History-Register Automata

Programs with dynamic allocation are able to create and use an unbounded number of fresh resources, such as references, objects, files, etc. We propose History-Register Automata (HRA), a new automata-theoretic formalism for modelling and verifying such programs. HRAs extend the expressiveness of previous approaches and bring us to the limits of decidability for reachability checks. The distinctive feature of our machines is their use of unbounded memory sets (histories) where input symbols can be selectively stored and compared with symbols to follow. In addition, stored symbols can be consumed or deleted by reset. We show that the combination of consumption and reset capabilities renders the automata powerful enough to imitate counter machines, and in particular reset Petri nets, and yields closure under all regular operations apart from complementation. We moreover examine weaker notions of HRAs which strike different balances between expressiveness and effectiveness.


Introduction
Program analysis faces substantial challenges due to its aim to devise finitary methods and machines which are called to operate on potentially infinite program computations.A specific such challenge stems from dynamic generative behaviours such as, for example, object or thread creation in Java, or reference creation in ML.A program engaging in such behaviours is expected to generate a possibly unbounded amount of distinct, i.e. fresh, resources, each of which is assigned a unique identifier, a name.Hence, any machine designed for analysing such programs is expected to operate on an infinite alphabet of names.The latter need has brought about introducing automata over infinite alphabets in program analysis, starting from prototypical machines for mobile calculi [21] and variable programs [17], and recently developing towards automata for verification tasks such as equivalence checks of ML programs [22,23], context-bounded analysis of concurrent programs [7,3] and runtime program monitoring [13].
The literature on automata over infinite alphabets is rich in formalisms each based on a different approach for tackling the infiniteness of the alphabet in a finitary manner (see e.g.[28] for an overview).A particularly intuitive such model is that of Register Automata (RA) [17,24], which are machines built around the concept of an ordinary finite-state automaton attached with a fixed finite amount of registers.The automaton can store in its registers names coming from the input, and make control decisions by comparing new input names with those already stored.Thus, by talking about addresses of its memory registers rather than actual names, a so finitely-described automaton can tackle the infinite alphabet of names.Driven by program analysis considerations, register automata have been recently extended with feature of name-freshness recognition [30], that is, the capability of the automaton to accept specific inputs just if they are fresh -they have not appeared before during computation.Those automata, called Fresh-Register Automata (FRA), can account for languages like the following, which captures the output of a fresh-name generator (N is a countably infinite set of names).FRAs are expressive enough to model, for example, finitary fragments of languages like the π-calculus [30] or ML [22].
The freshness oracle of FRAs administers the automata to have some restricted access to the full history of the computation.In this work we further capitalise on the use of histories by effectively upgrading them to the status of registers.That is, in addition to registers, we equip our automata with a fixed number of unbounded sets of names (histories) where input names can be stored and compared with names to follow.As histories are internally unordered, the kind of name comparison we allow for is name belonging (does the input name belong to the i-th history?).Moreover, names can be selected and removed from histories, and individual histories can be reset altogether.We call the resulting machines History-Register Automata (HRA).
The above generalisations greatly strengthen the expressive power of our machines.For example, different input names may be stored in distinct histories and checked for different properties.Moreover, individual names can be removed from histories, thus allowing us to express consumption of resources.More specifically, we identify three distinctive features of HRAs: (a) The capability to reset histories, which captures languages like for some fixed name a 0 .(b) The use of multiple histories, which allows one to express (c) The capability to select and remove individual names from histories, which allows us to express The above examples, neither of which are FRA-recognisable, are used here to demonstrate the limitations of FRAs: although the latter are sufficiently powerful for expressing the semantics of programs with generative effects, they fall short of providing a satisfactorily rich verification toolkit for them.We cannot (a) Kleeneclose FRAs (actually, not even concatenate them), (b) interleave them nor (c) use them to express non-freshness or consumption of names.
Let us further expand on point (c).The language L 3 captures a paradigmatic scenario of a name generator followed by a name consumer: each consumed name a ′ i must have been created first (non-freshness), and no name can be consumed twice.The language is decided by the following automaton with one history.
The automaton starts from state q 0 with empty history and, for each input name a, if a does not appear in the history, it accepts a, stores it in the history and goes back to q 0 . 1 Alternatively, the automaton can make an ǫ-transition to consumption mode, i.e. to state q 1 .There, for each input name a, if a already appears in the history, the automaton accepts a, removes it from the history and goes back to q 1 . 2Thus, at q 0 the automaton acts as a name generator and at q 1 as a name consumer.
Apart from the gains in expressive power, the passage to HRAs yields a more well-rounded automata-theoretic formalism for generative behaviours as these machines enjoy closure under all regular operations apart from complementation (union, intersection, concatenation, Kleene star).On the other hand, the combination of the aforementioned features (a-c) of HRAs enable us to use histories as counters and simulate counter machines.We therefore obtain nonprimitive recursive bounds for checking language emptiness.Given that language containment and universality are undecidable already for register automata [24], HRAs are fairly close to the decidability boundary for properties of languages over infinite alphabets.Nonetheless, starting from HRAs and weakening them in each of the first two enumerated factors (a,b) we obtain automata models which are still highly expressive but computationally more tractable.Overall, the expressiveness hierarchy of the machines we examine is depicted in Figure 1 (weakening in (a) and (b) respectively occurs in the second column of the figure).

Motivation and related work
The motivation behind this work stems from semantics and verification.In semantics, the use of names to model resource generation originates in the work of Pitts and Stark on the ν-calculus [25] and Stark's PhD thesis [29].Names have subsequently been incorporated in the semantics literature (see, for example [15,4,1,18]), especially after the advent of Nominal Sets [12] which provided formal foundations for doing mathematics with names.Recent work in game semantics in particular has produced algorithmic representations of game models 1 Thus, the "∅" in the loop label means that a does not appear in any history, and the "1" that, once accepted, a should be added to history number 1 (the only history of the automaton in this case). 2Thus, the "1" in this transition label means that a already appears in history 1, and the "∅" that, once accepted, a should appear in no history.using extensions of fresh-register automata [22,23], thus achieving automated equivalence checks for fragments of ML.In a parallel development, a research stream on automated analysis of dynamic concurrent programs has developed essentially the same formalisms, this time stemming from basic operational semantics [7,3].This confluence of different methodologies is exciting and encourages the development of stronger automata for a wider range of verification tasks, and just such an automaton we propose herein.

HRA
Although our work is driven by program analysis, the closest existing automata models to ours come from XML database theory and model checking.Research in the latter area has made great strides in the last years on automata over infinite alphabets and related logics (e.g.see [28] for an overview from 2006).As we show in this paper, history-register automata fit very well inside the big picture of automata over infinite alphabets (cf. Figure 1) and in fact can be seen as a variant of Data Automata (DA) [6] or, equivalently Class Memory Automata (CMA) [5].This fit leaves space for transfer of technologies and, more specifically, of the associated logics of data automata.

