are in general irrational algebraic numbers.
Step 3. We construct the underlying graph G_{∆×D} of the step chain M_{∆×D}, i.e., we determine the set M of states and include a directed edge between states v, v′ ∈ M iff the probability of transition v → v′ is positive. Table 3 gives sufficient and necessary conditions for this in all cases (Table 3 can be seen as the "qualitative" version of Table 2). The conditions in Table 3 (as well as constructing the state space of M_{∆×D}) require checking whether [q↑] > 0 for states q of the product. The latter is equivalent to checking whether Σ_{r∈Q} [qZ↓r] < 1, which is reducible to ETR by Lemma 4.17 and hence decidable in PSPACE.
Step 4. We determine the bottom strongly connected components (BSCC) of G_{∆×D} from the previous step by a standard (efficient) graph analysis. We mark the BSCCs B ⊆ M such that min_{v∈B} Ω″(v) is even as "good", the others as "bad". It is well known that in the finite Markov chain M_{∆×D} it holds that P(ρ ∈ Parity_{Ω″} | ρ reaches a good BSCC) = 1 due to the long-run theorem of finite Markov chains: each state of a BSCC is visited infinitely often almost surely, provided that the BSCC is reached at all. Moreover, if a run ρ reaches a bad BSCC, then the probability to satisfy the parity condition is zero, and thus

P(ρ ∈ Parity_{Ω″}) = P(ρ ∈ Parity_{Ω″} | ρ reaches a good BSCC) · P(ρ reaches a good BSCC) = P(ρ reaches a good BSCC) .

Thus it only remains to compute the probability to reach a good BSCC in M_{∆×D}.
Step 5. We use the previous step to classify the states M of the step chain M_{∆×D} into three categories: M_{=0} contains all states from which no good BSCC is reachable in the graph G_{∆×D}, M_{=1} contains all states of good BSCCs, and M_? contains all other states. We recall that the probabilities to reach M_{=1} are the unique solution of the following linear equation system (see, e.g., [BK08, Ch. 10]):

x_v = 1 if v ∈ M_{=1},   x_v = 0 if v ∈ M_{=0},   x_v = Σ_{v′∈M} P(v, v′) · x_{v′} if v ∈ M_? ,

where P(v, v′) denotes the transition probabilities of M_{∆×D}. We can treat the vector of probabilities ⃗p and the variables ⃗x in this equation system as free variables of an ETR formula R(⃗p, ⃗x). By Lemma 4.18, there is an ETR formula Φ(⃗p) expressing ⃗p. The ETR formula ∃⃗p, ⃗x : Φ(⃗p) ∧ R(⃗p, ⃗x) ∧ x_{v0} ≥ θ is thus true iff the probability to reach a good BSCC from the initial state v0 ∈ M is at least θ. Truth of this formula can be decided in PSPACE, which concludes the proof of Theorem 4.16.
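For finite Markov chains whose transition probabilities are explicitly given rationals, Steps 4 and 5 can be carried out directly. The following Python sketch is our own illustration (not the paper's algorithm, which must work with ETR-encoded probabilities): it classifies BSCCs by the parity condition and approximates the reachability probability by value iteration instead of solving the linear system exactly.

```python
# Sketch of Steps 4-5 for a finite Markov chain with explicit rational
# transition probabilities. (The step chain of a pVPA has only
# ETR-definable probabilities, so the paper reasons symbolically instead.)

def sccs(succ):
    """Strongly connected components of {node: set_of_successors},
    via Kosaraju's algorithm."""
    order, seen = [], set()
    def dfs(u):
        seen.add(u)
        for v in succ[u]:
            if v not in seen:
                dfs(v)
        order.append(u)
    for u in succ:
        if u not in seen:
            dfs(u)
    rev = {u: set() for u in succ}
    for u in succ:
        for v in succ[u]:
            rev[v].add(u)
    comps, assigned = [], set()
    for u in reversed(order):          # collect SCCs on the reverse graph
        if u in assigned:
            continue
        comp, stack = set(), [u]
        while stack:
            x = stack.pop()
            if x not in assigned:
                assigned.add(x)
                comp.add(x)
                stack.extend(rev[x] - assigned)
        comps.append(comp)
    return comps

def prob_reach_good_bscc(P, prio, init, iters=10_000):
    """P: {state: {successor: probability}}, prio: {state: priority}.
    Approximates the probability that a run from init reaches a BSCC
    whose minimum priority is even ("good")."""
    succ = {u: {v for v, p in P[u].items() if p > 0} for u in P}
    good = set()
    for comp in sccs(succ):
        if all(succ[u] <= comp for u in comp):        # bottom: no edge leaves
            if min(prio[u] for u in comp) % 2 == 0:   # "good": min prio even
                good |= comp
    # Value iteration for reachability (the paper instead encodes the
    # corresponding linear equation system inside an ETR formula).
    x = {u: 0.0 for u in P}
    for _ in range(iters):
        x = {u: 1.0 if u in good else
                sum(p * x[v] for v, p in P[u].items()) for u in P}
    return x[init]
```

For instance, a chain where state a moves to b and c with probability 1/2 each, b has priority 0 and c has priority 1 (both with self-loops), yields reachability probability 1/2 from a.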
4.4. Implications for Probabilistic One-counter Automata. A probabilistic visibly one-counter automaton (pVOC) is the special case of a pVPA with unary stack alphabet, i.e., |Γ−⊥| = 1. For example, the pVPA in Figure 8 (left) is a pVOC. For many problems, better complexity bounds are known for pVOC than for the general case. In particular, the question whether [p↑] > 0, i.e., whether a pVOC started in state p never reaches counter value (or stack height) zero with positive probability, can be decided in P [BEKK13, Theorem 4]. We can exploit this to improve Theorem 4.16 in the pVOC case:

Corollary 4.19. Let ∆ be a pVOC and D be a stair-parity DVPA over pushdown alphabet Σ. The problem whether P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(D)}) = 1 is decidable in P.
Proof. The key observation is that, since we can efficiently decide whether [p↑] > 0, we can efficiently (in polynomial time) construct the underlying graph G_{∆×D} of the step chain of ∆ × D (as in the proof of Theorem 4.16), and then apply polynomial-time graph analysis algorithms to check whether only good BSCCs are reachable in G_{∆×D}.
Corollary 4.19 implies that there exist efficient algorithms for many properties of pVOC-expressible random walks on N0. In fact, almost-sure satisfaction of each fixed visibly pushdown property can be decided in P. For instance, using the DVPA from Figure 4 we can decide whether a random walk is repeatedly bounded with probability 1.

Model Checking against Büchi VPA and CaRet
With Theorems 2.8 and 4.16 it follows immediately that quantitative model checking of pVPA against non-deterministic Büchi VPA is decidable in EXPSPACE. We can improve the complexity in the qualitative case:

Theorem 5.1. Let ∆ be a pVPA and A be a (non-deterministic) Büchi VPA over the same pushdown alphabet. The problem whether P({ρ ∈ Runs_∆ | λ(ρ) ∈ L(A)}) = 1 is EXPTIME-complete.
Proof. The lower bound is due to [EY05, Theorem 8] and already holds for non-pushdown Büchi automata. We now describe an EXPTIME decision procedure:
• We first determinize A using Theorem 2.8, which is possible in time exponential in |A|.
Let D be the resulting stair-parity DVPA and consider the product ∆ × D (Definition 4.1). Note that the product can be constructed in polynomial time in |D| and |∆|, and thus in exponential time in the overall size of the input.
• The crucial observation for the next step is that [q↑] = [(q, s)↑] for all states (q, s) of ∆ × D. This holds because by definition of the product, D merely observes the runs of ∆, and thus the diverge probabilities of ∆ × D and ∆ are essentially the same. We compute the set Div_∆ = {q | [q↑] > 0} ⊆ Q, where Q are the states of ∆, in exponential time in |∆| using a PSPACE decision procedure for the ETR [EKM04]. Note that computing Div_{∆×D} = {(q, s) | [(q, s)↑] > 0} directly would take doubly-exponential time in |A|; the proposed "optimization" is thus essential for obtaining the EXPTIME upper bound.
• We now determine the set of triples Ret_{∆×D} = {(q, Z, p) | [qZ↓p] > 0} in ∆ × D. Unlike the diverge probabilities, this set can be computed in polynomial time in the size of ∆ × D (hence exponential in the size of the input), because we may disregard the exact transition probabilities and conduct a standard reachability analysis in a non-deterministic pushdown automaton [ABE18], see also [BEKK13, p. 136].
• The next step is to construct the underlying graph G_{∆×D} of the step chain M_{∆×D}, i.e., the directed graph that has the same vertices as M_{∆×D} and includes an edge (u, v) iff the 1-step transition probability from u to v is positive in the Markov chain. This can be done in polynomial time in |∆ × D| using the sets Div_∆ and Ret_{∆×D} defined above and Table 3.
• The final step is, as in Theorem 4.16, to determine the BSCCs of G_{∆×D}, classify them as good or bad according to whether they satisfy the (standard) parity condition inherited from D, and then check whether a bad BSCC is reachable from the initial state. All these steps can be done in polynomial time in |∆ × D|.
In the above result, membership in EXPTIME relies on the fact that one can construct the underlying graph of a step chain M ∆×D in time exponential in the size of ∆ but polynomial in the size of D. EXPTIME-hardness follows from [EY05, Theorem 8]. In fact, qualitative model checking of pPDA against non-pushdown Büchi automata is also EXPTIME-complete [EY05].
With Theorems 2.8 and 2.11 and Theorems 4.16 and 5.1 we immediately obtain the following complexity results for CaRet model checking:
Theorem 5.2. The quantitative and qualitative probabilistic CaRet model checking problems (Definition 3.5) are decidable in 2EXPSPACE and 2EXPTIME, respectively. Both problems are known to be EXPTIME-hard [YE05].

Conclusion
We have presented the first decidability result for model checking probabilistic pushdown automata, an operational model of recursive discrete probabilistic programs, against CaRet, or more generally, against the class of ω-VPL. We heavily rely on the determinization procedure from [LMS04, Theorem 1] and the notion of a step chain used in previous works [EKM04, KEM06]. These two constructions turn out to be a natural match.
We conjecture that the upper bounds from Theorem 5.2 are not tight, due to the exponential blow-up incurred by applying the VPA determinization from [LMS04, Theorem 1]. Future work is thus to investigate whether the doubly-exponential complexity can be lowered to singly-exponential, e.g., by generalizing the automata-less algorithm from [YE05]. Another open question is whether existing results [EY09, EKL10, SEY15] for approximately computing the probabilities [qZ↓r] can be used for approximate quantitative CaRet and ω-VPL model checking. We also plan to extend our recent work on certificates [WK23a, WK23b] to temporal and other logical properties. Such certificates can be approximate as well.
Other future work includes exploring to what extent algorithms for probabilistic CTL can be generalized to the branching-time variant of CaRet [GMN18], considering more expressive logics such as visibly LTL [BS18] or OPTL [CMP20], and studying the interplay of conditioning and recursion [SG12] through the lens of pPDA.

Figure 1: Recursive probabilistic program modeling the outbreak of an infectious disease. uniform(a, b) stands for the discrete uniform distribution on [a, b].

Figure 2: Example infection rates by age groups.

Figure 4: Left: An example VPA (in fact, a DVPA) with Γ = {Z, ⊥} over the input alphabet Σ = {c} ⊎ {τ} ⊎ {r}. Transitions labeled c, Z are call transitions that push Z onto the stack. The transitions labeled τ are internal transitions; they ignore the stack completely. Transitions labeled Z, r and ⊥, r are return transitions that are only enabled if Z (respectively ⊥) is on top of the stack. When executing Z, r, the symbol Z is popped from the stack. However, the special bottom-of-stack symbol ⊥ can never be popped (e.g., position 1 in the run). Right: The unique run of the DVPA on the input word τ r c τ τ c r c^2 r^2 c^3 r^3 ... Steps are underlined.
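To make the call/internal/return semantics described in the caption concrete, here is a minimal sketch of running a deterministic VPA. The transition encoding (the dictionaries `calls`, `internals`, `returns`) and the one-state automaton in the test are hypothetical stand-ins, not the DVPA of Figure 4; the sketch only illustrates that calls push a symbol, internal steps ignore the stack, and returns pop the top symbol unless it is the bottom symbol ⊥.

```python
BOT = "⊥"  # special bottom-of-stack symbol, never popped

def run_dvpa(word, init, calls, internals, returns):
    """Run a deterministic VPA on a finite word.
    calls:     (state, letter) -> (state', push_symbol)
    internals: (state, letter) -> state'           (stack ignored)
    returns:   (state, letter, top) -> state'      (top popped unless BOT)
    Each letter is exclusively a call, internal, or return letter
    (the visibility condition), which the dictionary lookups encode."""
    state, stack = init, [BOT]
    trace = [state]
    for a in word:
        if (state, a) in calls:            # call: push a stack symbol
            state, gamma = calls[(state, a)]
            stack.append(gamma)
        elif (state, a) in internals:      # internal: leave stack untouched
            state = internals[(state, a)]
        else:                              # return: read (and maybe pop) top
            top = stack[-1]
            state = returns[(state, a, top)]
            if top != BOT:
                stack.pop()
        trace.append(state)
    return trace, stack
```

On the illustrative word c τ r r, the final r fires the ⊥-return transition without popping, so the run ends with the stack containing only ⊥, mirroring the caption's remark that ⊥ can never be popped.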

Figure 9: Left: The product of the pVPA from Figure 8 (left) and the DVPA from Figure 4 on page 7. Right: Its step chain according to Definition 4.14. The dashed region is the only BSCC. It violates the parity condition Ω(s0) = 1 and Ω(s1) = 2 inherited from the DVPA (see Example 2.7 on page 8) since every run reaching the BSCC visits cs0 infinitely often with probability 1. Only reachable states are depicted. * is a placeholder that stands for an arbitrary stack symbol.

Table 1: Complexity results established in this paper. ω-VPL given in terms of ...

Left: A pVPA ∆ (labeling function omitted) with Γ = {⊥, Z}. Call and return states are drawn as squares and rhombs, respectively. Transitions labeled p, Z for p ∈ [0, 1] mean that with probability p the symbol Z is pushed. Transitions labeled X, p, for X ∈ Γ and p ∈ [0, 1], indicate that if X is on top of the stack, then the transition is taken with probability p (and X is popped if X ≠ ⊥). Note that the visibility restriction on pVPA enforces that a state may not have both outgoing push and outgoing pop transitions. Right: The infinite-state Markov chain D ∆ generated by ∆.

Table 2. The upcoming section is devoted to proving that the entries in the table are correct.

Lemma 4.10. The conditional next-step probabilities in Table 2 are correct in the sense that the sequence of extended states, whose i-th element is the extended state at the i-th step, has the Markov property. Since Q ∪ Q⊥ is a finite set, we can now use Lemma 4.10 to construct the underlying finite Markov chain explicitly.

Definition 4.14 (The Step Chain M ∆). M ∆ is the Markov chain with states