Overview
The next section introduces HRAs and looks into examples and some first properties.In Section 3 we examine regular closure properties of HRAs and in Section 4 we prove decidability for emptiness.In Section 5 we introduce weaker models and in Section 6 we connect HRAs to existing automata formalisms.We conclude by discussing future directions which emanate from this work.

Definitions and first properties
We start by fixing some notation.Let N be a countably infinite alphabet of names, which we range over by a, b, c, etc.For any pair of natural numbers i ≤ j, we write [i, j] for the set {i, i+1, • • • , j}, and for each i we let [i] be the set {1, • • • , i}.For any set S, we write |S| for the cardinality of S, P(S) for the powerset of S, P fn (S) for the set of finite subsets of S, and P =∅ (S) for the set of non-empty subsets of S. We write id : S → S for the identity function on S, and img(f ) for the image of f : S → T .
We define automata which are equipped with a fixed number of registers and histories where they can store names.Each register is a memory cell where one name can be stored at a time; each history can hold an unbounded set of names.We use the term place to refer to both histories and registers.
Transitions are of two kinds: name-accepting transitions and reset transitions.Those of the former kind have labels of the form (X, X ′ ), for sets of places X and X ′ ; and those of the latter carry labels with single sets of places X.A transition labelled (X, X ′ ) means: accept name a if it is contained precisely in places X, and update places in X and X ′ so that a be contained precisely in places X ′ after the transition (without touching other names).
By a being contained precisely in places X we mean that it appears in every place in X, and in no other place.In particular, the label (∅, X ′ ) signifies accepting a fresh name (one which does not appear in any place) and inserting it in places X ′ .On the other hand, a transition labelled by X resets all the places in X, that is, updates each to be the empty set.Reset transitions do not accept names; they are ǫ-transitions from the outside.Note then that the label (X, ∅) has different semantics from the label X: the former stipulates that a name appearing precisely in X be accepted and then removed from X; whereas the latter clears all the contents of the places in X, without accepting anything.Formally, let us fix positive integers m and n which will stand for the default number of histories and registers respectively in the machines we define below.The set Asn of assignments and the set Lab of labels are: For example, {(i, ∅) | i ∈ [m+n]} is the empty assignment.We range over elements of Asn by H and variants, and over elements of Lab by ℓ and variants.Moreover, it will be handy to introduce the following notation for assignments.For any assignment H and any a ∈ N , S ⊆ N and X ⊆ [m+n]: -We set H@X to be the set of names which appear precisely in places X in is the update of H which removes name a from all places and inserts it back in X, that is, for all i: Note above that operation H[a in X] acts differently in the case of histories (i ≤ m) and registers (i > m) in X: in the former case, the name a is added to the history H(i), while in the latter the register H(i) is set to {a} and its previous content is cleared.
We can now define our automata.
Definition 1.A history-register automaton (HRA) of type (m, n) is a tuple A = Q, q 0 , H 0 , δ, F where: -Q is a finite set of states, q 0 is the initial state, F ⊆ Q are the final ones, -H 0 ∈ Asn is the initial assignment, and For brevity, we shall call A an (m, n)-HRA.
We write transitions in the forms q X,X ′ −→ q ′ and q X −→ q ′ , for each kind of transition labels.In diagrams, we may unify different transitions with common source and target, for example q X,X ′ −→ q ′ and q Y,Y ′ −→ q ′ may be written q X,X ′ / Y,Y ′ −−−−−−−→ q ′ ; moreover, we shall lighten notation and write i for the singleton {i}, and ij for {i, j}.
We already gave an overview of the semantics of HRAs.This is formally defined by means of configurations representing the current computation state of the automaton.A configuration of A is a pair (q, H) ∈ Q, where: From the transition relation δ we obtain the configuration graph of A as follows.
x = a ∈ N and there is q x = ǫ and there is q The language accepted by A is: Note that we use ǫ both for the empty sequence and the empty transition so, in particular, when writing sequences of the form x 1 • • • x n we may implicitly consume ǫ's.
The automaton starts by accepting a 0 , leaving it in register 2, and moving to state q 1 .There, it loops accepting fresh names (appearing in no place) which it stores in history 1.From q 1 it goes back to q 1 by resetting its history.
We can also see that the following HRAs, of type (2, 0) and (1, 0), accept the languages L 2 and L 3 respectively.
Both automata start with empty assignments.
A Register Automaton (RA) of n registers is a (0, n)-HRA with no reset transitions.
Thus, in an FRA all the initial names must appear in its history, and the same holds for all the names the automaton accepts during computation (1 ∈ X ′ ).As, in addition, no reset transitions are allowed, the history effectively contains all names of a run.On the other hand, the automaton cannot recognise nonfreshness: if a name appearing only in the history is to be accepted at any point then a totally fresh name can be also be accepted in the same way.Now, from [30] we have the following.Lemma 5.The languages L 1 , L 2 and L 3 are not FRA-recognisable.
Proof.L 1 was explicitly examined in [30].For L 2 and L 3 we use a similar argument as the one for showing that L 0 * L 0 is not FRA-recognisable [30] .
⊓ ⊔ Bisimulation Bisimulation equivalence, also called bisimilarity, is a useful tool for relating automata, even from different paradigms.It implies language equivalence and is generally easier to reason about than the latter.We will be using it avidly in the sequel.
R is called a bisimulation if both R and R −1 are simulations.We say that A 1 and A 2 are bisimilar, written A 1 ∼ A 2 , if there is a bisimulation R such that ((q 01 , H 01 ), (q 02 , H 02 )) ∈ R.
The following is a standard result.
As a first taste of HRA reasoning, we demonstrate a technique for simulating registers by histories in HRAs.The idea is to represent a register by a history whose size is always kept at most 1.There are, however, some technicalities.To ensure that histories are effectively kept in size ≤ 1 they must be cleared before inserting names.This in turn complicates the conditions dictating when a transition can be taken as such conditions may depend on the deleted names.Proposition 8. Let A = Q, q 0 , H 0 , δ, F be an (m, n)-HRA.There is an (m+2n, 0)- Proof.To each of the n registers of A we assign a pair of histories in A ′ .The reason we need two copies of each register is so that, for each transition with label (X, X ′ ), we use one copy for the name comparisons needed for the X part of the label (old copy), and the other copy for the assignments dictated by X ′ (new copy).Note that assigning names in the same copy would mean that our histories would grow to sizes greater than 1.After the assignment, the old copies of X and X ′ are garbage.The correspondence is completed by pre-composing each such transition with a reset of all garbage.Formally, A ′ = Q ′ , q ′ 0 , H ′ 0 , δ ′ , F ′ where elements of Q ′ are of the form (q, f ) with q ∈ Q and f : [m+1, m+n] → [m+1, m+2n] is such that, for each i, f (i) ∈ {i, i+n}. 4The role of f is to record which copy of the two registers is currently used.We set f to be the complement of f , that is, the function defined by f Finally, we include in δ ′ precisely the following transitions.
-For each q The above reduction makes substantial use of reset transitions and of transitions which move names between histories.As shown in [5], it is possible to express register behaviour with histories and without resets, using a so called colouring technique.The latter is demonstrated in Example 25 of Section 6 but we do not have a general concrete reduction for HRAs.More In generally, though, the technique obscures the intuition of registers and produces automata which need close examination even for simple languages like the one which contains all words a 1 • • • a n such that a i = a i+1 for all i (see Example 25).As, in addition, it is not applicable to the weaker unary HRAs we examine in Section 5, we preferred to explicitly include registers in HRAs.Another design choice regards the use of sets of places in transitions instead e.g. of single places.Although the latter description would lead to an equivalent and probably conciser formalism, it would be inconvenient for combining HRAs e.g. in order to produce the intersection of their accepted languages.In fact, our formulation follows M-automata [17], an equivalent presentation of RAs susceptible to closure constructions.
Determinism We close our presentation here by describing the deterministic class of HRAs.We defined HRAs in such a way that, at any given configuration (q, H) and for any input symbol a, there is at most one set of places X that can match a, i.e. such that a ∈ H@X.As a result, the notion of determinism in HRAs can be ensured by purely syntactic means.Below we write q Definition 9. Let A be an HRA.We say that A is deterministic if, for any reachable configuration q and any name a, if Lemma 10.If A is strongly deterministic then it is deterministic.

Closure properties
History-register automata enjoy good closure properties with respect to regular language operations.In particular, they are closed under union, intersection, concatenation and Kleene star, but not closed under complementation.
In fact, the design of HRAs is such that the automata for union and intersection come almost for free through a straightforward product construction which is essentially an ordinary product for finite-state automata, modulo reindexing of places to account for duplicate labels (cf.[17]).The constructions for Kleene star and complementation are slightly more involved.We shall need the following technical gadget, which is fully presented in Appendix B. Given an (m, n)-HRA A and a sequence w of k distinct names, we construct a bisimilar (m, n+k)-HRA, denoted A fix w, in which the names of w appear exclusively in the additional k registers, which, moreover, remain unchanged during computation.The construction will allow us, for instance, to create feedback loops in automata ensuring that after each feedback transition the same initial configuration occurs.
Lemma 11.Let A be an (m, n)-HRA with initial assignment H 0 and w = a 1 • • • a k a sequence of distinct names.We can effectively construct an (m, n+k)- for all reachable configurations (q, H) of A fix w and all i > m+n, H(i) = H ′ 0 (i).We can now show the following.
Proposition 12. Languages recognised by HRAs are closed under union, intersection, concatenation and Kleene star.
Proof.We show concatenation and Kleene star only.For the former, consider and assume wlog that they have common type (m, n).Let w be an enlistment of all names in H 02 and construct is the language recognised by connecting A ′ 1 and A ′ 2 serially, that is, the automaton obtained by connecting each final state of A ′ 1 to the initial state of A ′ 2 with a transition labelled [m+n], and with initial/final states those of A ′ 1 /A ′ 2 respectively.Finally, given an (m, n)-HRA A and an enlistment w of its initial names, we construct an automaton A ′ by connecting the final states of A fix w to its initial state with a transition labelled [m+n].We can see that In the next section we shall see that, while universality is undecidable for HRAs, their emptiness problem can be decided by reduction to coverability for transfer-reset vector addition systems.In combination, these results imply that HRAs cannot be effectively complemented.In fact, the following holds.
Lemma 13.HRAs are not closed under complementation.
The proof is in the following example, adapted from [20].
Example 14.Consider the following language and its complement.
The automaton non-deterministically selects an input name which either appears only once in the input or at least three times.However, L 4 is not HRA-recognisable.For suppose it were recognisable (wlog) by an (m, 0)-HRA A with k states.Then, A would accept the word where all a i 's are distinct and do not appear in the initial assignment of A.
Let p = p 1 p 2 be the path in A through which w is accepted, with each p i corresponding to one of the two halves of w.Since all a i s are fresh for A, the non-reset transitions of p 1 must carry labels of the form (∅, X), for some sets X.
Let q be a state appearing twice in p 1 , say p 1 = p 11 (q)p 12 (q)p 13 .Consider now the path p ′ = p ′ 1 p 2 where p ′ 1 is the extension of p 1 which repeats p 12 , that is, p ′ 1 = p 11 (q)p 12 (q)p 12 (q)p 13 .We claim that p ′ is an accepting path in A. Indeed, by our previous observation on the labels of p 1 , the path p ′ 1 does not block, i.e. it cannot reach a transition q 1 X,Y − −− → q 2 , with X = ∅, in some configuration (q 1 , H 1 ) such that H 1 @X = ∅.We need to show that p 2 does not block either (in p ′ ).Let us denote (q, H 1 ) and (q, H 2 ) the configurations in each of the two visits of q in the run of p on w; and let us write (q, H 3 ) for the third visit in the run of p ′ 1 , given that for the other two visits we assume the same configurations as in p.Now observe that, for each non-empty X ⊆ [m], repeating p 12 cannot reduce the number of names appearing precisely in X, therefore |H 2 @X| ≤ |H 3 @X|.The latter implies that, since p does not block, p ′ does not block either.Now observe that any word accepted by w ′ is not in L 4 , as p ′ 1 accepts more than k distinct names, a contradiction.

Emptiness and Universality
We now turn to the question of checking emptiness.The use of unbounded histories effectively renders our machines into counter automata: where a counter automaton would increase (or decrease) a counter, an HRA would add (remove) a name from one of its histories, or set of histories.Nonetheless, HRAs cannot decide their histories for emptiness, which leaves space for decidability. 5The capability for resetting histories leads us to consider Transfer-Reset Vector Addition Systems [8,2] (i.e.Petri nets with reset and transfer arcs) as equivalent formalisms for checking emptiness.
A Transfer-Reset Vector Addition System (TR-VASS) of m dimensions will be a tuple A = Q, δ where Q a set of states and a transition relation.Each dimension of A corresponds to an unbounded counter.Thus, a transition of A can either update its counters by addition of a vector v ∈ {−1, 0, 1} m , or transfer the value of one counter to another, or reset some counter.
Formally, a configuration of A is a pair (q, v) ∈ Q × N m consisting of a state and a vector of values stored in the counters.The configuration graph of A is constructed by including an edge (q, v) where we write v i for the ith dimension of v, and v[i → v ′ ] for the update of v where the i-th counter is set to v ′ .An R-VASS is a TR-VASS without transfer transitions.
The control-state reachability problem for TR-VASSs is defined as follows.Given a TR-VASS A of m dimensions, a configuration (q 0 , v 0 ) and a state q, is there some v ∈ N m such that (q 0 , v 0 ) → → (q, v)?In such a case, we write (A, q 0 , v 0 , q) ∈ Reach.
We next reduce HRA emptiness to TR-VASS control-state reachability.By Proposition 8, we can consider HRAs without registers.Below we write 0 for the vector 0 Proposition 16.Emptiness is decidable for HRAs.
Proof.For each (m, 0)-HRA A = Q.q 0 , H 0 , δ, F , we construct a TR-VASS A ′ with 2 m dimensions: one dimension X for each X ⊆ [m].The dimension ∅ will be simply garbage collecting.We assign to each state of A a corresponding state in A ′ .Moreover, We also add in A ′ a state q F and transitions q 0 − → q F for each q ∈ F , and set A ′ simulates the behaviour of A so that, whenever A is at a configuration (q, H), A ′ is at a configuration (q, v) such that, for all non-empty X ⊆ [m], |H@X| = v X .The transitions above capture exactly that.At a transition label (X, X ′ ), a name appearing precisely in X is moved precisely to X ′ .On the other hand, the effect of a reset label X is more complicated: all names appearing precisely in some set of places X i such that X i ∩ X = ∅ will see themselves transferred precisely to X i \ X.We have that L(A) = ∅ iff there is an accepting run of A, that is, a run from the initial to some final configuration which does not block, i.e. it does not reach a transition q X,Y −→ q ′ in some configuration (q, H) such that |H@X| = 0. Equivalently, L(A) = ∅ iff (A ′ , q 0 , v 0 , q F ) ∈ Reach.Now we use Fact 15.
⊓ ⊔ Doing the opposite reduction we can show that emptiness of even strongly deterministic HRAs is non-primitive recursive.In this direction, each R-VASS of m dimensions is simulated by an (m, 0)-HRA so that the value of each counter i of the former is the same as the number of names appearing precisely in history i of the latter.
Proposition 17. Checking emptiness of strongly deterministic HRAs is nonprimitive recursive.
Proof.Let A be an R-VASS of m dimensions such that, for each transition q v −→ q ′ , the number of non-zero dimensions of v is 1.Moreover, suppose A is deterministic in the following sense.For each state q and transitions q t1 −→ q 1 and q By [27], control-state reachability for such R-VASSs is non-primitive recursive. 6et (A, q 0 , v 0 , q F ) be such an instance.We construct a strongly deterministic (m, 0)-HRA A ′ where each counter i of A corresponds to the i-th history of A ′ .For each i, j we write i ⊕ j for i + j mod m, and i ⊖ j for i − j mod m.For each dimension i with v 0i = n, we pick names a i , a i 1 , • • • , a i n , all pairwise distinct.The names a i 1 , • • • , a i n will be used for representing the value n.On the other hand, each a i will be used in reset transitions in order to ensure determinacy.We write ī for the set {i ⊖ 1, i, i ⊕ 1}.Thus, the initial assignment for A ′ is given by: For all other sets X, H@X = ∅.We let q 0 and q F be the initial state and final states of A ′ respectively.Moreover, we map each transition a sequence of transitions: The effect of the above is to remove all names appearing precisely in history i, and proceed with a three-name code which distinguishes this reset from any other transition and restores the missing a j s from history i.Note that the determinacy of A combined with the way we translate reset transitions, imply strong determinacy of A ′ .We can see that A ′ simulates the behaviour of A by storing the value of each counter i as the number of names appearing exactly in its history i.Hence, (A, q 0 , v 0 , q We now turn to the questions of universality and language containment.Note first that our machines directly inherit undecidability of these properties from register automata [24].
Nonetheless, as we next show, the above properties are decidable in the deterministic case.In order to simplify our analysis, we shall be reducing HRAs to the following compact form where ǫ-transitions are incorporated inside nameaccepting ones.As we show below, no expressiveness is lost by this packed form.
A packed (m, 0)-HRA is a tuple A = Q, q 0 , δ, H 0 , F defined exactly as an (m, 0)-HRA, with the exception that now: The semantics of such a transition is the same as that of a pair of transitions q an ordinary HRA.Formally, configurations of packed HRAs are pairs (q, H), like in HRAs, and the configuration graph of a packed HRA A like the above is constructed as follows.We set (q, H) Lemma 19.Let A be an (m, 0)-HRA.There is a packed (m, 0)-HRA A ′ such that A ∼ A ′ .

⊓ ⊔
We shall decide language containment via complementation.In particular, given a deterministic packed HRA A, the automaton A ′ accepting the language N \L(A) can be constructed in the analogous way as for deterministic finite-state automata, namely by obfuscating the automaton with all missing transitions and swapping final with non-final states.Finding the missing transitions is easy: for each state q and each set X such that there is no transition of the form q Y ;X\Y,X ′ − −−−−−− → q ′ in A, we add a transition q ∅;X,∅ −−−→ q F to some sink final state q F .Lemma 20.Deterministic packed HRAs are closed under complementation.
Proof.Let A = Q, q 0 , δ, H 0 , F be a packed (m, 0)-HRA.Following the above rationale, we construct a packed (m, 0)-HRA A ′ = Q ⊎ {q F }, q 0 , δ ∪ δ ′ , H 0 , F ′ , where F ′ = {q F } ∪ (Q \ F ) and δ ′ is given as follows.For each q ∈ Q and all X such that there is no q . Otherwise, if s = s ′ as ′′ with a the point where a transition to the sink state is taken then, upon acceptance of s ′ by A, a appears precisely in some histories X such that A has no transition to accept a at that point.Thus, s / ∈ L(A).Conversely, if s ∈ N * \ L(A) then either s induces a configuration in A which does not end in a final state, or s = s ′ as ′′ where s ′ is accepted by A but at that point a is not a possible transition.We can see that, in each case, s ∈ L(A ′ ).⊓ ⊔ Combining the above with the product construction, and using Proposition 16 and the fact that language emptiness can be reduced to language containment, we obtain the following.
Proposition 21.Language containment and universality are decidable for deterministic HRAs, with non-primitive recursive complexity.

Weakening HRAs
The complexity of HRAs is too high for practical verification purposes.For example, deciding emptiness requires complexity which is not primitive recursive.It is therefore useful to seek for restrictions thereof which allow us to express meaningful properties and, at the same time, remain at feasible complexity.As the complexity of HRAs stems from the fact that they can simulate computations of R-VASSs, our strategy for producing weakenings is to restrict the functionalities of the corresponding R-VASSs.We follow two directions: (a) We remove reset transitions.This corresponds to removing counter transfers and resets and drops the complexity of control-state reachability to exponential space.(b) We restrict the number of histories to just one.We thus obtain polynomial space complexity as the corresponding counter machines are simply onecounter automata.This kind of restriction is also a natural extension of FRAs with history resets.
Observe that each of the aspects of HRAs targeted above correspond to the distinctive features (a,b) we identified in the Introduction, witnessed by the languages L 1 and L 2 respectively.We shall see that each restriction leads to losing the corresponding language.
Our analysis on emptiness for general HRAs from Section 4 is not applicable to these weaker machines as we now need to take registers into account: the simulation of registers by histories is either not possible or not practical for deriving satisfactory bounds.A direct analysis is therefore necessary.
Solving emptiness for each of the weaker versions of HRAs will involve reduction to the name-free algorithmic setting of a counter machine.In both cases, the reduction shall follow the same concept of simulating computations with names symbolically.We present the method in full rigour in Appendix A and specialise it for each of the weaker HRAs.

Non-reset HRAs
We first weaken our automata by disallowing resets.We show that the new machines retain all their closure properties apart from Kleene-star closure.The latter is concretely manifested in the fact that language L 1 of the Introduction is lost.On the other hand, the emptiness problem reduces in complexity to double exponential space, or exponential space for machines with histories only.
We call such a machine a non-reset (m, n)-HRA.In an analogous fashion, a VASS of m dimensions (an m-VASS ) is an R-VASS with no reset transitions.For these machines, control-state reachability is significantly less complex.
Closure properties Of the closure constructions of Section 3 we can see that union and intersection readily apply to non-reset HRAs.On the other hand, concatenation does use a reset but it can be avoided.More specifically, we add empty transitions from the final states of A ′ 1 to the initial state of a version of A ′ 2 which keeps the placed used by A ′ 1 untouched and uses its own separate copy of places, obfuscating its own transitions so as to capture accidental matchings of the legacy names of A ′ 1 .Unfortunately, this solution cannot be used for Kleene closure as in each loop the automaton needs to find a fresh copy of its initial configuration, and be able to use it (in the previous construction, the final assignment of A ′ 1 is lost).In fact, using an argument similar to that of [5, Proposition 7.2], we can show that the language L 1 is not recognised by non-reset HRAs and, hence, the latter are not closed under Kleene star.Finally, note that the HRA constructed for the language L 4 in Example 14 is a non-reset HRA, which implies that non-reset HRAs are not closed under complementation.
Emptiness We next reduce emptiness for non-reset HRAs to control-state reachability for VASSs, using the symbolic construction from Appendix A. The reduction works by mapping each non-empty subset of [m] to a VASS counter.This produces a VASS of exponential size, and of square size if the original non-reset HRA contained no registers.The latter discrimination is due to the fact that in the general case the status of registers needs to be embedded inside states.For the converse direction, we reduce reachability for a VASS of 2 m −1 counters to emptiness for an (m, 0)-automaton: we map each counter to a non-empty subset of [m]. 7roposition 24.Emptiness checking for non-reset HRAs is in 2-ExpSpace.For non-reset HRAs without registers, it is ExpSpace-complete.
Example 25.It is easy to see that the following language is recognised by the (0, 1)-HRA on the left below.What is perhaps not as clear is that the (2, 0)-HRA on the right, call it A, accepts the same language.
Note first that, by construction, it is not possible for A to accept the same name in two successive transitions: if we write (X, X ′ ) for the labels of incoming transitions to q 0 and (Y, Y ′ ) for the outgoing, we cannot match any X ′ with some Y , and similarly for q 1 .This shows L(A) ⊆ L 5 .To prove the other inclusion, we need to show that for every word w = a 1 • • • a n ∈ L 5 there is an accepting run in A. For this, it suffices to find a sequence ℓ 1 , • • • , ℓ n of labels from the set {(∅, 1), (∅, 2), (1, 1), (1, 2), (2, 1), (2, 2)}, say (ℓ i = (X i , X ′ i ), satisfying: 1.For any i, X ′ i = X i+1 .2. If a i = a j , i < j, and for no i < k < j do we have a i = a k then X ′ i = X j .3. For any i, if a i = a j for all j < i then X i = ∅.
The first condition ensures that the sequence corresponds to a valid transition sequence in A, and the other two that the sequence accepts the word w = a 1 • • • a n .Conditions 1 and 2 determine dependencies between the choices of left and right components in ℓ i s.Let us attach to w dependency pointers as follows: attach a pointer of type 1 (dependency right-to-left) from each a i to its next occurrence in w, say a j ; from each a i+1 attach a type 2 pointer (dependency left-to-right) to a i .Now note that, as there is no cycle in w which alternates between type 1 and type 2 pointers, it is always possible to produce a valid sequence ℓ 1 , • • • , ℓ n .
We now show the general result.We assume automata with their registers initially empty -the general case can be captured by first applying a construction like A fix w of Lemma 11 (the lemma introduces new registers for storing the initial names, but we can as well use new histories for the same purpose).The proof is presented in Appendix B.

Unary HRAs
Our second restriction concerns allowing resets but bounding the number of histories to just 1.Thus, these automata are closer to the spirit of FRAs and, in fact, extend them by rounding up their history capabilities.We show that these automata require polynomial space complexity for emptiness and retain all their closure properties apart from intersection.The latter is witnessed by failing to recognise L 2 from the Introduction.We can see that extending this example to multiple interleavings we can show that intersection is in general incompatible with bounding the number of histories.In other words, unary HRAs are extensions of FRAs where names can be selectively inserted or removed from histories and, additionally, histories can be reset.These capabilities give us in fact a strict extension.
Example 28.The automata used in Example 3 for L 1 ans L 3 were unary HRAs.Note that neither of these languages is FRA-recognisable.On the other hand, the language L 2 is not recognisable by unary HRAs.For suppose L 2 = L(A) for some unary HRA A of n registers and let there is a path, say p, in A which accepts w.We divide p as p 1 p 2 with p 2 accepting the second half of w.Let p = p1 p2 be the corresponding configuration path and let (q ′ , H ′ ) be the first configuration in p2 .We set and do a case analysis on the labels of the form (X, X ′ ) which appear in p 2 and accept names from S. Since names in S do not appear in any H ′ (i), for i > 0, it must be that each such X is either {1} or ∅.We have the following cases.
-There are two such labels, say ({1}, X i ) and ({1}, X j ), accepting names a i and b j respectively.But this would imply that A also accepts w ′ , where w ′ is w with these occurrences of a i and b j swapped, contradicting L(A) = L 2 (as w ′ / ∈ L 2 ).-There are two such labels, say (∅, X i ) and (∅, X j ), accepting names a i and b j respectively.In order for A not to accept w ′ (w ′ as above), it is necessary that a reset transition with label Y ∋ 1 occurs between the two transitions.Suppose i < j.Then, since k > n, there is a name a i ′ which does not appear in any place after clearing Y .Thus, (∅, X j ) can accept a i ′ and complete the path p by accepting a word w ′ / ∈ L 2 .Dually if j ≤ i. -Each a i ∈ S is accepted by a label ({1}, X ′ ), and each b j ∈ S by a label (∅, X ′ ).Let a i ∈ S be the last such accepted in p 2 .This means that the rest of the path has length at most 2n.Therefore, since k > n, there is a b j ∈ S accepted in p 2 before a i .Let (q, H) be the configuration just before accepting b j .In order for A not to accept any a i ′ at that point, it must be that all a i ′ ∈ S appear in H. Since |S| > n + 1, there exists a i ′ ∈ H(1) ∩ S such that a i ′ = a i .But then, the transition accepting a i can accept a i ′ instead and lead to acceptance of a word w ′ ∈ L 2 .
We therefore reach a contradiction in every case.

Closure properties
The closure constructions of Section 3 readily apply to unary HRAs, with one exception: intersection.For the latter, we simply observe that , where A 1 and A 2 are the following unary (1, 0)-HRAs, with empty initial assignments.
We can see that their corresponding languages are: On the other hand, unary HRAs are not closed under complementation as one can construct unary HRAs accepting L(A 1 ) and L(A 2 ), and then take their union to obtain a unary HRA for L 2 .
Emptiness In the case of just one history, the results on TR-VASS reachability [27,10] we used in Section 4 provide rather rough bounds.It is therefore useful to do a direct analysis.We examine control-state reachability for R-VASSs of 1 dimension.Note that these machines can be seen as close relatives to several other formalisms, like one-counter automata or pushdown automata on a one-letter alphabet.To the best of our knowledge, though, there has been no direct attack of state reachability for R-VASSs of 1 dimension.Our analysis below (proof in Appendix B) yields square minimal-path length.
Lemma 29.Control-state reachability for R-VASSs of dimension 1 can be decided in Space(log 2 N ).
We can now proceed with our main result for unary HRAs.Each such automaton A will be reduced to an R-VASS A ′ with one counter, following the method presented in Appendix A.
Proposition 30.Emptiness of unary HRAs can be decided in Space((N log N ) 2 ).
Proof.Let A = Q, q 0 , H 0 , δ, F be a unary HRA of n registers and let N = A .Following the construction from Appendix A we obtain a simulating R-VASS A ′ = Q ′ , δ ′ with 1 counter such that L(A) = ∅ iff there is (q, φ) with q ∈ F such that (A ′ , (q 0 , Σ(H 0 )), |H 0 (1)|, (q, φ)) ∈ Reach.By Lemma 29, the latter can be decided in squared logarithmic space.Note that this does not require actually constructing A ′ : we can apply the algorithm of Lemma 29 on the fly, using only the space required for running it.Moreover, we can run each instance (for different (q, φ)'s) in the same space.Now, since there is only one history, the induced size of A ′ is relatively smaller.In particular, setting ⊓ ⊔

Connections with existing formalisms
We have already seen that HRAs strictly extend FRAs.In this section we shall draw connections between HRAs and an automata model over infinite alphabets in the limits of decidability, called Data Automata (DA), introduced in [6] in the context of XML database theory and model checking.DAs operate on data words, that is, over finite sequences of elements from S × N , where S is a finite set of data tags and N incarnates an infinite set of data values (but we shall call them names).A DA operates in two stages which involve a transducer automaton and a finite-state automaton respectively.Both automata operate on the tag projection of the input word, with the second-stage automaton focussing on data tags accompanied by the same data value.
For the rest of our discussion we shall abuse data words and treat them simply as strings of names, neglecting data tags.This is innocuous since there are straightforward translations between the two settings. 8An equivalent formalism to DAs which is closer to our framework is the following [5].
of final states and the transition relation is of type δ : Q×(Q∪{⊥}) → P(Q).Moreover, φ 0 is an initial class memory function, that is, a function φ : The semantics of a CMA A like the above is given as follows.Configurations of A are pairs of the form (q, φ), where q ∈ Q and φ a class memory function.The configuration graph of A is constructed by setting (q, φ) . The initial configuration is (q 0 , φ 0 ), while a configuration (q, φ) is accepting just if q ∈ F 1 and, for all a ∈ N , φ(a) ∈ F 2 ∪{⊥}.
Thus, CMAs resemble HRAs in that they store input names in "histories", only that histories are identified with states: for each state q there is a corresponding history q (note notation overloading), and a transition which accepts a name a and leads to a state q must store a in the history q.Moreover, each name appears in at most one history (hence the type of φ) and, moreover, the finality conditions for configurations allow us to impose that all names appear in specific histories, if they appear in any.For example, here is a CMA (left below, with F 1 = F 2 = {q 0 }) which recognises the language L 4 .
Each name is put in history q 1 when seen for the first time, and to q 0 when seen for the second time.The automaton accepts if all its names are in q 0 .This latter condition is what makes the essential difference to HRAs, namely the capability to check where the names reside for acceptance.For example, the HRA on the right above would accept the same language were we able to impose the condition that accepting configurations (q, H) satisfy a ∈ H@{2} for all names a ∈ i H(i).
The above example proves that HRAs cannot express the same languages as CMAs.Conversely, as shown in [5, Proposition 7.2], the fact that CMAs lack resets does not allow them to express languages like, for example, L 1 = (L a0 ) * where: In the latter sections of [5] several extensions of CMAs are considered, one of which does involve resets.However, the resets considered there do not seem directly comparable to the reset capability of HRAs.On the other hand, a direct comparison can be made with non-reset HRAs.We already saw in Proposition 26 that, in the latter formalism, histories can be used for simulating register behaviour.In the absence of registers, CMAs differ from non-reset HRAs solely in their constraint of relating histories to states (and their termination behaviour, which is more expressive).As the latter can be easily counterbalanced by obfuscating the set of states, we obtain the following.
Proposition 32.For each non-reset HRA A there is a CMA A ′ such that L(A) = L(A ′ ).

Further directions
We see several further directions of this work.A first direction is examining the decidability of bisimilarity.Although it is known that bisimilarity is undecidable for Petri nets [14], the version which seems of relevance towards an undecidability argument for HRA-bisimilarity is that of visibly counter automata with labels, i.e. automata which accept labels at each transition, and the action of each transition is determined by the accepted label.The latter problem is not known to be decidable.On the other hand, it seems reasonable to consider further extensions of HRAs with additional expressiveness added by constrained tests for zero, for example as in [11].Finally, an avenue we would like to pursue is the application of automata with histories in runtime verification, in the spirit of [13].Although the complexity results derived in this paper may seem discouraging at first, they are based on quite specific representations of hard problems.In practice, we expect programs to yield automata of simpler complexities.Experience with tools based on coverability of TR-VASSs, like e.g.BFC [16], positively testify in that respect.

A Reasoning about emptiness symbolically
In this section we describe a method for reducing emptiness for HRAs to controlstate reachability for TR-VASSs.For convenience, we shall consider a specific subclass of HRAs which encompasses the weak HRAs we examine in Section 5, and for which the corresponding TR-VASSs are just R-VASSs.More specifically, we examine HRAs A = Q, q 0 , H 0 , δ, F such that: We can see that in the above machines it is not possible to virtually transfer names between histories.Therefore, all possible transfers are additions of single names, or literal resets.
Before we proceed with our analysis, let us fix the way we compute the size of our machines.For a set X, we write |X| for its cardinality.For a structure X, we write X for its size.We assume that in general we need log(k) space to encode any i from a set [k].
HRA Let A = Q, q 0 , H 0 , δ, F be an (m, n)-HRA.We represent A by encoding δ, q 0 , H 0 and F , where δ is encoded as an array of tuples of the form (q, ℓ, q ′ ) with ℓ ∈ P([m+n]) 2 ∪ P([m+n]).We have δ = |δ| • (2 log |Q| + log(2 2(m+n) + 2 m+n )) and so: A rough lower bound of the above is: δ be an R-VASS of m dimensions.Encoding δ as an array with entries of the form (q, ℓ, q ′ ), where ℓ ∈ {−1, 0, 1} m ∪ [m], we have that the size of A is: The size (A, q 0 , i 0 , q F ) of an input to state-reachability is: Skeletons Checking language emptiness for a given HRA boils down to determining the existence of a symbolic accepting path, i.e. a sequence of δ-steps from the initial state to some final state, which is also realisable by the HRA, i.e. it leads to a corresponding configuration path.Finding symbolic paths from initial to final states is easy: one just needs to decide emptiness for the finite-state automaton underlying the HRA in examination.On the other hand, resolving whether a path is realisable is more demanding: in order for a transition q X,X ′ −→ q ′ to be realisable, it is necessary that the automaton be at a configuration H such that there exists a name appearing precisely in places X; put otherwise, |H@X| > 0.
We address the above by constructing counter machines which operate symbolically and carry along during computation (inside their states and counters) the minimal amount of information necessary for resolving whether a transition of the modelled HRA can be taken.This information corresponds to a symbolic encoding of actual assignments.For each assignment H, it consists of: (i) A partition of the set of registers according to whether they contain the same name in H, and a function assigning to each history those registers whose contents appear in that history.(ii) For each set of histories X, a counter which stores the number of names which appear exactly in X.
We call part (i) the skeleton of the assignment, and part (ii) its counters.Consider, for example, the (1, 4)-HRA assignments: Their skeletons coincide as, in both assignments: the first and fourth registers (places 2 and 5) contain the same name, the third register (place 4) contains a different one, and the second register (place 3) is empty; -the history (place 1) contains the name of the third register, and no other names from the registers.
On the other hand, their counters differ: the former leads to a counter value 0 (no names appearing only in the history), while the latter leads to 2. Formally, for each (m, n) we set Σ(m, n) to be the set of all functions φ : [m+n] → P([n]), such that: -For all i > m, |φ(i)| ≤ 1 and, moreover, the values for φ(i) are picked in the following sequential manner: if φ(i) = {j} then either φ(i ′ ) = {j} for some m < i ′ < i, or j is the least element of [n] which has not appeared in φ(m+1), We call elements of Σ(m, n) skeletons.For each skeleton φ, its restriction to indices greater than m represents a partition of the n registers: registers i and j are in the same part if φ(m+i) = φ(m+j) = ∅; register i is empty if φ(m+i) = ∅.On the other hand, for each i ≤ m, φ(i) contains the index φ(m+j) just if the name of the j-th register appears in the i-th history.For example, both configurations in (1) have the skeleton ({2}, {1}, ∅, {2}, {1}).
Note that, because of the canonical selection of indices for skeleton values, each assignment H has a unique skeleton, which we denote by Σ(H).Moreover, which is slightly better than the 2 n(m+n) we would have obtained had we taken skeletons to be all functions in [m+n] → P([n]).Let us now describe how do we update skeletons so that they mimic assignment updates.For each φ and X ⊆ [m+n], we set φ@X = i∈X φ(i) \ i / ∈X φ(i).In the specific case of X = ∅ we slightly abuse this and set φ@ ∅ = {0}.Thus, the @ operator mimics the @ operator for assignments: if φ@X = {j} and φ = Σ(H), for some assignment H, then there is a name a such that H@X = {a}.In such a case, we write φ[j in X ′ ] for Σ(H[a in X ′ ]), for any X ′ .Finally, for each φ representing some H and X ⊆ [m+n] we write φ[X → ∅] for Σ(H[X → ∅]).This completes the definition of skeleton updates.
Simulating R-VASSs We now proceed to the concrete construction of counter machines, in the form of R-VASSs, which simulate HRAs for emptiness.Suppose A = Q, q 0 , H 0 , δ, F is an (m, n)-HRA and let X 1 , • • • , X m ′ be an enumeration of the non-empty subsets of [m] (which require each a counter for the symbolic representation of assignments), so m ′ = 2 m − 1.We construct a simulating R-VASS A ′ = Q ′ , δ ′ with m ′ dimensions in which states are equipped with skeletons.At skeleton φ, each q X,X ′ −→ q ′ ∈ δ shall be mapped to a sequence of transitions in A ′ , according to the following rules.
-If X = ∅ and φ@X = ∅ then the sequence is void.
-Otherwise, if X = X j then the first transition is a decrement of the j-th counter.
-If X ′ = X i then the next transition is an increment of the i-th counter.
-If X ′ ⊆ [m] then the next transition increments each counter i such that there is a set Y i with φ@Y i = ∅ and ).This reconciles for the fact that the registers in X ′ will be overwritten and therefore their names transferred.
On the other hand, at the same φ, a transition q X −→ q ′ ∈ δ shall be mapped to a transition in A ′ , according to the rules: -If [m] ⊆ X then the sequence is just a reset of all counters.
-Otherwise, [m] ∩ X = ∅ and, therefore, transitions increasing all counters according to the last point above will occur.
In each case, the skeleton is updated according to X, X ′ .Formally, we set , where the last component is an index used to facilitate breaking each transition of δ into potentially two transitions.We include in δ ′ the following transitions.For each (q, φ, 0) ∈ Q ′ and q X,X ′ −→ q ′ ∈ δ: − → (q ′ , φ ′ , 0) where φ ′ = φ[0 in X ′ ] and v j = 1 for all j such that there is Y j with φ@Y j = ∅ and X j = Y j \ (X ′ \ [m]), and v j = 0 otherwise, and Moreover, for each q X −→ q ′ ∈ δ: if [m] ∩ X = ∅ then add (q, φ, 0) v −→ (q, φ[X → ∅], 0) where v j = 1 for all j such that there is Y j with φ@Y j = ∅ and X j = Y j \ (X ′ \ [m]), and v j = 0 otherwise; Thus, A ′ symbolically simulates the transition behaviour of A and updates at each transition its skeleton and counters in such a way that, for each configuration (q, H) of A, A ′ is in the configuration (q, φ, 0, v) with Σ(H) = φ and |H@X j | = v j for each j ∈ [m ′ ].We can therefore show the following.

⊓ ⊔
Proof (Lemma 29).Let A = Q, δ be an R-VASS of 1 dimension.We first state two rather straightforward facts about A. Fact 1.A is up-monotonic: if (q, i) −→ −→ (q ′ , i ′ ) is a configuration path of A then, for each k > 0, there is a path (q, i+k) −→ −→ (q ′ , i ′′ ) of the same length.Fact 2. A is down-monotonic: if (q, i) −→ −→ (q ′ , i ′ ) is a configuration path of A in which there are no reset edges and the counter never becomes less than k, some k > 0, then there is a path (q, i−k) −→ −→ (q ′ , i ′′ ) of the same length.Now, let (A, q 0 , i 0 , q F ) be an instance for Reach and let p be a configuration path from (q 0 , i 0 ) to (q F , i F ), some i F , such that p is of least length among all paths leading to some (q F , i).By Fact 1, we have that p is non-decreasing: if (q, i ′ ) appears after (q, i) in p and i ′ ≤ i then we can circumvent the entire subpath between (q, i) and (q, i ′ ).Now suppose (q, i+k) appears after (q, i) in p, some k > 0. By Fact 2 and minimality of p, there must be a configuration (q ′ , k−1) after (q, i+k) in p such that there are no reset edges between (q, i+k) and (q ′ , k−1).Let p ′ be a subpath of p of the form (q, i+k), (q ′′ , i+k−1), • • • , (q ′ , k−1). 9Since p ′ is non-decreasing, all its states are different and hence, as p ′ has length i+2, we have i+2 ≤ |Q|, i.e. i ≤ |Q|−2.This gives us a bound on the counter value of any state that can be repeated in p.Thus, each state can appear in p at most |Q| times, with counter values 0, 1, 2, 3, • • • , |Q|−2, j (last occurrence can have any value).This implies that the length of p is at most |Q| 2 and that in p the counter does not exceed the value i 0 + |Q| 2 − 1.We can therefore check (A, q 0 , i 0 , q F ) ∈ Reach as follows.Note first that, by Facts 1,2 and the fact that the length of minimal reaching path is at most |Q| 2 , if i 0 ≥ |Q| 2 − 1 then it suffices to check (A, q 0 , |Q| 2 −1, q F ) ∈ Reach.Thus, we need only check (A, q 0 , N 0 , q F ) ∈ Reach with N 0 = min(i 0 , |Q| 2 −1).We do this by non-deterministically computing |Q| 2 consecutive configurations and checking whether any of them is final.We only store the current configuration and a counter bounded by |Q| 2 .Thus, we require space log |Q|+log(N 0 +|Q| 2 −1) for the configuration and log |Q| 2 for the counter so, in total, less than log |Q| + log(2|Q| 2 ) + log |Q| 2 .Since N = (A, q 0 , N 0 , q F ) ≥ |Q| • log |Q|, we require space O(log N ).By Savitch's theorem, we get Space(log 2 N ).
⊓ ⊔ Proof (Proposition 26).For simplicity, and in order to make our argument cleaner, the proof we present here assumes that names are kept in at most one register at a time, and in particular transitions have singletons for labels as far as registers are concerned.The same technique, though, applies to the general case modulo some extra technical nuances.For the same reasons, we shall assume n = 0. We shall simulate each register of A by 3 histories in A ′ : each register i in A will have counterparts i r , i b , i y in A ′ . 10Whenever a name a is assigned to register i (in A), in A ′ it is assigned to one of i r , i b , i y .More precisely, it is assigned to i r if the next time the name appears in the computation of A is by reading register i.Otherwise, the next occurrence of a can only happen after the contents of register i are rewritten, and a is assigned again to some register j as a locally fresh name; in the latter case, the name will be stored in either of i b , i y .The reason we need two histories for the latter case is so that we can ensure that A ′ does not select a locally non-fresh name when it is expected to accept instead a locally fresh one.This can already be seen in Example 30, and will become clearer below.Let A = Q, q 0 , H 0 , δ, F with H 0 (i) = ∅ for all i ∈ [m].We set A ′ = Q ′ , q ′ 0 , H ′ 0 , δ ′ , F ′ , a non-reset HRA of type (3m, 0), where The extra component f in each state serves the purpose of recording, at each point during the computation, where does the name of register i of A reside in A ′ : f (i) = r (= b, y) means it is in history i r (i b , i y resp.).If register i is empty then we set f (i) = ∅.Finally, we include in δ ′ precisely the following transitions.
Note that the conditions on f and outgoing labels always ensure that histories i r contain at most one name.We claim that L(A) = L(A ′ ).Let first w ∈ L(A ′ ) have an accepting transition path p in A ′ with edges (q k , f k ) X k ,Y k −→ (q k+1 , f k+1 ).Reading the definition of δ ′ backwards, this yields an accepting transition path p ′ in A with edges q k X ′ k ,Y ′ k −→ q k+1 where -X ′ k = i if X k = i r , and X k = ∅ otherwise; -Y ′ k = j if Y k ∈ {j r , j b , j y }, and Y k = ∅ otherwise.To see that p ′ accepts w, note that, for each configuration (q k , f k , H k ), -if X k = i r then H k (i r ) = {a} and f k (i) = r so a the last name stored in either of i r , i b , i y ; -if X k = i b then f k (i) = b and therefore the last name a stored in either of i r , i b , i y is not stored in i b , hence a is locally fresh; similarly if X k = y; -if X k = ∅ then the accepted name is globally fresh.
Hence, noting also that by design the last name stored in either of i r , i b , i y (in the run of p) is the same as the name stored in register i (in p ′ ), we have that w ∈ L(A ′ ).Conversely, let w = a 1 • • • a N ∈ L(A) have an accepting transition path p with edges q k X k ,Y k −→ q k+1 (k = 0, • • • , N −1).We construct an accepting path p ′ in A ′ with edges (q k , f k ) k ,Y ′ k −→ (q k+1 , f k+1 ) as follows.We have that f 0 = {(i, ∅) | i ∈ [m]}.Moreover: (a) For each position k such that in all previous appearances of a k in s, say as a k = a k ′ with k ′ < k (if any), a k ′ is not stored (i.e.Y k = ∅), we set X k = ∅.(b) For each position k such that Y k = i and the next appearance of a k in s is some a k ′ with X k ′ = i, we set Y k = i r .(c) For each position k such that Y k = i and the next appearance of a k in s is some a k ′ with X k ′ = ∅, we choose some Y k ∈ {i b , i y }.
The rest of the labels in p ′ and the form of the f k 's is derived from the above according to the definition of δ ′ .To show that p ′ indeed accepts w we need to show that our above labelling is correct and, in particular, that there is a valid choice of labels from {i b , i y } in the step (c) above.By a valid choice we mean one such that if, for instance, Y k = i b then f k ′ (i) = b and therefore X k ′ can correctly pick a k .By definition, the value of f k ′ (i) is determined by the rightmost position l, with k < l < k ′ , which assigns a name in either of i r , i b , i y (since a k becomes locally fresh from state q k to q k ′ , such an l always exists).Our constraint, therefore, (in this case) is that Y l = b.In particular, if position l falls under case (c) above, we need to choose Y l = y.Thus, it suffices to colour all our positions which fall under case (c) with colours from b, y, such that no inter-related q k and q l have the same colour.We claim that such a colouring is always possible.Indeed, we can build a graph G as follows.The nodes of G are the positions which fall under case (c), arranged on a line in ascending order, from left to right.Now, for each inter-related positions k and l as above, we add a directed edge from node k to node l.Then, a valid colouring of our positions is possible iff G is 2-colourable, i.e. if it contains no cycles.Now note that each node in G has at most one outgoing edge, and all edges go from left to right (above, k < l).Hence, G is 2-colourable and we can therefore build a valid path p ′ in A ′ accepting w. ⊓ ⊔

Fig. 1 .
Fig.1.Expressiveness of history-register automata compared to previous models (in italics).The inclusion M −→ M ′ means that for each A ∈ M we can effectively construct an A ′ ∈ M ′ accepting the same language as A. All inclusions are strict.

Definition 27 .
A (1, n)-HRA is called a unary HRA of n registers.